Zscaler ThreatLabz details recent APT37 activity against Windows systems, linking the North Korean-aligned actor to Rustonotto, Chinotto, and FadeStealer. The campaigns use Windows shortcut files and CHM help files as initial delivery vectors, including a…
A Kimsuky-attributed phishing email impersonated South Korea's National Tax Service and Naver electronic document notices to steal Naver account credentials. The lure claimed a September tax filing and payment deadline notice, but the message was sent thr…
DomainTools examines the “Kim” dump as a rare operational leak tied in the text to Kimsuky/APT43 and North Korean-aligned credential theft activity. The material shows South Korean and Taiwanese targeting through phishing domains, AiTM credential capture,…
Chollima Group links the Hailong Jin and Lian Hung personas to suspected North Korean IT worker activity, including GitHub accounts tied to Unity/game development, blockchain work, and overlap with strings seen in Moonstone Sleet's DeTankZone research. Le…
SentinelLABS and Validin observed North Korea-aligned Contagious Interview operators creating and using cyber intelligence platform accounts to monitor their own exposed infrastructure. The activity is tied to the ClickFix-style job seeker lure chain, whe…
NSHC’s August 2025 roundup identifies SectorA activity against finance and cryptocurrency targets using fileless attacks, malicious LNK files, and software package exploitation. The SectorA section highlights the Contagious Interview campaign distributing…
A PowerShell script identified in the source as ESET PowerShell/Kimsuky.AX targeted a South Korean foreign-policy organization and collected host reconnaissance data before staging additional payloads. The script gathered running processes, OS version, pu…
Cyble profiles Lazarus Group as a North Korean state-sponsored actor conducting financially motivated intrusions, espionage, ransomware, supply-chain compromise, and cryptocurrency and fintech targeting alongside broader activity against defense, governme…
FalconFeeds analyzes a leaked Kimsuky operator workstation and related VPS that exposed backdoors, source code, internal documents, browsing history, credentials, and phishing infrastructure. The attribution discussion cites Korean Standard Time configura…
Fox-IT and NCC Group analyzed a Lazarus subgroup targeting financial and cryptocurrency organizations, overlapping with activity linked to AppleJeus, Citrine Sleet, UNC4736, and Gleaming Pisces. In a 2024 DeFi intrusion, the actor used Telegram social eng…
The source attributes to Kimsuky a Korean-language lure named “donation receipt.pdf.lnk,” which masquerades as a Hangul document and child-welfare donation receipt. When executed, the LNK launches hidden PowerShell, decodes embedded Base64 content, …
NK Internet examined an Arirang 182 North Korean feature phone, a rugged IP68-rated handset with a 2.4-inch display, removable battery/SIM compartment, and domestic support references such as the 999 subscription number. The device could be switched to En…
A phishing email sent to a South Korean energy-company domain delivered a RAR attachment containing a .NET executable disguised as an air cargo waybill. The executable was identified as a PureCrypter first-stage loader that contacted 158.247.250[.]251 for…
The described Kimsuky activity used a password-protected ZIP containing a PDF-themed LNK named Update Schedule_INVITATION - 250625 UNC Ambassador's Roundtable.pdf.lnk. The lure impersonated a United Nations Command ambassador roundtable invitation and was…
Seqrite links Operation HanKook Phantom to APT37, a North Korean state-backed espionage actor also known as InkySquid, ScarCruft, Reaper, Group123, TEMP.Reaper, and Ricochet Chollima. The campaign used a National Intelligence Research Society newsletter d…