Korea University's Graduate School of Information Security announced a technical briefing on material from Phrack's “APT Down: The North Korea Files,” which was said to be based on files taken from a workstation used by a suspected Kimsuky operator. The s…
Elliptic describes the February 2025 Bybit exploit as a North Korean act in which about $1.46 billion in ETH and ERC-20 tokens were transferred to an attacker-controlled address. Six months later, laundering had moved more than $1 billion through rapid mu…
A Korean-language analysis attributes a malicious LNK lure to APT37/Reaper and identifies RokRAT delivery through a decoy about an academy for successful resettlement of North Korean defectors in South Korea. The shortcut searches for PowerShell, locates …
Spur investigated anonymizing infrastructure after a leaked dataset tied IP address 156.59.13[.]153 to activity targeting organizations in South Korea and Taiwan, while the leak author attributed the activity to Kimsuky and Spur explicitly left that attri…
BTC Turk suffered a $51.7 million hot-wallet theft in August 2025 after private keys were reportedly compromised, repeating a similar $55 million breach from June 2024. The attackers moved assets across Ethereum, Avalanche, Arbitrum, Base, Optimism, Mantl…
WOO X attributed a July 24, 2025 cryptocurrency-theft incident to suspected North Korea-linked activity, citing evidence for UNC4899 and later considering UNC4899 or UNC5565 involvement. The intrusion began when a developer accepted an open-source collabo…
Axios reports that North Korean remote IT worker operations have reached major U.S. companies, including Fortune 500 environments, as a sanctions-evasion revenue stream for Pyongyang. The scheme uses stolen or fabricated identities, AI-generated resumes a…
Leaked email datasets are used to profile DPRK IT worker tradecraft, with the source linking the activity to Microsoft’s Jasper Sleet classification and remote-work fraud against DApp, Web3, blockchain, and cryptocurrency companies. The analysis says 1,38…
AhnLab observed July 2025 APT activity in South Korea dominated by spear-phishing, with LNK-based delivery making up the largest share of identified cases. The LNK files executed malicious PowerShell commands, unpacked CAB archives, ran scripts such as BA…
Trellix attributes an active early-2025 espionage campaign against embassies and foreign ministries in Seoul to DPRK-linked actors, with infrastructure overlaps to known Kimsuky operations. The attackers sent at least 19 spear-phishing emails impersonatin…
A Korean malware analysis attributes the auto.py sample to Lazarus/Famous Chollima and identifies it as part of the PyLangGhost RAT tooling. The script is described as collecting Chrome extension local storage from multiple browser profiles, which could e…
North Korean hackers were accused in an OFSI-referenced assessment of stealing about £17m in Bitcoin, Ethereum, and other cryptocurrency from Lykke, a trading platform incorporated in Britain. The article says Lazarus was identified as a potential culprit…
A Kimsuky-focused APTDown presentation was archived from YouTube as a DPRK-relevant CTI source. The title and existing metadata identify Kimsuky as the relevant actor context and APTDown as the subject of the presentation. The record is useful for trackin…
Leaked workstation and server material is presented as evidence of suspected Kimsuky activity against South Korean government, military, prosecution, foreign ministry, portal, media, and Taiwan-related targets. The excerpt describes spear-phishing infrast…
A leaked Kimsuky data set is described as exposing internal files and tools tied to backdoors, phishing frameworks, and reconnaissance activity after a compromise around early June 2025. The excerpted work.zip analysis highlights operator tooling rather t…