A Konni-attributed LNK malware sample impersonates a Korean National Tax Service overseas financial account declaration form and abuses Windows PowerShell to unpack and run embedded payloads. The obfuscated script searches for a matching .lnk file by size…
PIOLINK analyzed HappyDoor malware activity attributed in the report to the Kimsuky group, described as a North Korea-linked APT focused on espionage against South Korean and other Asian diplomatic, defense, government, and military research targets. The …
Leaked data reviewed by WIRED and researcher SttyK exposes the internal workflow of an alleged North Korean IT-worker operation that tracks job applications, fake identities, hardware, earnings, and team budgets across Google, GitHub, Slack, and spreadshe…
A spear-phishing operation targeted a specific person at a South Korean nonprofit policy research institute by impersonating a domestic media employee during an otherwise plausible column-submission workflow. The attack delivered a password-protected ZIP …
S2W TALON attributes a postal-code update lure campaign against South Korean users to ChinopuNK, an internally tracked ScarCruft subgroup associated with Chinotto malware. The infection chain begins with a malicious LNK in a RAR archive, drops an AutoIt l…
CyberBlade Security examines how North Korea’s cyber apparatus is connected to education, military infrastructure, and regime-controlled facilities in Pyongyang’s Mangyongdae district. The analysis focuses on Kim Il Sung Military University, described as …
ANY.RUN analyzes PyLangGhost RAT as a Python-based evolution of GoLangGhostRAT linked in the excerpt to the Lazarus subgroup Famous Chollima. The malware is delivered through targeted ClickFix social engineering against technology, finance, and cryptocurr…
Bybit lost more than $1.4 billion in ETH after Lazarus-linked operators compromised Safe{Wallet} infrastructure and manipulated the multisignature transaction flow used for a routine cold-to-warm wallet transfer. The excerpt describes initial access throu…
A U.S. civil forfeiture complaint seeks approximately 1,008,902.606307 USDT tied to alleged identity theft, computer fraud, wire fraud, money laundering, and related conspiracies. The excerpt defines the legal basis for seizing virtual-currency property d…
CNN reports that thousands of North Korean IT workers use stolen or fabricated U.S. identities to pose as Western developers, engineers, and technology consultants. The operation relies on AI-generated resumes and headshots, face-masking tools, VPNs, remo…
BigONE reported that a July 16, 2025 attack drained about $27 million from its hot wallets without exposing private keys. HackenProof attributed the intrusion path to social engineering against a key developer, followed by compromise of the developer’s de…
The Chinese source uses a Lazarus-inspired ByBit/Safe{Wallet} scenario to explain how front-end tampering can redirect cryptocurrency transactions without crashing the service or visibly altering the user experience. The described attacker studies Next.js…
CrowdStrike reports that DPRK-nexus FAMOUS CHOLLIMA infiltrated more than 320 companies over the past 12 months, a 220% year-over-year increase. The activity centers on North Korean IT workers using generative AI throughout hiring and employment, includin…
The analysis attributes a malicious LNK file disguised as an HWP document to Kimsuky and shows it abusing PowerShell to locate a specific-size shortcut file and extract embedded data. The script reads bytes from offset 0x17DC, XOR-decrypts them with 0x8C,…
UNC4899, UNC1069, UNC1720 is described as a cyber threat report requiring defender review of the published evidence. The source discusses attacker tradecraft, victim targeting, malware or infrastructure references, and operational context that may affect …