AhnLab observed June 2025 APT activity in South Korea dominated by spear phishing, with LNK-based attacks the largest share and HWP-based attacks increasing from the previous month. The LNK cases embedded malicious PowerShell in shortcut files, unpacked C…
778 reports
The Korean-language analysis attributes a Naver blog restriction phishing email to a North Korean hacking group and frames it as Kimsuky-related activity. The lure claimed the recipient's Naver blog posts would be excluded from search or deleted unless th…
The June 2025 APT group trend report highlights several DPRK-linked operations, including North Korean remote IT worker infiltration and Kimsuky spear-phishing activity against South Korean targets. In the remote IT worker cases, Jasper Sleet and other No…
Socket reports that North Korean Contagious Interview operators expanded their software supply-chain activity with 67 malicious npm packages, including 28 tied to the newly identified XORIndex loader and 39 new HexEval packages. XORIndex collects host met…
North Korea-linked operators, assessed in the excerpt as likely Stardust Chollima, used NimDoor macOS malware against Web3 and cryptocurrency organizations. The intrusion chain began with Telegram social engineering and fake Zoom meeting lures, then deliv…
Moonlock summarizes SentinelOne research on North Korean fake-interview malware targeting Web3, crypto, and blockchain businesses through Zoom-themed social engineering. Victims are lured into interviews and instructed to run a fake Zoom SDK update script…
AhnLab’s June 2025 domestic APT monitoring found spear phishing remained the dominant intrusion method against South Korean targets, with LNK-based delivery accounting for the largest share and HWP-based attacks increasing from the previous month. One obs…
Venn Network reported that anomalous transactions exposed a backdoor in thousands of uninitialized ERC1967Proxy smart contracts, leaving more than $10 million at risk. The attacker front-ran deployers, set malicious implementations, and spoofed Etherscan …
Greek authorities froze cryptocurrency linked to the February 2025 Bybit hack after tracing funds from a suspicious transaction back to wallets used in the roughly $1.5 billion theft, which the excerpt says is widely attributed to North Korea’s Lazarus Gr…
OFAC sanctioned Song Kum Hyok, a DPRK cyber actor associated with the Reconnaissance General Bureau’s Andariel unit, for facilitating an IT worker scheme that used falsified identities and nationalities to obtain employment at unwitting companies. The act…
360 Advanced Threat Research Institute attributes a recent South Korea-focused intrusion to APT-C-55/Kimsuky, delivered through a trojanized Bandizip installer that installs the legitimate Korean Bandizip binary while launching malicious components in the…
OFAC designated Song Kum Hyok, a DPRK-based cyber actor affiliated with Andariel, for helping North Korean IT workers obtain remote employment through falsified identities and U.S. personal information. The scheme placed workers in technology, Web3, softw…
A WooriCard-themed LNK sample is assessed by the source, with caution, as likely Konni-linked, and is aimed at users of Woori Bank/Woori Card security-mail workflows. The shortcut runs obfuscated batch logic to launch hidden PowerShell, locate a specifical…
The available excerpt only identifies a CodeEngn Conference 21 PDF titled as a case analysis of North Korean APT group attacks, hosted in the codeengn/codeengn-conference GitHub repository. The captured text does not include the PDF body, case details, ac…
Wav3 examines how defenders can detect obfuscated PiKVM and TinyPilot KVM-over-IP devices in endpoint telemetry, noting that North Korean state-sponsored actors have shown interest in similar remote-access hardware. The article focuses on CrowdStrike USB …