The investigation pivots from 158.247.215[.]121 to infrastructure assessed with high confidence as related to Kimsuky/APT43. The observed hosts used Vultr infrastructure, exposed RDP, WinRM, HTTP services, and a repeated RDP certificate common name, CN=Co…
DTEX reports that DPRK-affiliated IT workers attempted post-termination access against a blockchain entity’s critical infrastructure. After dismissal, the workers tried to regain access to the organization’s main database and execute malicious code intend…
Unit 42 analyzes two new KimJongRAT stealer variants, one PE-based and one PowerShell-based, both initiated by Windows LNK files that retrieve droppers from attacker-controlled content hosted on a legitimate CDN service. The PE chain uses cmd.exe, curl.ex…
S2W attributes a May 2025 cryptocurrency-themed malware campaign to North Korea-backed Kimsuky, centered on a malicious Windows CHM help file named wallet.chm. Opening the CHM and triggering the embedded content leads through JavaScript, ActiveX shortcut …
An exposed ownCloud instance at cloud.star.net.kp, resolving to 175.45.176.31, revealed user files and server logs from North Korean-hosted infrastructure. The accessible /data directory exposed files for each user and logs showing activity from RFC-1918 …
Kimsuky is linked to a phishing email impersonating Naver's takedown-request service, telling the recipient that a blog post had been suspended for an alleged rights violation. The lure appears to target users writing about cryptocurrency by pushing them …
North Korean threat groups are highlighted as persistent drivers of 2024 crypto theft, with the article attributing $1.3 billion in stolen funds to DPRK activity. The DPRK-relevant section focuses on private-key exploits enabled by weak wallet governance,…
ASEC observed Kimsuky phishing professors with paper-review lures that delivered password-protected HWP documents containing malicious OLE objects. When the victim opened the document and followed the embedded “More…” prompt, peice.bat copied staged files…
AhnLab’s May 2025 South Korea APT trend data identifies spear phishing as the dominant observed intrusion vector, with lures tied to tax reporting, privacy compliance, virtual assets, foreign exchange, and administrative submissions. The excerpt describes…
AhnLab’s May 2025 APT trend roundup highlights North Korean activity against Ukrainian government agencies and broader attempts to infiltrate organizations by posing as workers in cybersecurity and other industries. The Konni section describes February 20…
Aikido found the npm package web3-wrapper-ethers impersonating the legitimate ethers library while targeting Web3, blockchain, and cryptocurrency developers. The package copied ethers metadata and modified the Wallet constructor to exfiltrate private keys…
AhnLab's May 2025 domestic APT trend data shows spear phishing as the dominant intrusion route against South Korean targets, with LNK-based delivery taking the largest share. The observed lures used tax, privacy, virtual-asset, business-document, and unif…
ASEC links a Kimsuky campaign to phishing emails sent to professors under the guise of academic paper review requests, with password-protected HWP documents carrying malicious OLE objects. Opening the document creates staged files in %TEMP%, and a "more" …
The podcast excerpt presents Lazarus as an active North Korean threat actor with past activity ranging from the Sony Pictures attack to major cryptocurrency theft such as the Bybit incident. Its current focus in the provided text is infiltration campaigns…
Genians analyzed a March-April 2025 AppleSeed campaign attributed in the report to Kimsuky, a North Korea-linked state-sponsored group active against defense, military, cryptocurrency, vaccine, and North Korea-related activist targets. The operators used …