Genians analyzed a March-April 2025 AppleSeed campaign attributed in the source to Kimsuky, a North Korea-linked state-sponsored group targeting Korean Facebook, email, and Telegram users. The operators approached North Korea-related workers and activists…
Reaper/APT37 is described as using a malicious LNK file named “National Intelligence and Counterintelligence Manuscript.lnk” against South Korea–focused North Korea watchers. The targeted audience includes human rights groups, journalists covering North Kore…
Suspected North Korean threat actors showed sustained interest in Validin threat intelligence data, especially infrastructure publicly attributed to them and reporting that exposed their operations. The activity was attributed in the talk to a North Korea…
OpenAI says it disrupted abusive uses of its services involving social engineering, cyber espionage, deceptive employment schemes, covert influence operations, scams, spam and malicious cyber activity. The excerpt frames these cases as part of a broader e…
The U.S. Department of Justice filed a civil forfeiture complaint seeking more than $7.74 million tied to North Korean IT worker revenue generation and cryptocurrency laundering. The complaint alleges DPRK IT workers used fraudulent or stolen identities, …
TRM Labs analyzed the DOJ forfeiture action targeting more than $7.7 million in cryptocurrency, NFTs, and digital assets allegedly tied to a North Korean IT worker laundering network. The activity involved DPRK nationals deployed abroad, mainly in China, …
A Kimsuky-linked CHM file named SecurityMail.chm presents a Korean virtual-asset user-protection notice as a decoy while hiding malicious execution logic inside the compiled HTML help content. The embedded HTML abuses an ActiveX object to launch hidden Po…
ENKI analyzed GitHub repositories where an actor posing as a full-stack and blockchain developer hid malicious scripts inside apparently legitimate projects. In the Ly_AutoPayBot repository, malicious code was concealed far below the visible logger.ts con…
ENKI analyzed GitHub repositories operated by an actor posing as a full-stack and blockchain job seeker under accounts including RealToma, mthomas0802, and L34rnT0C0d3. The actor copied legitimate projects and hid malicious scripts in files such as logger…
Microsoft explains a weather-themed threat actor taxonomy that maps nation-state, financially motivated, private sector offensive, influence, and developing clusters into consistent naming families. North Korea-attributed actors are assigned the Sleet fam…
OtterCookie is described as a Lazarus-linked JavaScript stealer delivered through the Contagious Interview or DevPopper social engineering pattern against tech, financial, and cryptocurrency professionals. In the observed case, a LinkedIn freelance bug-fi…
CrowdStrike and Microsoft announced an analyst-led collaboration to deconflict threat actor naming across their attribution systems rather than force a single universal standard. The effort has already mapped more than 80 adversaries, allowing defenders t…
A Korean-language phishing email impersonating a National Tax Service notice about a June filing and payment deadline is attributed to Kimsuky. The lure sends victims to hxxp://nts(.)authenticatesvc(.)kro(.)kr/nts/ with parameters that mimic a Naver login…
IGLOO links a CJ Olivenetworks certificate-abuse malware sample to Kimsuky based on tradecraft overlap with an earlier Nexaweb certificate-abuse phishing campaign, including a Go-built dropper, Acrobat-like icon, and a backdoor internally named httpSpy.dl…
BitMEX analyzed a Lazarus Group campaign targeting cryptocurrency-sector personnel through LinkedIn outreach and a private GitHub repository for a supposed NFT marketplace collaboration. The repository contained a Next.js/React project with JavaScript tha…