A Konni-attributed LNK masquerades as a Korean HWP notice about appointing external evaluators for virtual assets. The shortcut runs PowerShell through rshell.exe, searches for a specific-size LNK, extracts embedded payloads from fixed offsets, XOR-decode…
Sygnia’s investigation found a North Korean IT worker, hired under a false identity by a Western organization, using a covert remote-control setup on a company-issued laptop. The tooling combined lightweight Python scripts, persistent WebSocket command-an…
Kimsuky used a Korean National Tax Service-themed phishing email claiming that a May filing and payment deadline change notice was available for review. The lure targeted Naver users by pre-filling the victim email address and asking only for the password…
An arXiv paper analyzes a malware sample attributed in the title to Lazarus Group activity targeting crypto-wallets and financial data. Static and dynamic analysis identified persistence mechanisms, command-and-control communication, data exfiltration rou…
Hauri analyzed a tax-notice-themed LNK attack that launches mshta.exe to retrieve txjyh.hta from cdn.glitch.global and execute an information-stealing chain. The HTA displays a tax.pdf decoy and branches on Windows Defender status: Defender-enabled hosts …
The excerpt is a Click Here podcast feed entry for a May 27, 2025 episode titled “227 new reasons to worry about North Korea,” but it does not include a transcript or technical episode body. The feed context shows the program covers cyber and intelligence…
South Korean prosecutors charged the alleged head of a China-based gambling-site distribution group for working with North Korean hackers from the 313 Bureau, formerly the Korea Computer Center, and the Reconnaissance General Bureau’s 5th Bureau. The indi…
Konni activity is described using a KB Kookmin Bank foreign-exchange transaction explanation lure that delivers a malicious LNK named like an HWP document. The LNK runs obfuscated PowerShell to locate a specific-size LNK, decrypt embedded data with single…
ASEC reports that Larva-25004, a cluster related to Kimsuky activity, used malware signed with a Nexaweb Inc. certificate. Two SCR files, including a job-description-themed sample, were signed in May 2024 with certificate serial 0315e137a6e2d658f07af454c6…
The simulation models a Velvet Chollima attack chain attributed in the excerpt to a January 2025 campaign against South Korean government officials, NGOs, government agencies, and media organizations across multiple regions. The described delivery starts …
ASEC identified malware associated with Larva-25004, a group connected to previously reported Kimsuky activity, that was signed with a Nexaweb Inc. certificate. The two discovered SCR files were signed on May 24 and May 28, 2024, using certificate serial …
IGLOO analyzes four LNK-based malware samples believed to be distributed by North Korea-linked Konni and Kimsuky activity. The samples are grouped into three types based on C2, code structure, and obfuscation: modular batch-file use, copied legitimate pro…
The report examines three malicious LNK files attributed to Kimsuky spear-phishing activity and groups them into two types based on C2 ports, filenames, and Google Drive details. The LNK files masquerade as .docx or .eml documents with Microsoft Word or O…
Nisos tracks the Saja DPRK Employment Scam Network as a likely DPRK-affiliated IT worker operation seeking remote engineering and full-stack blockchain roles. The actors posed as Polish and U.S. nationals through GitHub accounts, portfolio sites, freelanc…