The Bybit hack is tied in the excerpt to TraderTraitor, a DPRK threat group that used the no-KYC exchange eXch to launder almost $100 million from the stolen funds. eXch is described as an automated centralized exchange with Tor access, no registration, d…
2025
778 reports
ASEC reports malicious LNK files distributed to Korean users under notice-themed filenames such as local tax bill and sex-offender information notice PDFs. When executed, the LNK downloads and runs an HTA file from an attacker-controlled server, which con…
ASEC documents March 2025 distribution of the PebbleDash backdoor in activity it attributes to Kimsuky, noting that PebbleDash was originally named by CISA as Lazarus/Hidden Cobra malware but has recently appeared frequently in Kimsuky cases. The attack c…
S2W links the Willo Campaign to TraderTraitor and describes a North Korea-backed phishing operation against cryptocurrency employees, including developers and sales staff. The activity used malicious NPM packages in June 2024, a Versus X-themed installer …
The excerpt presents raw, unfiltered OSINT links around a likely DPRK-linked GitHub persona identified as zeus-dev919, while repeatedly warning that the linkages require double verification. It describes repositories and public Google Drive folders that a…
The archived executive summary tracks roughly $1.4 billion in hacked funds, about 500,000 ETH, with 68.57% still traceable, 27.59% gone dark, and 3.84% frozen. It says DPRK-linked laundering moved most value from Ethereum into BTC through Thorchain, conve…
Unit 42 reports that DPRK IT-worker operations are adopting real-time deepfake technology to pass remote job interviews under synthetic identities. The team found that a researcher with no prior deepfake experience could create a passable interview person…
The archived post lists practical detection cues for DPRK remote IT-worker schemes during recruiting and onboarding. It advises employers to watch for VPN use during applications, formulaic developer-themed email addresses, virtual phone numbers, new or r…
The excerpt is a beginner-oriented reverse engineering walkthrough for WannaCry rather than a new intrusion report. It focuses on static analysis with PE viewers and string extraction, safe dynamic analysis in a virtual machine, and recognition of ransomw…
ASEC identified Larva-24005 as an operation related to Kimsuky after breach investigations involving exploitation of the BlueKeep RDP vulnerability, CVE-2019-0708. The activity targeted South Korean software, energy, and financial organizations and used s…
Rewterz profiles Kimsuky, also tracked as Black Banshee, as a North Korean espionage group using phishing, malware infections, supply-chain compromise, lateral movement, and data exfiltration against targets in South Korea, Japan, the United States, and o…
Trail of Bits describes an ELUSIVE COMET social-engineering attempt that invited its CEO to a fake "Bloomberg Crypto" appearance through suspicious Twitter accounts and non-Bloomberg Calendly pages. The campaign targets cryptocurrency and security profess…
Logpresso's CTI Report Vol. 11 covers first-quarter 2025 threat analysis, including phishing attacks disguised as public documents and a comparison of malware used by two groups masquerading as Korean Hangul documents. The excerpt indicates that the repor…
Proofpoint observed TA427, overlapping with Kimsuky or Emerald Sleet, adding ClickFix social engineering to its North Korea affairs targeting in January and February 2025. Operators used spoofed meeting-request conversations, benign and malicious PDF lure…
The Korean malware write-up analyzes an LNK lure named as a North Korea flood interview request and assesses it as likely Kimsuky-related, while explicitly noting the attribution is an estimate. The shortcut masquerades as a PDF and launches hidden PowerS…