NSHC's February 2025 threat actor intelligence report summarizes activity from multiple tracked groups, including SectorA clusters associated with North Korean operations. The report describes recruitment-themed social engineering on LinkedIn, Telegram, a…
Ketman expands the Nick L Franklin investigation into a broader DPRK IT worker cluster centered on Aqua Protocol and related GitHub personas. The source says Aqua Protocol was a fake Web3 lending application built around Aave V3 code, seeded with nearly $…
NTT Security published a white paper on malicious Microsoft Management Console (MSC) files, a technique observed across multiple attack campaigns beginning around March 2024. The report explains how MSC functionality such as Taskpad can be abused to execute…
Google Threat Intelligence Group reports that DPRK IT-worker operations have expanded beyond the United States into Europe while adopting more aggressive extortion and virtualized infrastructure tactics. One late-2024 worker operated at least 12 personas …
ENKI analyzed malware signed with a leaked Somansa code-signing certificate and assessed links to a North Korean APT cluster. The backdoor sample used command-and-control infrastructure under p-e[.]kr, a domain pattern the report says is frequently used b…
Genians analyzes a Konni APT campaign impersonating South Korean government bodies, including the National Human Rights Commission and police investigators, to pressure targets with spear-phishing themes. The activity uses spoofed sender identities, conve…
Paradigm uses the Bybit theft to explain how DPRK cryptocurrency operations are organized and how different RGB-linked clusters target the industry. The report says the February 2025 Bybit incident involved compromise of Safe{Wallet} infrastructure and a …
Sekoia describes ClickFake Interview, a Lazarus campaign that targets cryptocurrency job seekers through fake interview websites and uses ClickFix-style instructions to make victims run malicious commands. The operation is assessed with high confidence as…
The report analyzes an APT37 Reaper lure that impersonates Korean military studies journal material to distribute RokRAT. The malicious file abuses PowerShell and a shortcut-based execution chain, with the report providing hashes including SHA-256 d182834…
The archived thread collects suspicious comments and on-chain observations tied to the Nick L. Franklin persona and alleged DPRK-linked activity around cryptocurrency hacks and exploits. The source links some incidents to DPRK IT workers or Contagious Int…
In February 2024, it was embedded in software used by the Russian Ministry of Foreign Affairs to target sensitive systems, while in November 2023, phishing attacks employed malicious documents to deploy the malware, enabling attackers to exfiltrate data a…
The report analyzes a Kimsuky-attributed LNK lure named like a sex offender information notice PDF. Execution runs cmd.exe from the shortcut context, changes into the user temporary directory, downloads sfmw.hta from cdn.glitch.global, and launches it wit…
Vidoc Security Lab encountered a backend-engineer applicant who used a deepfake during a coding interview while presenting a credible CV and LinkedIn profile. The company says the incident could be linked to a North Korean hacker group that has used simil…
A suspected Konni APT spear-phishing campaign used a malicious LNK file that launches mshta and extracts an embedded PowerShell script into C:\ProgramData. The script connects to 64.20.59.148 on ports 8855 and 6699, downloads a ZIP from Dropbox, and drops…
Nisos tracks likely DPRK-affiliated IT workers posing as Singaporean, Turkish, Finnish, and US nationals to obtain remote engineering and blockchain jobs. The report identifies reusable persona infrastructure, including GitHub portfolios, resumes, contact…