This collection (tagged Trend, Kimsuky, Konni) is described as a set of cyber threat reports requiring defender review of the published evidence. The sources discuss attacker tradecraft, victim targeting, malware or infrastructure references, and operational context that may affect dete…
2025: 778 reports
TRM Labs reports that North Korea-linked cryptocurrency hacks continued in 2024, with nearly USD 800 million stolen. The excerpt places that activity in a broader illicit-crypto landscape where overall illicit volume declined by 24%, while ransomware paym…
The Korean analysis attributes a malicious VBS backdoor sample named vbs.html to Kimsuky and says it was distributed from hxxp://mrasis(.)n-e(.)kr. The sample is heavily obfuscated, uses random variable names, suppresses errors, decodes hexadecimal string…
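The excerpt above describes the Kimsuky VBS backdoor as suppressing errors and decoding hexadecimal strings at run time. The following is an added example, not code from the Korean analysis: a small Python deobfuscator that locates the script's own hex-decoder function from its body (a Function that converts "&H" & Mid(...)), replaces calls to it and Chr(&H..) chains with plain string literals, and flags On Error Resume Next. SAMPLE_VBS is a constructed script with the same shape; its function and variable names and its strings are invented, and the real sample's encoding may differ in detail.

```python
"""Recover strings from a hex-obfuscated VBS sample.

Added example; not code from the Korean analysis. SAMPLE_VBS below is a
constructed script (names and strings invented) whose decoder function is
discovered from its body rather than assumed by name.
"""
import re

# name("48656c6c6f")  -> a call that passes a hex literal to some function
HEX_CALL = re.compile(r'\b(\w+)\(\s*"([0-9A-Fa-f]{2,})"\s*\)')
# Chr(&H63) & Chr(&H61) ... -> character-by-character string building
CHR_CHAIN = re.compile(r'Chr\(&H[0-9A-Fa-f]{1,2}\)(?:\s*&\s*Chr\(&H[0-9A-Fa-f]{1,2}\))*')
CHR_ONE = re.compile(r'&H([0-9A-Fa-f]{1,2})')
FUNC_DEF = re.compile(r'Function\s+(\w+)\s*\([^)]*\)(.*?)End\s+Function', re.S | re.I)
ON_ERROR = re.compile(r'^\s*On\s+Error\s+Resume\s+Next\b', re.M | re.I)


def find_hex_decoders(src: str) -> list[str]:
    """A Function whose body converts "&H" & Mid(...) is treated as a hex decoder."""
    return [m.group(1) for m in FUNC_DEF.finditer(src)
            if '"&H"' in m.group(2) and re.search(r'\bMid\(', m.group(2), re.I)]


def vb_literal(s: str) -> str:
    return '"' + s.replace('"', '""') + '"'


def deobfuscate(src: str) -> dict:
    """Replace decoder calls and Chr chains with plain string literals."""
    decoders = set(find_hex_decoders(src))
    recovered: list[str] = []

    def hex_repl(m: re.Match) -> str:
        name, hexs = m.group(1), m.group(2)
        if name not in decoders or len(hexs) % 2:
            return m.group(0)                      # not a decoder call, leave it
        text = bytes.fromhex(hexs).decode("latin-1")
        recovered.append(text)
        return vb_literal(text)

    def chr_repl(m: re.Match) -> str:
        text = "".join(chr(int(h, 16)) for h in CHR_ONE.findall(m.group(0)))
        recovered.append(text)
        return vb_literal(text)

    out = HEX_CALL.sub(hex_repl, src)
    out = CHR_CHAIN.sub(chr_repl, out)
    return {
        "script": out,
        "strings": recovered,
        "decoders": sorted(decoders),
        "error_suppression": ON_ERROR.search(src) is not None,
    }


def _hex(s: str) -> str:
    return s.encode().hex()


# Constructed sample; variable and function names are random-looking by design.
SAMPLE_VBS = f'''On Error Resume Next
Dim qzxv, mplk
Function kdsj(h)
    Dim i, o
    For i = 1 To Len(h) Step 2
        o = o & Chr(CLng("&H" & Mid(h, i, 2)))
    Next
    kdsj = o
End Function
qzxv = kdsj("{_hex("WScript.Shell")}")
Set mplk = CreateObject(qzxv)
mplk.Run Chr(&H63) & Chr(&H61) & Chr(&H6C) & Chr(&H63), 0, False
mplk.Run kdsj("{_hex("cmd.exe /c echo test")}"), 0, False
'''

if __name__ == "__main__":
    result = deobfuscate(SAMPLE_VBS)
    print(result["script"])
    print("decoders:", result["decoders"], "strings:", result["strings"],
          "On Error Resume Next:", result["error_suppression"])
```

The decoder is matched by what its body does, not by name, so the same pass works when the sample's random identifiers change between builds; calls to functions that are not recognised decoders are left untouched.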
KISA warns that vulnerable INNORIX Agent versions 9.2.18.001 through 9.2.18.538 can allow external file download and execution, creating an exploitation path that could be abused for malware delivery or follow-on compromise. Affected organizations are adv…
Connectivity to North Korea-linked AS131279 dropped on March 18, 2025 after changes to the SOA record and Route Origin Authorization for 175.45.176.0/22. The new ROA authorized AS131279 as the origin but set the maximum prefix length to /22, while the net…
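The ROA change above matters because of how Route Origin Validation treats the maxLength field: a ROA for 175.45.176.0/22 with maxLength 22 authorises only the /22 itself from AS131279, so any more-specific announcement is covered by the ROA but matches no entry and is Invalid, even with the right origin AS. The following is an added example, not code from the cited report, implementing the RFC 6811 validation states in Python. The ROA values are taken from the report; the announced routes and the "permissive" ROA with maxLength 24 are constructed for illustration.

```python
"""Route Origin Validation (RFC 6811) for one prefix/ROA pair.

Added example; not code from the cited report. The ROA (175.45.176.0/22,
origin AS131279, maxLength 22) is taken from the report. The announced
routes below are constructed to show the effect of the maxLength field.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    prefix: str      # e.g. "175.45.176.0/22"
    asn: int         # authorised origin AS
    max_length: int  # longest prefix length the ROA permits


def rov_state(prefix: str, origin_asn: int, roas: list[ROA]) -> str:
    """Return 'valid', 'invalid' or 'not-found' per RFC 6811 section 2.

    covered : some ROA prefix contains the announced prefix
    matched : covered, same origin AS, and announced length <= maxLength
    valid   : at least one match; invalid: covered but never matched
    """
    route = ipaddress.ip_network(prefix, strict=False)
    covered = False
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix, strict=False)
        if roa_net.version != route.version or not route.subnet_of(roa_net):
            continue
        covered = True
        if roa.asn == origin_asn and route.prefixlen <= roa.max_length:
            return "valid"
    return "invalid" if covered else "not-found"


# ROA as described in the report: origin authorised, but maxLength pinned to /22.
REPORTED_ROA = [ROA("175.45.176.0/22", 131279, 22)]
# Hypothetical ROA that would also cover /24 announcements (not from the report).
PERMISSIVE_ROA = [ROA("175.45.176.0/22", 131279, 24)]


def explain(prefix: str, origin_asn: int, roas: list[ROA]) -> str:
    return f"{prefix} from AS{origin_asn}: {rov_state(prefix, origin_asn, roas)}"


if __name__ == "__main__":
    # Constructed announcements: the aggregate and two more-specifics.
    for p in ("175.45.176.0/22", "175.45.176.0/24", "175.45.177.0/24"):
        print(explain(p, 131279, REPORTED_ROA), "|", explain(p, 131279, PERMISSIVE_ROA))
    print(explain("175.45.176.0/24", 64512, PERMISSIVE_ROA))  # wrong origin -> invalid
```

Networks that drop Invalid routes will discard the more-specifics under the reported ROA; the aggregate /22 from AS131279 stays Valid in both cases, which is why the visible effect depends on what the origin network actually announces.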
Trend Micro ZDI found extensive exploitation of ZDI-CAN-25373, a Windows shortcut vulnerability that lets crafted .lnk files hide malicious command-line arguments and execute payloads. The research says 11 state-sponsored groups from North Korea, Iran, Ru…
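The .lnk technique above relies on the COMMAND_LINE_ARGUMENTS string being padded with whitespace (Space, Tab, LF, VT, FF, CR) so that the target field in the Windows properties dialog shows nothing unusual; the excerpt here does not spell that out, but it is the mechanism ZDI published for ZDI-CAN-25373. The following is an added example, not code from the ZDI/Trend Micro research: a Python parser that walks the MS-SHLLINK layout as far as the StringData section, pulls out the argument string and scores the leading whitespace. The .lnk bytes are constructed by build_lnk() (header, RELATIVE_PATH and COMMAND_LINE_ARGUMENTS only); the threshold of 64 padding characters is an assumption.

```python
"""Pull COMMAND_LINE_ARGUMENTS out of a .lnk and flag whitespace padding.

Added example; not code from the ZDI/Trend Micro research. Walks the
MS-SHLLINK layout only as far as the StringData section. The .lnk bytes
are constructed by build_lnk(); the padding heuristic follows the published
description of ZDI-CAN-25373.
"""
import struct

HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80
HEADER_SIZE = 0x4C
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
# Space, TAB, LF, VT, FF, CR: the characters used for padding.
PADDING = " \t\n\x0b\x0c\r"
STRING_DATA_ORDER = (
    (HAS_NAME, "name"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
)


def parse_string_data(data: bytes) -> dict[str, str]:
    """Return the StringData fields present in a Shell Link file."""
    if len(data) < HEADER_SIZE or data[4:20] != LINK_CLSID:
        raise ValueError("not a Shell Link file")
    if struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE:
        raise ValueError("bad HeaderSize")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    off = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:            # IDListSize (2 bytes) + IDList
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:                      # LinkInfoSize counts itself
        off += struct.unpack_from("<I", data, off)[0]
    width, codec = (2, "utf-16-le") if flags & IS_UNICODE else (1, "cp1252")
    fields = {}
    for flag, name in STRING_DATA_ORDER:           # fixed order in the spec
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, off)[0]   # CountCharacters
        off += 2
        fields[name] = data[off:off + count * width].decode(codec)
        off += count * width
    return fields


def padding_report(arguments: str, threshold: int = 64) -> dict:
    """Measure leading whitespace; a long run before the real arguments is the tell."""
    visible = arguments.lstrip(PADDING)
    pad = len(arguments) - len(visible)
    return {"padding_chars": pad, "hidden_arguments": visible.rstrip(),
            "suspicious": pad >= threshold}      # threshold is an assumption


def build_lnk(arguments: str, relative_path: str = r"..\..\Windows\System32\cmd.exe") -> bytes:
    """Constructed minimal .lnk: header + RELATIVE_PATH + COMMAND_LINE_ARGUMENTS (Unicode)."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I", HEADER_SIZE) + LINK_CLSID + struct.pack("<I", flags)
    header += b"\x00" * (HEADER_SIZE - len(header))   # remaining header fields zeroed

    def sd(s: str) -> bytes:
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    return header + sd(relative_path) + sd(arguments)


def triage(data: bytes) -> dict:
    """End-to-end: parse, then score the argument string."""
    fields = parse_string_data(data)
    return padding_report(fields.get("arguments", ""))


if __name__ == "__main__":
    print(triage(build_lnk("/c echo benign")))
    print(triage(build_lnk(" " * 300 + "/c echo padded")))
```

For real files, run triage() over the bytes of each .lnk from mail attachments or archive extractions; a high padding count with a non-empty hidden_arguments is the condition worth alerting on, since the properties dialog will not show it.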
Rewterz summarizes Kimsuky, also known as Black Banshee, as a North Korean APT active since at least 2012 and focused on espionage against targets including South Korea, Japan, and the United States. The advisory lists common tradecraft such as phishing, …
KoSpy is Android spyware linked to Ricochet Chollima, also known as APT37, Inky Squid, RedEyes, ScarCruft, and Reaper. The malware masquerades as utility apps, has appeared in Google Play and third-party stores such as Apkpure, and retrieves an encrypted …
OKX says it detected a coordinated Lazarus effort to misuse its DeFi services through OKX Web3, which it characterizes as a DEX aggregator rather than a custodian of customer assets. In response, the company temporarily suspended its DEX aggregator servic…
Sygnia summarizes the February 2025 Bybit heist as a multi-stage compromise attributed by the FBI to TraderTraitor, also known as Lazarus Group and UNC4899. The attack began with a Safe{Wallet} developer's macOS workstation, likely compromised through soci…
NSHC’s January 2025 intelligence report recorded four SectorA clusters, with activity observed in Brazil, the United States, Russia, Poland, the Netherlands, France, South Korea, the United Kingdom, and Japan. SectorA01 impersonated recruiters on LinkedIn…
Lazarus is reported to have distributed six malicious npm packages through typosquatting and package impersonation, exposing developers to credential theft, sensitive data collection, backdoor installation, and malicious code execution during software bui…
Kimsuky activity described in the source uses a PowerShell malware sample tracked as 1.ps1 to collect host, user, process, disk, and IP information into temporary files and stage the data for exfiltration. The report publishes hashes for the sample and sh…
SlowMist analyzes a LinkedIn recruiting lure that pushed a blockchain engineer toward a Bitbucket project for a supposed Socifi game and staking platform. The repository hid a malicious payload far to the right of an otherwise normal-looking server.js lin…
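The hiding technique above (a payload pushed far to the right of an ordinary-looking server.js line, past the edge of an editor window) is cheap to check for mechanically. The following is an added example, not SlowMist's tooling: a Python scanner that flags source lines where real code follows a long run of spaces or tabs, ignores plain indentation, and notes which risky tokens sit in the off-screen part. SAMPLE_SERVER_JS is constructed; its hidden tail is a placeholder with the shape of such a payload (BLOB is undefined on purpose), and the 40-column gap is an assumed threshold.

```python
"""Find code hidden far to the right of a source line.

Added example; not the SlowMist tooling. SAMPLE_SERVER_JS is constructed;
the hidden tail only resembles the shape of such a payload.
"""
import re

# Tokens worth calling out if they sit in the off-screen part of a line.
MARKERS = ("eval(", "new Function", "child_process", "atob(", "fromCharCode", "Buffer.from")


def find_hidden_tails(source: str, min_gap: int = 40) -> list[dict]:
    """Report lines where real code follows >= min_gap spaces/tabs.

    Leading indentation is ignored: the gap must be preceded by visible code,
    which is what pushes the remainder past the edge of an editor window.
    """
    gap_re = re.compile(rf"[ \t]{{{min_gap},}}(?=\S)")
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        m = gap_re.search(line)
        if not m or not line[:m.start()].strip():
            continue
        hidden = line[m.end():]
        findings.append({
            "line": lineno,
            "visible": line[:m.start()].rstrip(),
            "hidden_at": m.end(),            # column where the hidden code begins
            "hidden": hidden,
            "markers": [t for t in MARKERS if t in hidden],
        })
    return findings


# Constructed server.js: four normal lines, plus a tail glued to the last one.
# BLOB is deliberately undefined; this is a shape, not a working payload.
_TAIL = "(function(){const c=require('child_process');eval(Buffer.from(BLOB,'base64').toString());})();"
SAMPLE_SERVER_JS = "\n".join([
    "const express = require('express');",
    "const app = express();",
    "app.get('/health', (req, res) => res.json({ ok: true }));",
    "app.listen(3000, () => console.log('listening'));" + " " * 240 + _TAIL,
]) + "\n"


def scan_repo_text(files: dict[str, str]) -> list[tuple[str, int, list[str]]]:
    """Run the check over a mapping of path -> contents (a checkout, in practice)."""
    return [(path, f["line"], f["markers"])
            for path, text in files.items()
            for f in find_hidden_tails(text)]


if __name__ == "__main__":
    for f in find_hidden_tails(SAMPLE_SERVER_JS):
        print(f"server.js:{f['line']}: hidden code at column {f['hidden_at']}, markers={f['markers']}")
```

Running scan_repo_text() over every .js/.ts file in a recruiter-supplied repository before executing npm install or npm start catches this layout trick; it does not replace reading the install scripts and dependencies, which the same lures commonly abuse.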
The article attributes the February 2025 Bybit theft to TraderTraitor, also tracked as Jade Sleet, UNC4899, and Slow Pisces, and describes it as a 19-day operation against Bybit's Safe wallet workflow. The attackers allegedly compromised Safe infrastructu…