A LinkedIn recruiter-themed lure pushed a developer toward a Bitbucket repository and pressured them to run the project quickly, matching fake-job social engineering used to compromise software developers. The repository’s visible Node.js code appeared or…
Konni activity described in the source uses an ECRM-themed HWP LNK lure that impersonates South Korea's cybercrime reporting system and launches mshta with obfuscated JavaScript and PowerShell commands. The malware chain relies on shortcut-file execution,…
PSCORE's report examines North Korea's cyber threats as state-sponsored activity with security and human-rights consequences, emphasizing that cyber operations support control, manipulation, surveillance, and global coercion rather than only technical dat…
Rekt News summarizes reporting on the Bybit Safe{Wallet} compromise as a TraderTraitor and Lazarus-linked social-engineering operation against a Safe developer. The article cites forensic work from Sygnia, Verichains, Mandiant, Safe, and Bybit showing tha…
ASEC found a malicious HWP file linked from a March 5 post recruiting students for a reunification-related course, where the HWP download was disguised as an application form. Opening the document created a normal decoy document, document.bat, scheduled-t…
AhnLab reports a malicious HWP document distributed through a unification education application post, where the downloaded file masquerades as a legitimate application form while dropping BAT, executable, manifest, and scheduled-task XML components into t…
NSHC's January 2025 threat actor report identifies four SectorA clusters, the report's North Korea-aligned grouping, active across Brazil, the United States, Russia, Poland, the Netherlands, France, South Korea, the United Kingdom, and Japan. SectorA01 us…
S2W analyzed DocSwap, an Android malware sample first seen in January 2025 that disguised itself as a document viewing authentication app and appeared aimed at South Korean mobile users based on Korean-language strings and the app lure. The malware decryp…
The Financial Security Institute warns that state-backed hacking groups are targeting financial institutions and consumers with phishing emails carrying malicious LNK files or document scripts disguised as virtual-asset materials from financial authoritie…
The Pragmatic Engineer case study describes how Vidoc Security nearly hired fake remote developer candidates who used AI-generated video disguises and false professional identities during interviews. The article treats the incident as part of a wider fake…
Through Research Center 227, North Korean authorities appear to be planning to neutralize Western countries’ cybersecurity systems while strengthening hacking capabilities aimed at stealing information and assets and disrupting computer networks. North Ko…
BI.ZONE attributes a December 2024 recruiter-themed phishing campaign against an industrial organization to Squid Werewolf, also known as APT37, Ricochet Chollima, ScarCruft, and Reaper. The lure used a password-protected job-offer ZIP containing an LNK f…
The criminals, known as the Lazarus Group, swiped the huge haul of digital tokens in an audacious and remarkable hack on the crypto exchange ByBit last month. Hackers thought to be working for the North Korean regime have successfully cashed out hundreds …
The thread describes a North Korea-linked social-engineering attempt that used a fake executive persona and legitimate-looking scheduling material to build trust with the target. The attacker moved the interaction from a Google Meet scheduling flow to a f…
Lookout identifies KoSpy as an Android spyware family attributed with medium confidence to North Korea-linked APT37, also known as ScarCruft, targeting Korean and English-speaking users. Samples masquerade as utility apps such as file managers, software u…