ENKI links a set of VirusTotal-hunted LNK samples to Konni activity associated with North Korean operations and describes a multi-stage infection chain ending in an AsyncRAT variant. The LNK files extract and execute obfuscated PowerShell from embedded da…
Validin pivots from Safe{Wallet}, SlowMist, and Mandiant/Google Cloud indicators tied to the FBI-attributed North Korean Lazarus Group Bybit hack to hunt for related command-and-control infrastructure. The analysis uses rare host-response traits from gets…
Foresiet links several early-2025 cryptocurrency theft and laundering events to a broader pattern of DPRK-linked crypto operations, while noting that responsibility for the Bybit outflow was not yet confirmed. The DPRK-relevant evidence includes a suspect…
A fake Web3 recruiting process led a freelance developer to run a project that installed malware through an unfamiliar npm package named process-log. The package started a second Node.js server, fetched obfuscated JavaScript from npoint.io JSON endpoints,…
To perform this attack, the attackers targeted Safe{Wallet}, a widely used multi-signature wallet solution that required multiple approvals (in Bybit’s case, at least three signers) before executing a transaction. These changes were subtle and specificall…
North Korea’s Lazarus Group continues to infiltrate the npm ecosystem, deploying six new malicious packages designed to compromise developer environments, steal credentials, extract cryptocurrency data, and deploy a backdoor. The secondary payload (SHA256…
ASEC reports Lazarus compromises South Korean Windows IIS web servers and turns them into first-stage C2 infrastructure using ASP web shells and proxy scripts. The January 2025 cases resembled earlier Lazarus activity but used a newer C2 script that suppo…
By 2023, APT37 had shifted to phishing campaigns targeting users on both Windows and Android platforms. Infection Vector: The attack begins with phishing emails containing ZIP attachments that hide malicious LNK files, masquerading as documents related to…
A Kimsuky-linked LNK file masquerades as a Korean PDF addressed to an executive associated with Blocore and Gameberry, suggesting targeting of technology-sector leadership. The shortcut contains AES-encrypted data and embedded PowerShell that decrypts a s…
Arkham reports that Lazarus laundered the Bybit ETH cold-wallet proceeds by bridging 500,000 ETH, worth about $1.3 billion, from Ethereum into native Bitcoin. About 72% moved through THORChain, with other flows using THORChain frontends, AsgarDEX, and eXc…
While he claimed eight years of software engineering experience, a review of his GitHub contributions revealed patterns consistent with other DPRK-linked accounts. This operation highlights a larger systematic effort by North Korea to embed IT workers wit…
GTIG says North Korean IT workers have expanded beyond salary fraud into extortion, data theft, and operations inside corporate virtual desktops, networks, and servers. The scheme uses fake identities, resumes, profiles, and remote technical roles to plac…
A Konni-linked LNK sample masqueraded as a 2024 year-end tax settlement guide document and embedded heavily obfuscated PowerShell in the shortcut command line. The script searched for a PowerShell executable, extracted and XOR-decrypted payload data from …
ESRC reports a Kimsuky watering-hole attack that abused an application document for a university-hosted unification education program. Visitors seeking the application could download a malicious HWP file whose visible link text triggered an embedded OLE o…
Moonstone Sleet is known for combining many techniques successfully used by other North Korean threat actors as well as unique attack methodologies to target organizations for their financial and cyberespionage objectives. Since late February 2025, Micros…