AhnLab attributes a Japan-focused phishing operation to Larva-24005, a Kimsuky sub-group supported by North Korea. The actor compromised South Korean Windows systems over RDP, in some cases exploiting BlueKeep, then installed RDPWrap, a keylogger, XAMPP, …
CrowdStrike's 2025 Global Threat Report landing page highlights FAMOUS CHOLLIMA as a DPRK-relevant actor using generative AI to support insider-threat and social-engineering operations. The excerpt says social engineering, cloud intrusions, and malware-fr…
SlowMist examines the Bybit theft as a targeted Lazarus Group attack in which a compromised Safe{Wallet} developer environment enabled malicious front-end code to alter a multisig transaction proposal. The attack injected malicious JavaScript into Safe{Wa…
Nurilab describes phishing sites impersonating DeepSeek and abusing the brand's popularity to lure users into a fake partnership registration flow. The site presents a Captcha-like process that instructs users to press Windows+R, paste clipboard content, …
Trend's TA-Ant report is described as a cyber threat report that requires defender review of the published evidence. The source discusses attacker tradecraft, victim targeting, malware or infrastructure references, and operational context that may affect detection en…
AhnLab reports that Larva-24005, identified as a Kimsuky sub-group, compromised poorly secured Windows RDP hosts in South Korea and used them as phishing infrastructure. The actor installed RDPWrap, a custom keylogger, XAMPP, PHPMailer, and Japanese IME s…
Stolen credentials from infected devices provide cybercriminals with backdoor access to corporate systems, facilitating ransomware, APT campaigns, and fraud. These compromised hosts became prime entry points for ransomware operations, APT campaigns, and l…
Sygnia's interim Bybit report concludes that malicious code served from Safe{Wallet}'s AWS S3 infrastructure manipulated the transaction during the February 21, 2025 ETH cold-wallet signing process. Forensic review of the three signer hosts found cached S…
Verichains' preliminary Bybit report says the February 21, 2025 breach drained more than $1.4 billion from Bybit's Ether multisignature cold wallet, including 401,347 ETH plus stETH, mETH, and cmETH. The attacker first deployed malicious contracts, then u…
Safe{Wallet}'s forensic statement says the Bybit attack attributed to Lazarus was enabled by a compromised Safe{Wallet} developer machine that led to a disguised malicious transaction proposal for a Bybit Safe account. External reviewers did not find vuln…
Huntabil.IT connects the WazirX, Radiant Capital, and Bybit compromises to a pattern of capable adversary-in-the-middle attacks against multi-signer cryptocurrency workflows. The source highlights the WazirX case, where the attacker allegedly changed what…
The Federal Bureau of Investigation (FBI) is releasing this PSA to advise that the Democratic People's Republic of Korea (North Korea) was responsible for the theft of approximately $1.5 billion USD in virtual assets from the cryptocurrency exchange Bybit, on or …
The excerpt is a landing-page teaser for Chainalysis' 2025 Crypto Crime Report rather than a detailed CTI write-up. It states that cryptocurrency has become a tool across many forms of crime and that the report will provide data-science and expert insight…
Danchev's preserved excerpt is an indicator-oriented note on a malicious JavaScript sample associated by the article title with Bybit UI spoofing. The text says the script was not obfuscated and that the author extracted callback URLs, Safe ecosystem endp…
NSHC's December 2024 threat actor report observed 65 total group activities, with SectorJ accounting for 49% and SectorA and SectorE following. SectorA activity included recruitment-themed social engineering, a Korean LNK lure named for Kim Guk-seon's lec…