Bybit published an incident update about unauthorized activity involving an ETH cold wallet. The excerpt does not provide technical details about actor attribution, infection chain, infrastructure, IOCs, or recovery actions. Based only on the available te…
Trail of Bits frames the February 2025 Bybit theft as an operational-security compromise rather than a smart-contract exploit, with attackers allegedly manipulating what multisig signers saw while collecting valid approvals. The article connects the Bybit…
The DPRK-relevant section analyzes a Kimsuky malicious LNK sample used for initial access and payload staging. The shortcut points to mshta.exe, a legitimate Windows utility, and uses obfuscated JavaScript to run PowerShell with execution policy bypass. T…
A Korean security firm reported that a suspected nation-state hacking group stole a product code-signing certificate, creating a supply-chain risk because signed malware can appear to be legitimate software and bypass some security controls. The source sa…
ESET tracks DeceptiveDevelopment as a North Korea-aligned cluster that targets freelance software developers, especially people working on cryptocurrency and DeFi projects. Operators pose as recruiters or headhunters on job and freelancing platforms, then…
The sample is attributed in the source to North Korea's KONNI group and uses a large Windows shortcut disguised as a virtual-asset business inspection and party-government meeting HWP document. The LNK launches obfuscated PowerShell that searches for a Po…
Kandji analyzes DriverEasy.app, a Swift and Objective-C macOS application attributed in the source to North Korea’s Contagious Interview activity. The app masquerades as a Google Chrome or Google-related prompt, asks for microphone permission, then displa…
APT-C-28 (ScarCruft), also known as APT37, Reaper, and Group123, targeted South Korean government and enterprise personnel with phishing archives containing malicious LNK files. The LNK files used PowerShell to extract decoy documents, malicious BAT and P…
NSHC’s December 2024 report lists four SectorA groups active in DPRK-linked operations, with activity observed in South Korea and Russia as well as South Korea-focused targeting. SectorA01 used LinkedIn hiring-manager impersonation and fake job opportunities, with…
IGLOO analyzed two GitHub accounts, CryptoNinja0331 and ican0220, as likely infrastructure for North Korean IT worker fake-employment activity. The repositories held resume and portfolio material, fake profile images, email and Upwork account data, projec…
Chollima Group tracks a North Korean IT worker cell using open-source data, photos, and logs discovered in an exposed Dropbox folder. The reporting places the cluster in Laos from roughly September 2021 to February 2024, with some members later appearing …
The article presents an adversary simulation based on Labyrinth Chollima activity targeting people in the energy and aerospace sectors with job-description lures. The simulated chain uses a password-protected ZIP containing an encrypted PDF and a trojaniz…
The write-up analyzes Moonstone Sleet activity involving a trojanized PuTTY installer delivered through platforms such as LinkedIn and Telegram. The installer checks the victim-entered password against a hardcoded value before decrypting the next-stage pa…
SOCRadar's 2024 APT roundup profiles Lazarus Group as a North Korean state-sponsored actor tied to espionage, disruptive activity, and large-scale financial theft. The Lazarus section says the group intensified fake recruitment and developer-focused opera…
S2W TALON analyzed LINKON malware associated with the North Korea-backed KONNI group, delivered as an LNK file disguised as a South Korean Financial Services Commission virtual-asset inspection document. The January 2025 sample used PowerShell to drop and…