Nurilab analyzes malware distribution that mirrors the Lazarus ClickFix technique, in which a fake CAPTCHA page persuades the victim to copy and run a script through social engineering. The script downloads an rzy.mp3 file from the web server and executes…
Christina Marie Chapman pleaded guilty in Washington, D.C. to helping overseas IT workers pose as U.S. citizens and residents to obtain remote jobs at more than 300 U.S. companies. Prosecutors said she hosted company laptops at her Arizona home to make th…
A U.S. court case described Christina Marie Chapman’s role in helping North Korean IT workers obtain remote jobs at more than 300 U.S. companies. Prosecutors said Chapman helped workers use stolen identities from more than 70 U.S. citizens and operated a …
A 360 review of 2024 public APT activity counted more than 730 reports covering 124 groups, including 41 groups disclosed for the first time. The excerpt says state-linked intrusion activity tracked geopolitical competition and regional conflicts, with go…
NSHC's November 2024 Japanese threat actor report says SectorA activity included five North Korea-linked clusters, with operations observed across Korea, the United States, the United Kingdom, Japan, Russia, and other regions. The SectorA examples include…
The source analyzes malware attributed to Kimsuky that was distributed as a ZIP archive masquerading as a lifetime membership notice. The archive evidence includes a SHA-256 hash and an encoded PowerShell-style command chain that retrieves files from Drop…
USD 2.2 billion was stolen in crypto-related hacks. Crypto-related hacks saw a 17% year-over-year increase, with North Korean-linked groups alone stealing nearly USD 800 million. While progress has been made in curbing illicit activities, crypto crime rema…
Play, also known as PlayCrypt, is a double extortion ransomware family active since mid-2022 against corporations, municipal entities, and critical infrastructure in the Americas and Europe. The source describes initial access through exposed services, ph…
Targeted Threats Research - South & North Korea (a breakdown of 3 years of threat research in Korea)
The report examines nearly three years of targeted digital threats against five civil society organizations in South Korea, with a focus on activists, journalists, and human rights defenders working on North Korea-related issues. It argues that these grou…
Attackers posed as job seekers or collaboration partners, typically approaching victims through LinkedIn and sending a seemingly legitimate project that executed malicious code when run. The activity targeted Web3 companies and individuals working with sm…
The author analyzes a malicious Python infostealer delivered through a cloned Git repository and compares the pattern to Lazarus Contagious Interview activity against developers. The script uses repeated reversed Base64 and zlib decoding stages before rev…
The excerpt analyzes a Kimsuky-linked LNK file disguised as a transaction statement Excel spreadsheet. The shortcut contains Base64-encoded PowerShell that downloads and executes Dropbox-hosted payloads, writes scripts such as chrome.ps1 and system_first.…
NSHC reports five SectorA clusters active in November 2024, with targeting across South Korea, the United States, the United Kingdom, Russia, Japan, and other regions. SectorA01 abused remote hiring processes and fake identities to obtain jobs and steal s…
The Python malware ultimately delivers a .NET-based binary capable of launching a Tor proxy server for secure C2 communications, exfiltrating system data, logging keystrokes, stealing credentials, and deploying a cryptocurrency miner. The Lazarus Group's …
This attack exploits job seekers and developers, tricking them into installing malware disguised as legitimate applications. These tactics align with previously documented North Korean cyber-espionage campaigns. Beyond targeting job seekers, attackers hav…