Genians analyzes an APT37 campaign that used identity impersonation and a Korean messenger group chat channel to deliver malicious HWP and LNK files. The report highlights spear phishing, lateral-movement risk after initial endpoint compromise, evasion-fo…
2025 (778 reports)
The report analyzes a phishing email attributed as likely Kimsuky that impersonates Kakao customer support and warns recipients that an account will become dormant. It identifies suspicious sender infrastructure, mismatched Kakao branding, and mail-header…
The report analyzes a suspected Kimsuky phishing email that impersonates a Korean tax payment notice delivered through a Naver-style electronic document theme. The lure pressures users to open the notice before an authentication deadline while the sending…
Socket found a malicious npm package, postcss-optimizer, that impersonated the legitimate postcss library and contained BeaverTail malware linked to North Korean Contagious Interview activity within the broader Lazarus ecosystem. The package targeted deve…
Google Threat Intelligence Group examined how government-backed APT and information-operations actors attempted to use Gemini for operational support. The source says actors used the tool mainly for research, troubleshooting, content generation, localizat…
SecurityScorecard describes Operation Phantom Circuit as a Lazarus Group campaign that embedded malware in trusted development tools to compromise cryptocurrency and technology developers worldwide. The infrastructure used C2 servers active from late 2024…
Hunt.io identifies additional SparkRAT infrastructure tied to a suspected DPRK macOS campaign previously observed using fake meeting-themed lures. The activity includes open directories serving bash scripts and Mach-O SparkRAT clients, with delivery paths…
Farnsworth Intelligence lists IP addresses allegedly used by North Korean IT-worker farms to connect into U.S. companies through remote desktop tooling, including RustDesk and AnyDesk-style access. The source warns that the operators also abuse legitimate…
NuriLab analyzes Maui ransomware, a file-encryption malware family reported in U.S. advisories as affecting public health and healthcare organizations since 2021. The report says Maui likely spread through X-PopUp, an open-source messenger used by small a…
KISA analyzes four malware types attributed to Lazarus activity observed in 2024 incidents affecting South Korean private-sector organizations, including IT companies and a major media company. The first type uses DLL side-loading, MachineGuid-based CRC32…
Securr describes the Phemex incident as a January 2025 hot-wallet breach that caused at least $37 million in unauthorized withdrawals across multiple blockchain networks. The report says attackers executed more than 125 suspicious transactions on chains i…
Rekt News describes a January 2025 compromise of Phemex hot wallets that drained roughly $73 million across more than a dozen blockchains. The attacker moved through wallets on Ethereum, Solana, XRP, Bitcoin, BSC, Sui, Base, Tron, Litecoin, Avalanche, Arb…
AhnLab reports that Andariel used malicious files and a CreateHiddenAccount-style tool to perform RID hijacking during Windows intrusions. The technique modifies SAM registry values so a low-privilege or newly created hidden account is treated as having t…
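The RID hijacking described above leaves a measurable inconsistency in the SAM hive: each user lives under a subkey named by its RID in hex (for example `000001F4` for the built-in Administrator), and the subkey's `F` value carries the account's RID again as a 4-byte little-endian field at offset 0x30. A tool that rewrites that field to 500 on a low-privilege or hidden account makes the key name and the `F` field disagree. The following check is an added example written for this page, not code from AhnLab's report or from the CreateHiddenAccount tool; it assumes the 0x30 offset of the `F` value (the documented SAM layout) and runs over a constructed set of user subkeys rather than a live hive, since reading `HKLM\SAM` requires SYSTEM privileges or an offline hive copy.

```python
import struct
from dataclasses import dataclass

# Offset of the RID field inside a SAM user subkey's "F" value (4-byte little-endian).
# Assumption: documented SAM layout; verify against a hive from your own environment.
F_RID_OFFSET = 0x30
BUILTIN_ADMIN_RID = 500


@dataclass(frozen=True)
class Finding:
    key_name: str   # SAM subkey name, e.g. "000003E9"
    key_rid: int    # RID implied by the subkey name
    f_rid: int      # RID stored in the F value
    note: str


def build_f_value(rid: int, size: int = 0x50) -> bytes:
    """Construct a minimal F value for test data (only the RID field is populated).
    Real F values carry timestamps, ACB flags and more; this is constructed input."""
    buf = bytearray(size)
    struct.pack_into("<I", buf, F_RID_OFFSET, rid)
    return bytes(buf)


def rid_from_f(f_value: bytes) -> int:
    """Extract the RID field from a user subkey's F value."""
    if len(f_value) < F_RID_OFFSET + 4:
        raise ValueError("F value too short to contain a RID field")
    return struct.unpack_from("<I", f_value, F_RID_OFFSET)[0]


def check_sam_users(users: dict[str, bytes]) -> list[Finding]:
    """Flag every user subkey whose name (hex RID) disagrees with the RID in its F value.
    `users` maps subkey name -> raw F value bytes, as collected from
    HKLM\\SAM\\SAM\\Domains\\Account\\Users on a live host or from an offline hive."""
    findings: list[Finding] = []
    for key_name, f_value in users.items():
        key_rid = int(key_name, 16)
        f_rid = rid_from_f(f_value)
        if f_rid == key_rid:
            continue
        note = "RID field in F value does not match subkey name"
        if f_rid == BUILTIN_ADMIN_RID:
            note = "RID field rewritten to 500: account will be treated as built-in Administrator"
        findings.append(Finding(key_name, key_rid, f_rid, note))
    return findings


# Constructed sample: three consistent accounts and one hijacked account (RID 1001 -> 500).
SAMPLE_USERS: dict[str, bytes] = {
    "000001F4": build_f_value(500),    # Administrator, consistent
    "000001F5": build_f_value(501),    # Guest, consistent
    "000003E9": build_f_value(500),    # hidden low-privilege account with F RID set to 500
    "000003EA": build_f_value(1002),   # ordinary user, consistent
}


if __name__ == "__main__":
    for finding in check_sam_users(SAMPLE_USERS):
        print(f"{finding.key_name}: key RID {finding.key_rid}, "
              f"F RID {finding.f_rid} -> {finding.note}")
```

Because the Local Security Authority resolves the token's RID from the `F` value, this mismatch is the property to hunt for; also compare the result against `net user` or `Get-LocalUser` output, since accounts created with a trailing `$` may be hidden from that listing while still present in the hive.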
The Korean analysis attributes a tax-collection correction request-themed `.hwp.lnk` sample to Konni APT, a North Korean-linked group described as targeting government and organizational victims in South Korea and the United States. The LNK command search…
ESRC reports an active phishing campaign impersonating domestic portal customer-support notices, including takedown, account-change, and policy-violation themes. The emails contain buttons leading to attacker-controlled phishing pages that closely mimic l…