The FBI warned that North Korean IT workers have expanded beyond revenue generation into data theft and extortion against U.S. businesses. Recent cases include workers using unlawful network access to exfiltrate proprietary data and code, copy repositorie…
2025: 778 reports
The U.S. Justice Department indicted two North Korean nationals and three alleged facilitators for a remote IT worker scheme that obtained jobs at at least 64 U.S. companies from 2018 to 2024. Prosecutors allege the defendants used forged and stolen ident…
Nisos traced a likely DPRK IT worker who appears to have used multiple personas to obtain remote software engineering and full stack developer roles with Japanese companies. The investigation pivoted from an email address cited in a UN sanctions report to…
Logpresso reports a Kimsuky-linked APT attack against prominent Korean law firms using a malicious Hangul document lure related to a defense industry digital innovation seminar. The document used password protection and OLE object execution to drop files …
S2W analyzed a January 2025 phishing email that used a defense industry digital innovation seminar lure to deliver a malicious HWP document linked to Kimsuky Babyshark activity. The attachment embedded an OLE object that dropped files for persistence and …
AhnLab reports that the Andariel threat group used RID Hijacking during intrusions to manipulate Windows account relative identifier values and elevate privileges. The technique can make a limited or guest account inherit administrator-like access, suppor…
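The AhnLab summary above describes RID hijacking as rewriting the relative identifier stored for a low-privilege account so that it resolves as an administrator. The following Python is an added example written for this page (not AhnLab's tooling and not anything attributed to Andariel) showing the check a defender would run over exported SAM user entries: the registry key name under HKLM\SAM\SAM\Domains\Account\Users is the account's RID in hex, and the account's F value carries its own copy of the RID, so a mismatch between the two is the artifact a hijack leaves behind. The F-value layout (RID as a little-endian DWORD at offset 0x30) and the sample entries are assumptions constructed for the example; confirm the offset against your own SAM dumps before relying on it.

```python
import struct

# Assumption (from public RID-hijacking write-ups, not from the AhnLab report):
# the account RID is stored in the F value as a little-endian DWORD at 0x30.
RID_OFFSET = 0x30
ADMIN_RID = 500  # built-in Administrator


def make_f_value(rid: int, size: int = 0x50) -> bytes:
    """Build a minimal F blob with the RID at RID_OFFSET (constructed test data only)."""
    buf = bytearray(size)
    buf[RID_OFFSET:RID_OFFSET + 4] = struct.pack("<I", rid)
    return bytes(buf)


def embedded_rid(f_value: bytes) -> int:
    """Return the RID recorded inside an F value."""
    if len(f_value) < RID_OFFSET + 4:
        raise ValueError("F value too short to contain a RID")
    return struct.unpack_from("<I", f_value, RID_OFFSET)[0]


def find_rid_hijacks(users: dict[str, bytes]) -> list[dict]:
    """Flag accounts whose key-name RID disagrees with the RID inside their F value.

    `users` maps the hex key name (e.g. "000001F5") to the raw F value bytes.
    A mismatch means the F value was rewritten; if the new RID is 500 the
    account now resolves as Administrator, which is the Andariel technique.
    """
    findings = []
    for key_name, f_value in users.items():
        key_rid = int(key_name, 16)
        f_rid = embedded_rid(f_value)
        if key_rid != f_rid:
            findings.append({
                "key": key_name,
                "key_rid": key_rid,
                "f_rid": f_rid,
                "elevated_to_admin": f_rid == ADMIN_RID,
            })
    return findings


# Constructed sample: Administrator and a normal user are consistent,
# Guest (RID 501) has had its F value rewritten to point at RID 500.
SAMPLE_USERS = {
    "000001F4": make_f_value(500),
    "000001F5": make_f_value(500),
    "000003E9": make_f_value(1001),
}

if __name__ == "__main__":
    for hit in find_rid_hijacks(SAMPLE_USERS):
        print(f"RID hijack: key {hit['key']} (RID {hit['key_rid']}) "
              f"now carries RID {hit['f_rid']}, admin={hit['elevated_to_admin']}")
```

On a live host the SAM hive is readable only as SYSTEM, so in practice the F values come from a hive export or a forensic image; the check itself is the same comparison. Pair it with a baseline of which RIDs exist, since an attacker who also enables the hijacked Guest account leaves a separate enabled-account change to alert on.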
A source listed only as "Trend, Youtube" is described as a cyber threat report requiring defender review of the published evidence. The source discusses attacker tradecraft, victim targeting, malware or infrastructure references, and operational context that may affect detection e…
KISA’s JSAC 2025 presentation describes North Korean hacking activity targeting centralized management solutions used to administer corporate devices. The speakers tie the investigation to Maui ransomware leads, attacker Google account activity, leased Ko…
A U.S. civil forfeiture complaint seeks approximately 942,462.845 USDT in connection with an investigation into identity theft, computer fraud, wire fraud, money laundering, and related conspiracies. The excerpt establishes the legal basis for seizing vir…
ANY.RUN analyzes InvisibleFerret, a Python malware used in North Korean job-interview campaigns known as Contagious Interview or DevPopper. The campaign targets developers in technology, finance, and cryptocurrency sectors by posing as hiring workflows an…
SOCRadar's crypto and NFT threat overview includes the Ronin Network breach as a major DPRK-linked case. The article says attackers stole about 173,600 ETH and 25.5 million USDC from the Axie Infinity Ronin bridge after compromising five of nine validator…
NSHC's JSAC presentation describes a June 2024 Kimsuky social-engineering operation that used LinkedIn reconnaissance against Republic of Korea Navy-related personnel and then moved into spear phishing. The actors prepared VPS/VDS infrastructure, used mai…
The JSAC/KrCERT presentation analyzes attacks against centralized management solutions by separating attacker-leased infrastructure from victim-environment activity. The source describes evidence from a retained Google account, North Korean wording, acces…
The JSAC source presents Lazarus-focused CTI methods for following clues across malware, infrastructure, and external knowledge bases such as Malpedia, framed with the Pyramid of Pain. The report is useful as analytic tradecraft for strengthening Lazarus attributi…