The report analyzes Kimsuky malware delivered as a Windows LNK file disguised as a public service citation personal form. The lure executes PowerShell commands after the victim opens the shortcut, indicating a social-engineering intrusion path consistent …
ENKI tracks a Lazarus-attributed Contagious Interview variant that continues to target job seekers through fake recruitment activity with an apparent cryptocurrency-theft objective. The newer flow replaces coding-test package lures with a fake Willo-style…
ScarletShark reported an approach by Kimsuky, also known as Emerald Sleet, against a United States-based think tank using a free Proton Mail account to impersonate an employee of the Japanese Embassy in Washington, D.C. The message invited the target to a mee…
360 describes APT-C-26, also tracked as Lazarus, using Electron-packaged malicious applications against cryptocurrency users and organizations. The campaign reportedly poisoned a uniswap-sniper-bot project and delivered an installer masquerading as an aut…
SentinelOne's macOS malware review highlights DPRK-linked activity against job seekers and cryptocurrency targets during 2024. The BeaverTail section describes North Korean operators impersonating recruiters on LinkedIn, X, and Freelancer, then pushing tr…
The Springer study analyzes DPRK cyber activity by mining more than 2,000 public reports from 2009 through May 2024. It clusters vendor naming conventions into 160 actor code names, maps those names into seven widely recognized DPRK threat groups, and ext…
This Kimsuky profile summarizes DPRK Reconnaissance General Bureau-linked espionage activity, aliases, objectives, and observed vulnerability references. The source identifies Kimsuky as a North Korea-aligned threat actor focused on intelligence collectio…
JPCERT/CC warns that Lazarus-linked operators have repeatedly used LinkedIn as an initial contact vector against organizations in Japan since around 2019, including cases tied to cryptocurrency theft and earlier operations documented by the center. The so…
JPCERT/CC discusses the practical attribution problem created by treating Lazarus as a single threat actor label rather than a collection of DPRK-aligned subgroups. The report argues that subgroup-level classification matters for incident response because…
Please note that simple phishing exploits were excluded due to the challenges associated with tracking criminal funds. In most cases, this vulnerability allows exploiters to abuse the authorization that has been set to the target contract. We aimed to pro…
NSHC's September 2024 intelligence review says 47 hacking-group activity cases were observed from August 21 to September 20, with SectorA accounting for the largest share and activity most often affecting finance and government targets. The North Korea-li…
NSHC's October 2024 report says SectorA activity was the most prominent among 31 tracked threat-actor groups and lists four North Korea-linked SectorA clusters active across the United States, South Korea, Japan, Brazil, Egypt, and other regions. SectorA0…
KISA describes a cryptocurrency-theft phishing operation that used reconnaissance on Naver Cafe and online communities, phishing email delivery, and Python automation to target virtual-asset users. The attackers focused on wallet seed phrases, private key…
Lazarus is described using ClickFix social engineering inside the Contagious Interview campaign to target job seekers, especially software developers, through fake recruiter workflows on platforms such as LinkedIn, Telegram, and Discord. Victims are led t…
OFAC sanctioned two individuals and four entities tied to North Korean IT worker revenue generation for DPRK weapons programs. The action names Department 53, Korea Osong Shipping, Chonsurim Trading Corporation, Jong In Chol, Son Kyong Sik, and Liaoning C…