A Kimsuky-linked test.zip sample is described as a Cobalt Strike-related malware package that uses a Windows shortcut file to disguise execution as a document. The LNK uses a WordPad icon and launches hidden PowerShell that searches for a same-directory s…
2025: 778 reports
SecurityScorecard attributes Operation 99 to Lazarus Group and says it targets developers seeking freelance Web3 and cryptocurrency work. Fake recruiters on LinkedIn direct victims to clone malicious GitLab repositories for project tests or code reviews, …
Secureworks links NICKEL TAPESTRY's North Korean IT worker operations to infrastructure that also appeared in a 2016 IndieGoGo crowdfunding scam. The report cites OFAC-designated Yanbian Silverstar and Volasys Silver Star, FBI evidence that freelancer acc…
The Korean-language source attributes a malicious HWP lure targeting the Korea Association of Defense Industry Studies to Kimsuky. The attack begins with an email about a defense-industry digital innovation seminar and includes an HWP attachment that wait…
SecAI analyzed a Kimsuky DOCX infection chain in which the document retrieves a malicious DOTM template from ms-work.com-info.store and runs its macro. The macro decrypts and drops a DLL, then calls an exported function that downloads another DLL payload …
Hunt identified a Hostwinds server at 23.254.167[.]216 hosting a resurfaced "JustJoin" landing page, a theme previously linked in public reporting to TA444 or BlueNoroff activity. The cluster includes domains such as make-hex-32332e3235342e3136372e323136-…
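The hex run in the domain quoted above decodes to the hosting address itself (32332e3235342e3136372e323136 is the ASCII hex of 23.254.167.216), which makes hostnames of this shape easy to hunt for. The following is an added example, not code from Hunt or from the original page: it scans hostnames for hex runs that decode to an IPv4 address and reports which of a list of hosts encode a given server IP. The sample hostnames are constructed; only the hex fragment is taken from the summary above, and the rest of that domain (truncated on the page) is replaced with a reserved `.test` suffix.

```python
import ipaddress
import re

# Constructed sample input. The hex run is the fragment quoted in the Hunt summary;
# the trailing "-example.test" is an assumption standing in for the truncated real domain.
SAMPLE_HOSTS = [
    "make-hex-32332e3235342e3136372e323136-example.test",
    "www.example.test",
]
HOSTING_IP = "23.254.167.216"

# Shortest dotted quad ("1.1.1.1") is 7 characters, i.e. 14 hex digits.
HEX_RUN = re.compile(r"[0-9a-f]{14,}")
DOTTED_QUAD = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def decode_hex_ips(hostname: str) -> list[str]:
    """Return every IPv4 address found hex-encoded inside a hostname.

    Both byte alignments of each hex run are tried, so a stray leading hex
    character (e.g. "a" or "e" from a word) does not hide the address.
    """
    found: list[str] = []
    for match in HEX_RUN.finditer(hostname.lower()):
        run = match.group(0)
        for offset in (0, 1):
            chunk = run[offset:]
            if len(chunk) % 2:
                chunk = chunk[:-1]
            try:
                text = bytes.fromhex(chunk).decode("ascii")
            except ValueError:  # odd/invalid hex or non-ASCII bytes
                continue
            for candidate in DOTTED_QUAD.findall(text):
                try:
                    ip = str(ipaddress.IPv4Address(candidate))
                except ipaddress.AddressValueError:
                    continue
                if ip not in found:
                    found.append(ip)
    return found


def hosts_encoding_ip(hosts: list[str], ip: str) -> list[str]:
    """Hostnames whose embedded hex decodes to the given IP address."""
    return [h for h in hosts if ip in decode_hex_ips(h)]


if __name__ == "__main__":
    for host in SAMPLE_HOSTS:
        print(host, "->", decode_hex_ips(host))
    print("hosts encoding", HOSTING_IP, ":", hosts_encoding_ip(SAMPLE_HOSTS, HOSTING_IP))
```

Run it over passive-DNS or certificate-transparency output for a suspect server to find other hostnames that carry the same encoded address; the decoder ignores hex runs that do not decode to a valid dotted quad, so long numeric or hash-like labels do not produce false hits.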
The South Korea, United States, and Japan joint statement warns that North Korean cyber actors continue targeting blockchain organizations, exchanges, custodians, and individual virtual-asset users to steal cryptocurrency. It links groups including Lazaru…
HAURI describes APT37 reconnaissance phishing against people connected to North Korea issues and defector communities. The attack embeds an IMG tag in email so that opening the message automatically reaches a phishing site, while compromised legitimate Ko…
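The reconnaissance step HAURI describes relies on the mail client fetching a remote image the moment the message is rendered. As an added example (not HAURI's code and not from the original page), the snippet below parses an HTML e-mail, lists every remote IMG source that would be fetched on open, and reduces them to the contacted hosts; the message and the `.test` hostnames are constructed for the example.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message; "tracker.example.test" is a reserved name, not a real indicator.
SAMPLE_EML = """From: sender@example.test
To: target@example.test
Subject: Request for comment
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Please see the attached notes.</p>
<img src="http://tracker.example.test/open?id=abc123" width="1" height="1">
<img src="cid:logo.png">
</body></html>
"""


class _RemoteImgCollector(HTMLParser):
    """Collect IMG src values that point at a remote http(s) resource."""

    def __init__(self) -> None:
        super().__init__()
        self.remote: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "img":
            return
        src = dict(attrs).get("src") or ""
        # cid:, data: and relative references do not cause an outbound request on open
        if urlparse(src).scheme in ("http", "https"):
            self.remote.append(src)


def remote_images(raw_eml: str) -> list[str]:
    """Return every remote image URL in the HTML parts of a message."""
    msg = email.message_from_string(raw_eml, policy=policy.default)
    urls: list[str] = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            collector = _RemoteImgCollector()
            collector.feed(part.get_content())
            urls.extend(collector.remote)
    return urls


def beacon_hosts(raw_eml: str) -> list[str]:
    """Hosts a mail client would contact simply by rendering the message."""
    return sorted({urlparse(u).hostname for u in remote_images(raw_eml)})


if __name__ == "__main__":
    print(remote_images(SAMPLE_EML))
    print(beacon_hosts(SAMPLE_EML))
```

Feeding a mailbox export through `beacon_hosts` gives a list of domains to check against mail-gateway allowlists and proxy logs; a sender whose only remote resource is a one-pixel image to an unfamiliar host is the pattern the HAURI summary describes.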
SlowMist links 2024 cryptocurrency theft and laundering activity to North Korean hackers, highlighting social engineering against blockchain and angel-investing communities alongside fund-movement techniques after major incidents. The excerpt describes at…
JPCERT/CC reviews Lazarus use of LinkedIn as an initial access vector against organizations, including cryptocurrency-related and defense-industry targets. The activity includes suspicious recruiter-style contact, pressure to move conversations from Linke…
ZeroShadow describes a DPRK Contagious Interview campaign that impersonated the Willo video interview platform to target cryptocurrency workers with fake recruiter outreach. Victims were moved from job messages to a lookalike interview site, where a stage…
SecAI analyzed a Kimsuky JSE sample that used obfuscated JavaScript to drop a JPG decoy and an encrypted PowerShell payload. The PowerShell stage decrypted embedded data into an executable file, launched it with a VMP-packed PE payload, and connected to t…
WatchTowr describes a research project that registered expired domains embedded in old web shells and used them to observe compromised hosts reporting back to abandoned backdoor infrastructure. The researchers say more than 4,000 live backdoors checked in…
The archived X article argues that Hyperliquid has concentrated operational risk in its API, validator model, closed-source binary distribution, and jurisdictional setup. The author says validators rely on prepackaged software and that many do not indepen…
AhnLab's December 2024 domestic APT trend report summarizes attacks observed against Korean targets through the vendor's monitoring infrastructure. The report classifies the month's intrusions by penetration type and finds spear phishing to be the dominan…