The research tracks UNC3782 infrastructure first pivoted from Mandiant-shared indicators and finds extensive phishing activity impersonating Naver Corp from 2021 through late 2022. The author identifies hundreds of Naver typosquat domains, WHOIS registrat…
Genians links newly observed Android remote-wipe activity to the KONNI APT campaign, which the report describes as associated with Kimsuky or APT37 and connected to North Korean state-directed operations. The campaign targeted South Korea-based individual…
Genians reports KONNI APT activity linked in the source to Kimsuky or APT37, involving South Korea-based victims including a counselor supporting North Korean defector youth. The campaign used National Tax Service-themed spear phishing and KakaoTalk messa…
Bitso's Quetzal Team describes another attempted DPRK-aligned remote hiring infiltration involving a Colombian software engineer persona named Sebastian who failed live interview scrutiny. The excerpt says the persona claimed native Spanish ability, delet…
Bloo Labs draws on exposed Kimsuky/APT43 infrastructure, logs, and PHP code from January-May 2025 to show how the North Korean actor used tracking pixels in targeted phishing operations. The observed implementation embedded 1x1 image requests with reversi…
NSHC’s October 2025 intelligence roundup says SectorA activity used multi-stage social engineering against Windows, macOS, and Linux systems, with software developers and technical experts among the main targets. The SectorA section describes fake softwar…
Security Alliance reports that DPRK-linked IT workers have expanded from seeking fraudulent employment into recruiter-style operations that enlist collaborators on platforms such as Upwork, Freelancer, Fiverr, and RandstadUSA. The observed workflow uses s…
ENKI analyzes a Lazarus Group Comebacker variant recovered from office-theme[.]com, where malicious DOCX files with VBA macros acted as droppers for a staged loader chain. The lures impersonated aerospace and defense-related organizations including Edge G…
ENKI identified a Lazarus-attributed Comebacker variant delivered through malicious Word documents staged on office-theme[.]com and themed around aerospace and defense organizations. When macros run, the dropper decrypts a loader and decoy document, write…
Logpresso assesses that a late-October 2025 attack using a health-check notice lure was conducted by the North Korea-linked Kimsuky group. The intrusion relied on an archive containing a JSE file disguised as a PDF, which displayed a benign document while…
ESET’s Q2–Q3 2025 APT activity report says North Korea-aligned actors targeted the cryptocurrency sector and expanded operations to Uzbekistan, a country ESET had not previously observed in their targeting scope. The DPRK-relevant activity includes campaigns by Dec…
Australia's Department of Foreign Affairs and Trade designated one person and four entities under the Autonomous Sanctions Regulations 2011 for Democratic People's Republic of Korea-related sanctions. The listed person and entities were added to DFAT's Co…
Sophos publishes a defensive playbook for organizations facing North Korean IT-worker impersonation, a scheme it says has expanded from U.S. technology companies into finance, healthcare, government, and other regions. The guidance is based on Sophos’s in…
The Pulsedive analysis examines a Kimsuky JavaScript dropper tied to public IOCs and sandbox traffic for a North Korean espionage group active against government, think-tank, and expert targets. The initial script contacts iuh234[.]medianewsonline[.]com t…
A Kimsuky-linked EndClient RAT campaign targeted North Korean human-rights defenders after an initial victim’s Google and KakaoTalk accounts were compromised and then used in manual one-to-one conversations to push a StressClear.msi lure. The MSI was sign…