S2W TALON analyzed leaked material distributed with Phrack’s “APT Down: The North Korea Files” and found evidence of operations against Korean government entities and domestic companies, including webmail-related source code, Ministry of Foreign Affairs-r…
« Reports in 2025 »
779 reports
Korea University's Graduate School of Information Security announced a technical briefing on material from Phrack's “APT Down: The North Korea Files,” which was said to be based on files taken from a workstation used by a suspected Kimsuky operator. The s…
Elliptic describes the February 2025 Bybit exploit as a North Korean act in which about $1.46 billion in ETH and ERC-20 tokens were transferred to an attacker-controlled address. Six months later, laundering had moved more than $1 billion through rapid mu…
A Korean-language analysis attributes a malicious LNK lure to APT37/Reaper and identifies RokRAT delivery through a decoy about an academy for successful resettlement of North Korean defectors in South Korea. The shortcut searches for PowerShell, locates …
Spur investigated anonymizing infrastructure after a leaked dataset tied IP address 156.59.13[.]153 to activity targeting organizations in South Korea and Taiwan, while the leak author attributed the activity to Kimsuky and Spur explicitly left that attri…
BTC Turk suffered a $51.7 million hot-wallet theft in August 2025 after private keys were reportedly compromised, repeating a similar $55 million breach from June 2024. The attackers moved assets across Ethereum, Avalanche, Arbitrum, Base, Optimism, Mantl…
WOO X attributed a July 24, 2025 cryptocurrency-theft incident to suspected North Korea-linked activity, citing evidence for UNC4899 and later considering UNC4899 or UNC5565 involvement. The intrusion began when a developer accepted an open-source collabo…
Axios reports that North Korean remote IT worker operations have reached major U.S. companies, including Fortune 500 environments, as a sanctions-evasion revenue stream for Pyongyang. The scheme uses stolen or fabricated identities, AI-generated resumes a…
Leaked email datasets are used to profile DPRK IT worker tradecraft, with the source linking the activity to Microsoft’s Jasper Sleet classification and remote-work fraud against DApp, Web3, blockchain, and cryptocurrency companies. The analysis says 1,38…
AhnLab observed July 2025 APT activity in South Korea dominated by spear-phishing, with LNK-based delivery making up the largest share of identified cases. The LNK files executed malicious PowerShell commands, unpacked CAB archives, ran scripts such as BA…
Trellix attributes an active early-2025 espionage campaign against embassies and foreign ministries in Seoul to DPRK-linked actors, with infrastructure overlaps to known Kimsuky operations. The attackers sent at least 19 spear-phishing emails impersonatin…
A Korean malware analysis attributes the auto.py sample to Lazarus/Famous Chollima and identifies it as part of the PyLangGhost RAT tooling. The script is described as collecting Chrome extension local storage from multiple browser profiles, which could e…
North Korean hackers were accused in an OFSI-referenced assessment of stealing about £17m in Bitcoin, Ethereum, and other cryptocurrency from Lykke, a trading platform incorporated in Britain. The article says Lazarus was identified as a potential culprit…
A Korean OSINT discussion analyzes a leaked "APT Down North Korea Hacker" dump that allegedly exposed a suspected Kimsuky operator's virtual workstation and VPS images. The speakers describe phishing infrastructure, tools, recovered documents or source ma…
Leaked workstation and server material is presented as evidence of suspected Kimsuky activity against South Korean government, military, prosecution, foreign ministry, portal, media, and Taiwan-related targets. The excerpt describes spear-phishing infrast…