ESRC reports an active phishing campaign impersonating domestic portal customer-support notices, including takedown, account-change, and policy-violation themes. The emails contain buttons leading to attacker-controlled phishing pages that closely mimic l…
« Reports in 2025 »
779 reports
The FBI warned that North Korean IT workers have expanded beyond revenue generation into data theft and extortion against U.S. businesses. Recent cases include workers using unlawful network access to exfiltrate proprietary data and code, copy repositorie…
The U.S. Justice Department indicted two North Korean nationals and three alleged facilitators for a remote IT worker scheme that obtained jobs at at least 64 U.S. companies from 2018 to 2024. Prosecutors allege the defendants used forged and stolen ident…
Nisos traced a likely DPRK IT worker who appears to have used multiple personas to obtain remote software engineering and full stack developer roles with Japanese companies. The investigation pivoted from an email address cited in a UN sanctions report to…
Logpresso reports a Kimsuky-linked APT attack against prominent Korean law firms using a malicious Hangul document lure related to a defense industry digital innovation seminar. The document used password protection and OLE object execution to drop files …
S2W analyzed a January 2025 phishing email that used a defense industry digital innovation seminar lure to deliver a malicious HWP document linked to Kimsuky Babyshark activity. The attachment embedded an OLE object that dropped files for persistence and …
AhnLab reports that the Andariel threat group used RID Hijacking during intrusions to manipulate Windows account relative identifier values and elevate privileges. The technique can make a limited or guest account inherit administrator-like access, suppor…
| Cloudflare Sorry, you have been blocked You are unable to access s2w.inc Why have I been blocked? This website is using a security service to protect itself from online attacks. The action you just performed triggered the security solution. There are se…
FSI's JSAC 2025 talk explains how South Korean financial-sector defenders turn high-volume CTI into usable detection and hunting workflows. The speaker describes DPRK state-sponsored activity as a daily concern for Korean financial institutions and uses t…
KISA’s JSAC 2025 presentation describes North Korean hacking activity targeting centralized management solutions used to administer corporate devices. The speakers tie the investigation to Maui ransomware leads, attacker Google account activity, leased Ko…
A U.S. civil forfeiture complaint seeks approximately 942,462.845 USDT in connection with an investigation into identity theft, computer fraud, wire fraud, money laundering, and related conspiracies. The excerpt establishes the legal basis for seizing vir…
ANY.RUN analyzes InvisibleFerret, a Python malware used in North Korean job-interview campaigns known as Contagious Interview or DevPopper. The campaign targets developers in technology, finance, and cryptocurrency sectors by posing as hiring workflows an…
SOCRadar's crypto and NFT threat overview includes the Ronin Network breach as a major DPRK-linked case. The article says attackers stole about 173,600 ETH and 25.5 million USDC from the Axie Infinity Ronin bridge after compromising five of nine validator…
NSHC's JSAC presentation describes a June 2024 Kimsuky social-engineering operation that used LinkedIn reconnaissance against Republic of Korea Navy-related personnel and then moved into spear phishing. The actors prepared VPS/VDS infrastructure, used mai…
The JSAC/KrCERT presentation analyzes attacks against centralized management solutions by separating attacker-leased infrastructure from victim-environment activity. The source describes evidence from a retained Google account, North Korean wording, acces…