Reddit NetSec

CVE Database V5

AlienVault OTX General

Reddit InfoSec News

Exploit-DB RSS Feed

ThreatFox MISP Feed

CIRCL OSINT Feed

AlienVault OTX Vulnerabilities

AlienVault OTX Malware

This report details a cyber-espionage campaign attributed to Kimsuky, a North Korean APT group, targeting South Korean entities. The attack uses malicious Windows shortcut files as initial access, followed by obfuscated scripts and a sophisticated malware framework. The malware performs extensive system profiling, steals credentials and sensitive documents, monitors user activity, and exfiltrates data over standard web traffic. It establishes persistence, evades detection, and maintains communication with command-and-control infrastructure. The campaign demonstrates Kimsuky's evolution in stealth, modularity, and targeting precision, representing a serious espionage threat that requires advanced behavioral monitoring and network anomaly detection to combat.

The reported threat is a cyber-espionage campaign attributed to the North Korean advanced persistent threat (APT) group known as Kimsuky (also referenced as APT43). This campaign targets primarily South Korean entities but represents a broader espionage risk due to its sophisticated operational blueprint. The attack chain begins with initial access via malicious Windows shortcut (.lnk) files, which are used to execute obfuscated PowerShell scripts. These scripts deploy a modular malware framework capable of reflective DLL injection, allowing the malware to load code into memory stealthily without touching disk, thereby evading traditional signature-based detection. The malware performs extensive system reconnaissance, including profiling the infected host, harvesting credentials (likely through techniques such as credential dumping and keylogging), and stealing sensitive documents. It also monitors user activity to gather intelligence and exfiltrates stolen data covertly over standard web traffic protocols, blending with legitimate network communications to avoid detection. Persistence mechanisms are employed to maintain long-term access, and the malware uses command-and-control (C2) infrastructure hosted on dynamic DNS domains (e.g., hvmeyq.viewdns.net, ygbslb.hopto.org) to receive instructions and exfiltrate data. The campaign demonstrates Kimsuky’s evolution in stealth, modularity, and targeting precision, leveraging multiple MITRE ATT&CK techniques such as T1218.011 (Mshta), T1056.001 (Keylogging), T1204.002 (User Execution: Malicious File), reflective DLL injection, obfuscation, and T1547.001 (Registry Run Keys/Startup Folder) for persistence. The absence of known exploits in the wild suggests this is a targeted, manual intrusion rather than mass exploitation. The campaign requires advanced behavioral monitoring and network anomaly detection to identify and mitigate due to its stealthy nature and use of legitimate system tools and protocols.

Detailed information about From Reconnaissance to Control: The Operational Blueprint of Kimsuky APT for Cyber Espionage. Get real-time updates, technical detail

From Reconnaissance to Control: The Operational Blueprint of Kimsuky APT for Cyber Espionage - Live Threat Intelligence - Threat Radar | OffSeq.com

From Reconnaissance to Control: The Operational Blueprint of Kimsuky APT for Cyber Espionage

This comprehensive analysis covers cyber threats and security issues affecting financial companies in South Korea and globally. It examines malware and phishing cases targeting the financial sector, including the top 10 malware strains and leaked Korean account statistics on Telegram. The report delves into dark web threats, focusing on credit card data breaches, financial institution database leaks, and ransomware attacks. Notable incidents include the M*** digital payment platform data breach in Indonesia, affecting 44 million users, and the Everest ransomware group's attack on J*** Bank in Jordan, compromising 11.7 GB of internal data. The analysis emphasizes the need for enhanced security measures, including real-time protection systems, account takeover detection, and strengthened internal defense mechanisms in the financial industry.

The June 2025 Security Issues report highlights a range of cyber threats targeting the financial sector in South Korea and globally, with a focus on malware, phishing, ransomware, and data breaches. The report identifies the top 10 malware strains affecting financial institutions and notes the leakage of Korean account statistics on Telegram, indicating active data exfiltration and potential credential abuse. Dark web activities are emphasized, particularly the trade and exposure of credit card data and financial institution database leaks. Noteworthy incidents include a massive data breach of a digital payment platform in Indonesia impacting 44 million users and a ransomware attack by the Everest group on a bank in Jordan, resulting in the compromise of 11.7 GB of internal data. The threat actors employ various tactics, techniques, and procedures (TTPs) such as data destruction (T1489), command and control communication (T1071), data from local system (T1005), data from network shared drive (T1567), exploitation for credential access (T1219), data encrypted for impact (T1486), and account takeover strategies. The report underscores the critical need for real-time protection systems, advanced account takeover detection, and robust internal defense mechanisms tailored for the financial sector to mitigate these evolving threats. Indicators of compromise (IOCs) include multiple malware hashes linked to these campaigns, although no known exploits are currently reported in the wild. The medium severity rating reflects the significant but not yet fully exploited threat landscape.

Detailed information about June 2025 Security Issues in Korean & Global Financial Sector. Get real-time updates, technical details, and mitigation strategies.

June 2025 Security Issues in Korean & Global Financial Sector - Live Threat Intelligence - Threat Radar | OffSeq.com

June 2025 Security Issues in Korean & Global Financial Sector

The APT-C-55 (Kimsuky) group, a North Korean threat actor, has launched a new attack campaign targeting South Korea. They used a disguised Bandizip installation package to deliver malicious code and a VMP-protected HappyDoor trojan for espionage activities. The attack involves remote script loading, multi-stage malware deployment, and information theft. The malware collects sensitive data, including user information, system details, and files from specific directories. It also implements keylogging, screen capture, and mobile device monitoring functionalities. The attack methodology and infrastructure align with Kimsuky's historical patterns, including the use of similar scripts, backdoor families, and domain naming conventions.

The threat detailed involves the APT-C-55 group, also known as Kimsuky, a North Korean state-sponsored advanced persistent threat actor. This group has initiated a new espionage campaign primarily targeting South Korea, leveraging a sophisticated multi-stage malware attack. The initial infection vector is a disguised Bandizip installation package, which serves as a trojanized delivery mechanism for the HappyDoor backdoor malware. HappyDoor is protected by VMP (VMProtect), a strong shell obfuscation technology designed to hinder reverse engineering and detection efforts. The attack chain involves remote script loading and multi-stage deployment, enabling the malware to evade early detection and maintain persistence. Once deployed, HappyDoor conducts extensive information theft operations, including harvesting user credentials, system information, and files from targeted directories. It also incorporates advanced surveillance capabilities such as keylogging, screen capturing, and monitoring of mobile devices connected to the infected system. The attack infrastructure and methodologies align with Kimsuky’s historical tactics, techniques, and procedures (TTPs), including the use of similar scripting techniques, backdoor families, and domain naming conventions. Indicators of compromise include multiple file hashes, IP addresses, and suspicious domains linked to the campaign. The malware leverages a variety of MITRE ATT&CK techniques such as T1113 (Screen Capture), T1547 (Boot or Logon Autostart Execution), T1082 (System Information Discovery), T1071 (Application Layer Protocol), T1053 (Scheduled Task), T1005 (Data from Local System), T1140 (Deobfuscate/Decode Files or Information), T1055 (Process Injection), T1059 (Command and Scripting Interpreter), T1083 (File and Directory Discovery), T1074 (Data Staged), T1571 (Non-Standard Port), T1027 (Obfuscated Files or Information), T1056 (Input Capture), T1012 (Query Registry), and T1132 (Data Encoding). This campaign demonstrates a high level of operational security and technical sophistication, emphasizing espionage and data exfiltration objectives.

Detailed information about Analysis of APT-C-55 (Kimsuky) Organization's HappyDoor Backdoor Attack Based on VMP Strong Shell. Get real-time updates, technical d

Analysis of APT-C-55 (Kimsuky) Organization's HappyDoor Backdoor Attack Based on VMP Strong Shell - Live Threat Intelligence - Threat Radar | OffSeq.com

Analysis of APT-C-55 (Kimsuky) Organization's HappyDoor Backdoor Attack Based on VMP Strong Shell

A sophisticated spearphishing campaign targeting South Korea has been uncovered, utilizing GitHub as attack infrastructure. The threat actor, linked to the North Korean group Kimsuky, created multiple private repositories to store malware, decoy files, and exfiltrated victim data. The attack leveraged GitHub Personal Access Tokens to access private repositories and distribute XenoRAT malware. The campaign also employed Dropbox for malware distribution. The attackers used tailored decoy documents and impersonated legitimate entities to increase the effectiveness of their phishing attempts. Analysis of the infrastructure and malware samples revealed connections to previous Kimsuky operations, including shared test IP addresses and similar malware build environments.

The threat involves a sophisticated spearphishing campaign attributed to the North Korean threat actor group Kimsuky, targeting South Korean entities. The attackers leveraged GitHub as a core part of their malicious infrastructure by creating multiple private repositories to store malware samples, decoy documents, and exfiltrated victim data. They exploited GitHub Personal Access Tokens to gain unauthorized access to these private repositories, enabling them to distribute XenoRAT malware covertly. Additionally, Dropbox was used as an alternative malware distribution channel. The campaign employed highly tailored decoy documents and impersonated legitimate organizations to increase the likelihood of successful phishing attacks. Technical analysis revealed that the infrastructure and malware samples share characteristics with previous Kimsuky operations, including the use of shared test IP addresses and similar malware build environments, indicating a consistent operational methodology. The malware, XenoRAT, is a remote access trojan capable of extensive system reconnaissance, data exfiltration, and command execution. The attack chain involves initial spearphishing to deliver the malware, leveraging stolen GitHub tokens to maintain persistence and distribute payloads, and the use of cloud services to obfuscate command and control (C2) communications. The tactics, techniques, and procedures (TTPs) align with multiple MITRE ATT&CK techniques such as spearphishing (T1566.001), use of cloud services for C2 (T1102), credential access (T1056.001), and remote access tools (T1219). This campaign demonstrates an evolution in threat actor use of legitimate cloud platforms to evade detection and maintain operational security.

Detailed information about Dissecting Kimsuky's Attacks on South Korea: In-Depth Analysis of GitHub-Based Malicious Infrastructure. Get real-time updates, techn

Dissecting Kimsuky's Attacks on South Korea: In-Depth Analysis of GitHub-Based Malicious Infrastructure - Live Threat Intelligence - Threat Radar | OffSeq.com

Dissecting Kimsuky's Attacks on South Korea: In-Depth Analysis of GitHub-Based Malicious Infrastructure

This comprehensive analysis covers cyber threats targeting financial companies in Korea and globally. It examines malware and phishing cases, top 10 malware strains, and statistics on leaked Korean accounts. The report delves into major financial threats on the dark web, including credit card data breaches, database breaches, and ransomware attacks. A notable case involves the Arkana ransomware group's breach of a global online brokerage firm, In***, resulting in the theft of 50 GB of customer data, including KYC submissions and information of over 163,000 customers. The incident highlights vulnerabilities in trading platforms' identity verification and account protection systems, emphasizing the need for enhanced security measures beyond regulatory compliance.

The May 2025 Security Issues campaign highlights a series of cyber threats targeting financial institutions primarily in South Korea but with global implications. The campaign details multiple attack vectors including malware infections, phishing campaigns, and ransomware attacks, with a focus on the financial sector. Key malware strains are identified among the top 10 most prevalent, contributing to data breaches and account compromises. A significant incident involved the Arkana ransomware group breaching a global online brokerage firm, resulting in the theft of approximately 50 GB of sensitive customer data. This data included Know Your Customer (KYC) submissions and personal information of over 163,000 customers, exposing critical vulnerabilities in identity verification and account protection mechanisms within trading platforms. The campaign also discusses the presence of stolen financial data on the dark web, including credit card and database breaches, which facilitate identity theft and fraud. The threat actors employ a range of tactics, techniques, and procedures (TTPs) such as ransomware deployment (T1486), data destruction (T1489), credential access (T1078), phishing (T1566), and command and control communications (T1071). The campaign underscores that existing regulatory compliance measures are insufficient to mitigate these risks, emphasizing the need for enhanced security controls tailored to the unique challenges of financial services platforms. Indicators of compromise include multiple malware hashes linked to the Arkana group and associated ransomware families like LockBit. Although no known exploits in the wild are reported, the campaign reflects ongoing and evolving threats to financial institutions' confidentiality, integrity, and availability of data and services.

Detailed information about May 2025 Security Issues in Korean & Global Financial Sector. Get real-time updates, technical details, and mitigation strategies.

May 2025 Security Issues in Korean & Global Financial Sector - Live Threat Intelligence - Threat Radar | OffSeq.com

May 2025 Security Issues in Korean & Global Financial Sector

The Genians Security Center (GSC) detected an APT (Advanced Persistent Threat) campaign targeting users of Facebook, email, and Telegram in Korea between March and April 2025. The threat actor explored reconnaissance and selected attack targets through two Facebook accounts.

The threat detailed is an Advanced Persistent Threat (APT) campaign attributed to the Kimsuky group, a known North Korean state-sponsored actor. This campaign, detected by the Genians Security Center (GSC), targeted users primarily in South Korea between March and April 2025. The attack vector leveraged social media and communication platforms including Facebook, email, and Telegram to conduct reconnaissance and select targets. The adversary used two Facebook accounts for initial reconnaissance, indicating a targeted approach rather than broad indiscriminate attacks. The campaign is characterized by a 'Triple Combo' threat methodology, involving multiple stages and tools to achieve persistence and data exfiltration.

Technical analysis reveals the use of various malware components, including DLL files protected by VMProtect, PowerShell scripts, and shellcode execution techniques. The campaign employs obfuscation and evasion tactics such as code injection (T1055), command and scripting interpreter abuse (T1059), and persistence mechanisms (T1547). The threat actor also uses social engineering (T1566) and user execution (T1204) to trick victims into executing malicious payloads. Indicators of compromise include numerous file hashes (MD5, SHA1, SHA256) and domains primarily associated with Korean infrastructure (e.g., *.n-e.kr, *.o-r.kr, *.p-e.kr) and some international domains (e.g., download.uberlingen.com).

The campaign’s focus on Facebook, email, and Telegram suggests exploitation of widely used communication channels to infiltrate target networks. The use of multiple platforms increases the attack surface and complicates detection. The lack of known exploits in the wild indicates the campaign is currently limited in scope or newly discovered. The campaign’s medium severity rating reflects a moderate but credible threat level, given the sophistication and persistence of the Kimsuky group. The attack techniques align with MITRE ATT&CK tactics such as reconnaissance, execution, persistence, privilege escalation, defense evasion, credential access, and exfiltration.

Overall, this APT campaign demonstrates a multi-faceted, targeted attack leveraging social engineering and advanced malware to compromise selected users and organizations, primarily in South Korea but with potential implications for other regions.

SHA256 of 8346d90508b5d41d151b7098c7a3e868

SHA256 of 537806c02659a12c5b21efa51b2322c1

SHA256 of 7a0c0a4c550a95809e93ab7e6bdcc290

Detailed information about Analysis of the Triple Combo Threat of the Kimsuky Group. Get real-time updates, technical details, and mitigation strategies.

Analysis of the Triple Combo Threat of the Kimsuky Group - Live Threat Intelligence - Threat Radar | OffSeq.com

Analysis of the Triple Combo Threat of the Kimsuky Group

APT37, a North Korean state-sponsored hacking group, launched a spear phishing campaign targeting activists focused on North Korea. The attack involved emails with Dropbox links to malicious LNK files, which when executed, activated additional malware. The group utilized legitimate cloud services as Command and Control servers, a tactic known as 'Living off Trusted Sites.' The malware, identified as RoKRAT, collected system information, captured screenshots, and exfiltrated data to cloud-based C2 servers. The campaign, named 'Operation: ToyBox Story,' employed sophisticated techniques including fileless attacks and multiple encryption layers to evade detection. The threat actors impersonated academic events and used decoy documents to lure targets, highlighting the need for advanced endpoint detection and response solutions.

The threat described is a sophisticated cyber espionage campaign named 'Operation ToyBox Story,' attributed to APT37, a North Korean state-sponsored advanced persistent threat group. This campaign targets activists focused on North Korea by leveraging spear phishing emails containing Dropbox links to malicious Windows shortcut (LNK) files. When these LNK files are executed by the victim, they trigger the deployment of RoKRAT malware. RoKRAT is capable of collecting extensive system information, capturing screenshots, and exfiltrating sensitive data to cloud-based Command and Control (C2) servers. The attackers employ 'Living off the Land' tactics by using legitimate cloud services such as Dropbox as C2 infrastructure, which complicates detection and attribution efforts. The malware uses fileless attack techniques and multiple layers of encryption to evade traditional endpoint security solutions. The threat actors impersonate academic events and use decoy documents to increase the likelihood of successful compromise. The attack chain includes reconnaissance, initial access via spear phishing, execution of malicious LNK files, persistence, credential access, command and control communication, and data exfiltration. The campaign exploits CVE-2022-41128, a known vulnerability, although no active exploits in the wild have been reported. The use of legitimate cloud services for C2 and fileless techniques indicates a high level of operational security and sophistication, requiring advanced endpoint detection and response (EDR) capabilities for effective mitigation.

Detailed information about Analysis of APT37 Attack Case Disguised as a Think Tank for National Security Strategy in South Korea (Operation ToyBox Story). Get r

Analysis of APT37 Attack Case Disguised as a Think Tank for National Security Strategy in South Korea (Operation ToyBox Story) - Live Threat Intelligence - Threat Radar | OffSeq.com

Analysis of APT37 Attack Case Disguised as a Think Tank for National Security Strategy in South Korea (Operation ToyBox Story)

A series of attacks targeting Korean Internet cafés have been identified, focusing on systems with specific management software installed. The threat actor, active since 2022, uses Gh0st RAT for system control and ultimately installs T-Rex CoinMiner for cryptocurrency mining. The initial access method remains unknown. The attacks involve memory patching of management software and use of downloaders. The malware suite includes Gh0st RAT, its droppers, patchers, downloaders, and T-Rex CoinMiner. Unlike typical coin mining operations using XMRig for Monero, this actor employs T-Rex, likely due to the presence of high-performance GPUs in Internet café PCs. The attacks have been ongoing since late 2024, prompting responses from management software manufacturers.

The T-Rex CoinMiner campaign targets Internet cafés in Korea by compromising systems running specific management software. Active since late 2024, the threat actor employs a multi-stage malware suite beginning with Gh0st RAT, a remote access trojan used for persistent system control. The initial infection vector remains unknown, but the attack involves memory patching of the management software and the use of downloaders to deploy additional payloads. Unlike common cryptocurrency mining malware that typically uses XMRig for Monero mining, this actor uses T-Rex CoinMiner, optimized for GPUs, reflecting the high-performance graphics hardware found in Internet café PCs. The malware suite includes Gh0st RAT, its droppers, patchers, downloaders, and the T-Rex miner itself. This approach allows the attacker to covertly mine cryptocurrency while maintaining control over compromised systems. The campaign’s focus on Internet cafés suggests targeting environments with multiple high-end GPUs, maximizing mining efficiency. Management software vendors have responded to the threat, but no patches or mitigations have been publicly detailed. The campaign does not currently have known exploits in the wild beyond the described activity, and the initial infection vector remains unclear, complicating detection and prevention efforts.

Detailed information about Analysis of T-Rex CoinMiner Attacks Targeting Internet Cafés in Korea. Get real-time updates, technical details, and mitigation strat

Analysis of T-Rex CoinMiner Attacks Targeting Internet Cafés in Korea - Live Threat Intelligence - Threat Radar | OffSeq.com

Analysis of T-Rex CoinMiner Attacks Targeting Internet Cafés in Korea

This analysis focuses on malware campaigns linked to Proton66, particularly those targeting Android devices through compromised WordPress websites. The threat actors used redirector scripts to target users from various countries, mimicking the Google Play Store. Additionally, the XWorm campaign targeted Korean-speaking users through fake investment chat rooms. The Strela Stealer targeted email clients in German-speaking countries, while the WeaXor ransomware, a revised version of Mallox, was also observed. The report details the infection chains, provides IOCs, and recommends blocking CIDR ranges associated with Proton66 and Chang Way Technologies to mitigate risks.

This threat analysis focuses on a series of malware campaigns linked to the Proton66 group, which primarily target Android devices via compromised WordPress websites. The attackers leverage redirector scripts embedded in these compromised sites to funnel unsuspecting visitors to malicious payloads that mimic legitimate services such as the Google Play Store, thereby increasing the likelihood of successful infection. The campaigns are multi-faceted, including the XWorm malware targeting Korean-speaking users through fake investment chat rooms, the Strela Stealer focusing on email clients predominantly in German-speaking countries, and the WeaXor ransomware, a newer iteration of the Mallox ransomware family. 

The infection chains typically begin with exploitation of vulnerable WordPress sites, which are widely used content management systems, making them attractive targets. The redirector scripts serve as an initial infection vector, directing victims to download malware disguised as legitimate applications. The XWorm campaign employs social engineering tactics tailored to Korean-speaking victims, leveraging fake investment chat rooms to distribute malware. Strela Stealer is designed to harvest credentials from email clients, posing a significant risk to confidentiality, especially in German-speaking regions where it has been observed. The WeaXor ransomware encrypts victim data, demanding ransom payments, and represents a direct threat to availability and data integrity.

The report also highlights recommended mitigation strategies, including blocking CIDR IP ranges associated with Proton66 and Chang Way Technologies, which are linked to the infrastructure used in these campaigns. The campaigns utilize a variety of tactics, techniques, and procedures (TTPs) such as phishing (T1566), credential theft (T1552), persistence mechanisms (T1547), exploitation of public-facing applications (T1190), and execution of malicious scripts (T1059). This multi-vector approach increases the complexity and potential impact of the threat.

Detailed information about Part 2: Compromised WordPress Pages and Malware Campaigns. Get real-time updates, technical details, and mitigation strategies.

Part 2: Compromised WordPress Pages and Malware Campaigns - Live Threat Intelligence - Threat Radar | OffSeq.com

Part 2: Compromised WordPress Pages and Malware Campaigns

A deceptive HWP document, masquerading as a reunification education support application, was discovered on March 5. The document, when opened, creates multiple files in the TEMP folder, including a malicious BAT file. This BAT file executes various actions to ensure persistent malware operation, including registering task schedulers and executing additional malicious files. The malware ultimately accesses an external URL to download and execute additional files, allowing threat actors to execute various commands. This incident is part of a recent trend of malware distribution using HWP documents, with attacks now targeting the general public rather than specific users. Users are advised to be cautious and keep their security software updated.

This threat involves a malicious Hangul Word Processor (HWP) document disguised as a reunification education support application. Upon opening, the document drops multiple files into the TEMP directory, including a malicious batch (BAT) file. This BAT file is designed to establish persistence on the infected system by registering scheduled tasks, which ensures the malware continues to operate even after system reboots. Additionally, the BAT file executes further malicious payloads. The malware then reaches out to an external URL to download and execute additional files, enabling threat actors to remotely execute arbitrary commands on the compromised system. This attack vector leverages social engineering by masquerading as a legitimate application related to reunification education, increasing the likelihood of user interaction. Notably, this campaign marks a shift from targeting specific users to a broader audience, including the general public. The use of HWP documents is significant because they are widely used in South Korea and some other regions, and their exploitation is becoming a favored method for malware distribution. The campaign does not currently have known exploits in the wild beyond the described behavior, and no specific affected software versions or patches are identified. The medium severity rating reflects the potential for system compromise and persistence but does not indicate immediate widespread exploitation or critical vulnerabilities in software components.

Detailed information about Malicious HWP Document Disguised as Reunification Education Support Application. Get real-time updates, technical details, and mitiga

Title	Severity	Type	Source	Date

Threats Affecting South Korea

Filter Threats

Threats Affecting South Korea

Keyboard Shortcuts

Navigation

Search & Filters

UI Controls

Accessibility