Reddit NetSec

CVE Database V5

AlienVault OTX General

Exploit-DB RSS Feed

Reddit InfoSec News

CIRCL OSINT Feed

ThreatFox MISP Feed

AlienVault OTX Vulnerabilities

AlienVault OTX Malware

This comprehensive analysis covers cyber threats targeting financial companies in Korea and globally. It examines malware and phishing cases, top 10 malware strains, and statistics on leaked Korean accounts. The report delves into major financial threats on the dark web, including credit card data breaches, database breaches, and ransomware attacks. A notable case involves the Arkana ransomware group's breach of a global online brokerage firm, In***, resulting in the theft of 50 GB of customer data, including KYC submissions and information of over 163,000 customers. The incident highlights vulnerabilities in trading platforms' identity verification and account protection systems, emphasizing the need for enhanced security measures beyond regulatory compliance.

The May 2025 Security Issues campaign highlights a series of cyber threats targeting financial institutions primarily in South Korea but with global implications. The campaign details multiple attack vectors including malware infections, phishing campaigns, and ransomware attacks, with a focus on the financial sector. Key malware strains are identified among the top 10 most prevalent, contributing to data breaches and account compromises. A significant incident involved the Arkana ransomware group breaching a global online brokerage firm, resulting in the theft of approximately 50 GB of sensitive customer data. This data included Know Your Customer (KYC) submissions and personal information of over 163,000 customers, exposing critical vulnerabilities in identity verification and account protection mechanisms within trading platforms. The campaign also discusses the presence of stolen financial data on the dark web, including credit card and database breaches, which facilitate identity theft and fraud. The threat actors employ a range of tactics, techniques, and procedures (TTPs) such as ransomware deployment (T1486), data destruction (T1489), credential access (T1078), phishing (T1566), and command and control communications (T1071). The campaign underscores that existing regulatory compliance measures are insufficient to mitigate these risks, emphasizing the need for enhanced security controls tailored to the unique challenges of financial services platforms. Indicators of compromise include multiple malware hashes linked to the Arkana group and associated ransomware families like LockBit. Although no known exploits in the wild are reported, the campaign reflects ongoing and evolving threats to financial institutions' confidentiality, integrity, and availability of data and services.

Detailed information about May 2025 Security Issues in Korean & Global Financial Sector. Get real-time updates, technical details, and mitigation strategies.

May 2025 Security Issues in Korean & Global Financial Sector - Live Threat Intelligence - Threat Radar | OffSeq.com

May 2025 Security Issues in Korean & Global Financial Sector

The Genians Security Center (GSC) detected an APT (Advanced Persistent Threat) campaign targeting users of Facebook, email, and Telegram in Korea between March and April 2025. The threat actor explored reconnaissance and selected attack targets through two Facebook accounts.

The threat detailed is an Advanced Persistent Threat (APT) campaign attributed to the Kimsuky group, a known North Korean state-sponsored actor. This campaign, detected by the Genians Security Center (GSC), targeted users primarily in South Korea between March and April 2025. The attack vector leveraged social media and communication platforms including Facebook, email, and Telegram to conduct reconnaissance and select targets. The adversary used two Facebook accounts for initial reconnaissance, indicating a targeted approach rather than broad indiscriminate attacks. The campaign is characterized by a 'Triple Combo' threat methodology, involving multiple stages and tools to achieve persistence and data exfiltration.

Technical analysis reveals the use of various malware components, including DLL files protected by VMProtect, PowerShell scripts, and shellcode execution techniques. The campaign employs obfuscation and evasion tactics such as code injection (T1055), command and scripting interpreter abuse (T1059), and persistence mechanisms (T1547). The threat actor also uses social engineering (T1566) and user execution (T1204) to trick victims into executing malicious payloads. Indicators of compromise include numerous file hashes (MD5, SHA1, SHA256) and domains primarily associated with Korean infrastructure (e.g., *.n-e.kr, *.o-r.kr, *.p-e.kr) and some international domains (e.g., download.uberlingen.com).

The campaign’s focus on Facebook, email, and Telegram suggests exploitation of widely used communication channels to infiltrate target networks. The use of multiple platforms increases the attack surface and complicates detection. The lack of known exploits in the wild indicates the campaign is currently limited in scope or newly discovered. The campaign’s medium severity rating reflects a moderate but credible threat level, given the sophistication and persistence of the Kimsuky group. The attack techniques align with MITRE ATT&CK tactics such as reconnaissance, execution, persistence, privilege escalation, defense evasion, credential access, and exfiltration.

Overall, this APT campaign demonstrates a multi-faceted, targeted attack leveraging social engineering and advanced malware to compromise selected users and organizations, primarily in South Korea but with potential implications for other regions.

SHA256 of 8346d90508b5d41d151b7098c7a3e868

SHA256 of 537806c02659a12c5b21efa51b2322c1

SHA256 of 7a0c0a4c550a95809e93ab7e6bdcc290

Detailed information about Analysis of the Triple Combo Threat of the Kimsuky Group. Get real-time updates, technical details, and mitigation strategies.

Analysis of the Triple Combo Threat of the Kimsuky Group - Live Threat Intelligence - Threat Radar | OffSeq.com

Analysis of the Triple Combo Threat of the Kimsuky Group

APT37, a North Korean state-sponsored hacking group, launched a spear phishing campaign targeting activists focused on North Korea. The attack involved emails with Dropbox links to malicious LNK files, which when executed, activated additional malware. The group utilized legitimate cloud services as Command and Control servers, a tactic known as 'Living off Trusted Sites.' The malware, identified as RoKRAT, collected system information, captured screenshots, and exfiltrated data to cloud-based C2 servers. The campaign, named 'Operation: ToyBox Story,' employed sophisticated techniques including fileless attacks and multiple encryption layers to evade detection. The threat actors impersonated academic events and used decoy documents to lure targets, highlighting the need for advanced endpoint detection and response solutions.

The threat described involves a sophisticated cyber espionage campaign dubbed 'Operation ToyBox Story,' attributed to APT37, a North Korean state-sponsored advanced persistent threat group. The campaign targets activists focused on North Korea by leveraging spear phishing emails containing Dropbox links to malicious LNK (Windows shortcut) files. When victims execute these LNK files, they trigger the deployment of RoKRAT malware, which is capable of collecting extensive system information, capturing screenshots, and exfiltrating sensitive data to cloud-based Command and Control (C2) servers. APT37 employs 'Living off the Land' tactics by using legitimate cloud services as C2 infrastructure, complicating detection and attribution efforts. The malware utilizes fileless attack techniques and multiple layers of encryption to evade traditional endpoint security solutions. The threat actors also impersonate academic events and use decoy documents to increase the likelihood of successful compromise. The campaign exploits CVE-2022-41128, a known vulnerability, although no known exploits in the wild have been reported. The attack chain includes reconnaissance, initial access via spear phishing, execution of malicious LNK files, persistence, credential access, command and control communication, and data exfiltration. The use of legitimate cloud services for C2 and fileless techniques indicates a high level of operational security and sophistication, requiring advanced endpoint detection and response (EDR) capabilities for effective mitigation.

Detailed information about Analysis of APT37 Attack Case Disguised as a Think Tank for National Security Strategy in South Korea (Operation ToyBox Story). Get r

Analysis of APT37 Attack Case Disguised as a Think Tank for National Security Strategy in South Korea (Operation ToyBox Story) - Live Threat Intelligence - Threat Radar | OffSeq.com

Analysis of APT37 Attack Case Disguised as a Think Tank for National Security Strategy in South Korea (Operation ToyBox Story)

A series of attacks targeting Korean Internet cafés have been identified, focusing on systems with specific management software installed. The threat actor, active since 2022, uses Gh0st RAT for system control and ultimately installs T-Rex CoinMiner for cryptocurrency mining. The initial access method remains unknown. The attacks involve memory patching of management software and use of downloaders. The malware suite includes Gh0st RAT, its droppers, patchers, downloaders, and T-Rex CoinMiner. Unlike typical coin mining operations using XMRig for Monero, this actor employs T-Rex, likely due to the presence of high-performance GPUs in Internet café PCs. The attacks have been ongoing since late 2024, prompting responses from management software manufacturers.

The T-Rex CoinMiner campaign targets Internet cafés in South Korea by exploiting systems running specific management software. Active since 2022 and continuing into late 2024, the threat actor employs a multi-stage malware suite comprising Gh0st RAT for remote access and control, along with droppers, patchers, and downloaders to facilitate infection and persistence. The initial infection vector remains unidentified, but the attack involves memory patching of the management software to evade detection and maintain control. Unlike common cryptocurrency mining malware that uses XMRig to mine Monero, this actor uses T-Rex CoinMiner, optimized for GPUs, reflecting the high-performance graphics hardware typical in Internet café PCs. The campaign's infrastructure includes multiple IP addresses and malware hashes associated with the Gh0st RAT and T-Rex CoinMiner components. The use of Gh0st RAT indicates the attacker can remotely control infected systems, potentially exfiltrating data or deploying additional payloads. The campaign does not currently have known exploits in the wild for the management software, suggesting the attacker may be leveraging unknown vulnerabilities or social engineering for initial access. The ongoing nature of the attacks has prompted responses from the affected software vendors, indicating active mitigation efforts. The campaign's tactics align with MITRE ATT&CK techniques T1583 (Acquire Infrastructure) and T1496 (Resource Hijacking), highlighting the adversary's focus on establishing control infrastructure and illicit cryptocurrency mining. Overall, this campaign demonstrates a sophisticated approach combining stealthy persistence, targeted exploitation of niche software environments, and resource-intensive cryptocurrency mining leveraging GPU capabilities.

Detailed information about Analysis of T-Rex CoinMiner Attacks Targeting Internet Cafés in Korea. Get real-time updates, technical details, and mitigation strat

Analysis of T-Rex CoinMiner Attacks Targeting Internet Cafés in Korea - Live Threat Intelligence - Threat Radar | OffSeq.com

Analysis of T-Rex CoinMiner Attacks Targeting Internet Cafés in Korea

OSINT Duuzer back door Trojan targets South Korea to take over computers by Symantec

The Duuzer backdoor Trojan is a malware threat identified by Symantec that primarily targets computers in South Korea. As a backdoor Trojan, Duuzer is designed to provide unauthorized remote access and control over infected systems, enabling attackers to execute arbitrary commands, exfiltrate data, and potentially deploy additional malicious payloads. The malware operates stealthily to maintain persistence and evade detection, often leveraging OSINT (Open Source Intelligence) techniques to tailor its attacks or identify valuable targets. Although the specific infection vectors and affected software versions are not detailed, the Trojan’s capability to take over computers indicates it compromises system confidentiality, integrity, and availability. The absence of known exploits in the wild suggests limited propagation or targeted use, possibly in espionage or cybercrime campaigns. The threat level and analysis scores of 2 (on an unspecified scale) and the medium severity rating reflect a moderate risk profile, emphasizing the need for vigilance, especially in environments with potential geopolitical or strategic interest. Given its focus on South Korea, the malware may exploit region-specific vulnerabilities or social engineering tactics aligned with local user behavior or language. The lack of patch information and detailed technical indicators limits the ability to perform signature-based detection, necessitating behavioral and heuristic analysis for identification and mitigation.

Detailed information about OSINT Duuzer back door Trojan targets South Korea to take over computers by Symantec. Get real-time updates, technical details, and m

OSINT Duuzer back door Trojan targets South Korea to take over computers by Symantec - Live Threat Intelligence - Threat Radar | OffSeq.com

OSINT -  Over 100,000 South Korean Users Affected by BlackMoon Campaign

The BlackMoon campaign is an open-source intelligence (OSINT) reported threat that has affected over 100,000 users in South Korea. The campaign appears to be a large-scale operation targeting individual users rather than specific software or hardware vulnerabilities. Given the lack of detailed technical indicators, affected versions, or exploit descriptions, the campaign likely involves social engineering, phishing, or other non-technical attack vectors aimed at compromising user data or access. The campaign's low severity rating and absence of known exploits in the wild suggest that the threat may be limited in scope or impact, possibly focusing on information gathering or low-level intrusion attempts rather than destructive or highly disruptive attacks. The technical details indicate a moderate threat level (3) and analysis rating (2), which aligns with a campaign that is noteworthy but not critically dangerous. The lack of patch links or CWEs further supports that this is not a vulnerability-based attack but rather a campaign leveraging OSINT techniques to target users. Overall, the BlackMoon campaign represents a persistent, low-severity threat primarily affecting South Korean users through non-technical means.

Detailed information about OSINT -  Over 100,000 South Korean Users Affected by BlackMoon Campaign. Get real-time updates, technical details, and mitigation str

Title	Severity	Type	Source	Date

Threats Affecting South Korea

Filter Threats

Threats Affecting South Korea