Src |
Date (GMT) |
Title |
Description |
Tags |
Stories |
Notes |
 |
2025-05-07 10:17:41 |
BlueNoroff (direct link) |
>also known as HEUR:Trojan-Downloader.OSX.Lazarus.gen
Type: Hybrid Threat
Platform: Mac OS 9
Last updated: 11/28/24 7:01 am
Threat Level: High
Description
This malware installs a backdoor for remote command execution and abuses the zshenv configuration file for persistence, bypassing macOS's security mechanisms such as Login Items notifications.
BlueNoroff Threat Removal
MacScan can detect and remove the BlueNoroff Hybrid Threat from your system, as well as provide protection against other security and privacy threats. A 30-day trial is available to scan your system for this threat.
Download MacScan
|
Malware
Threat
|
APT 38
|
★★
|
 |
2025-04-25 17:34:28 |
North Korean APT Hackers Pose as Companies to Spread Malware to Job Seekers (direct link) |
>Silent Push Threat Analysts have uncovered a chilling new cyberattack campaign orchestrated by the North Korean Advanced Persistent Threat (APT) group known as Contagious Interview, also referred to as Famous Chollima, a subgroup of the notorious Lazarus group. This state-sponsored entity has been implicated in numerous sophisticated cyber-espionage efforts targeting global industries, with a particular […]
|
Malware
Threat
|
APT 38
|
★★★
|
 |
2025-04-24 19:41:00 |
Lazarus Hits 6 South Korean Firms via Cross EX, Innorix Zero-Day and ThreatNeedle Malware (direct link) |
At least six organizations in South Korea have been targeted by the prolific North Korea-linked Lazarus Group as part of a campaign dubbed Operation SyncHole.
The activity targeted South Korea's software, IT, financial, semiconductor manufacturing, and telecommunications industries, according to a report from Kaspersky published today. The earliest evidence of compromise was first detected in |
Malware
Vulnerability
Threat
|
APT 38
|
★★★
|
 |
2025-04-24 17:07:50 |
Lazarus APT Targets Organizations by Exploiting One-Day Vulnerabilities (direct link) |
>A recent cyber espionage campaign by the notorious Lazarus Advanced Persistent Threat (APT) group, tracked as “Operation SyncHole,” has compromised at least six South Korean organizations across the software, IT, financial, semiconductor, and telecommunications sectors since November 2024. According to detailed research, the attackers employed a combination of watering hole attacks and exploited vulnerabilities in widely […]
|
Vulnerability
Threat
|
APT 38
|
★★★
|
 |
2025-04-24 15:13:32 |
Lazarus hackers breach six companies in watering hole attacks (direct link) |
In a recent espionage campaign, the infamous North Korean threat group Lazarus targeted multiple organizations in the software, IT, finance, and telecommunications sectors in South Korea. [...] |
Threat
|
APT 38
|
★★★
|
 |
2025-04-24 09:27:52 |
Kaspersky uncovers new Lazarus cyberattacks targeting South Korean supply chains (direct link) |
Kaspersky uncovers new Lazarus cyberattacks targeting South Korean supply chains
-
Malware |
|
APT 38
|
★★★
|
 |
2025-04-24 05:00:04 |
Operation SyncHole: Lazarus APT goes back to the well (direct link) |
Kaspersky GReAT experts uncovered a new campaign by Lazarus APT that exploits vulnerabilities in South Korean software products and uses a watering hole approach. |
Vulnerability
|
APT 38
|
★★★
|
 |
2025-04-16 02:46:50 |
APT Rogues' Gallery: The World's Most Dangerous Cyber Adversaries (direct link) |
Advanced Persistent Threat (APT) groups are not a new scourge. These sophisticated, state-sponsored cyber adversaries, with deep pockets and highly advanced technical skills, conduct prolonged and targeted attacks to infiltrate networks, exfiltrate sensitive data, and disrupt critical infrastructure. The stakes have never been higher, so in this blog we'll look at some of the most notorious APT actors, their unique Tactics, Techniques, and Procedures (TTPs), and attacks attributed to them, and offer a few tips on how to defend against them. The Lazarus Group Originating from North Korea, the... |
Threat
Technical
|
APT 38
|
★★★
|
 |
2025-04-03 17:52:00 |
Lazarus Group Targets Job Seekers With ClickFix Tactic to Deploy GolangGhost Malware (direct link) |
The North Korean threat actors behind Contagious Interview have adopted the increasingly popular ClickFix social engineering tactic to lure job seekers in the cryptocurrency sector and deliver a previously undocumented Go-based backdoor called GolangGhost on Windows and macOS systems.
The new activity, assessed to be a continuation of the campaign, has been codenamed ClickFake Interview by |
Malware
Threat
|
APT 38
|
★★★
|
 |
2025-04-02 10:45:54 |
Lazarus Uses ClickFix Tactics in Fake Cryptocurrency Job Attacks (direct link) |
>North Korea's Lazarus hackers are using the ClickFix technique for malware deployment in fresh attacks targeting the cryptocurrency ecosystem.
|
Malware
|
APT 38
|
★★★
|
 |
2025-04-01 13:21:21 |
Lazarus APT Jumps on ClickFix Bandwagon in Recent Attacks (direct link) |
A continuation of the North Korean nation-state threat's campaign against employment seekers uses the social engineering attack to target CeFi organizations with the GolangGhost backdoor. |
Threat
|
APT 38
|
★★
|
 |
2025-03-31 15:00:00 |
ClickFake Interview Campaign by Lazarus Targets Crypto Job Seekers (direct link) |
New “ClickFake Interview” campaign attributed to the Lazarus Group targets crypto professionals with fake job offers |
|
APT 38
|
★★★
|
 |
2025-03-31 11:56:54 |
North Korean hackers adopt ClickFix attacks to target crypto firms (direct link) |
The notorious North Korean Lazarus hacking group has reportedly adopted 'ClickFix' tactics to deploy malware targeting job seekers in the cryptocurrency industry, particularly centralized finance (CeFi). [...] |
Malware
|
APT 38
|
★★★
|
 |
2025-03-22 13:02:00 |
U.S. Treasury Lifts Tornado Cash Sanctions Amid North Korea Money Laundering Probe (direct link) |
The U.S. Treasury Department has announced that it's removing sanctions against Tornado Cash, a cryptocurrency mixer service that has been accused of aiding the North Korea-linked Lazarus Group to launder their ill-gotten proceeds.
"Based on the Administration's review of the novel legal and policy issues raised by use of financial sanctions against financial and commercial activity occurring |
Commercial
|
APT 38
|
★★
|
 |
2025-03-12 22:31:17 |
Lazarus Group deceives developers with 6 new malicious npm packages (direct link) |
>Socket researchers said the malware-ridden packages were collectively downloaded over 330 times. GitHub removed all of the malicious packages Wednesday.
|
|
APT 38
|
★★
|
 |
2025-03-12 00:15:21 |
Lazarus Group Hid Backdoor in Fake npm Packages in Latest Attack (direct link) |
Lazarus Group targets developers with malicious npm packages, stealing credentials and crypto and installing a backdoor. Stay alert to protect your projects. |
|
APT 38
|
★★
|
 |
2025-03-10 01:11:47 |
North Korean hackers cash out hundreds of millions from $1.5bn ByBit hack (direct link) |
Hackers from the infamous Lazarus Group are in a cat-and-mouse game to launder their stolen funds from the ByBit heist. |
Hack
|
APT 38
|
★★★
|
 |
2025-03-05 13:03:46 |
Det. Eng. Weekly #105 - I'm assembling a team (direct link) |
Let's take out Lazarus. |
|
APT 38
|
★★
|
 |
2025-03-03 14:05:24 |
How North Korea Executed the Largest Crypto Heist Ever (direct link) |
North Korea's Lazarus Group pulled off the $1.5B Bybit hack, making it the biggest crypto heist ever. Here's how they did it, and what's next. |
Hack
|
APT 38
|
★★★
|
 |
2025-02-27 15:28:39 |
FBI urges crypto community to avoid laundering funds from Bybit hack (direct link) |
The bureau attributed the $1.5 billion hack to the North Korean threat actor known as TraderTraitor, or Lazarus, following similar assessments by cybersecurity researchers. |
Hack
Threat
|
APT 38
|
★★★
|
 |
2025-02-27 12:45:00 |
Bybit Hack Traced to Safe{Wallet} Supply Chain Attack Exploited by North Korean Hackers (direct link) |
The U.S. Federal Bureau of Investigation (FBI) formally linked the record-breaking $1.5 billion Bybit hack to North Korean threat actors, as the company's CEO Ben Zhou declared a "war against Lazarus."
The agency said the Democratic People's Republic of Korea (North Korea) was responsible for the theft of the virtual assets from the cryptocurrency exchange, attributing it to a specific cluster |
Hack
Threat
|
APT 38
|
★★★
|
 |
2025-02-27 09:35:00 |
FBI Confirms North Korea's Lazarus Group as Bybit Crypto Hackers (direct link) |
FBI confirms North Korea's Lazarus Group responsible for Bybit crypto heist |
|
APT 38
|
★★★
|
 |
2025-02-26 23:49:20 |
Bybit declares war on North Korea's Lazarus crime-ring to regain $1.5B stolen from wallet (direct link) |
Up to $140M in bounty rewards for return of Ethereum allegedly pilfered by hermit nation
Cryptocurrency exchange Bybit, just days after suspected North Korean operatives stole $1.5 billion in Ethereum from it, has launched a bounty program to help recover its funds.… |
|
APT 38
APT 37
|
★★★
|
 |
2025-02-25 18:49:07 |
Crypto analysts stunned by Lazarus Group's capabilities in $1.46B Bybit theft (direct link) |
>The amount stolen last week surpasses what the group was able to steal in all of 2024.
|
|
APT 38
|
★★★★
|
 |
2025-02-25 10:16:39 |
North Korea's Lazarus Pulls Off Biggest Crypto Heist in History (direct link) |
Cyberattackers believed to be affiliated with the state-sponsored threat group pulled off the largest crypto heist reported to date, stealing $1.5 billion from the exchange Bybit. It was carried out by interfering with a routine transfer between wallets. |
Threat
|
APT 38
|
★★★★
|
 |
2025-02-24 18:28:46 |
North Korea's Lazarus hackers behind $1.4 billion crypto theft from Bybit, researchers say (direct link) |
Cybersecurity researchers say North Korean hackers are behind the largest cryptocurrency heist in history and are actively laundering the more than $1.4 billion in cryptocurrency stolen from the Bybit exchange on Friday. |
|
APT 38
|
★★★★
|
 |
2025-02-24 18:25:49 |
EU sanctions North Korean tied to Lazarus group over involvement in Ukraine war (direct link) |
The latest package of EU sanctions related to Russia's invasion of Ukraine included the leader of the North Korean intelligence agency known for backing the Lazarus group and other high-profile hacking operations. |
|
APT 38
|
★★★
|
 |
2025-02-23 20:13:39 |
Investigators Link $1.4B Bybit Hack to North Korea's Lazarus Group (direct link) |
Investigators link the $1.4B Bybit hack to North Korea's Lazarus Group, exposing a major crypto heist tied to state-backed cybercrime and money laundering. |
Hack
|
APT 38
|
★★
|
 |
2025-02-14 23:58:00 |
Lazarus Group Deploys Marstech1 JavaScript Implant in Targeted Developer Attacks (direct link) |
The North Korean threat actor known as the Lazarus Group has been linked to a previously undocumented JavaScript implant named Marstech1 as part of limited targeted attacks against developers.
The active operation has been dubbed Marstech Mayhem by SecurityScorecard, with the malware delivered by means of an open-source repository hosted on GitHub that's associated with a profile named " |
Malware
Threat
|
APT 38
|
★★
|
 |
2025-02-13 10:15:00 |
North Korea Targets Crypto Devs Through NPM Packages (direct link) |
SecurityScorecard has uncovered a sophisticated campaign linked to North Korea's Lazarus Group, distributing crypto-stealing malware |
Malware
|
APT 38
|
★★★
|
 |
2025-02-11 20:00:00 |
Cybercrime: A Multifaceted National Security Threat (direct link) |
Executive Summary
Cybercrime makes up a majority of the malicious activity online and occupies the majority of defenders' resources. In 2024, Mandiant Consulting responded to almost four times more intrusions conducted by financially motivated actors than state-backed intrusions. Despite this overwhelming volume, cybercrime receives much less attention from national security practitioners than the threat from state-backed groups. While the threat from state-backed hacking is rightly understood to be severe, it should not be evaluated in isolation from financially motivated intrusions.
A hospital disrupted by a state-backed group using a wiper and a hospital disrupted by a financially motivated group using ransomware have the same impact on patient care. Likewise, sensitive data stolen from an organization and posted on a data leak site can be exploited by an adversary in the same way data exfiltrated in an espionage operation can be. These examples are particularly salient today, as criminals increasingly target and leak data from hospitals. Healthcare's share of posts on data leak sites has doubled over the past three years, even as the number of data leak sites tracked by Google Threat Intelligence Group has increased by nearly 50% year over year. The impact of these attacks means that they must be taken seriously as a national security threat, no matter the motivation of the actors behind them.
Cybercrime also facilitates state-backed hacking by allowing states to purchase cyber capabilities, or co-opt criminals to conduct state-directed operations to steal data or engage in disruption. Russia has drawn on criminal capabilities to fuel the cyber support to their war in Ukraine. GRU-linked APT44 (aka Sandworm), a unit of Russian military intelligence, has employed malware available from cybercrime communities to conduct espionage and disruptive operations in Ukraine, and CIGAR (aka RomCom), a group that historically focused on cybercrime, has conducted espionage operations against the Ukrainian government since 2022. However, this is not limited to Russia. Iranian threat groups deploy ransomware to raise funds while simultaneously conducting espionage, and Chinese espionage groups often supplement their income with cybercrime. Most notably, North Korea uses state-backed groups to directly generate revenue for the regime. North Korea has heavily targeted cryptocurrencies, compromising exchanges and individual victims' crypto wallets.
Despite the overlaps in effects and collaboration with states, tackling the root causes of cybercrime requires fundamentally different solutions. Cybercrime involves collaboration between disparate groups often across borders and without respect to sovereignty. Any solution requires international cooperation by both law enforcement and intelligence agencies to track, arrest, and prosecute these criminals. Individual takedowns can have important temporary effects, but the collaborative nature of cybercrime means that the disrupted group will be quickly replaced by others offering the same service. Achieving broader success will require collaboration between countries and public and private sectors on systemic solutions such as increasing education and resilience efforts.
|
Ransomware
Malware
Tool
Vulnerability
Threat
Legislation
Medical
Cloud
Technical
|
APT 41
APT 38
APT 29
APT 43
APT 44
|
★★★
|
 |
2025-02-06 14:50:00 |
Lazarus Group Targets Bitdefender Researcher with LinkedIn Recruiting Scam (direct link) |
A Bitdefender researcher was targeted by North Korea's Lazarus with the lure of a fake job offer |
|
APT 38
|
★★★
|
 |
2025-02-05 20:25:00 |
Cross-Platform JavaScript Stealer Targets Crypto Wallets in New Lazarus Group Campaign (direct link) |
The North Korea-linked Lazarus Group has been linked to an active campaign that leverages fake LinkedIn job offers in the cryptocurrency and travel sectors to deliver malware capable of infecting Windows, macOS, and Linux operating systems.
According to cybersecurity company Bitdefender, the scam begins with a message sent on a professional social media network, enticing targets with the promise of |
Malware
|
APT 38
|
★★★
|
 |
2025-01-29 23:51:45 |
North Koreans clone open source projects to plant backdoors, steal credentials (direct link) |
Stealing crypto is so 2024. Supply-chain attacks leading to data exfil pay off better? North Korea's Lazarus Group compromised hundreds of victims across the globe in a massive secret-stealing supply chain attack that was ongoing as of earlier this month, according to security researchers.… |
|
APT 38
|
★★★
|
 |
2025-01-29 22:26:00 |
Lazarus Group Uses React-Based Admin Panel to Control Global Cyber Attacks (direct link) |
The North Korean threat actor known as the Lazarus Group has been observed leveraging a "web-based administrative platform" to oversee its command-and-control (C2) infrastructure, giving the adversary the ability to centrally supervise all aspects of their campaigns.
"Each C2 server hosted a web-based administrative platform, built with a React application and a Node.js API," SecurityScorecard's |
Threat
|
APT 38
|
★★★
|
 |
2025-01-29 21:39:00 |
Researchers Uncover Lazarus Group Admin Layer for C2 Servers (direct link) |
The threat actor is using a sophisticated network of VPNs and proxies to centrally manage command and control servers from Pyongyang. |
Threat
|
APT 38
|
★★★
|
 |
2025-01-25 20:07:25 |
Hackers Using RID Hijacking To Create Admin Accounts In Windows (direct link) |
Cybersecurity researchers at AhnLab have discovered that a North Korean threat group uses malicious files to hijack RIDs and grant admin access to low-privilege Windows accounts.
According to ASEC researchers, AhnLab’s security intelligence center, the hacking group behind the attack is the “Andariel” threat group, linked to North Korea’s Lazarus hacker group.
“RID Hijacking is an attack technique that involves modifying the RID value of an account with low privileges, such as a regular user or a guest account, to match the RID value of an account with higher privileges (Administrator). By modifying the RID value, threat actors can deceive the system into treating the account as having administrator privileges,” AhnLab wrote in a blog post published on Thursday.
In Windows, a Relative Identifier (RID) is the final component of a Security Identifier (SID), which uniquely identifies each user and group within a domain or on a local machine. For instance, the built-in Administrator account has a RID of 500, the Guest account has 501, the Domain Admins group has 512, and regular user accounts are assigned RIDs starting from 1000.
In a RID hijacking attack, hackers change the RID of a low-privilege account to the same value as an administrator account. As a result, Windows grants administrative privileges to the account.
However, to pull this off, attackers need access to the SAM (Security Account Manager) registry, which requires them to already have SYSTEM-level access to the targeted machine for modification.
Attackers typically use tools such as PsExec and JuicyPotato to escalate their privileges and launch a SYSTEM-level command prompt.
While SYSTEM access is the highest privilege in Windows, it has certain limitations: it doesn't allow remote access, cannot interact with GUI apps, generates noisy activity that can be easily detected, and doesn't persist after a system reboot.
To work around these issues, Andariel first created a hidden, low-privilege local user account by appending a “$” character to its username.
This made the account invisible in regular listings but still accessible in the SAM registry. The attackers then carried out RID hijacking to escalate the account’s privileges to the administrator level.
According to the researchers, Andariel added the modified account to the Remote Desktop Users and Administrators groups, giving them more control over the system.
The group tweaked the SAM registry using custom malware and an open-source tool to execute the RID hijacking.
Although SYSTEM access could allow the direct creation of administrator accounts, this method is less conspicuous, making it difficult to detect and prevent.
To avoid detection, Andariel also exported and backed up the modified registry settings, deleted the rogue account, and restored it later from the backup when needed, bypassing system logs and making detection even harder.
To reduce the risk of RID hijacking, system administrators should implement proactive measures such as:
Using the Local Security Authority (LSA) Subsystem Service to monitor unusual login attempts and password changes.
Preventing unauthorized access to the SAM registry hive.
Restricting the use of tools like PsExec and JuicyPotato.
Disabling guest accounts.
Enforcing multi-factor authentication (MFA) for all user accounts, including low-privileged ones.
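The artifacts the article describes (a '$'-suffixed local account, its addition to the Administrators and Remote Desktop Users groups, and a logon carrying the hijacked RID) can be hunted for in Windows Security-log records. The following is an added Python example, not AhnLab's or the article's code; the event IDs are standard Windows audit events, the machine SID and account names are constructed, and the assumption that a hijacked account logs on with the hijacked RID in its SID is stated in a comment.

```python
"""Detection logic for the RID-hijacking pattern above, run over constructed
Windows Security-log records (added example, not AhnLab's or the article's code)."""
from dataclasses import dataclass

ADMIN_RID = 500                               # RID of the built-in Administrator
PRIVILEGED_GROUPS = {"S-1-5-32-544": "Administrators",
                     "S-1-5-32-555": "Remote Desktop Users"}


@dataclass
class Finding:
    rule: str
    account: str
    detail: str


def rid_of(sid: str) -> int:
    """The Relative Identifier is the last sub-authority of a SID string."""
    return int(sid.rsplit("-", 1)[1])


def hunt_rid_hijack(events, builtin_admin_name="Administrator"):
    """Apply three rules to event dicts carrying a subset of Security-log fields.

    builtin_admin_name: the RID-500 account can be renamed; pass its local name.
    Computer accounts legitimately end in '$' on domain controllers, so the '$'
    rules are meant for workstation and member-server local SAM databases."""
    findings, hidden = [], set()
    for ev in events:
        eid = ev["EventID"]
        if eid == 4720:                       # a user account was created
            name = ev["TargetUserName"]
            if name.endswith("$"):            # '$' suffix hides it from listings
                hidden.add(name)
                findings.append(Finding("hidden-account-created", name,
                                        "local account name ends with '$'"))
        elif eid == 4732:                     # member added to a local group
            group = PRIVILEGED_GROUPS.get(ev["TargetSid"])
            member = ev["MemberName"]
            if group and (member in hidden or member.endswith("$")):
                findings.append(Finding("hidden-account-privileged", member,
                                        f"added to {group}"))
        elif eid == 4624:                     # successful logon
            name, sid = ev["TargetUserName"], ev["TargetUserSid"]
            # Assumption: a hijacked account's logon token carries the hijacked
            # RID, so its SID ends in -500 while the name is not the admin's.
            if rid_of(sid) == ADMIN_RID and name != builtin_admin_name:
                findings.append(Finding("rid-hijack-logon", name,
                                        f"logged on with RID-500 SID {sid}"))
    return findings


# Constructed sample records (fictional machine SID S-1-5-21-11-22-33).
SAMPLE_EVENTS = [
    {"EventID": 4720, "TargetUserName": "svc_backup$",
     "TargetSid": "S-1-5-21-11-22-33-1005"},
    {"EventID": 4732, "TargetSid": "S-1-5-32-544", "MemberName": "svc_backup$"},
    {"EventID": 4732, "TargetSid": "S-1-5-32-555", "MemberName": "svc_backup$"},
    {"EventID": 4732, "TargetSid": "S-1-5-32-544", "MemberName": "alice"},
    {"EventID": 4624, "TargetUserName": "svc_backup$",
     "TargetUserSid": "S-1-5-21-11-22-33-500"},
    {"EventID": 4624, "TargetUserName": "Administrator",
     "TargetUserSid": "S-1-5-21-11-22-33-500"},
    {"EventID": 4624, "TargetUserName": "alice",
     "TargetUserSid": "S-1-5-21-11-22-33-1001"},
]

if __name__ == "__main__":
    for f in hunt_rid_hijack(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.account}: {f.detail}")
```

Real deployments would feed the same dicts from exported EVTX/XML or a SIEM query; the "hidden-account-privileged" rule also catches the group additions without the creation event having been retained.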
Cybersecurity researchers at AhnLab have discovered that a North Korean threat group uses malicious files to hijack RIDs and grant admin access to low-privilege Windows accounts.
According to ASEC researchers, AhnLab’s security intelligence center, the hacking group behind the attack is the “Andariel” threat group, linked to North Korea’s Lazarus hacker group.
|
Malware
Tool
Threat
|
APT 38
APT 45
|
★★
|
 |
2025-01-17 15:30:00 |
Lazarus Group Targets Developers in New Data Theft Campaign (lien direct) |
SecurityScorecard identified a new campaign in which the North Korean Lazarus group aims to steal source code, secrets and cryptocurrency wallet keys from developer environments
|
|
APT 38
|
★★★
|
 |
2025-01-15 21:07:00 |
Lazarus Group Targets Web3 Developers with Fake LinkedIn Profiles in Operation 99 (lien direct) |
The North Korea-linked Lazarus Group has been attributed to a new cyber attack campaign dubbed Operation 99 that targeted software developers looking for freelance Web3 and cryptocurrency work to deliver malware.
"The campaign begins with fake recruiters, posing on platforms like LinkedIn, luring developers with project tests and code reviews," Ryan Sherstobitoff, senior vice president of Threat
|
Malware
Threat
|
APT 38
|
★★
|
 |
2025-01-15 16:02:08 |
North Korea's Lazarus APT Evolves Developer-Recruitment Attacks (lien direct) |
"Operation 99" uses job postings to lure freelance software developers into downloading malicious Git repositories. From there, malware infiltrates developer projects to steal source code, secrets, and cryptocurrency.
|
Malware
|
APT 38
|
★★
|
 |
2025-01-15 15:47:12 |
US, Japan and S. Korea urge crypto industry to take action against North Korean hackers (lien direct) |
The governments said North Korea's notorious Lazarus Group hackers “continue to demonstrate a pattern of malicious behavior in cyberspace by conducting numerous cybercrime campaigns to steal cryptocurrency and targeting exchanges, digital asset custodians, and individual users.”
|
|
APT 38
|
★★
|
 |
2024-12-30 12:02:43 |
Weekly OSINT Highlights, 30 December 2024 (lien direct) |
## Snapshot
Last week's OSINT reporting highlights the persistence and evolution of cyber threats targeting a wide range of sectors, from cryptocurrency exchanges to aerospace and defense industries. The predominant attack vectors include phishing, exploitation of long-standing vulnerabilities, and the use of advanced malware like StealBit, OtterCookie, and VBCloud. Threat actors such as North Korea's Lazarus Group and TraderTraitor, as well as botnets like FICORA and CAPSAICIN, continue to refine their tactics, leveraging social engineering, compromised software repositories, and ransomware-as-a-service to achieve their objectives. These campaigns predominantly target high-value organizations and unpatched systems, emphasizing the importance of addressing known vulnerabilities and monitoring for sophisticated attack chains.
## Description
1. [StealBit Data Exfiltration Tool](https://sip.security.microsoft.com/intel-explorer/articles/68a374b4): The LockBit ransomware group employs StealBit as part of its ransomware-as-a-service program, facilitating data theft in double extortion attacks. Recent updates to the tool broaden its target base and enhance efficiency, allowing faster data exfiltration and streamlined operations.
1. [FICORA and CAPSAICIN Botnets](https://sip.security.microsoft.com/intel-explorer/articles/77c183a0): FortiGuard Labs observed global activity from the FICORA and CAPSAICIN botnets, exploiting long-standing vulnerabilities in D-Link devices. These botnets, targeting unpatched systems, leverage DDoS capabilities and advanced features to dominate infected devices, focusing on East Asia and other global regions.
1. [OtterCookie and the Contagious Interview Campaign](https://sip.security.microsoft.com/intel-explorer/articles/b5a152a8): North Korean actors deploy OtterCookie malware through fake job offers to developers, targeting cryptocurrency wallets and sensitive data. Infection methods include compromised GitHub and npm projects, with evolving variants enhancing data theft and lateral movement.
1. [TraderTraitor's $308 Million Cryptocurrency Heist](https://sip.security.microsoft.com/intel-explorer/articles/9cd8b8b5): The North Korean TraderTraitor group stole $308 million from Japan's DMM Bitcoin, leveraging LinkedIn for social engineering and GitHub for malware delivery. By compromising a Japanese cryptocurrency wallet company, the group infiltrated systems to manipulate legitimate transactions.
1. [Lazarus Group's DeathNote Campaign](https://sip.security.microsoft.com/intel-explorer/articles/3b7cea68): Lazarus Group continues targeting industries like aerospace and cryptocurrency through Operation DreamJob, using trojanized tools and DLL side-loading techniques. Recent attacks deploy advanced malware strains to evade detection, establish persistence, and enable lateral movement within targeted systems.
1. [Cloud Atlas 2024 Campaigns](https://sip.security.microsoft.com/intel-explorer/articles/caa75881): Cloud Atlas targets Eastern Europe and Central Asia with phishing emails exploiting Equation Editor vulnerabilities, delivering VBShower and VBCloud malware. These tools use PowerShell scripts for data theft, lateral movement, and exfiltration, with region-specific tactics to avoid detection.
## Copyright
**© Microsoft 2024**. All rights reserved. Reproduction or distribution of the content of this site, or any part thereof, without written permission of Microsoft is prohibited.
|
Ransomware
Malware
Tool
Vulnerability
Threat
Cloud
|
APT 38
|
★★
|
 |
2024-12-23 20:06:03 |
Lazarus Group Targets Nuclear Industry with CookiePlus Malware (lien direct) |
KEY SUMMARY POINTS Securelist by Kaspersky has published its latest threat intelligence report focused on the activities of…
|
Malware
Threat
|
APT 38
|
★★★★
|
 |
2024-12-23 19:32:18 |
North Korean hackers spotted using new tools on employees of 'nuclear-related' org (lien direct) |
Researchers at Kaspersky said they found the Lazarus Group using “a complex infection chain that included multiple types of malware, such as a downloader, loader, and backdoor, demonstrating the group's evolved delivery and improved persistence methods.”
|
Malware
Tool
|
APT 38
|
★★
|
 |
2024-12-20 16:14:00 |
Lazarus Group Spotted Targeting Nuclear Engineers with CookiePlus Malware (lien direct) |
The Lazarus Group, an infamous threat actor linked to the Democratic People's Republic of Korea (DPRK), has been observed leveraging a "complex infection chain" targeting at least two employees belonging to an unnamed nuclear-related organization within the span of one month in January 2024.
The attacks, which culminated in the deployment of a new modular backdoor referred to as CookiePlus, are
|
Malware
Threat
|
APT 38
|
★★★★
|
 |
2024-12-19 10:00:55 |
Lazarus group evolves its infection chain with old and new malware (lien direct) |
Lazarus targets employees of a nuclear-related organization with a bunch of malware, such as MISTPEN, LPEClient, RollMid, CookieTime and a new modular backdoor CookiePlus.
|
Malware
|
APT 38
|
★★★
|
 |
2024-11-18 12:22:31 |
Weekly OSINT Highlights, 18 November 2024 (lien direct) |
## Snapshot
Last week's OSINT reporting highlights a diverse array of cyber threats, including ransomware, phishing, espionage, and supply chain attacks. Key trends include evolving attack vectors like malicious .LNK files and PowerShell-based lateral movements, as seen in campaigns targeting Pakistan and other regions. Threat actors span from state-sponsored groups such as North Korea's Lazarus and China's TAG-112 to financially motivated groups like SilkSpecter, with targets including critical sectors like manufacturing, government, healthcare, and e-commerce. Information stealers emerged as a notable theme, with malware such as RustyStealer, Fickle Stealer, and PXA Stealer employing advanced obfuscation and multi-vector attacks to exfiltrate sensitive data from diverse sectors. The reports underscore sophisticated evasion tactics, the leveraging of legitimate platforms for malware delivery, and the persistent targeting of vulnerable backup and storage systems.
## Description
1. [Ymir Ransomware Attack](https://sip.security.microsoft.com/intel-explorer/articles/1444d044): Researchers at Kaspersky identified Ymir, a ransomware variant that performs operations entirely in memory and encrypts data using the ChaCha20 algorithm. Attackers used PowerShell-based lateral movement and reconnaissance tools, employing RustyStealer malware to gain initial access and steal data, targeting systems in Colombia among other regions.
1. [WIRTE Group Cyber Attacks](https://sip.security.microsoft.com/intel-explorer/articles/17c5101d): Check Point Research linked WIRTE, a Hamas-connected group, to espionage and disruptive cyber attacks in 2024, including PDF lure-driven Havoc framework deployments and SameCoin wiper campaigns targeting Israeli institutions. WIRTE, historically aligned with the Molerats, focuses on politically motivated attacks in the Middle East, showcasing ties to Gaza-based cyber activities.
1. [DoNot Group Targets Pakistani Manufacturing](https://sip.security.microsoft.com/intel-explorer/articles/25ee972c): The DoNot group launched a campaign against Pakistan's manufacturing sector, focusing on maritime and defense industries, using malicious .LNK files disguised as RTF documents to deliver stager malware via PowerShell. The campaign features advanced persistence mechanisms, updated AES encryption for C&C communications, and dynamic domain generation, highlighting their evolving evasion tactics.
1. [Election System Honeypot Findings](https://sip.security.microsoft.com/intel-explorer/articles/1a1b4eb7): Trustwave SpiderLabs' honeypot for U.S. election infrastructure recorded attacks like brute force, SQL injection, and CVE exploits by botnets including Mirai and Hajime. The attacks, largely driven by exploit frameworks and dark web collaboration, underline persistent threats against election systems.
1. [Chinese TAG-112 Tibetan Espionage](https://sip.security.microsoft.com/intel-explorer/articles/11ae4e70): In May 2024, TAG-112, suspected to be Chinese state-sponsored, compromised Tibetan community websites via Joomla vulnerabilities to deliver Cobalt Strike payloads disguised as security certificates. The campaign reflects Chinese intelligence's enduring interest in monitoring and disrupting Tibetan and other minority organizations.
1. [Phishing Campaigns Exploit Ukrainian Entities](https://sip.security.microsoft.com/intel-explorer/articles/95253614a): Russian-linked threat actor UAC-0194 targeted Ukrainian entities with phishing campaigns, exploiting CVE-2023-320462 and CVE-2023-360251 through malicious hyperlinks in emails. The attacks leveraged compromised municipal servers to host malware and facilitate privilege escalation and security bypasses.
1. [Lazarus Group's MacOS Targeting](https://sip.security.microsoft.com/intel-explorer/articles/7c6b391d): Lazarus, a North Korean threat actor, deployed RustyAttr malware targeting macOS via malicious apps built with the Tauri framework, hiding payloads in Extended Attributes (EA). This campaign reflects evolvin |
Ransomware
Malware
Tool
Vulnerability
Threat
Prediction
Medical
Cloud
Technical
|
APT 41
APT 38
|
★★★
|
 |
2024-11-15 15:40:32 |
Hackers use macOS extended file attributes to hide malicious code (lien direct) |
## Snapshot
Researchers at Group-IB have identified a new trojan targeting macOS, dubbed RustyAttr, that leverages extended attributes (EAs) in macOS files to conceal malicious code.
## Description
Extended attributes (EAs) are metadata associated with files and directories in various file systems. This code smuggling is reminiscent of the [Bundlore adware approach in 2020](https://security.microsoft.com/intel-explorer/articles/71a3eed3), which also targeted macOS by hiding payloads in resource forks. Resource forks were largely deprecated and replaced by the application bundle structure and EAs. The RustyAttr malware uses the Tauri framework to build malicious apps that execute a shell script stored within an EA named 'test'. Tauri creates lightweight desktop apps with a web frontend (HTML, CSS, JavaScript) and a Rust backend. These apps run JavaScript that retrieves the shell script from the 'test' EA and executes it. Some samples simultaneously launch decoy PDFs or error dialogs to distract the user. The decoy PDFs, and one of the malicious application bundles, were sourced from a pCloud instance containing cryptocurrency-related content. The applications were likely signed with a leaked certificate that Apple has since revoked. macOS Gatekeeper currently blocks these applications from running unless the user actively chooses to override these malware protections.
Although Group-IB couldn't analyze the next-stage malware, they found that the staging server connects to an infrastructure endpoint of the known North Korean threat actor group Lazarus (tracked by Microsoft as [Diamond Sleet](https://security.microsoft.com/intel-profiles/b982c8daf198d93a2ff52b92b65c6284243aa6af91dda5edd1fe8ec5365918c5)). Group-IB researchers suggest that Lazarus is trying out new ways to deliver malware. This discovery comes alongside a similar [report from SentinelLabs](https://security.microsoft.com/intel-explorer/articles/aea544a9) about the North Korean threat actor BlueNoroff (tracked by Microsoft as [Sapphire Sleet](https://security.microsoft.com/intel-profiles/45e4b0c21eecf6012661ef6df36a058a0ada1c6be74d8d2011ea3699334b06d1)), which has been using related evasion techniques on macOS, including cryptocurrency-themed phishing and modified 'Info.plist' files to retrieve second-stage payloads. It remains unclear if the RustyAttr and BlueNoroff campaigns are connected, but the finding highlights a trend of North Korean hackers focusing on macOS systems for their operations.
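Because the payload lives in an extended attribute rather than in a file's contents, file-hash and content scanners miss it; an audit has to enumerate EAs and look at what they hold. The following is an added Python example (not Group-IB's or Microsoft's tooling) that reads EAs with os.listxattr on Linux or the `xattr` command on macOS and flags script-like values; the marker strings, the namespace prefixes treated as benign, and the sample attributes are this example's own assumptions.

```python
"""Audit extended attributes (EAs) for script-like payloads, the RustyAttr
hiding technique described above (added example, not Group-IB's or Microsoft's
tooling). Reads EAs via os.listxattr (Linux/FreeBSD) or `xattr` (macOS)."""
import os
import shutil
import subprocess
from pathlib import Path

# Assumed indicators of a script stashed in an attribute value.
SCRIPT_MARKERS = (b"#!", b"osascript", b"bash -c", b"/bin/sh", b"base64 -d")
# Namespaces written by the OS and common tooling; anything else is worth a look.
BENIGN_PREFIXES = ("com.apple.", "security.", "system.", "trusted.")


def read_xattrs(path: str) -> dict[str, bytes]:
    """Return {name: value} of the EAs on `path`; {} if unreadable or unsupported."""
    try:
        if hasattr(os, "listxattr"):                          # Linux, FreeBSD
            return {n: os.getxattr(path, n) for n in os.listxattr(path)}
        if shutil.which("xattr"):                             # macOS
            names = subprocess.run(["xattr", path], capture_output=True,
                                   text=True).stdout.split()
            return {n: subprocess.run(["xattr", "-p", n, path], capture_output=True,
                                      text=True).stdout.encode() for n in names}
    except OSError:                                           # ENOTSUP, dangling link
        pass
    return {}


def suspicious_xattrs(attrs: dict[str, bytes]) -> list[tuple[str, str]]:
    """Pure classifier over a {name: value} map, so it can be tested offline."""
    hits = []
    for name, value in attrs.items():
        if any(m in value for m in SCRIPT_MARKERS):
            hits.append((name, "script-like content"))
        elif not name.startswith(BENIGN_PREFIXES) and len(value) > 64:
            hits.append((name, "non-standard attribute carrying a sizable payload"))
    return hits


def scan_tree(root: str) -> list[tuple[str, str, str]]:
    """Walk `root` (for example an .app bundle) and report (path, attribute, reason)."""
    findings = []
    for p in [Path(root), *Path(root).rglob("*")]:
        for name, why in suspicious_xattrs(read_xattrs(str(p))):
            findings.append((str(p), name, why))
    return findings


# Constructed sample: a benign quarantine flag beside an EA named 'test' that
# holds a shell script, the layout the RustyAttr write-up describes.
SAMPLE_ATTRS = {
    "com.apple.quarantine": b"0083;00000000;Safari;",
    "user.comment": b"constructed benign note",
    "test": b"#!/bin/sh\necho constructed-sample-payload\n",
}

if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else None
    results = scan_tree(target) if target else suspicious_xattrs(SAMPLE_ATTRS)
    for r in results:
        print(*r, sep=" | ")
```

Run with a path argument to audit a real bundle; without one it classifies the constructed sample. Gatekeeper, as the write-up notes, remains the primary control; this kind of sweep is for triage of machines where a user may already have overridden it.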
## Recommendations
Group-IB recommends keeping macOS Gatekeeper enabled to protect your system from harmful software.
Additionally, Microsoft recommends the following mitigations to reduce the impact of this threat.
• Only install apps from trusted sources and official stores, like the Google Play Store and Apple App Store.
• Never click on unknown links received through ads, SMS messages, emails, or similar untrusted sources.
• Avoid granting SMS permissions, notification listener access, or accessibility access to any applications without a strong understanding of why the application needs it.
• To learn more about preventing trojans or other malware from affecting individual devices, [read about preventing malware infection](https://www.microsoft.com/security/business/security-101/what-is-malware).
## References
[Hackers use macOS extended file attributes to hide malicious code](https://www.bleepingcomputer.com/news/security/hackers-use-macos-extended-file-attributes-to-hide-malicious-code/). Bleeping Computer (accessed 2024-11-14)
[Stealthy Attributes of APT Lazarus: Evading Detection with Extended Attributes](https://www.group-ib.com/blog/stealthy-attributes-of-apt-lazarus/). Group-IB (accessed 2024-11-14)
|
Malware
Threat
Prediction
|
APT 38
|
★★
|
 |
2024-11-14 15:21:00 |
New RustyAttr Malware Targets macOS Through Extended Attribute Abuse (lien direct) |
Threat actors have been found leveraging a new technique that abuses extended attributes for macOS files to smuggle a new malware called RustyAttr.
The Singaporean cybersecurity company has attributed the novel activity with moderate confidence to the infamous North Korea-linked Lazarus Group, citing infrastructure and tactical overlaps observed in connection with prior campaigns, including
|
Malware
Threat
|
APT 38
|
★★★
|
 |
2024-11-14 13:13:41 |
Lazarus Group Targets macOS with RustyAttr Trojan in Fake Job PDFs (lien direct) |
Group-IB has uncovered Lazarus group's stealthy new trojan and technique of hiding malicious code in extended attributes on…
|
|
APT 38
|
★★★
|