ciso brief

All news with #kimsuky tag

10 articles

Canadian Arrest Tied to Kimwolf DDoS Botnet

🛡️ The U.S. Department of Justice announced the arrest of 23-year-old Canadian Jacob Butler (aka Dort) for allegedly operating the Kimwolf DDoS botnet, a variant of AISURU. The botnet enslaved devices like digital photo frames and webcams and was offered via a cybercrime-as-a-service model to launch global attacks, including against DoD network addresses. Authorities linked Butler through IP, account data, and Discord messages, and charged him with aiding and abetting computer intrusion.

Investigating Dort: The Alleged Kimwolf Botmaster's Identity

🔎 This article analyzes public evidence tying the alleged Kimwolf botmaster—known online as Dort and by earlier handles like CPacket and M1ce—to accounts, emails and domain registrations linked to an Ottawa-based Jacob Butler. It reviews GitHub and forum footprints (jay.miner232@gmail.com / MemeClient), ties to SIM Land and LAPSUS$ activity, and allegations that Dort sold disposable-email and CAPTCHA-bypass tools. After KrebsOnSecurity published research in January 2026 that disrupted Kimwolf’s spread, Dort allegedly mounted doxing, DDoS, email-flooding and swatting campaigns against researchers and the author.

Konni Uses AI-Generated PowerShell Backdoor on Devs

⚠️ Konni, a North Korea–linked threat actor, has deployed an AI-assisted PowerShell backdoor against blockchain developers in Japan, Australia, and India. The campaign uses spear-phishing ZIP archives hosted on WordPress and Discord CDN that drop LNK files which launch an AutoIt loader and extract a modular PowerShell implant. Check Point observed AI-style code structure and comments in the backdoor while attackers leverage UAC bypass, Defender exclusions, scheduled tasks, and a C2 encryption gate to maintain stealth and persistence.

Konni Targets Blockchain Engineers with AI-Powered Malware

🔒 The North Korean-linked Konni group is deploying AI-generated PowerShell malware to specifically target developers and engineers in the blockchain sector. The campaign uses Discord-hosted ZIP lures that contain a PDF, a malicious LNK shortcut, and an embedded DOCX/CAB payload which drops a backdoor, batch files, and a UAC bypass executable. The backdoor is heavily obfuscated, runs an XOR-encrypted script in-memory via an hourly scheduled task masquerading as OneDrive, and bears markers of LLM-assisted development such as structured documentation and placeholder comments like "# <- your permanent project UUID".

FBI Warns of North Korean QR Code Phishing (Quishing)

🔒 The FBI has issued an alert about ongoing North Korean QR code phishing campaigns conducted by the Kimsuky APT, which targeted think tanks, academic institutions and government entities in May–June 2025. Attackers embedded QR codes in spear-phishing emails to redirect victims to mobile-optimized credential-harvesting pages, evading typical email security controls. The FBI recommends heightened user training, deployment of mobile device management, phishing-resistant MFA, and enhanced logging and monitoring to detect and mitigate these quishing attacks.

FBI: North Korean Hackers Employ Malicious QR Codes

🚨 The FBI warns that North Korean state-sponsored actors, tracked as Kimsuky, have embedded malicious QR codes in targeted spear-phishing (quishing) campaigns observed in May–June 2025. Attackers spoofed advisors, embassy staff, and think-tank employees to trick recipients into scanning QR codes that redirect mobile devices to attacker-controlled infrastructure or fake login pages. Because scans take victims off enterprise-managed machines to unmanaged phones outside EDR and network inspection, adversaries can harvest session tokens, replay credentials to bypass MFA, establish persistence, and launch secondary spear-phishing from compromised mailboxes.

FBI Warns: Kimsuky Uses QR Codes to Phish U.S. Organizations

🔒 The FBI warns that North Korean state-sponsored group Kimsuky is using malicious QR codes in spearphishing campaigns targeting U.S. organizations involved in North Korea policy, research, and analysis. These quishing campaigns route victims to attacker-controlled sites that fingerprint devices and serve fake Microsoft 365, Okta, Google, or VPN login pages to steal credentials and session tokens. Because they require mobile interaction and can originate from compromised inboxes, the attacks can bypass email security and enable MFA-resistant cloud account hijacking; the FBI urges training, QR verification, mobile device management, strong MFA, and immediate reporting.

Kimsuky Distributes DocSwap Android RAT via QR Phish

📱 ENKI links the North Korean actor Kimsuky to a campaign delivering a new Android remote-access trojan dubbed DocSwap via QR codes on phishing sites impersonating CJ Logistics. Victims are lured by smishing or phishing to scan a QR that prompts installation of a malicious "SecDelivery.apk," which decrypts and loads an embedded payload and requests broad permissions. The app mimics OTP authentication to reassure users while launching a background service that connects to attacker infrastructure and exposes capabilities including keystroke logging, audio and camera capture, and data exfiltration.

HttpTroy Backdoor Poses as VPN Invoice in Kimsuky Attack

🔒 Security researchers at Gen Digital disclosed a targeted Kimsuky campaign that delivered a previously undocumented backdoor called HttpTroy, hidden inside a ZIP attachment masquerading as a VPN invoice. The multi-stage chain used a Golang dropper, a loader dubbed MemLoad and a DLL backdoor executed via a scheduled task named "AhnlabUpdate" to achieve persistence. HttpTroy provides extensive remote-control capabilities and communicates with a C2 server over HTTP, while employing layered obfuscation to hinder analysis and detection.

Kimsuky Uses AI to Forge South Korean Military ID Images

🛡️ Researchers at Genians say North Korea’s Kimsuky group used ChatGPT to generate fake South Korean military ID images as part of a targeted spear-phishing campaign aimed at inducing victims to click a malicious link. The emails impersonated a defense-related institution and attached PNG samples later identified as deepfakes with a 98% probability. A bundled file, LhUdPC3G.bat, executed malware that enabled data theft and remote control. Primary targets included researchers, human-rights activists and journalists focused on North Korea.