Discover and read the best of Twitter Threads about #apt38
Most recents (4)
⚠️ Heads up y'all—we're seen a huge increase in the # of ultra-targeted spearphishes lately.
The most deadly one? A Google Doc share that appears to come from *someone you know* about *something you're interested in*
It won’t be flagged and looks super legit.
DO NOT CLICK! 🙏
The most deadly one? A Google Doc share that appears to come from *someone you know* about *something you're interested in*
It won’t be flagged and looks super legit.
DO NOT CLICK! 🙏
This campaign is the work of #Lazarus / #APT38 / #DangerousPassword / #T444
aka the same crew that compromised Ronin, Harmony, bZx, Bondly, EasyFi, mngr, Arthur0x, Hugh Karp, etc. etc. etc.
Their spear-phishing methods are diverse, targetted, and hard-to-detect.
aka the same crew that compromised Ronin, Harmony, bZx, Bondly, EasyFi, mngr, Arthur0x, Hugh Karp, etc. etc. etc.
Their spear-phishing methods are diverse, targetted, and hard-to-detect.
Recent subject lines / filenames:
Fast Changes in NFT Price (Protected)
Investor Demo Day-Animoca Brands (Protected)
Jump Crypto Investment Agreement
New Credit Investment Opportunity
Spirit Blockchain Capital 2023 - Pitch Deck
Opening the file *may* result in something like:
Fast Changes in NFT Price (Protected)
Investor Demo Day-Animoca Brands (Protected)
Jump Crypto Investment Agreement
New Credit Investment Opportunity
Spirit Blockchain Capital 2023 - Pitch Deck
Opening the file *may* result in something like:
1/ Today the FBI identified the North Korean hacker group Lazarus Group and APT38 as the Horizon Bridge attackers, with the hacker group using malware called 'TraderTraitor' to carry out the attack.
1/and laundered over $60 million in stolen Ether through a privacy protocol called Railgun. What are "TraderTraitor" and Railgun? @evilcos
2/ 'TraderTraitor' is Lazarus' malware that targets the cryptocurrency industry and blockchain technology primarily by luring employees of cryptocurrency-related platforms to download it.
#ICYMI, here's a #threatintel related🧵👇 by me on @USTreasury advisory on DPRK IT workers' attempts to obtain employment while posing as non-North Korean nationals: home.treasury.gov/system/files/1… (1/?)
DPRK IT workers "engage in a wide range of IT dev work, such as: mobile & web-based apps, virtual currency exchange platforms & digital coins. Some
designed virtual currency exchanges or created analytic tools/apps for virtual currency traders & marketed their products." (2/?)
designed virtual currency exchanges or created analytic tools/apps for virtual currency traders & marketed their products." (2/?)
This reminds me, for example, of Marine Chain Token: (justice.gov/opa/pr/three-n…; justice.gov/opa/press-rele…), #AppleJeus (cisa.gov/uscert/ncas/al…) and, more recently, #TraderTraitor (cisa.gov/uscert/ncas/al…). #HIDDENCOBRA/#APT38 loves loves loves their crypto (3/?)
#AssisesSI, J2 : in da place pour écouter @felixaime (chercheur @kaspersky) parler de l'enquête sur #OlympicDestroyer, le malware perturbateur de JO (cf mobile.lemonde.fr/pixels/article…)
Intéressant: les attaquants ont voulu se faire passer pour des pirates nord-coréens spécialisés dans le ciblage d'institutions financières (#Bluenoroff ou #APT38)
Où l'on retrouve #Sofacy a.k.a. #FancyBear / #APT28 et la galaxie autour (BlackEnergy, NotPetya, BadRabbit). #PoupéesRusses
