CHA Minseok(Jacky)

2.1K posts

CHA Minseok(Jacky) banner
CHA Minseok(Jacky)

CHA Minseok(Jacky)

@mstoned7

CHA is my family name. Threat Intelligence Researcher at AhnLab / Keybase : mstoned7 , Signal : mstoned7.21 / Tweets are my own.

Suwon, South Korea Katılım Ocak 2013
5.3K Takip Edilen3.3K Takipçiler
CHA Minseok(Jacky)
CHA Minseok(Jacky)@mstoned7·
There is an endless stream of resources on #SilverFox—wish I had looked into this sooner! Before the Winos (ValleyRAT) builder leaked, it was used in attacks targeting China, sharing the exact same PDB path. : 'C:\Users\谷堕\Desktop\2022远程管理gfi\\cangku\WinOsClientProject\Release\上线模块.pdb' 🔗 secrss.com/articles/51779 🔗 secrss.com/articles/52018 (Chinese) Also, credit to Proofpoint for officially naming it ValleyRAT: 谷堕 (Gǔduò) means 'falling into a valley,' which explains why it was named ValleyRAT. 🔗 proofpoint.com/us/blog/threat…
English
0
0
5
249
CHA Minseok(Jacky)
CHA Minseok(Jacky)@mstoned7·
South Korea's military-trained cyber talent gets paid tuition — then walks to the private sector The share of trained cyber officers who actually take their commission fell from 96% in 2016 to 29% in 2025. Over ten years, 267 students finished the program but only 170 (64%) became officers. Even those who join don't stay: of 104 officers commissioned from 2016–2019, 89 (85%) left right after their required 7-year service. Only 8 stayed on long-term. Students get about 40 million won (roughly $29,000) in tuition support each, yet more and more choose private jobs — defense firms, IT companies — once they graduate. It shows private-sector pay in AI and cyber security has pulled ahead of what the military can offer. North Korea, by contrast, runs a fixed force of roughly 8,400 hackers under its Reconnaissance General Bureau. As long as the South's military keeps training people it can't hold on to, the gap will keep growing. newsroad.co.kr/news/articleVi… (Korean)
English
0
1
1
233
CHA Minseok(Jacky) retweetledi
TeamT5
TeamT5@TeamT5_Official·
📢 Registration for Threat Analyst Summit 2026 opens now! Join threat researchers, CTI analysts, and cybersecurity leaders for two days of intelligence sharing and cyber defense insights. 📅 December 2–3, 2026 📍 Taipei, Taiwan 👉Secure your seat with best price: teamt5.kktix.cc/events/tas2026 #TAS2026 #ThreatIntel #CyberSecurity
English
0
5
7
601
CHA Minseok(Jacky)
CHA Minseok(Jacky)@mstoned7·
South Korea's National Office of Investigation issued a security advisory today after confirming that access credentials for over 500 GitHub accounts were leaked — about 30 of them belonging to Korean companies. The leaked data is GitHub Personal Access Tokens (PATs), which let a user sign in without a password. If an attacker gets hold of a PAT, they can reach a victim's private repos, pull out connection details for internal systems, and from there break into company networks to steal personal data or trade secrets. GitHub has already revoked the leaked tokens and sent warnings to the affected users. Police say they'll keep sharing new threat info with agencies and companies as it comes in. police.go.kr/user/bbs/BD_se… (Korean)
English
0
0
3
334
CHA Minseok(Jacky) retweetledi
MigawariIV
MigawariIV@strinsert1Na·
アクターに名前はつけてないけど、実行主体が感染拡大のために使っている(VPN)サービスやドメインやインフラ基盤の特徴はきちんと書いたつもり speakerdeck.com/nttcom/ghost-i…
日本語
0
5
27
1.3K
CHA Minseok(Jacky)
CHA Minseok(Jacky)@mstoned7·
IITP (Korea's key ICT R&D agency managing ~$1.4B in national research funding) suffered its second breach in 7 months. Root cause: a maintenance engineer accidentally set a firewall switch to "allow" instead of "block." No advanced attack. No zero-day. Just a misconfiguration. The exposed system holds access logs for external researchers and project participants — potentially years of R&D contributor data across universities, companies, and public institutions. First breach: Dec 2025 (APT attack, staff PII leaked) Second breach: Jul 6, 2026 (misconfiguration, scope TBD) Notification to regulators: Jul 9 — right at the 72-hour legal deadline When the agency responsible for securing national research infrastructure can't secure its own systems, something beyond patching is needed. biz.chosun.com/it-science/ict… (Korean) #DataBreach #InfosecKR
English
2
4
4
910
CHA Minseok(Jacky)
CHA Minseok(Jacky)@mstoned7·
I agree with the skeptical view on attributing all ValleyRAT (Winos 4.0) campaigns to Silver Fox. It's highly likely that multiple campaigns targeting Japan (and South Korea) are being run by separate, distinct threat groups.
SpiderLabs@SpiderLabs

ValleyRAT activity is accelerating and getting harder to see. From fake installers to #phishing emails, the campaign blends DLL sideloading, RC4-encrypted payloads, and fileless execution to evade detection (all while targeting regional users as entry points into global enterprises). Here's what we know on #ValleyRAT: hubs.ly/Q04nnCV70

English
0
0
5
438
CHA Minseok(Jacky)
CHA Minseok(Jacky)@mstoned7·
@jpcert_en Larva-25001 (APT-C-60) - Spotted some activity after a long hiatus! Looking into the public IOCs, at least 3 samples were used in attacks against South Korean orgs between Jan-Apr 2026. I haven't tracked the variants yet, but based on experience, there’s likely more to find.
English
1
0
1
52
CHA Minseok(Jacky)
CHA Minseok(Jacky)@mstoned7·
The EXE tampering part is interesting too. Too bad there's no IOC list, so I can't dig into it further. Does anyone know the IOCs for this?
English
0
0
0
54
CHA Minseok(Jacky)
CHA Minseok(Jacky)@mstoned7·
KBS shared some interesting insights into North Korean smartphones. North Korean smartphones are reportedly blocked from accessing the internet. They also have built-in censorship for text messages. Typing '남한' (South Korea) is automatically changed to '괴뢰 정권' (Puppet State), while '한국' (Republic of Korea) is replaced with "**." Even South Korean expressions like '오빠' (Oppa) are automatically corrected. The phone reportedly captures a screenshot every 5–10 minutes without the user's access. Videos stored on external SD cards that are not officially authorized cannot be played and are automatically deleted. Only documents and videos approved by the North Korean government can be stored or opened on the device. youtube.com/watch?v=8iHA-S… (Korean) full version : youtube.com/watch?v=_LNYHL…
YouTube video
YouTube
YouTube video
YouTube
English
0
1
0
446
CHA Minseok(Jacky) retweetledi
Virus Bulletin
Virus Bulletin@virusbtn·
Qianxin Threat Intelligence Center analyses MODBEACON, a highly modular Rust trojan delivered by a Ghost distributor to selected targets across technology, education, and state-owned enterprises. ti.qianxin.com/blog/articles/…
Virus Bulletin tweet media
English
0
8
16
2.1K
CHA Minseok(Jacky) retweetledi
International Cyber Digest
International Cyber Digest@IntCyberDigest·
‼️ A 15-year-old in Japan used ChatGPT to write a program that mass-unsubscribed 46,812 Bandai Anime streaming users, Tokyo police say. He has now been arrested. The November attack forced Bandai Namco Filmworks to take the anime streaming service offline for six weeks, with data on up to 1.366 million members potentially exposed. Police say the self-taught teen found the server flaw by studying network traffic, then let ChatGPT automate the rest. He told investigators he had no grudge against the company.
International Cyber Digest tweet mediaInternational Cyber Digest tweet media
English
41
139
1.4K
103.3K
CHA Minseok(Jacky)
CHA Minseok(Jacky)@mstoned7·
I just registered for TAS'26 yesterday — it'll be my first time in Taiwan, so I'm really looking forward to it. Hope to see you in Taiwan ! tas.teamt5.org
TeamT5@TeamT5_Official

🌟Reminder: CFP submissions for #TAS26 are still open. Have research on APTs, malware, threat intel, or emerging cyber threats in APAC? Share your findings with the global security community. Submit now: tas.teamt5.org/cfp2026 (Proposal submissions are open until July 15.) #CyberSecurity #ThreatIntelligence #CyberThreats

English
0
0
3
368
CHA Minseok(Jacky)
CHA Minseok(Jacky)@mstoned7·
@NikkeiAsia Unfortunately, it is still unclear what information the malware accessed from the secure USB drive or whether the device had been compromised at the firmware level.
English
0
0
0
10