CYBCRIME

336 posts

@stdal_

nothing new under the sun, that's why we have to rise above

Joined January 2022
128 Following, 33 Followers
CYBCRIME retweeted
Baptiste Robert @fs0c131y
New research reveals detailed analysis of DPRK VPN infrastructure used by North Korean operatives abroad. According to technical analysis published by NK Internet Watch, "Hangro" appears to be a specialized VPN client that enables North Koreans overseas to establish secure connectivity back to domestic networks, potentially including the Kwangmyong intranet.

📍 Infrastructure spans multiple countries with servers in Russia (188.43.136.115/116) and North Korea (175.45.176.21/22)
📍 Requires mutual TLS authentication with certificates signed by internal CA "hrra2024"
📍 Uses embedded GOST cipher references suggesting Russian cryptographic influence

The research traces connections through Jo Myong Chol, a sanctioned DPRK national who registered supporting domains using the email support@silibank.com. This same email was used for other regime-affiliated sites including ournation-school.com and uriminzogkiri.com.

1️⃣ Radio Free Asia reported North Korean trading companies pay $350 to the Shenyang consulate for Hangro access
2️⃣ Technical analysis reveals the client is derived from SoftEther VPN with custom authentication mechanisms
3️⃣ The service recently appeared on DPRK-affiliated websites as "service for visitors away from home" before disappearing in July 2025

This infrastructure represents a sophisticated method for maintaining regime connectivity with overseas operatives and commercial entities.

Source: nkinternet.wordpress.com/2025/01/06/han…
CYBCRIME @stdal_
@dystopiangf I think it's because we switched to a management era. Instead of leading to build and create new things inspired by a great vision, the "elite" now just manage stuff so that everything doesn't fall apart
ℜ𝔞𝔢 @dystopiangf
Civilizations used to dream. Even communists wanted to go to the stars. At some point, the future died; we all silently decided that the purpose of a civilization is not to dream, but to just scrape by, to cut corners, to be as close to bare minimum functionality as possible
CYBCRIME retweeted
vx-underground @vxunderground
How tf did the FBI / NSA get a picture of North Korean IT workers working
CYBCRIME retweeted
Cyber_OSINT @Cyber_O51NT
A recent report reveals that Pakistani freelancers are creating cracking websites linked to stealer malware, using a pay-per-install model, while exploiting SEO tactics to promote these sites amidst low prosecution risks. #cybersecurity #malware ift.tt/bOGhQW7
CYBCRIME retweeted
Oleg @Cyber_0leg
💸 From dirty crypto to clean money: how Russophone cybercriminals launder illicit crypto profits? Fake inheritances, shady casinos, fake businesses, and shell companies. The real bottleneck? Legalization. 🔗 Link in comments #CTI #CryptoLaundering #DarkWeb
CYBCRIME retweeted
Intrinsec @Intrinsec
🔎 [THREAD] – New analysis by Intrinsec Cyber Threat Intelligence on the latest operations by Russian-aligned intrusion sets #UAC0050 & #UAC0006📢 🔗 Our Report: intrinsec.com/wp-content/upl…
CYBCRIME retweeted
Intrinsec @Intrinsec
🔎 [THREAD] – Doppelgänger: A New Disinformation Campaign Spreading on Social Media 📢 📄 A newly released report sheds light on the tactics used by this Russian-linked network to target multiple Western countries. ⬇️
CYBCRIME retweeted
Intrinsec @Intrinsec
🚨 [New Report Alert!] Our CTI team just published: "Premium Panel: phishing tool used in longstanding campaigns worldwide." 👉 This report reveals insights into a phishing kit used in campaigns for over two years! 📅Read the full report here: intrinsec.com/premium-panel-…
CYBCRIME retweeted
404 Media @404mediaco
Researcher turns insecure license plate cameras into open source surveillance tool Privacy advocate draws attention to the fact that hundreds of police surveillance cameras are streaming directly to the open internet. 🔗 404media.co/researcher-tur…
CYBCRIME retweeted
TrendAI™ Research @trendai_RSRCH
Earth Koshchei’s rogue Remote Desktop Protocol campaign targets government, military, and academia via spear-phishing, with alleged ties to Russia’s intelligence. Learn more about this new threat actor’s tactic:⬇️ research.trendmicro.com/3DhR710
CYBCRIME retweeted
Baptiste Robert @fs0c131y
Hackers claim to have breached Gravy Analytics, a US location data broker selling to government agencies. They shared 3 samples on a Russian forum, exposing millions of location points across the US, Russia, and Europe. It's OSINT time! 👇
CYBCRIME retweeted
Intrinsec @Intrinsec
🎉 Happy New Year! Our CTI team has just published a new report: "CryptBot: Hunting for Initial Access Vectors." Here’s what we’ve uncovered about the malware’s spreading methods, originally shared privately with our clients in September. 🧵
CYBCRIME retweeted
Intrinsec @Intrinsec
🚨 New Report Alert! 🚨 Our CTI team has just released a new report: "Prospero & Proton66: Uncovering the links between bulletproof networks." Here's what we've uncovered about these two Russian Autonomous Systems and their malicious connections. 🧵
CYBCRIME retweeted
Mandiant (part of Google Cloud)
🚨 Mandiant observed #LummaC2 stealers leveraging a new obfuscation technique to thwart analysis tools and stifle reverse engineering efforts. Read about this tactic, and how we developed an automated method for removing this protection layer → bit.ly/47IImbK
CYBCRIME retweeted
Mikołajek @_mikolajek_
⚠️ Yesterday, some clever person registered qouv.fr. Its holder can therefore create sites and send emails that closely resemble the real .gouv.fr ones. Depending on the typeface, the comparison is striking (here, Lucida Sans Unicode). Stay vigilant on all .gouv.fr domains!
CYBCRIME retweeted
Matt Johansen @mattjay
⚠️ Breaking: North Korea just burned an 0-Day in Chromium. They used it to install a Windows rootkit and the campaign targeted cryptocurrency platforms and users. Here's what we know:
CYBCRIME retweeted
Microsoft Threat Intelligence @MsftSecIntel
Microsoft observed Iranian state-sponsored threat actor Peach Sandstorm deploying a new custom multi-stage backdoor named Tickler in attacks against multiple sectors in the United States and the United Arab Emirates. msft.it/6015lfpO5