After identifying cryptocurrency and decentralized firms that could be compromised, North Korean hackers target employees with investment or employment lures under the guise of known contacts.
Threat actors distributed phishing emails with malicious ZIP files containing a Word-spoofing LNK file purporting to be a list of individuals who committed remote control software regulation violations; opening it facilitates the deployment of a Microsoft binary and a DLL file concealing Cobalt Strike.
Attackers who spoofed U.S., European, and Asian tax agencies distributed more than 20,000 phishing emails purporting to contain updated tax information and links; when clicked, the links redirect to a search-ms URI file that triggers a Python script, which displays a decoy PDF while DLL side-loading Voldemort.
Attacks commenced with the delivery of emails redirecting to sway[.]cloud[.]microsoft domain-hosted phishing pages that lured targets into scanning QR codes with their less secure mobile devices, which would facilitate further malicious activity.
Attacks commenced with the download of malicious ZIP files purporting to be pirated movies that contain an LNK file, which retrieves a memory-only JavaScript dropper from a content delivery network to execute PEAKLIGHT, according to an analysis from Mandiant.
Attacks involved the utilization of accounts spoofing Microsoft, Google, Yahoo, and AOL IT support to target other WhatsApp accounts belonging to individuals in the U.S., Iran, Israel, Palestine, and the UK, according to Meta researchers.