When I woke up, I found a reply saying that my request had been approved. However, I still couldn't continue the chat. I started a new conversation instead, and fortunately it retained the context of my previous conversation with Claude. I'm currently continuing the new conversation using a different model.
Using AI for cybersecurity work is tough. Claude paused my conversation for review while I was tracking a threat actor. I've submitted a 'request an exemption' and I'm curious how long the wait will be.
China's MPS announced 5 crackdowns (June 16, 2026) tied to Silver Fox malware (likely ValleyRAT/Winos4.0) development, sale, and distribution. Unclear if the 5 cases are linked or separate.
Since the Silver Fox source code/builder leaked in 2023, this looks like Chinese nationals who built variants from the leaked builder or sold/used it got arrested — not necessarily the original threat actor we've been tracking.
Similar to ransomware ecosystems: resellers/affiliates tend to get caught before the core developers do.
https://t.co/tiyDNf68DD (Chinese) #SilverFox
North Korean hackers are stealing identities to land freelance work with Western companies, and some of the victims are in the Balkans.
Read more: https://t.co/dHkpMD8RNt
North Korea uses MetaMask as a cryptocurrency wallet. According to South Korean media reports, North Korea is researching the implementation of Ethereum smart contracts on its isolated internal network. https://t.co/WnqDiZyty5 (Korean)
@Sec_S_Owl This blog post includes several clusters that I am currently tracking. Unfortunately, the analysis does not explain how the attribution was made, so until it can be verified, I am treating it as a reference only and continue to distinguish those clusters separately.
The group we suspect to be Silver Fox attacked Korean organizations via SEO poisoning, and it appears they implemented IP filtering. While some of the targets were identified, we were unable to determine what actions were taken post-infection. The activity targeting Japan differs somewhat from the traditional Silver Fox we have been tracking, which leads us to assess it as either an affiliated group or an entirely separate threat actor.
Attribution of Silver Fox remains challenging. I consider it a misguided approach when some security vendors classify any ValleyRAT usage as Silver Fox activity. While Silver Fox is more aligned with cybercrime operations, their behavior outside of China tends to resemble that of an APT actor. (Though it's also possible this represents a distinct group operating in a similar manner.)
According to the Tving data breach report, the attacker directly accessed the database server where personal information was stored. https://t.co/hndshFOzXe (Korean)
User data from the Korean OTT service Tving has been leaked, including member IDs, names, dates of birth, gender, phone numbers, and email addresses. https://t.co/MuoiJAPECz, https://t.co/qRucOtatZv (Korean)
BGF Networks, the operator of CU convenience store parcel delivery, announced that a personal data breach was confirmed on June 4 at 3:30 PM.
The leaked data items include:
User ID & Password
Name, Date of Birth, & Gender
Address, Email, & Phone number
Connecting Information (CI)
https://t.co/ZBnODiGOEq (Korean)
As a Korean, this is very sad.
According to a local Korean media report released today, LG Electronics has reportedly explored the possibility of selling its TV business to China’s Hisense.
The Korean TV industry has collapsed.
The President of LG Electronics' TV (MS) Business Division met with representatives from rival TV manufacturer Hisense and retailer https://t.co/YTdE9VTOXC in Beijing late last month. https://t.co/OM390ntIEl (Korean) While one Korean media outlet reported that LG Electronics might abandon its TV business, the accuracy of this claim remains unverified. https://t.co/1C6Wjgq2Vg (Korean)
Russia's #FSB-linked #Gamaredon has been hammering Ukraine's government, military & critical infrastructure for over a decade. We went behind the scenes.
Tracked their infrastructure. Recovered artefacts from compromised machines. Here's what we found 🧵 https://t.co/o4KN9OAiip
Microsoft has identified an npm supply chain compromise impacting 90+ redhat-cloud-services/* packages, including patch-client 4.0.4, insights-client 4.0.4, rbac-client 9.0.3, host-inventory-client 5.0.3, frontend-components 7.7.2, and others. The payload is a self-propagating worm that infects other npm packages and self-publishes.
Each compromised package adds a malicious preinstall hook, embedding an index.js script in the package.json that silently executes “node index.js” during installation, downloads Bun, and runs a payload that steals secrets from npm, GitHub, Amazon Web Services (AWS), and Secure Shell (SSH). The added code bloats index.js from ~8KB to ~4.3MB, acting as a heavily obfuscated ROT-9 eval loader.
If any of the compromised packages are installed, users and organizations should assume compromise, rotate credentials, revert to a previously trusted version, and block compromised packages. Identified compromised npm packages have been taken down, and we continue to work with the npm team. Microsoft continues to investigate this attack and will publish updates as more information is available.
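A triage sketch for the indicators in the post above, added here as an example and not code from Microsoft or the original poster: it walks an installed dependency tree and flags packages that match a listed name and version, declare a preinstall hook running `node index.js`, or pair that hook with an oversized index.js. The 1 MB size threshold, the function names and the sample tree are assumptions made for illustration.

```python
import json
import re
import tempfile
from pathlib import Path

# Versions named in the post (only the subset it lists out of the 90+ packages).
LISTED = {"patch-client": "4.0.4", "insights-client": "4.0.4", "rbac-client": "9.0.3",
          "host-inventory-client": "5.0.3", "frontend-components": "7.7.2"}
SCOPE = "redhat-cloud-services"  # npm writes scopes with a leading "@", stripped below
HOOK = re.compile(r"\bnode\s+(\./)?index\.js\b")
SIZE_LIMIT = 1_000_000  # assumed cut-off between the ~8KB and ~4.3MB sizes in the post

def check_package(pkg_dir):
    """Return the reasons an installed package matches the described compromise."""
    try:
        meta = json.loads((pkg_dir / "package.json").read_text(encoding="utf-8"))
    except (OSError, ValueError):
        return []
    meta = meta if isinstance(meta, dict) else {}
    reasons = []
    scope, _, short = str(meta.get("name", "")).lstrip("@").rpartition("/")
    if scope == SCOPE and short in LISTED and LISTED[short] == meta.get("version"):
        reasons.append("listed-version")
    scripts = meta.get("scripts")
    hook = scripts.get("preinstall") if isinstance(scripts, dict) else None
    if isinstance(hook, str) and HOOK.search(hook):
        reasons.append("preinstall-node-index")
        index = pkg_dir / "index.js"
        if index.is_file() and index.stat().st_size > SIZE_LIMIT:
            reasons.append("oversized-index")
    return reasons

def scan(root):  # maps each flagged package directory (relative to root) to its reasons
    found = {}
    for manifest in sorted(Path(root).rglob("package.json")):
        if reasons := check_package(manifest.parent):
            found[manifest.parent.relative_to(root).as_posix()] = reasons
    return found

def demo():  # constructed tree: one benign package, one shaped like the post describes
    samples = {f"{SCOPE}/rbac-client": ("9.0.3", "preinstall", 4_300_000),
               "constructed-benign": ("1.0.0", "test", 8_000)}
    with tempfile.TemporaryDirectory() as tmp:
        for name, (version, hook, size) in samples.items():
            pkg = Path(tmp, "node_modules", name)
            pkg.mkdir(parents=True)
            meta = {"name": name, "version": version, "scripts": {hook: "node index.js"}}
            (pkg / "package.json").write_text(json.dumps(meta), encoding="utf-8")
            (pkg / "index.js").write_bytes(b"/" * size)
        return scan(tmp)
```

Call `scan()` on a project or cache directory to get a dict of flagged paths; a hit on the hook alone is a lead to review, since the name and version list here covers only the packages the post names.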
Similar variants have been emerging since April 2026, with 15 instances identified so far. The DLL includes the PDB path: C:\Users\Administrator\Desktop\084049\crashreport_new\Release\crashreport_new.pdb. Additionally, infection cases have been reported within our systems in Germany.