Global Advanced Persistent Threat (APT) 2019 Research Report

2020-03-05 Tencent Global Advanced Persistent Threats (APT) 2019 Research Report

https://s.tencent.com/research/report/902

Attachments

apt_report_2019.pdf (11 MB)

Tencent’s 2019 global APT report is a broad landscape review, but its DPRK-relevant sections describe East Asian activity from DarkHotel, Higaisa, Lazarus, Group123/APT37, and related Korean Peninsula-linked actors. The report says Lazarus pursued economically motivated operations against banks, financial institutions, and cryptocurrency exchanges worldwide and that Tencent observed code features tying attacks on Chinese virtual-currency platforms to Lazarus. It distinguishes Group123/APT37 as more active against China and Korea-focused targets such as trade companies, foreign-company executives in China, government departments, and consulates, with custom RAT modules for shell execution, file download, execution, and upload. The report also notes overlap in victim targeting among Group123 and DarkHotel and describes the broader regional context of phishing, watering-hole, zero-day, and file-infection activity.

Indicators of Compromise

| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| URL | https://www.altran.com/as-conte… | 2020-03-05 | 2020-03-05 |
| URL | http://pc1.gtimg.com/softmgr/fi… | 2020-03-05 | 2020-03-05 |
| URL | https://indianexpress.com/artic… | 2020-03-05 | 2020-03-05 |
| DOMAIN | pc1.gtimg.com | 2020-03-05 | 2020-03-05 |
