Threat Analysis of LNK Malware by a State-Sponsored Hacking Group (Campaign Dark Prism)
2025-12-22 • FSI
The Financial Security Institute report analyzes LNK malware collected between January 2024 and September 2025 from state-sponsored hacking groups in a campaign it names Dark Prism. The excerpt says the research focuses on how attackers’ TTPs changed over time, what final malicious payloads were used to take control of systems, and how command-and-control server communications behaved. It frames LNK malware as a common initial technique that can split into multiple layered threat patterns, with emphasis on payload delivery and C2 traffic analysis rather than a single actor attribution in the provided text. For DPRK-focused monitoring, the value is that the excerpt describes state-sponsored LNK tradecraft and C2 behavior that may overlap with North Korea-linked intrusion patterns, but it does not itself attribute the campaign to Lazarus, Kimsuky, Andariel, or another DPRK actor.