5bAnalysis5dDefense_Industry_Threats.pdf (1 MB)

AhnLab examines sustained attacks against South Korean defense contractors and related political, diplomatic, energy, security, and large-enterprise targets from 2010 through 2017. The report separates activity into groups and malware families including Icefog-NG, Red Dot using Escad, Ghost Rifle using Rifdoor and Ghostrat, and Anonymous Phantom using Phandoor, while stating that state sponsorship was not confirmed. Observed infection routes include spearphishing with weaponized or disguised documents, watering-hole sites, and abuse of central management or asset-management systems to distribute malware. Escad infrastructure was spread across many countries, while Rifdoor and Phandoor command-and-control addresses were mostly in South Korea and often used university systems, giving defenders concrete infrastructure patterns to validate alongside malware counts and campaign timelines.