20230901_threat_inteligence_report_BitB.pdf (2 MB)

Genians identified a sophisticated Browser-in-the-Browser phishing operation targeting people involved in North Korea-related work in South Korea. The attackers impersonated Liberty in North Korea's Changemaker support program and copied real Facebook content to build a convincing credential-theft page around an active funding opportunity. The operation used a fake single sign-on flow and infrastructure links that Genians connected to APT37, indicating a cyber-espionage effort aimed at monitoring activists and stealing account details.