2015 GLOBAL THREAT REPORT

2016-02-04 CrowdStrike

https://go.crowdstrike.com/rs/281-OBQ-266/images/15GlobalThreatReport.pdf

Attachments

15GlobalThreatReport.pdf (18 MB)


CrowdStrike’s 2015 Global Threat Report assessed that DPRK-linked activity in 2015 shifted toward espionage rather than destructive operations, with most observed malware directed at Republic of Korea targets during periods of heightened inter-Korean tension. The North Korea section described suspected DPRK-associated malware families including Milmanbag, Hawup, and AIMRAT, linking samples to earlier Operation Troy/DarkSeoul-style activity and to campaigns using Hangul Word Processor exploit documents. Milmanbag was assessed as a likely first-stage RAT that transmitted system information and downloaded additional malware, while Hawup exploited CVE-2015-6585 through HWP documents and AIMRAT used the AOL Instant Messenger protocol for command and control. CrowdStrike tied the activity to intelligence collection against South Korean government, think-tank, energy, transportation, and logistics interests, and expected DPRK actors to remain active as tensions with the RoK persisted.
