Seongsu Park's presentation examines Lazarus C2 infrastructure and the Manuscrypt toolset associated with Bluenoroff and broader Lazarus activity. The slides describe multi-stage proxy architecture, first-stage and final C2 servers, frequent use of compro…
2017 (97 reports)
KakaoTalk phishing was being used in South Korea to target North Korean defectors by impersonating a familiar contact and persuading victims to open a URL or install an app package. The malicious app masqueraded as “North Korea Prayer” and, once installed…
Hauri reported Monero-mining malware distributed in Korea through socially engineered email lures using themes such as transactions, resumes, personal data leaks, and image theft. The malware runs when a user opens a shortcut file disguised with photo or …
DHS and the FBI analyzed seven malicious Windows executables attributed to HIDDEN COBRA activity and identified them as BANKSHOT malware variants. Five samples function as proxy applications that mask operator traffic with a shared cipher, while two are R…
DHS and the FBI identified BANKSHOT Trojan malware variants as tools used by the North Korean government. The advisory frames this activity under the U.S. Government name HIDDEN COBRA and points defenders to the related malware analysis report for technic…
RiskIQ analyzed infrastructure behind Lazarus Group cryptocurrency phishing described with Proofpoint, focusing on fake IDN domains impersonating Bitcoin Gold and Electrum wallet sites. The attackers cloned legitimate pages, reused links to the real sites…
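The look-alike domains described above trade on the fact that a punycode label such as `xn--...` renders as Unicode in the browser, so a Cyrillic or Greek letter can stand in for a Latin one. The following is an added example, not code from the RiskIQ or Proofpoint analysis, showing how a defender can decode candidate domains and flag the two tells that matter here: a label mixing scripts, and a "skeleton" that collapses to a protected brand. The `PROTECTED` brand list, the small `CONFUSABLES` table and the sample domains are assumptions constructed for illustration; a production deployment would use the full Unicode confusables table.

```python
"""Flag IDN look-alike (homograph) domains against a list of protected brands.

Added example for illustration. The brand list, confusable table and sample
domains below are constructed assumptions, not data from any report.
"""
import unicodedata

# Assumption: brands whose wallet/download sites we want to protect.
PROTECTED = {"electrum.org", "bitcoingold.org"}

# Assumption: a minimal map of non-Latin letters that render like Latin ones.
# The real Unicode confusables.txt table is far larger; this is illustrative.
CONFUSABLES = {
    "\u0430": "a",  # Cyrillic small a
    "\u0435": "e",  # Cyrillic small ie
    "\u043e": "o",  # Cyrillic small o
    "\u0440": "p",  # Cyrillic small er
    "\u0441": "c",  # Cyrillic small es
    "\u0445": "x",  # Cyrillic small ha
    "\u0443": "y",  # Cyrillic small u
    "\u0456": "i",  # Cyrillic small byelorussian-ukrainian i
    "\u0458": "j",  # Cyrillic small je
    "\u04bb": "h",  # Cyrillic small shha
    "\u03bf": "o",  # Greek small omicron
    "\u03b1": "a",  # Greek small alpha
    "\u0261": "g",  # Latin small script g
    "\u0131": "i",  # Latin small dotless i
}


def decode_label(label):
    """Return the Unicode form of one DNS label, decoding punycode if present."""
    if label.lower().startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label


def decode_domain(domain):
    """Decode every label of a domain (handles mixed punycode/ASCII labels)."""
    return ".".join(decode_label(part) for part in domain.split("."))


def skeleton(domain):
    """Collapse a domain to the Latin string a human would visually read.

    Combining marks are dropped (so accented letters fold to their base) and
    each confusable letter is replaced by its Latin look-alike.
    """
    out = []
    for ch in unicodedata.normalize("NFKD", decode_domain(domain).lower()):
        if unicodedata.combining(ch):
            continue
        out.append(CONFUSABLES.get(ch, ch))
    return "".join(out)


def scripts(text):
    """Set of script prefixes (LATIN, CYRILLIC, GREEK, ...) used by letters in text."""
    found = set()
    for ch in text:
        if not ch.isalpha():
            continue
        name = unicodedata.name(ch, "")
        found.add((name.split() or ["UNKNOWN"])[0])
    return found


def analyze(domain):
    """Return a verdict dict for one domain: Unicode form, skeleton, reasons."""
    uni = decode_domain(domain)
    skel = skeleton(domain)
    reasons = []
    if uni != domain:
        reasons.append("idn")  # at least one punycode label was present
    used = scripts(uni)
    if len(used) > 1:
        reasons.append("mixed-script:" + "+".join(sorted(used)))
    if skel in PROTECTED and uni != skel:
        reasons.append("confusable-with:" + skel)
    return {"unicode": uni, "skeleton": skel,
            "suspicious": bool(reasons), "reasons": reasons}


if __name__ == "__main__":
    # Constructed samples: the real brand, a Cyrillic-e look-alike in Unicode
    # form, and the same look-alike as it would appear in DNS/certificate logs.
    lookalike = "\u0435lectrum.org"
    samples = ["electrum.org", lookalike, lookalike.encode("idna").decode("ascii")]
    for d in samples:
        print(d, "->", analyze(d))
```

Run it over new-domain or certificate-transparency feeds: the `idn` reason alone is noisy (legitimate non-Latin domains exist), but `mixed-script` combined with `confusable-with` a protected brand is a strong signal worth blocking or alerting on.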
Microsoft and Facebook worked with the security community to disrupt ZINC, also known as the Lazarus Group, after Microsoft concluded the actor was responsible for WannaCry. The response included disrupting malware used by the group, cleaning infected cus…
Proofpoint’s white paper describes financially motivated Lazarus Group activity around cryptocurrency, with analysis organized around PowerRatankba downloaders and related tooling. It covers multiple delivery formats including PowerSpritz, Windows shortcu…
Cybereason argued that North Korea was unlikely to have ordered the WannaCry campaign, challenging a public attribution that rested on earlier government and industry claims and presented no new technical evidence. The analysis contrasts WannaCry’s broad,…
U.S. officials publicly attributed the global WannaCry ransomware attack to North Korea after an investigation supported by allied governments and private-sector analysis. The malware rapidly encrypted hundreds of thousands of computers across more than 1…
ESRC identified an operation it calls Coin Manager, in which malware disguised as personal financial software was used against people connected to a specific Korean cryptocurrency exchange. The installer begins infection during setup, hides malicious code…
Secureworks reports that Lazarus Group, tracked internally as NICKEL ACADEMY, targeted cryptocurrency-company financial executives with a spearphishing lure for a CFO role at a European-based cryptocurrency company. The phishing attachment was a Microsoft…
ESRC links several Korea-focused spear-phishing incidents through shared operational traces rather than naming a specific actor. In mid-2017, a malicious HWP document exploit targeted a South Korean person active in North Korea-related work, and the docum…
Intezer links Lazarus malware used in the Blockbuster campaign to a broader North Korea-attributed framework through repeated code reuse across samples compiled from 2014 to 2017. The analysis finds overlaps among RATs, Trojans, backdoors, and families su…
The presentation describes nation-state actors including Lazarus, Bluenoroff, and Andariel shifting into financially motivated operations against banks, ATM operators, and cryptocurrency exchanges. A March 2017 Bluenoroff case targeted employees of a top …