The excerpt identifies an AhnLab presentation on targeted attacks against major industry sectors in South Korea and names Andariel as the group behind Operation Red Dot and Operation Bitter Biscuit. It frames the material as threat research by a senior ma…
2017
97 reports
Talos identified a November 2017 ROKRAT variant delivered through a malicious HWP document themed around a South Korean group focused on North Korean human rights and reunification. The document dropped a ROKRAT loader as HncModuleUpdate.exe, decoded an embedded pay…
Fortinet analyzed FALLCHILL, a remote administration tool linked in the excerpt to HIDDEN COBRA through overlapping command-and-control infrastructure and a Korean locale artifact. The malware exists in 32-bit and 64-bit variants, decrypts Windows API nam…
McAfee analyzed a repackaged Korean Bible-reading Android APK that contained and executed a backdoor ELF from its assets, turning infected devices into bots. The implant stored encoded control-server IPs in /data/system/dnscd.db, randomly selected a serve…
Unit 42 identified a mobile-focused malware cluster tied by code, mutex, and infrastructure overlaps to Operation Blockbuster activity, with targeting evidence pointing to Korean language speakers using Samsung devices. A Windows PE server named JAVAC.EXE…
Boannews reports that the Hanatour personal data breach was linked to a specific vendor solution that appears to have served as an attack entry point. Malware found at Hanatour was described as a variant similar to samples seen in an SI vendor intrusion a…
Volgmer is a Windows backdoor attributed in the source to North Korea's Lazarus Group, also known as Hidden Cobra, and described as active from at least 2013-2014 through later campaigns. It installs as a legitimate-looking service with a random name, sto…
DHS and FBI attributed Volgmer backdoor activity to North Korean government-linked HIDDEN COBRA and distributed IP addresses, malware descriptions, signatures, and mitigation guidance for defenders. The alert says FBI had high confidence the listed IPs we…
DHS and FBI reported FALLCHILL as a remote administration tool used by HIDDEN COBRA, the U.S. Government name for North Korean government malicious cyber activity. The alert says FALLCHILL had likely been used since 2016 against aerospace, telecommunicati…
The excerpt describes North Korea’s Kwangmyong intranet as an internally accessible network paired with Red Star OS and the Naenara browser, with access restricted to users inside the country. It notes that Naenara reaches an internal address at 10.76.1.1…
WannaCry disrupted NHS services in England from 12 to 19 May 2017 after a global ransomware outbreak affected more than 200,000 computers in at least 100 countries. NHS England said at least 80 of 236 trusts were infected or disrupted by precautionary shu…
Magniber samples examined by Mandiant targeted Korean systems and would not continue execution when the system language was not Korean. The analyzed campaign used ransomware payloads with the same behavior and infection vector as samples reported by Trend…
Magnitude exploit kit resurfaced with Magniber, a previously unknown ransomware family that was observed being dropped only through that exploit kit at the time of analysis. The ransomware applied multiple South Korea-specific checks, including public IP …
BAE Systems linked the Far Eastern International Bank intrusion to a cyber-enabled heist in which attackers abused systems connected to the SWIFT network and moved funds to overseas beneficiaries. Malware samples uploaded after the incident included known…