KISA’s WannaCry material outlines the incident timeline, infection spread, domestic response, and observable infection symptoms. The technical sections focus on WannaCry’s components, operating logic, and exploitation of the SMB vulnerability CVE-2017-014…
2017 (97 reports)
AhnLab analyzes Operation Bitter Biscuit as a long-running APT campaign observed from 2011 through 2017 against major South Korean organizations, with additional earlier activity affecting Japan, India, and possibly Russian-language users. The campaign us…
McAfee described the Far Eastern International Bank attack as a targeted bank heist in which criminals attempted to wire about US$60 million to destinations including Sri Lanka, Cambodia, and the United States. Initial intelligence indicated spear phishin…
Intezer found that the WannaCry and Joanap samples the report associates with North Korean activity shared an encryption implementation that also appeared in Magic Hound malware. The shared code was traced to a 2002 CodeProject example, suggesting the over…
Unit 42 documented FreeMilk, a limited spear-phishing campaign that used hijacked email conversations and tailored decoy documents to exploit CVE-2017-0199. Successful exploitation downloaded PoohMilk as a first-stage loader and Freenki as a second-stage …
South Korean authorities said an investigation confirmed North Korea was behind attempted attacks on domestic bitcoin exchanges between July and August 2017. The attackers sent ten spear-phishing emails with malicious attachments to 25 people connected to…
The Korean malware analysis excerpt describes a document-based infection involving embedded EPS/PostScript content and Ghostscript. The extracted artifact creates a startup-path executable named SMHost.exe under the Windows roaming profile, indicating per…
Trend Micro reports that malicious Hangul Word Processor attachments abused improperly restricted Encapsulated PostScript handling in older HWP versions to gain a foothold on victim systems. The activity did not rely on a conventional exploit; instead, Po…
Mandiant reported suspected North Korean actors targeting South Korean cryptocurrency exchanges in 2017 as part of a broader shift from traditional espionage toward financially motivated cyber operations. The observed activity included spearphishing again…
A Korean government press release states that a card-cloning fraud operation used copied payment cards to withdraw cash and make purchases totaling 102.64 million won. The usable excerpt supports only a high-level finding about financially motivated cyber…
Hauri reported a targeted malware campaign aimed at a university political science professor using a lure document tailored to the recipient. The attacker sent a large-file transfer link rather than a normal attachment, causing the victim to download a ma…
Guerrero-Saade and Raiu examine how fourth-party collection complicates cyber-espionage attribution when one intelligence or threat actor compromises another and reuses its access, tools, or infrastructure. The excerpt describes attacker-on-attacker opera…
Ashley Shen and Moonbeom Park's HITB slide deck surveys North Korean cyber operations across Lazarus, Bluenoroff, and Andariel, framing DPRK activity around social disruption, financial theft, and intelligence collection. It highlights reused malware “leg…
US-CERT analyzed three files associated with DeltaCharlie attack malware that combine backdoor command-and-control capability with DDoS attack functions. One Windows executable installs a packet driver and a service named netplug, uses the mutex \Global\N…
FortiGuard Labs analyzed a new KONNI RAT variant delivered by a malicious Word document using a decoy article about North Korea, while noting that the actual victim relationship to North Korea was unclear. The document’s VB macro drops an Aspack-packed in…