South Korea's Unification Ministry said a Gyeongbuk Hana Center employee's PC was infected through a malicious email, exposing files with personal information for 997 North Korean defectors. The leaked data included names, birth dates, and addresses, whil…
2018 (171 reports)
The analysis examines a malicious Word document macro that the author says was associated with Lazarus tooling by archive context and flagged by Thor's APT_MalDoc_SharpShooter_Lazarus_Campaign_Dec18_1 YARA rule. The macro was slightly obfuscated and defin…
Tencent’s threat-intelligence report disclosed Hermit, a spear-phishing campaign against Korean Peninsula-related targets that the researchers linked to the same organization behind SYSCON/SANNY and KONNI activity. The malicious documents required macro e…
McAfee documented Operation Sharpshooter, a global campaign against nuclear, defense, energy, financial, and government related organizations. Malicious job description documents with Korean-language metadata used macros and embedded shellcode to…
ESRC attributes Operation Blackbird activity to the suspected Geumseong 121 group and shows the operation expanding from earlier server and PC targeting into Android mobile espionage. The campaign targeted North Korean defectors and related individuals by…
McAfee reported Operation Sharpshooter as a global campaign against nuclear, defense, energy, and financial organizations, with many observed Rising Sun infections in the United States and defense or government-related targets. The activity masqueraded as…
Hidden Cobra, also known as Lazarus or APT38, is tied in the PDF to FASTCash activity against banking payment-switch infrastructure. The recovered analysis describes a 2018 incident where attackers manipulated transaction response messages on an IBM AIX P…
FireEye and Mandiant researchers introduce APT38 as a North Korea-linked financial intrusion group that operates separately from ordinary espionage clusters. The talk explains how the group targets banks and financial infrastructure, combines long dwell t…
NETSCOUT ASERT described STOLEN PENCIL as an APT campaign, possibly originating from DPRK, that had targeted academic institutions since at least May 2018. Victims received spear-phishing emails linking to actor-controlled sites that displayed lure docume…
Unit 42 identified the Fractured Block campaign using CARROTBAT, a previously unreported dropper that delivered decoy documents themed around South Korea, North Korea, cryptocurrency, exchanges, and political events. The activity included a December 2017 …
ESRC links Operation Black Limousine to ongoing Kimsuky activity targeting South Korean political, social, security, diplomacy, and unification-related interests. The analyzed lure used a malicious HWP document themed around a personal-information consent…
A malicious HWP document themed as a National Security Council Policy Advisory Committee plenary meeting plan was found after likely use in attacks, with metadata showing author and last-saved values of yoonjh337 and cha0520. The document contains an embe…
Trend Micro observed Lazarus, particularly the Bluenoroff subgroup, planting backdoors on machines at financial institutions in Latin America in September 2018. The attack reused a modularized backdoor approach resembling earlier Lazarus activity, with se…
ESRC attributes Operation Korean Sword to Geumseong121, also tracked as APT37, Group123, RedEyes, and ScarCruft, and describes spear-phishing attacks against South Korean activists and organizations connected to North Korea issues. The campaign relied hea…
ESRC reports a Lazarus-linked APT operation using malicious Microsoft Word documents disguised as cryptocurrency and fintech investment proposals. The documents prompt victims to enable macros, then connect to a website to install additional malware; ESRC…