Talos attributed in-the-wild exploitation of Adobe Flash CVE-2018-4878 to Group 123, using a malicious Microsoft Excel document with an embedded Flash ActiveX object. Opening the spreadsheet triggered a use-after-free exploit that downloaded shellcode fro…
ESRC described activity by a presumed state-sponsored attacker that moved from Korean cryptocurrency-exchange targeting to broader overseas attacks using malicious Microsoft Word documents. A January 2018 DOC file found in Vietnam used social engineering …
Errata Security critiques the U.S. government’s public attribution of WannaCry to North Korea, arguing that the evidence and policy framing left key attribution questions unresolved. The article distinguishes North Korea as a state from external hacking a…
Coincheck published a running incident notice after restricting NEM deposits and later suspending NEM trading and withdrawals. The exchange also paused withdrawals for all handled currencies including JPY, halted altcoin trading other than BTC, and stoppe…
AhnLab analyzed attacks abusing central management systems used by organizations to distribute policies and files to internal endpoint agents. The excerpt describes two main intrusion paths: stealing or abusing management-server administrator access to pu…
Trend Micro links the 2014 Sony compromise, the 2016 Bangladesh Bank theft, and later cryptocurrency targeting to Lazarus Group activity, showing a shift across disruption, sabotage, financial theft, and espionage. The excerpt describes Lazarus and subgro…
Trend Micro analyzed a Lazarus RATANKBA variant discovered in June 2017 that moved from a traditional PE executable form to PowerShell while retaining its HTTP-based command protocol. Backend access showed victim data, with roughly 55% of observed RATANKB…
Metrolinx confirmed that a cyberattack traced to a North Korean source breached a firewall but affected a system not tied to customer data, employee data, or safety systems. The transit agency said its joint security operation with the province detected a…
AhnLab analyzed a Windows Script File received from a customer that behaved like an APT delivery chain by displaying a decoy Korean HWP document while downloading and executing a malicious DLL. The WSF file embedded a normal HWP file, fetched a password-p…
ESTsecurity describes Venus Locker operators distributing email lures framed as copyright-law complaints to push malware with Monero mining functionality. The attached EGG archive contained shortcut files and an executable; running a shortcut launched the…
Younglimwon Soft Lab reported that an external developer server was compromised after attackers abused a file-upload vulnerability to create a web shell and modify an update module. Devices that accessed devout.ksystem.co.kr between December 19 and Decemb…
Recorded Future assesses that North Korean government actors, specifically Lazarus Group, targeted South Korean cryptocurrency users, exchanges, and foreign-affairs students in late 2017. The campaign used spear-phishing lures delivered as Hangul Word Pro…
Talos links six 2017-to-early-2018 campaigns to Group 123, with shared code and PDB artifacts tying activity such as Golden Time, Evil New Year, North Korean Human Rights, FreeMilk, and Are You Happy? together. Several campaigns targeted South Korean user…
Trend Micro found a new KillDisk variant targeting financial organizations in Latin America, but the excerpt does not attribute the activity to a named threat actor. The malware appears to be intentionally dropped by another process or used as part of a l…
ESRC reports that the operators behind Venus Locker shifted from ransomware activity seen in Korea since late 2016 to distributing malware that secretly mines Monero. The campaign used fluent Korean spear-phishing emails, including lures sent to nurse rec…