171 reports
QiAnXin/360 analyzes a suspected Group 123 APT attack sample targeting Hancom Office HWP users in South Korea. The report says the HWP sample exploited an undisclosed Hancom Office issue related to Ghostscript sandbox handling to execute malicious code, w…
Symantec details Lazarus/Hidden Cobra FASTCash attacks against banks in Asia and Africa, where attackers breached financial networks and compromised switch application servers that process ATM transactions. The key malware, Trojan.Fastcash, is an AIX exec…
Attackers compromised StatCounter's web analytics script and used the trusted counter.js inclusion to target Gate.io's Bitcoin withdrawal page. The injected JavaScript checked for the /myaccount/withdraw/BTC URI, loaded a second-stage script from the look…
ESRC describes Operation Mystery Baby malware built in a concentrated window on 31 October 2018, with separate 32-bit and 64-bit variants disguised as a Korean security product. The malware collects system information, user accounts, keystrokes, and files…
Zaif reported a breach in which attackers stole cryptocurrency from both user hot wallets and the exchange’s own assets, with losses described as about US$59 million. Sentinel Protocol’s investigation centered on three reported attacker-controlled wallet …
BAE Systems' presentation surveys destructive wiper malware used in high-impact operations and explains how wipers complicate response, attribution, and recovery. Although the talk is broader than DPRK activity alone, it gives context for destructive trad…
BAE Systems examines wiper malware as an increasingly common tactic in state-sponsored operations and classifies its use into espionage, sabotage, and diversion. The DPRK-relevant sections cite DarkSeoul as a sabotage example and note that wipers appeared…
Virus Bulletin analyzes Lazarus-linked activity after Sony Pictures, connecting the 2014 destructive intrusion to earlier Korean bank and media attacks through shared malware code and tool features. The paper describes continued targeted attacks on Korean…
SomanSA analyzed an October 2018 Lazarus APT operation against specific South Korean targets that used emails impersonating a lawyer and attached a malicious HWP document disguised as a normal file. The HWP contained a malicious PostScript component with …
Intezer traces part of Lazarus malware lineage to CasperPhpTrojan, an open-source RAT published on a Chinese project site, after VirusTotal samples from 2016 matched Lazarus-related code signatures. The analysis found overlap with RedGambler code genes, a…
FDD frames North Korean cyber operations as a tool for economic warfare, espionage, coercion, and revenue generation under sanctions. The excerpt cites DOJ allegations against Park Jin Hyok linking North Korean government-backed activity to the Sony Pictu…
Recorded Future analyzed North Korean senior leadership internet activity from March to August 2018 using third-party data, geolocation, BGP routing, and OSINT to understand how the ruling elite use global connectivity. The excerpt identifies three main a…
The excerpt describes a malicious HWP/EPS document saved in October 2018 that used shellcode encoded with a 16-byte XOR key to download additional payloads. The delivery chain retrieved follow-on malicious code from WordPress plugin-themed paths on flydas…
trade.io detailed its plan to fork TIO into Trade Token X after a contained security breach involving TIO tokens traded across multiple exchanges. The company set a snapshot time aligned with KuCoin’s closure of deposits and withdrawals, then used that sn…
trade.io reported that 50 million Trade Tokens reserved for its liquidity pool were moved from a wallet, followed by abnormal TIO trading on external exchanges. The company said the incident was limited to one hardware wallet and that the exchange, liquid…