McAfee Advanced Threat Research describes Operation Oceansalt as five adapted attack waves against victims primarily in South Korea, with additional activity in the United States and Canada. The malware reused large portions of code from the older Seasalt…
« 2018 »
Operation Oceansalt Attacks South Korea, U.S., and Canada With Source Code From Chinese Hacker Group
McAfee analyzed Operation Oceansalt, a reconnaissance implant campaign that began with Korean-language spear phishing documents and later affected South Korea, the United States, and Canada. Oceansalt reused portions of Seasalt code associated with Commen…
ESRC identified a new KONNI campaign on 18 October 2018 and named it Operation Happy Virus based on the malware developer path and final filename, including `F:\0_work\planes\2018\forvirus\happy\Release\happy.pdb` and `happy.exe`. The activity follows ear…
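Build paths like the one ESRC used for naming are recoverable from the CodeView debug record that the compiler embeds in a PE. The following is an added example, not code from ESRC's report: it scans a byte buffer for `RSDS` CodeView records, decodes the GUID, age and PDB path, and checks the path against a small watch list. The `KNOWN_PATHS` table, the GUID and the sample buffer are constructed for the example; only the `happy.pdb` path comes from the report.

```python
"""Extract PDB paths from RSDS CodeView records and match them against
known attacker build paths.

Added example; the sample buffer, GUID and watch list are constructed.
"""
import re
import struct
import uuid

# CodeView RSDS record: 'RSDS' | 16-byte GUID | 4-byte age | NUL-terminated path.
# DOTALL so '.' also matches NUL bytes inside the GUID and age fields.
_RSDS_RE = re.compile(rb"RSDS(.{16})(.{4})([^\x00]{1,512})\x00", re.DOTALL)

# Constructed watch list; the path itself is the one ESRC reported.
KNOWN_PATHS = {
    r"F:\0_work\planes\2018\forvirus\happy\Release\happy.pdb":
        "KONNI / Operation Happy Virus (ESRC, Oct 2018)",
}


def extract_pdb_records(data: bytes) -> list:
    """Return every RSDS record found in `data` as a dict."""
    records = []
    for m in _RSDS_RE.finditer(data):
        guid = uuid.UUID(bytes_le=m.group(1))      # PE stores the GUID little-endian
        age = struct.unpack("<I", m.group(2))[0]
        path = m.group(3).decode("latin-1")        # PDB paths are 8-bit strings
        records.append({"offset": m.start(), "guid": str(guid),
                        "age": age, "path": path})
    return records


def build_dir_tokens(path: str) -> list:
    """Split a Windows build path into directory components for pivoting
    (e.g. clustering samples by a shared project or user directory)."""
    parts = path.replace("/", "\\").split("\\")
    return [p for p in parts[:-1] if p]


def match_known_paths(records: list) -> list:
    """Pair each record whose path is on the watch list with its label."""
    return [(r["path"], KNOWN_PATHS[r["path"]])
            for r in records if r["path"] in KNOWN_PATHS]


def build_sample(path: str) -> bytes:
    """Constructed test buffer: filler, one RSDS record, more filler."""
    guid = uuid.UUID("12345678-1234-5678-1234-567812345678")   # constructed
    return (b"MZ" + b"\x00" * 64
            + b"RSDS" + guid.bytes_le + struct.pack("<I", 1)
            + path.encode("latin-1") + b"\x00"
            + b"\x90" * 16)


SAMPLE = build_sample(r"F:\0_work\planes\2018\forvirus\happy\Release\happy.pdb")

if __name__ == "__main__":
    recs = extract_pdb_records(SAMPLE)
    for r in recs:
        print(f"offset=0x{r['offset']:x} guid={r['guid']} age={r['age']} path={r['path']}")
        print("  dirs:", build_dir_tokens(r["path"]))
    for path, label in match_known_paths(recs):
        print("HIT:", label, "<-", path)
```

Run it against a real PE by reading the file into `data` and calling `extract_pdb_records(data)`; because the scan is signature-based rather than walking the debug directory, it also works on packed or truncated dumps where the PE headers are damaged, at the cost of the occasional false positive on arbitrary data containing `RSDS`.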
AhnLab profiles Andariel as a Lazarus subgroup active since at least 2015, with historical links to Operation Black Mine, DarkSeoul-era activity, and earlier attacks affecting South Korean military, banking, and broadcaster targets. The report says Andari…
BAE Systems' BSides Belfast talk reviews Lazarus activity in SWIFT-related bank heists, including how financially motivated intrusions evolved into large-scale theft attempts against financial institutions. The presentation discusses the group's backdoors…
Hauri analyzed resume-themed malicious Hangul Word Processor documents used in Korean-targeted spear-phishing campaigns, noting similarities to activity publicly associated with groups such as BlueNoroff, APT37, ScarCruft, RedEyes, Group123, and Geumsong1…
The article reports that hacking incidents against South Korean cryptocurrency exchanges continued to occur and that losses from unauthorized withdrawals were increasing. It says police investigations remained unresolved while authorities cited internatio…
FireEye profiles APT38 as a financially motivated, North Korean regime-backed group specializing in bank intrusions and destructive operations. The report says the group has attempted to steal more than $1.1 billion, compromised more than 16 organizations …
Intezer linked Final1stspy activity to APT37/Group123 by analyzing code reuse across NOKKI, KONNI, KimJongRAT, DOGCALL/ROKRAT, and FreeMilk-related samples. The reported NOKKI-associated malicious document used VBScript to download Final1stspy, whose `Loa…
Igloo analyzes a collected HIDDEN COBRA java.exe malware sample that connects to hardcoded command-and-control servers and executes attacker commands when a connection succeeds. The sample is reported to be created by a 64-bit malicious DLL and stores req…
U.S. government agencies attributed the FASTCash ATM cash-out campaign to HIDDEN COBRA, describing North Korean government activity against banks in Africa and Asia since at least late 2016. The campaign compromised retail payment switch application serve…
A suspicious HWP/OLE file contained shellcode that decoded an embedded payload and downloaded additional malware from a server at 211.218.126.236. The downloaded component was identified as a hwdoor downloader that saved svrc.exe under a temporary path an…
Unit 42 linked NOKKI-related delivery activity to Reaper Group tradecraft by identifying a World Cup lure document that ultimately executed DOGCALL, a RAT publicly associated with North Korea-linked Reaper activity. The malicious Word macro used a distinc…
Intezer's North Korea Cyber Campaign Timeline presents code-reuse analysis across malware and cyber campaigns affiliated with North Korea from 2007 through 2018. The source frames the timeline as a way to inspect named attacks by campaign name and first-o…
Unit 42 identified NOKKI, a malware family closely related to KONNI through code and infrastructure overlap, in attacks observed from early 2018 through at least July 2018. The activity likely targeted politically motivated victims in Eurasia and possibly…