360 attributes a cryptocurrency-focused intrusion to APT-C-26, described as Lazarus, targeting digital currency organizations and related personnel. The attackers allegedly imitated the open-source Qt Bitcoin Trader application with a Windows and macOS tr…
2018 (171 reports)
360 Core Security attributed a cryptocurrency-sector attack, tracked as APT-C-26 and suspected to involve Lazarus, to trojanized digital currency trading software named Celas Trade Pro. The attackers modified the open source Qt Bitcoin Trader application …
AhnLab links Red Eyes to Geumseong121, Group 123, ScarCruft, APT37, Reaper, and Ricochet Chollima, with repeated targeting of people and organizations working on North Korea. The activity focused on North Korean defectors, human rights activists, research…
ESRC observed a spear-phishing campaign in South Korea that sent malware disguised as a company transaction-history Excel document. The executable used a double-extension filename and an Excel-style icon to hide its .exe nature, then displayed a decoy spr…
DHS and FBI analyze KEYMARBLE, a 32-bit Windows Remote Access Trojan attributed by the U.S. Government to HIDDEN COBRA, the label used for North Korean government malicious cyber activity. The malware de-obfuscates APIs, uses port 443 to connect to hard-c…
McAfee and Intezer analyzed code reuse among malware families and campaigns publicly associated with North Korea, including Lazarus, Silent Chollima, Group 123, Hidden Cobra, DarkSeoul, Blockbuster, Operation Troy, and 10 Days of Rain. The excerpt says th…
A malicious HWP document disguised as a Korea Financial Supervisory Service notice used encrypted shellcode similar to a previously observed HWP sample. The excerpt notes 16-byte XOR keys, extraction of PostScript code and shellcode, and a malware-structu…
RSupport disclosed signs that one internal PC had been infected with malware and that a code-signing certificate used for file integrity verification may have been exposed. The company said it worked with KISA, revoked the existing certificate, replaced i…
Intezer and McAfee link multiple malware families attributed to North Korean operations through reused code, shared infrastructure, and artifacts embedded in binaries. The research maps overlaps across campaigns and tools including Brambul, Fallchill, Wan…
Igloo analyzes HIDDEN COBRA malware built around a dropper that installs Joanap, a remote access backdoor, and Brambul, an SMB-based worm component. After checking for the SCardPrv service to determine whether a host is already infected, the dropper creat…
The excerpt describes North Korea's cyber capability as a state-backed force built from selected technical students and organized around offensive, intelligence, and revenue-generating missions. It cites claims from defectors and researchers that DPRK cyb…
FSI analyzed known malicious Korean HWP documents from 2015 through the first half of 2018 and grouped related activity into Campaign DOKKAEBI. The excerpt identifies three threat groups using malicious HWP documents in cyberattacks: Bluenoroff, Kimsuky, …
Unit 42 identified a Bisonal campaign that targeted at least one Russian defense-related communications security company and one unidentified South Korean organization in early May 2018. The attackers used spear-phishing with a Windows executable disguise…
VNCERT issued urgent coordination warning 234/VNCERT-ĐPƯC after observing targeted APT-style malware attacks against Vietnamese banks and nationally important infrastructure organizations in late July 2018. The advisory said attackers used deceptive and a…