ESRC described Operation Star Cruiser as an active spear-phishing campaign against South Korean cryptocurrency-related targets and assessed it as linked to the Lazarus group. The attack used malicious HWP documents tailored to Korean environments, with em…
2018: 171 reports
McAfee attributed Operation GhostSecret with high confidence to Hidden Cobra and described a global data-reconnaissance campaign affecting sectors including critical infrastructure, entertainment, finance, health care, telecommunications, and higher educa…
Coinsecure began preparing a claims process after 438 BTC was stolen from the Indian exchange's wallet, affecting about 11,000 customers. The incident was tied in the article to the extraction of private keys from a cold wallet while CSO Amitabh Saxena wa…
ESRC links Operation Baby Coin to a suspected state-sponsored group targeting Korean individuals with spear-phishing emails carrying a malicious RTF/DOC file named “Coin Information.” The document abused CVE-2017-11882 through the Microsoft Equation Edito…
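The delivery vector named in that summary, an Equation Editor OLE object carried in an RTF document, leaves recoverable markers in the file even when the exploit itself is not parsed. The following triage check is an added example written for this page; it is not code from ESRC or from the report, and the three RTF documents embedded in it are constructed stand-ins, not samples from the campaign. It flags an RTF file that embeds a Microsoft Equation 3.0 object by looking for the `\objclass Equation.3` hint, the hex-encoded ProgID in the OLE1 header inside `\objdata`, and the packed Equation Editor CLSID, after stripping the whitespace and junk control words that exploit builders insert to break naive string signatures. It covers only the RTF carrier, not the binary `.doc` form of the lure.

```python
import re

# ProgID "Equation.3" as it appears, hex-encoded, in the OLE1 header inside \objdata.
EQUATION_PROGID_HEX = "Equation.3".encode("ascii").hex()   # 4571756174696f6e2e33

# Equation Editor 3.0 CLSID {0002CE02-0000-0000-C000-000000000046}, packed as a
# little-endian GUID and hex-encoded, as it appears inside an embedded OLE storage.
EQUATION_CLSID_HEX = "02ce020000000000c000000000000046"

_OBJCLASS_RE = re.compile(rb"\\objclass\s*Equation\.3\b", re.IGNORECASE)
_OBJDATA_RE = re.compile(rb"\\objdata\b", re.IGNORECASE)
# An RTF control word, optionally with a numeric parameter and one delimiting space.
_CONTROL_WORD_RE = re.compile(rb"\\[A-Za-z]+-?\d*\s?")
_NON_HEX_RE = re.compile(rb"[^0-9A-Fa-f]")


def _objdata_hex_blobs(rtf: bytes):
    """Yield the hex payload of every \\objdata group with RTF noise removed.

    Braces are tracked so a nested group does not end the payload early; control
    words are dropped first (a word directly followed by digits takes them as its
    parameter, per RTF syntax) and the remainder is reduced to hex digits.
    """
    for m in _OBJDATA_RE.finditer(rtf):
        depth, i = 1, m.end()
        while i < len(rtf) and depth:
            ch = rtf[i:i + 1]
            if ch == b"{":
                depth += 1
            elif ch == b"}":
                depth -= 1
            i += 1
        payload = _CONTROL_WORD_RE.sub(b"", rtf[m.end():i - 1])
        yield _NON_HEX_RE.sub(b"", payload).decode("ascii").lower()


def scan_rtf_for_equation_editor(rtf: bytes) -> dict:
    """Return indicator flags for one RTF document.

    'suspicious' is set when any Equation Editor indicator is present. \\objupdate
    is reported separately: it forces the object to load when the file is opened,
    which exploit documents rely on, but it is not proof on its own.
    """
    blobs = list(_objdata_hex_blobs(rtf))
    flags = {
        "objclass_equation": bool(_OBJCLASS_RE.search(rtf)),
        "objdata_progid_equation": any(EQUATION_PROGID_HEX in b for b in blobs),
        "objdata_clsid_equation": any(EQUATION_CLSID_HEX in b for b in blobs),
        "objupdate": b"\\objupdate" in rtf.lower(),
        "embedded_objects": len(blobs),
    }
    flags["suspicious"] = (flags["objclass_equation"]
                           or flags["objdata_progid_equation"]
                           or flags["objdata_clsid_equation"])
    return flags


# Constructed sample documents (not samples from the campaign).
BENIGN_RTF = b"{\\rtf1\\ansi\\deff0 {\\fonttbl{\\f0 Arial;}}\\f0 Quarterly coin report.\\par}"

# OLE1 header: version 01050000, format 02000000, class-name length 0b000000,
# then "Equation.3\0". The native data that would follow is omitted.
_OLE1_HEADER_HEX = b"01050000020000000b000000" + b"4571756174696f6e2e3300"

EXPLOIT_STYLE_RTF = (
    b"{\\rtf1\\ansi Coin Information\\par"
    b"{\\object\\objemb\\objupdate{\\*\\objclass Equation.3}"
    b"{\\*\\objdata " + _OLE1_HEADER_HEX + b"}}}"
)

# Same object with the \objclass hint removed and the hex broken up with
# whitespace and junk control words; the ProgID and packed CLSID are still there.
OBFUSCATED_RTF = (
    b"{\\rtf1\\ansi{\\object\\objemb\\objupdate{\\*\\objdata 0105\n0000 \\bin 0200"
    b"\\par 00000b00 00004571 75617469 6f6e2e33 00"
    b"02ce0200 00000000 c0000000 00000046}}}"
)

if __name__ == "__main__":
    for name, doc in (("benign", BENIGN_RTF), ("exploit-style", EXPLOIT_STYLE_RTF),
                      ("obfuscated", OBFUSCATED_RTF)):
        print(name, scan_rtf_for_equation_editor(doc))
```

The obfuscated sample is the case that matters in practice: no `\objclass` hint survives, so a signature keyed on that string alone misses it, while the hex-level ProgID and CLSID checks still fire. On a real file the OLE1 header carries the ProgID and the compound storage after it carries the CLSID, so the two `objdata_*` flags usually agree; either one is enough to route the document to a sandbox.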
APT37 is identified by MITRE as a North Korean state-sponsored cyber espionage group active since at least 2012. The group has primarily targeted South Korea, with additional victim activity reported in Japan, Vietnam, Russia, Nepal, China, India, Romania…
Coinsecure disclosed the theft of 438 BTC from its main wallet and said its system had not been compromised, instead linking the loss to a Bitcoin Gold extraction process. The exchange's CEO accused CSO Amitabh Saxena of fabricating a story about an exter…
ESRC links Operation BattleCruiser to Lazarus activity using malicious HWP documents and exploit-delivered payloads against Korean and overseas targets, including defense, North Korea-related, security, public-sector, academic, financial, and cryptocurren…
OPCDE 2018 researchers Jaewon Min and Inhee Han analyzed Lazarus-linked Android backdoors and a separate mobile-focused cluster they named Sun Team targeting North Korean defectors and related support groups. The Lazarus section described repackaged Korea…
CrowdStrike profiles STARDUST CHOLLIMA as a targeted intrusion adversary with a likely DPRK nexus and a primary focus on generating funds through operations against financial institutions. The activity includes past campaigns abusing SWIFT systems and int…
Unit 42 links an expanded Android spyware set to the North Korean Reaper group, also known as APT37, Scarcruft, Group 123, or Red Eyes. The activity includes trojanized versions of a Bitcoin Ticker Widget and a PyeongChang Winter Games application that pr…
AhnLab profiles the Red Eyes group, also known as Geumseong121, Group 123, ScarCruft, APT37, Reaper, and Ricochet Chollima, as a cluster targeting defectors, North Korean human-rights activists, North Korea researchers, journalists, and some military-them…
ESET attributes attacks against a Central American online casino and other late-2017 targets to Lazarus based on overlapping toolsets, telemetry, Lazarus-linked malware, and shared static characteristics. The intrusions used Windows service-oriented NukeS…
Cisco Talos investigated KevDroid after a reported possible Group 123 connection, but concluded the observed overlaps were too weak to establish a real link. The Android RAT variants stole device data such as contacts, SMS, call history, location, and pho…
DHS and FBI attributed SHARPKNOT to HIDDEN COBRA, the U.S. government's label for North Korean state cyber activity. The MAR analyzes a 32-bit Windows executable that must be launched with a command-line argument, disables selected Windows services, overw…
Intezer reported a March 2018 Lazarus Group campaign targeting cryptocurrency exchanges, FinTech firms, financial companies, and other cryptocurrency-related organizations with a malicious `Investment Proposal.doc` lure impersonating the Australian law fi…