The Black Hat presentation links Lazarus, Bluenoroff, Andariel, and Reaper/APT37 to financially motivated and espionage-focused attacks against banks, cryptocurrency exchanges, ATM operators, defense, government, and South Korean users. It describes a Mar…
« 2018 »
171 reports
AhnLab examined malicious Hangul Word Processor files used against South Korean organizations from September 2016 through December 2017. The targets were mainly employees of North Korea-related businesses and virtual-currency businesses, with delivery thr…
The excerpt reviews several high-risk intrusion cases that had initially appeared to be separate incidents but were later assessed as the work of the same attacker. It says the actor found vulnerabilities still present inside the companies, penetrated internal en…
The excerpt analyzes malware used in multiple corporate intrusions and says variants built around June and August 2017 reused code, encoded internal data, and shared routines for collecting host information. The malware gathered items such as OS, IP addre…
Malwarebytes observed Hermes ransomware being delivered to South Korean users through a compromised Korean website and the Magnitude exploit kit using the Flash zero-day CVE-2018-4878. The infection chain used malicious redirection hidden in page source c…
38 North argues that North Korea may use clandestine offensive cyber operations as pressure continues around sanctions and negotiations, with likely interest in financial, media, government, defense, and possibly critical infrastructure targets. The artic…
Kaspersky analyzed OlympicDestroyer as a destructive worm used against Pyeongchang Winter Olympics infrastructure and related organizations, disrupting Wi-Fi, ticketing, displays, and other IT systems. The malware combined credential theft, PsExec-based p…
McAfee attributed a campaign against Turkish financial and government-linked finance organizations to Hidden Cobra based on Bankshot code similarity, victim sector, and control-server strings. Spear-phishing emails carried malicious Word documents with em…
Tencent Yujian Threat Intelligence Center reported Lazarus (T-APT-15) activity exploiting Flash `CVE-2018-4878` through spear-phishing documents aimed at targets including cryptocurrency exchanges. The captured `.docx` lures embedded a malicious `.doc` wi…
A briefing titled North Korea's foreign-currency earning and financial hacking activity in cyberspace frames DPRK cyber operations as a revenue-generation problem. The archived title points to financially motivated hacking and cryptocurrency-related activ…
AhnLab analyzed 135 malicious Hangul Word Processor documents collected from September 2016 through December 2017 and found that North Korea-related workers and cryptocurrency-related workers were major targets. The DPRK-relevant activity includes Group A…
Morphisec analyzed a Word document named AGREEMENT.docx that exploited Flash vulnerability CVE-2018-4878 to execute code and download a DLL payload from a likely compromised domain. The exploit included both 32-bit and 64-bit implementations, unlike a pri…
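The two document-borne CVE-2018-4878 chains above (the Tencent `.docx` lures and Morphisec's AGREEMENT.docx) share one structural trait a triage script can catch before any exploit analysis: an Office Open XML container that carries an embedded binary part, a Flash (SWF) file header, or the Shockwave Flash ActiveX control CLSID. The script below is an added example written for this page, not code from either vendor; the sample document it builds is constructed in memory (a zipped `.docx` skeleton with a fake `activeX` part and a `CWS` header followed by zero bytes) and is not a real lure or exploit.

```python
import io
import re
import zipfile

# Indicators a triage pass can look for inside an OOXML (.docx) container.
SWF_MAGICS = (b"FWS", b"CWS", b"ZWS")  # uncompressed, zlib-compressed, LZMA-compressed Flash
FLASH_CLSID = "D27CDB6E-AE6D-11CF-96B8-444553540000"  # Shockwave Flash ActiveX control
SUSPECT_DIRS = ("word/embeddings/", "word/activeX/")  # parts that hold OLE/ActiveX payloads
CLSID_RE = re.compile(
    r"[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}", re.I
)


def scan_ooxml(data: bytes) -> list[str]:
    """Return triage findings for an OOXML document supplied as bytes.

    Findings are tagged strings: embedded-part (OLE/ActiveX part present),
    swf-header (part starts with an SWF magic), swf-nested (SWF magic inside
    an embedded part, e.g. wrapped in an OLE stream), flash-clsid (the Flash
    control CLSID referenced from an XML part).
    """
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["not-a-zip: not an OOXML container"]
    for info in zf.infolist():
        name = info.filename
        blob = zf.read(name)
        in_suspect_dir = name.startswith(SUSPECT_DIRS)
        if in_suspect_dir:
            findings.append(f"embedded-part: {name}")
        header = blob[:3]
        if header in SWF_MAGICS:
            findings.append(f"swf-header: {name} ({header.decode()})")
        elif in_suspect_dir:
            # Only search nested magics inside payload parts to limit false positives
            # from three-byte coincidences in ordinary XML or image data.
            for magic in SWF_MAGICS:
                if magic in blob:
                    findings.append(f"swf-nested: {name} ({magic.decode()})")
        if name.endswith(".xml"):
            text = blob.decode("utf-8", errors="replace")
            if any(c.upper() == FLASH_CLSID for c in CLSID_RE.findall(text)):
                findings.append(f"flash-clsid: {name}")
    return findings


def build_sample_docx() -> bytes:
    """Constructed sample (not a real lure): minimal .docx skeleton whose activeX
    part declares the Flash control and whose binary part starts with a CWS header."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document><w:body/></w:document>")
        zf.writestr(
            "word/activeX/activeX1.xml",
            f'<ax:ocx ax:classid="{{{FLASH_CLSID}}}" ax:persistence="persistStreamInit"/>',
        )
        # "CWS" + version byte 0x0f, then a zeroed body standing in for the SWF payload.
        zf.writestr("word/activeX/activeX1.bin", b"CWS\x0f" + b"\x00" * 64)
    return buf.getvalue()


def build_clean_docx() -> bytes:
    """Constructed benign document with no embedded parts, for comparison."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document><w:body><w:p/></w:body></w:document>")
    return buf.getvalue()


if __name__ == "__main__":
    for label, doc in (("sample lure", build_sample_docx()), ("clean", build_clean_docx())):
        print(label, scan_ooxml(doc) or "no findings")
```

The presence of a Flash object in a Word document is a strong triage signal on its own, since legitimate business documents rarely carry one; confirming which Flash vulnerability an embedded SWF targets still requires decompressing the `CWS`/`ZWS` body and analyzing the ActionScript, which this check deliberately does not attempt.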
McAfee ATR identified Operation Honeybee as a malicious-document campaign targeting humanitarian aid organizations with North Korea-themed lures, later shifting to Word compatibility-message decoys submitted largely from South Korea. The documents used VB…
Kaspersky's 2018 Kimsuky presentation tracks the group's return in the 2016 to 2017 Fairy Tale activity against South Korean companies, government targets, and individuals. The deck describes a GoldDragon-centered malware cluster that collects system info…
Carbon Black examined ROKRAT, also known as DOGcall, a remote access trojan used by attackers originating from North Korea. The malware is commonly delivered by loaders or carrier files such as macro-enabled Office documents, injects shellcode into proces…