The Lazarus downloader analysis builds on previously identified January 2019 samples and derives a YARA detection for a related payload. Sandbox behavior showed the malware beaconing to a control server with an HTTP request for an info.asp path, providing…
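The summary above notes that the downloader was identified by its beaconing to an info.asp path. The following is an added example (not code from the report or from any vendor tool) of how a defender could hunt for that behavior in web-proxy logs: rather than matching the path alone, it groups requests per client and URL and flags series whose inter-request intervals are nearly constant, which is what distinguishes a beacon from a user who simply visits a page called info.asp. The log lines, the host names and the IP addresses are constructed for the example; the real control server is not named here.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log (not taken from the report).
# Format assumed for the example: "<ISO timestamp> <client> <method> <url>".
# 10.0.0.5 polls example-c2.test/info.asp every ~5 minutes (a beacon);
# 10.0.0.7 hits an intranet page that happens to be called info.asp twice.
SAMPLE_LOG = """\
2019-01-15T09:00:00 10.0.0.5 GET http://example-c2.test/info.asp?id=ab12
2019-01-15T09:01:00 10.0.0.5 GET http://www.example.com/index.html
2019-01-15T09:05:00 10.0.0.5 GET http://example-c2.test/info.asp?id=ab12
2019-01-15T09:10:01 10.0.0.5 GET http://example-c2.test/info.asp?id=ab12
2019-01-15T09:15:00 10.0.0.5 GET http://example-c2.test/info.asp?id=ab12
2019-01-15T09:03:12 10.0.0.7 GET http://intranet.test/news/info.asp
2019-01-15T11:47:30 10.0.0.7 GET http://intranet.test/news/info.asp
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def parse_log(text):
    """Parse the constructed log format into (timestamp, client, method, url) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the hunt
        ts, client, method, url = m.groups()
        events.append((datetime.fromisoformat(ts), client, method, url))
    return events


def find_beacons(events, path_suffix="/info.asp", min_requests=4, max_cv=0.10):
    """Return request series to *path_suffix* whose timing looks like a beacon.

    A series is flagged when it has at least *min_requests* hits and the
    coefficient of variation (stddev / mean) of the gaps between hits is at
    most *max_cv*. Query strings are ignored so a per-victim id does not split
    one beacon into many groups.
    """
    groups = defaultdict(list)
    for ts, client, _method, url in events:
        path = url.split("?", 1)[0]
        if path.endswith(path_suffix):
            groups[(client, path)].append(ts)

    hits = []
    for (client, path), stamps in groups.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg else float("inf")
        if cv <= max_cv:
            hits.append({
                "client": client,
                "path": path,
                "count": len(stamps),
                "interval_s": round(avg, 1),
                "cv": round(cv, 3),
            })
    return hits


if __name__ == "__main__":
    for hit in find_beacons(parse_log(SAMPLE_LOG)):
        print(hit)
```

The min_requests floor matters: with only two hits there is a single gap, its standard deviation is zero, and the intranet visitor would be flagged as a "perfect" beacon. Raise max_cv if the implant adds jitter, and lower it if false positives from legitimate pollers dominate.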
2019: 183 reports
A Korean Android app developer described a compromise in which an attacker took over the developer's Google account, accessed Bitbucket through that login, and obtained source code. The attacker was able to distribute a malicious APK because the Android S…
The Korean analysis describes an HWP malware document disguised as weekly international security and military information. The file used a PostScript vulnerability to load shellcode, perform staged decryption, inject code into iexplorer.exe, download an a…
McAfee reported that malicious Android code was delivered through a plugin masquerading as part of a long-running South Korean bus app series. The apps had been available through Google Play for years before removal, giving the attacker a trusted distribu…
ESTsecurity ESRC reports a Lazarus campaign it names Operation Extreme Job, using a malicious DOC lure with macro code techniques reused from earlier intrusions. The document name and code style overlap with prior ESRC reporting on Operation Arabian Night…
VNCERT warned in late July 2018 that targeted malware attacks had been observed against information systems at several Vietnamese banks and national critical-infrastructure organizations. On 23 July 2018, the center issued coordination warning 234/VNCERT-…
SectorA05 used Operation Kitty Phishing to target 77 reporters covering South Korea’s Unification Ministry with malware-laden email in January 2019, while also running credential-phishing campaigns against South Korean central government, unification, dip…
Cisco Talos observed a targeted malware campaign using a Microsoft Word document disguised as a Cisco Korea job posting. The lure reused legitimate job-posting content and appeared to start a multi-stage infection process aimed at specific organizations. …
MITRE ATT&CK profiles APT38 (group ID G0082), also tracked as NICKEL GLADSTONE, BeagleBoyz, Bluenoroff, Stardust Chollima, Sapphire Sleet, and COPERNICIUM. The entry describes financially motivated North Korea-linked activity including fake financial or ventu…
NSHC frames its SectorA01 custom proxy utility analysis around the difficulty of moving from threat-group attribution to nation-state attribution. The excerpt warns that custom malware, stolen code, repackaging, recreated functions, and false-flag strings…
ESRC identified a January 2019 Operation Rocket Man variant that shifted from earlier HWP exploit delivery to a malicious XLS file themed around red ginseng pricing for South Korea’s Lunar New Year season. The document lured users into enabling content wi…
The source analyzes PSLogger, a keylogging and screen-grabbing utility connected to attempted intrusions against financial organizations in Vietnam. Two observed versions include a DLL injected through a modified PowerSploit framework and a standalone exe…
Elementus analyzed blockchain activity after the Cryptopia hack to provide transparency while the exchange released few details. The source focused on how much value was taken, where funds moved, and whether exchanges had frozen any stolen assets. The ana…
QuoScient reported evidence that a Lazarus-linked tool seen in the Chilean Redbanc intrusion also matched activity against a Pakistani financial services employee. The analysis compares tactics and technical artifacts from the Redbanc case with malware an…
ESRC described Operation Fake Capsule as a January 2019 government-backed APT variant that reused the double-extension document-disguise technique seen in Operation Cobra Venom, but delivered an SCR file masquerading as an HWP research document. The dropp…
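The double-extension disguise used in Operation Fake Capsule works because Windows hides known extensions by default, so a file named like "research.hwp.scr" is displayed as "research.hwp" while still executing as a screensaver (a PE executable). The block below is an added example, not code from ESRC or the report, of a mail-gateway style check that catches the trick from two sides: the filename (a document extension immediately followed by an executable one) and the content (a PE header behind a name that claims to be a document). It generalizes beyond HWP/SCR to other document and executable extension pairs, and also handles the variant where whitespace is inserted between the two extensions, which is an assumption of the example rather than something the summary describes. The file names and byte strings are constructed; the HWP 5.x magic is the OLE compound-file signature, which is also why legacy DOC and XLS share it.

```python
# Extensions Windows will execute when double-clicked (assumption: a practical,
# non-exhaustive list for the example).
EXECUTABLE_EXTS = {"scr", "exe", "com", "pif", "bat", "cmd", "js", "vbs", "hta", "lnk"}
# Extensions a lure pretends to be.
DOCUMENT_EXTS = {"hwp", "hwpx", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "pdf", "txt"}

# File signatures, checked by prefix.
MAGIC = {
    b"MZ": "pe",                                     # Windows executable (EXE, SCR, DLL)
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole",      # OLE compound file: HWP 5.x, legacy DOC/XLS
    b"PK\x03\x04": "zip",                            # OOXML (docx/xlsx) and HWPX containers
    b"%PDF": "pdf",
}


def sniff(data):
    """Identify the container format from its leading bytes."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def classify(filename, data):
    """Return ("suspicious", reasons) or ("ok", []) for an attachment.

    Two independent checks:
      1. name-based: "<doc ext>.<exec ext>" at the end of the name, tolerating
         whitespace padding between the two (e.g. "plan.hwp   .scr");
      2. content-based: a PE header behind a name whose last extension is not
         executable (e.g. "plan.hwp" that is really an SCR).
    """
    reasons = []
    exts = [e.strip() for e in filename.lower().split(".")[1:]]
    real_ext = exts[-1] if exts else ""

    if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTS and real_ext in EXECUTABLE_EXTS:
        reasons.append(f"double extension: shown as .{exts[-2]}, executes as .{real_ext}")

    kind = sniff(data)
    if kind == "pe" and real_ext not in EXECUTABLE_EXTS:
        reasons.append(f"PE header but extension .{real_ext or '(none)'}")

    return ("suspicious" if reasons else "ok"), reasons


# Constructed sample contents: only the signature bytes matter for the check.
PE_STUB = b"MZ\x90\x00" + b"\x00" * 60          # start of a DOS/PE header
OLE_STUB = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 8  # OLE compound file header

if __name__ == "__main__":
    for name, blob in [
        ("2019 research plan.hwp.scr", PE_STUB),   # the Fake Capsule pattern
        ("2019 research plan.hwp    .scr", PE_STUB),
        ("2019 research plan.hwp", PE_STUB),       # renamed executable
        ("2019 research plan.hwp", OLE_STUB),      # genuine HWP 5.x
        ("setup.scr", PE_STUB),                    # honest screensaver, not flagged
    ]:
        print(name, "->", classify(name, blob))
```

The content check is the one that survives renaming; the name check is cheap and catches the lure even when the attachment is only a filename in a log. Neither inspects the PostScript or macro payload of a real document, so a genuine HWP or XLS that carries an exploit still passes this gate and needs separate document analysis.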