Objective-See analyzed a Lazarus-linked macOS implant delivered through a trojanized UnionCryptoTrader application, continuing the group’s pattern of targeting cryptocurrency exchange users and administrators with fake trading software. The infection chai…
2019: 183 reports
The FreeBuf article profiles Lazarus as a North Korea-linked group also known as APT38 or Guardians of Peace, summarizing activity from early political attacks against the United States and South Korea through later financial, ransomware, cryptocurrency, …
The Upbit breach transaction analysis examines the theft of 342,000 ETH from a hot wallet and identifies several abnormal transaction fields that may reflect attacker tooling rather than routine wallet operation. The source highlights a notable nonce, an …
Upbit disclosed that at 13:06 KST on 27 November 2019, 342,000 ETH, worth about 58 billion won, was transferred from its Ethereum hot wallet to an unknown wallet. The exchange said customer assets would not be affected because it would cover the loss with…
AhnLab ASEC observed malicious HWP documents that create script files in the Windows Startup folder so payload activity runs after reboot rather than immediately on document execution. One lure used a Korean National Intelligence Studies Association chair…
While the DPRK case itself may be unique, as a CNO framework it could serve as a model and even a driver for future state CNO programs in similar regime-driven countries seeking similar high-payoff objectives with limited resources. This talk will first look …
Lazarus activity is reflected in reporting about threats to the financial sector and to software developers. The report emphasizes remote access tooling and developer-platform abuse as the most relevant defensive themes. Infrastructure references such as se…
Trend Micro describes a Lazarus-attributed macOS NUKESPED campaign targeting Korean users through a macro-enabled Excel lure and a separate malicious Flash Player app bundle. The macro contacted crabbedly[.]club, craypot[.]live, and indagator[.]club, whil…
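The three defanged domains in that entry are the kind of indicator a defender pushes into DNS log matching. The block below is an added example for this page, not tooling from Trend Micro or from the report: it refangs the indicators and matches them against constructed DNS query log lines in an assumed "timestamp client qtype qname" format. It matches on label boundaries, so a look-alike such as notcrabbedly.club does not hit on crabbedly.club the way a plain substring test would.

```python
"""Match defanged C2 domains against DNS query logs.

Added example for this page, not tooling from the Trend Micro writeup. The
three domains are the ones that writeup names; the log lines and the log
format (timestamp, client IP, query type, queried name) are constructed and
assumed for the demonstration.
"""
import re

DEFANGED_IOCS = ["crabbedly[.]club", "craypot[.]live", "indagator[.]club"]

# "<timestamp> <client> <qtype> <qname>", one query per line (assumed format).
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qtype>[A-Z]+)\s+(?P<qname>\S+)$")


def refang(ioc):
    """Undo the usual defanging ([.] (.) hxxp://) and keep only the host name."""
    s = ioc.strip().lower()
    for broken, fixed in (("[.]", "."), ("(.)", "."), ("{.}", "."),
                          ("hxxps://", "https://"), ("hxxp://", "http://")):
        s = s.replace(broken, fixed)
    s = re.sub(r"^https?://", "", s)
    return s.split("/")[0].rstrip(".")


def build_matcher(iocs):
    """Return a predicate that is true for an indicator or any subdomain of it.

    Matching on the label boundary matters: notcrabbedly.club must not hit
    on crabbedly.club, and a plain substring test would say it does.
    """
    names = {refang(i) for i in iocs}

    def matches(qname):
        q = qname.lower().rstrip(".")
        return any(q == n or q.endswith("." + n) for n in names)

    return matches


def scan_dns_log(lines, iocs=DEFANGED_IOCS):
    """Return (timestamp, client, qname) for every query that hits an indicator."""
    hit = build_matcher(iocs)
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue                      # blank or malformed line
        qname = m.group("qname").lower().rstrip(".")
        if hit(qname):
            hits.append((m.group("ts"), m.group("client"), qname))
    return hits


# Constructed sample log; none of these clients or queries are real telemetry.
SAMPLE_LOG = """\
2019-12-03T09:14:02Z 10.0.5.21 A www.example.com
2019-12-03T09:14:07Z 10.0.5.21 A craypot.live.
2019-12-03T09:15:44Z 10.0.5.40 AAAA update.Indagator.club
2019-12-03T09:16:01Z 10.0.5.21 A notcrabbedly.club
2019-12-03T09:16:30Z 10.0.5.21 A crabbedly.club
"""


def demo():
    """Run the matcher over the constructed sample log."""
    return scan_dns_log(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for ts, client, name in demo():
        print(ts, client, "->", name)
```

The trailing dot on craypot.live. and the mixed case in update.Indagator.club are normalised before comparison; both are common in real resolver logs and both defeat naive exact-string matching.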
AhnLab ASEC analyzed HWP malware using CVE-2017-8291 and found a recurring coding mistake in the shellcode preparation stage. The error affected a VirtualProtect call but did not prevent execution because the vulnerable Ghostscript processes had DEP disab…
AhnLab reported state-sponsored APT activity using phishing pages that imitate a well-known Korean portal site. The page changed behavior based on the visitor's user agent and offered either a PC security-program download or a mobile app lure to steal vic…
AhnLab analyzed a malicious HWP document disguised as an election notice and candidate application for the Korean Society for National Informatics chair. The document placed an embedded EPS object on the first page; after execution, a VBS startup entry in…
The analysis examines two suspicious HWP samples found on VirusTotal that used different filenames but shared the same embedded PostScript component. One lure posed as a new coin listing application and created an executable in the Windows Startup folder …
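Several of the HWP entries on this page (the AhnLab Startup-folder scripts, the VBS startup entry in the election-notice lure and the executable dropped by the coin-listing lure above) share one persistence artifact: a script or executable written into a Windows Startup folder so the payload only runs after the next logon. The block below is an added example, not code from AhnLab or from any report summarized here. It lists executable entries in the standard Startup folders, flags recently written ones and notes launcher-like strings in their contents; the Startup paths are the standard Windows ones, and every folder, file name, file body and timestamp in demo() is constructed.

```python
"""Scan Windows Startup folders for dropped script and executable entries.

Added example for this page, not code from AhnLab or any other report
summarized here. The Startup paths are the standard ones; every file name,
file body and timestamp in demo() is constructed for the demonstration.
"""
import os
import tempfile
import time
from pathlib import Path

# File types the shell will run directly from a Startup folder (assumed
# list; .lnk shortcuts are deliberately left out because legitimate
# software drops them there constantly).
SUSPECT_EXTENSIONS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh",
                      ".bat", ".cmd", ".ps1", ".hta", ".exe", ".scr"}

# Strings that usually mean a launcher script rather than a config stub.
SCRIPT_HINTS = ("WScript.Shell", "CreateObject", "powershell", "-enc",
                "%APPDATA%", "%TEMP%")


def default_startup_dirs():
    """The per-user and all-users Startup folders on a Windows host."""
    dirs = []
    appdata = os.environ.get("APPDATA")
    programdata = os.environ.get("PROGRAMDATA")
    if appdata:
        dirs.append(Path(appdata) / "Microsoft/Windows/Start Menu/Programs/Startup")
    if programdata:
        dirs.append(Path(programdata) / "Microsoft/Windows/Start Menu/Programs/StartUp")
    return dirs


def content_hints(path, max_bytes=4096):
    """Return which SCRIPT_HINTS appear in the first bytes of the file."""
    try:
        text = Path(path).read_bytes()[:max_bytes].decode("utf-8", "ignore")
    except OSError:
        return []
    lowered = text.lower()
    return [h for h in SCRIPT_HINTS if h.lower() in lowered]


def scan_startup_dirs(dirs, max_age_days=30, now=None):
    """List executable entries in the given folders, flagging recent ones.

    The reports on this page describe payloads that only run after reboot,
    so a freshly written script here is the persistence artifact to look at.
    """
    now = time.time() if now is None else now
    findings = []
    for d in dirs:
        d = Path(d)
        if not d.is_dir():
            continue
        for entry in sorted(d.iterdir()):
            if not entry.is_file() or entry.suffix.lower() not in SUSPECT_EXTENSIONS:
                continue
            st = entry.stat()
            findings.append({
                "path": str(entry),
                "ext": entry.suffix.lower(),
                "size": st.st_size,
                "recent": (now - st.st_mtime) / 86400 <= max_age_days,
                "hints": content_hints(entry),
            })
    return findings


def demo():
    """Build a constructed Startup folder in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        startup = Path(tmp) / "Startup"
        startup.mkdir()
        (startup / "desktop.ini").write_text("[.ShellClassInfo]\n")   # benign
        (startup / "notes.txt").write_text("not executable\n")        # benign
        stale = startup / "legacy.bat"                                # old, executable
        stale.write_text("@echo off\n")
        os.utime(stale, (1_000_000_000, 1_000_000_000))               # mtime in 2001
        (startup / "update.vbs").write_text(                          # fresh launcher
            'Set s = CreateObject("WScript.Shell")\n'
            's.Run "%APPDATA%\\svc.exe", 0, False\n')
        return scan_startup_dirs([startup])


if __name__ == "__main__":
    for f in demo():
        flag = "RECENT " if f["recent"] else "old    "
        print(flag, f["path"], f["hints"])
```

On a live host call scan_startup_dirs(default_startup_dirs()); the age threshold and the hint list are the knobs to tune, and the content hints are only a triage aid, not a verdict.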
Strangereal Intel reviewed October 2019 Lazarus activity involving multiple document-based intrusions. One HWP lure targeted South Korean CES 2020 exhibitors through CVE-2017-8291/EPS execution, collected host, disk, process, and file information, and con…
ESTsecurity ESRC reports Operation Dragon Messenger, attributed to the Geumseong121 APT cluster, using a website disguised as a North Korean defector fundraising project. The operation promoted Android apps through email, social media, and comments on Nor…
AhnLab observed increased use of password-protected HWP documents in targeted attacks against selected people or organizations. The attackers delivered the document password by email so only intended recipients could open the file, and malicious behavior …