Telsy TRT analyzed a likely Lazarus operation that began from a spoofed email delivering a malicious document to an Italian banking and financial institution. The document carried architecture-specific first-stage payloads and dropped a library under a Mi…
2019 (183 reports)
QiAnXin’s threat intelligence team found Lazarus-linked attack samples for both Windows and macOS, including a Windows lure built around a psychological test that prompted users to enable macros. The Windows sample released and executed a PowerShell backd…
Marco Ramilli analyzed a Windows PE sample publicly linked to the 2019 Kudankulam Nuclear Power Plant incident and assessed it as a targeted information-gathering implant with DTrack/Lazarus similarities. The malware collected local IP, task, routing, int…
IssueMakersLab reported that a North Korean hacker group, labeled group B in the post, was linked to the Kudankulam Nuclear Power Plant compromise in India. According to the post, a shared image showed the malware's history and identified a 16-character password, dkwe…
Kaspersky reported Operation WizardOpium, a Chrome zero-day exploitation campaign using CVE-2019-13720 before Google patched it in Chrome 78.0.3904.87. The attack profiled browsers, pulled exploit chunks from attacker infrastructure, used an image-deliver…
QiAnXin analyzed DTrack samples tied in public reporting to the Kudankulam nuclear plant intrusion in India, including a sample disclosed on VirusTotal with an embedded KKNPP-related username. The report describes an MFC dropper that extracts shellcode, D…
CISA’s MAR-10135536-8 analyzes `HOPLIGHT`, a set of Trojan malware variants used by the North Korean government and tracked by the U.S. Government as `HIDDEN COBRA`. The report covers twenty malicious executables, including sixteen proxy applications that…
NPCIL confirmed that malware was found on a Kudankulam Nuclear Power Plant administrative-network PC after CERT-In reported the issue on September 4, 2019. The affected user machine was on an Internet-connected administrative network that NPCIL said was i…
Kaspersky’s ScarCruft presentation profiles the Korean-speaking actor also tracked as Reaper, Group123, and APT37, focusing on organizations and individuals tied to Korean Peninsula affairs. The slides describe spearphishing, malicious HWP documents, DDE …
Tencent Yujian reports a suspected Group123/APT37 phishing campaign observed from late August to mid-September 2019 against people likely connected to China-South Korea trade. The attack used RAR archive lures with Korean-themed filenames and executables …
Sooho traced Ether stolen in the January 2019 Cryptopia exchange hack and found that part of the funds moved into Russian exchange Yobit on September 22 and 23. The excerpt states that 30,788.732011 ETH was stolen, with large portions later deposited into…
Alyac reported a targeted email attack that impersonated a CES 2020 delegation participation application, using a malicious HWP attachment sent to selected recipients. When opened, shellcode embedded in the Hangul document executed and was described as in…
FortiGuard Labs analyzed NukeSped RAT samples linked to North Korea’s HIDDEN COBRA activity and compared them with known FALLCHILL tooling. The samples used encrypted strings, dynamic API resolution, persistence through Run keys or services, and a remote-…
The source analyzes a Kimsuky-style malicious HWP document disguised as a KINU expert consultation request on Korea-related policy issues. Embedded exploit and shellcode content decrypted a payload, injected code into HimTrayIcon.exe and userinit.exe, and…
A spear-phishing email impersonated the Korea Institute for National Unification and delivered a malicious HWP document disguised as an expert consultation request on the U.S.–ROK alliance and Korea-China relations. If opened, the document infected the sy…