Emanuele De Lucia analyzes an APT37, also known as Group123 or ScarCruft, campaign focused on South Korean targets. The activity used Korean-language spear-phishing, Hanmail addresses, payloads masquerading as JPEG files, and cloud services for command-an…
2019 (183 reports)
ESRC reported a Geumseong121 operation targeting people connected to North Korean defector support, using a two-stage spear-phishing approach rather than a direct malicious attachment. The lure delivered a text file with a shortened URL that led to Dropbo…
ESRC described Operation Imitation Game as a Geumseong121 spear-phishing campaign that deliberately mimicked Lazarus HWP malware traits as a false-flag technique. The malicious HWP attachment used PostScript and shellcode patterns resembling Lazarus sampl…
ESRC warned that malware was distributed with a valid digital signature from a Korean DRM and document-security vendor, increasing the chance of bypassing trust-based defenses. After infection, the malware registered itself in Task Scheduler as “Jav Maint…
The Lazarus Injector analysis covers a DPRK SWIFT-heist-related tool used to load a supplied payload into explorer.exe. The injector validates command-line parameters and payload file access, enumerates processes to locate Explorer, allocates remote memor…
SupplyChain is described as a cyber threat report requiring defender review of the published evidence. The source discusses attacker tradecraft, victim targeting, malware or infrastructure references, and operational context that may affect detection engi…
Bitpoint halted services after detecting suspicious Ripple remittance activity and later determined that attackers had stolen about 3.5 billion yen, roughly $32 million, in cryptocurrency. The theft affected customer and company holdings across assets inc…
ESRC analyzed a Lazarus-linked malicious HWP document disguised as an outsourced employee personal-information form for a finance-related organization. The document used embedded PostScript, XOR-encrypted shellcode, and an added obfuscation layer while sh…
ESRC reported that a Lazarus APT intrusion used a malicious HWP document named “System Porting Specification” that exploited a Ghostscript module vulnerability and closely resembled the earlier Operation MovieCoin activity. The decoy document was crafted …
JPCERT/CC observed targeted phishing emails against Japanese organizations, especially cryptocurrency-related entities, that delivered a ZIP file containing a password-protected decoy document and a malicious shortcut named “Password.txt.lnk.” The shortcu…
AhnLab analyzed a long-running wave of malicious HWP files that abused the Ghostscript CVE-2017-8291 “GhostButt” vulnerability embedded in EPS content. The report explains that HWP attacks against Korean users have often been targeted, with decoys crafted…
ESRC observed a spear-phishing attack impersonating a South Korean security and unification research center and delivering a ZIP archive with three HWP documents, one of which was malicious. The malicious HWP, themed around North Korean political operatio…
ESRC reports a run of APT activity against South Korea involving Lazarus, Kimsuky, and Geumseong121, with the highlighted Lazarus case targeting cryptocurrency-related individuals through a malicious HWP document disguised as a student project report. The…
ESRC attributed a Telegram-delivered malicious Excel workbook to Lazarus APT activity after finding it under a victim’s Telegram Desktop download path. The file used an Auto_Open macro built from old sample code to create and run a PowerShell script inten…