ESRC describes a Kimsuky-attributed APT attack that impersonated an ELYSIA token sale winner notification and targeted cryptocurrency users with a malicious HWP consent form. The document required the password “daybit” and contained an obfuscated EPS/Post…
2019 (183 reports)
ESRC reported a Lazarus operation using a Korean cryptocurrency investment-contract HWP lure, with the malicious document dated June 2019 and built to exploit HWP processing. Embedded PostScript code used XOR encoding and shellcode to hide C2 logic, then …
Bithumb’s notice addresses the 2017 exposure of about 30,000 users’ personal information, including names, email addresses, and phone numbers, while stating that account IDs and passwords were not leaked. The company says it reported the incident to Korea…
LAC profiled HYDSEVEN as a cryptocurrency-theft threat group active from 2016 through 2019 against targets in multiple countries, including Japan and Poland. The report describes spear-phishing as a common entry point, with Office VBA macros, Office/Windo…
ESRC attributed a malicious HWP document disguised as a 17th North Korea Mission School application form to the Geumseong121 threat group. The file contained embedded PostScript in its BinData stream and XOR-encrypted shellcode that loaded a final binary …
Adapt Forward argues that DPRK cyber operators, commonly tracked as Lazarus Group, evolved from regional espionage and destructive activity into revenue-generating operations driven by sanctions pressure. The source cites earlier South Korea banking and b…
ESRC links Konni activity to Thallium/Kimsuky and describes spear-phishing campaigns that used North Korea-themed lures before expanding into cryptocurrency-related targeting. One malicious document masqueraded as a Huobi Research Weekly file, prompted ma…
ESET's Virus Bulletin presentation reviews Lazarus Group operations through malware overlaps, code reuse, and operational artifacts found across several campaigns. The speakers describe North Korean malware activity, changing toolsets, and how different L…
ESET reviewed major Lazarus operations and the technical fingerprints used to connect newer activity to the group, including Operation Troy, DarkSeoul, Operation Blockbuster, the Bangladesh SWIFT theft, FASTCash-related banking attacks, WannaCryptor, cryp…
360 Beacon Lab reported a suspected APT-C-28 campaign against South Korea's electronics manufacturing sector using Android malware. The malware was described as capable of stealing user privacy data and executing remote commands. The source identifies APT…
ESRC attributes a May 2019 spear-phishing attack against users of a major South Korean cryptocurrency exchange to Kimsuky. The lure impersonated an exchange event prize notice and delivered a password-protected malicious HWP file named as a personal-infor…
ESRC reports a spear-phishing attack impersonating South Korea's cyber police and assesses that Kimsuky was involved. The email was crafted to resemble a civil complaint response and attempted to convince the recipient that police were sending a computer …
The excerpt presents Tencent iOA as an enterprise endpoint, zero-trust access, and data-loss prevention platform rather than a specific threat report. It describes capabilities for endpoint antivirus, EDR, vulnerability repair, process and file control, d…
ESRC reports active Kimsuky spear-phishing against people in South Korean diplomacy, security, defense, unification, and North Korea-related fields. The Operation Fake Striker lure impersonated a Ministry of Unification sender and used deadline pressure p…
ESRC ties Operation Blue Sky to a Korean-speaking Konni cluster after repeated malicious DOC variants reused the “BlueSky” author account and cryptocurrency-themed decoys. The documents urged macro execution, then contacted spoofed portal-like or 1apps-ho…