AhnLab described malware disguised as a messenger installer and distributed through phishing pages or supply-chain compromise by a government-backed hacking group active in South Korea. The NSIS installer was signed as “Uclick” and had its script modified…
IssueMakersLab attributed Operation Penta Storm to North Korea RGB-D5, also known as Kimsuky. The operation was described as spear phishing against more than 40 South Korean organizations. Reported targets included South Korean companies, universities, fi…
The article surveys major online thefts against financial institutions and cryptocurrency exchanges over the previous decade, estimating that attackers targeted more than $1 billion. It notes that most incidents remain unattributed, but says a significant…
Kaspersky reported two Lazarus-linked intrusions against COVID-19-related targets: a government health ministry compromised in October 2020 and a pharmaceutical company breached in September 2020. The ministry case used the wAgent malware cluster, includi…
ThreatBook describes Lazarus using Dtrack RAT in an intrusion that exposed large volumes of medical files and affected servers or PCs across multiple countries and regions. The operators compromised public-facing servers and reused them as Dtrack C2 infra…
ESRC analyzed a malicious DOC lure impersonating a wage-arrears confirmation document for a South Korean blockchain company and assessed it as part of Thallium’s Smoke Screen APT campaign. Enabling macros caused the document to contact www.hahae.co[.]kr v…
ESRC documented a Geumseong121/Kimsuky-linked HWP spear-phishing case that shifted from PostScript-style HWP exploitation to abuse of embedded OLE objects. The lure email carried an HWP participation-application form; clicking the transparent full-page ob…
AhnLab reported malicious Korean Hangul documents themed around COVID-19 small-business relief funds and procurement lures. The documents used malicious PostScript or embedded OLE objects to download or drop DLL payloads, including wscapi.dll and mss.dat.…
HvS-Consulting described multiple 2020 intrusions against European manufacturing and electrical-industry customers that it attributed with high confidence to Lazarus/APT37 based on overlapping TTPs and IOCs. Patient-zero users were approached via LinkedIn…
ESRC reported two North Korea-linked APT operations attributed respectively to Thallium and Geumseong121: a Ministry of Unification-themed phishing email and a malicious HWP document posing as a Peace and Unification story contest application. The email u…
ASEC reported a malicious HWP file disguised as a 2021 Peace and Unification Story Contest application, styled as a local-government document. When opened, the document dropped an embedded PE file as HncApp.exe under the user’s temp directory and used a …
Macnica analyzed a ransomware intrusion at an overseas site of a Japanese company where attackers encrypted dozens of servers and backups after gaining domain administrator access. The initial compromise abused CVE-2020-10189 in an internet-exposed Zoho M…
ASEC observed an HWP attack that embedded a Flash vulnerability object for CVE-2018-15982, using a lure titled Unification Korea Forum participant honorarium profile form. The document was believed to download and run a Flash file from sjem.co.kr inside t…
ESRC reported a malicious HWP document disguised as a private rumor sheet using political, diplomatic and social gossip to entice Korean users. The activity was assessed as likely Thallium based on the document’s tactics and characteristics, including abu…