ESRC reported a rise in Lazarus-attributed APT activity in April 2020, including spear-phishing that impersonated a blockchain software development contract and targeted people connected to cryptocurrency trading. The same activity set also included COVID…
Tencent’s 2020 analysis describes Hermit, a Tencent-named cluster linked through correlation to KONNI/SYSCON/SANNY activity, continuing operations against Korean Peninsula-related NGOs, government bodies, trade companies, and media. The group used malicio…
StrangerealIntel analyzed an APT37-themed malicious document that uses an auto-open macro to decode an embedded next-stage payload with XOR 0xFF, save it in the user profile, and launch it with a C2 URL. The second stage is a UPX-packed PE loader that che…
ESRC attributed an April 2020 APT attack to the Konni group, using a Korean-language MS Word lure themed around COVID-19 mask demand. The document prompted users to enable content; its macro then downloaded additional files from attacker infrastructure an…
VMware Carbon Black TAU traces DHS-reported HotCroissant, attributed by DHS to North Korea's Hidden Cobra/Lazarus Group, and compares it with the earlier Rifdoor RAT used in attacks dating back to 2015. HotCroissant decodes its C2 address at startup, send…
NSHC ThreatRecon found COVID-19-themed APT activity across multiple regions, with the DPRK-relevant section describing SectorA05 and SectorA07 activity against organizations affiliated with South Korea's Ministry of Foreign Affairs. The attackers used Kor…
A joint U.S. advisory from State, Treasury, Homeland Security, and the FBI described the DPRK cyber threat, which the U.S. government refers to as HIDDEN COBRA, as a risk to the international financial system and global network defenders. The advisory say…
QiAnXin RedDrip analyzed Lazarus-attributed targeting of South Korea that used COVID-19 emergency-response lures and HWP attachments impersonating regional disease-control notices. The malicious HWP files contained EPS/PostScript content that executed Pow…
AhnLab linked an election-period malicious document campaign to Kimsuky, centered on Word documents that contacted saemaeul.mireene[.]com infrastructure previously associated with the group. The initial document contained election-related content but did …
ESRC reported another Kimsuky “Smoke Screen” campaign using malicious DOCX files disguised as South Korean National Assembly election and diplomacy-related documents. The documents referenced an external template at saemaeul.mireene[.]com in settings.xml.…
McAfee found a new MalBus Android variant inserted into a South Korean education app distributed through ONE Store after earlier MalBus activity had used Google Play. The malicious versions loaded an encrypted native payload after a 10-hour delay to evade…
IssueMakersLab described Operation Daily Coffee as daily spear phishing activity by North Korea's RGB-D5. The post says the group sends attacks to dozens or hundreds of South Korean key figures every day and presents the shared image as a small sample fro…
AhnLab's Operation Ghost Union report profiles Kimsuky activity against South Korean institutions and companies. The report says Kimsuky, active since at least 2013, has expanded targeting from military-related areas into political, economic, and social s…
The Dangerous Password analysis describes a malicious self-extracting RAR and LNK chain that launches mshta through a Bitly redirect to attacker-controlled infrastructure. The HTA displays a decoy password file while installing persistence through a start…
ASEC reported malicious HWP documents disguised as urgent COVID-19 response inquiries from Korean regional infection-control organizations, including Jeollanam-do and Incheon. Unlike common Office macro lures, these Hangul files embedded EPS content that …