2020 (197 reports)
IGLOO profiles Kimsuky as a suspected North Korean group focused on domestic Korean targets for information collection and social disruption, citing the 2014 KHNP incident and continued use of social-engineering themes tied to Korean and North Korea-relat…
ESRC attributed Operation Spy Cloud to the Geumseong121 APT group after observing spear-phishing emails that lured South Korean targets with fake evidence of North Korean defection. The emails linked to downloadable archives containing a malicious Word do…
NSFOCUS describes APT37 as a North Korea-linked actor whose delivery tradecraft is shaped by its focus on South Korea, defectors and political targets. The report details repeated use of spear-phishing with malicious Hangul Word Processor documents, inclu…
NSFOCUS profiles APT37, also known as Group123, Venus 121 and Reaper, as a North Korea-linked actor active since 2012 and focused on neighboring countries, especially South Korea. The tool review highlights PoorWeb, RokRat, NavRat, KevDroid and PubNub, de…
ESRC reports that Kimsuky reused COVID-19 themes in a Smoke Screen-linked spear-phishing campaign distributing a Word document named “COVID-19 and North Korea.docx.” When macros are enabled, the document contacts attacker-controlled C2 and uses PowerShell…
StrangerealIntel analyzes a Kimsuky intrusion chain that begins with a malicious Office document using remote template injection to fetch a second-stage macro from crphone.mireene.com. On macOS, the macro uses Office's bundled Python 2.7 support to execut…
NSHC’s 2019 SectorA overview tracks North Korea-linked subgroups, with SectorA01, SectorA02 and SectorA05 the most active in the excerpted period. SectorA01 focused on financially motivated intrusions against banks, ATMs, cryptocurrency exchanges and targ…
Lexfo’s Lazarus Constellation white paper summarizes Lazarus as a North Korea-linked APT whose activity has been traced back to 2007 and formally clustered in the 2016 Operation Blockbuster research. The excerpt emphasizes the group’s reuse of large code …
PwC describes Black Banshee, also known as Kimsuky, as a North Korea-based espionage actor whose 2019 activity can be grouped into interlinked clusters tied by infrastructure, tradecraft, shared indicators, and targeting. The WildCommand cluster connected…
Tencent’s 2019 global APT report is a broad landscape review, but its DPRK-relevant sections describe East Asian activity from DarkHotel, Higaisa, Lazarus, Group123/APT37, and related Korean Peninsula-linked actors. The report says Lazarus pursued economi…
Igloo summarizes Lazarus as a suspected North Korean state-backed group active against domestic Korean targets, with historical links cited to Operation Troy, Sony Pictures, Hidden Cobra, Andariel, and BlueNoroff. The analyzed cases center on malicious Ha…
A malware analysis write-up describes a Kimsuky variant targeting South Korea with a resume-themed executable named like an HWP document, “resume form.hwp.scr,” built on 27 February 2020. Execution replaces the initial SCR with a decoy HWP resume form whi…
PwC’s 2019 retrospective includes several North Korea-linked developments within a broader threat landscape review. PwC tied the customized DTrack/Preft backdoor used in the Kudankulam Nuclear Power Plant incident to Black Artemis, its name for Lazarus, a…