ESRC identified a new Smoke Screen APT spear-phishing attack using a malicious Word document named as a letter from U.S. Deputy Secretary Biegun and assessed it as the same Kimsuky-linked activity seen in earlier lures. The document reuses a macro-enable …
Yoroi analyzed a Kimsuky-attributed infection chain that began with a Windows screensaver-style .scr loader and delivered a second-stage DLL disguised with a .tmp.db extension. The malware copied itself as AutoUpdate.dll under a Windows Defender-themed pa…
The 2020 UN Panel of Experts report says North Korea maintained and expanded nuclear and missile programs while evading sanctions through petroleum imports, maritime coal and sand exports, luxury goods procurement, and foreign trade networks. Its finance …
Two Chinese Nationals Charged with Laundering Over $100 Million in Cryptocurrency From Exchange Hack
The U.S. Justice Department charged Tian Yinyin and Li Jiadong with laundering more than $100 million in cryptocurrency tied to exchange hacks attributed in court filings to North Korean actors. The complaint says North Korean co-conspirators stole nearly…
ESRC observed a February 2020 APT attack using a screensaver executable named like a Korean HWP resume form to trick victims into launching malware. The activity is linked by ESRC with high confidence to Kimsuky and is described as a continuation of the O…
ESRC reports a Korean-language COVID-19 lure attributed as likely Kimsuky activity and analyzed as part of the group's SmokeScreen campaign. The spear-phishing targeted an international exchange and diplomacy-related organization with a malicious Word doc…
The Brambul follow-up analysis describes Lazarus-linked worm behavior associated with the pre-WannaCry malware family, focusing on the second routine that creates and runs lsasvc.exe. The malware adds a WindowsUpdate Run registry value for persistence, at…
The report reviews a set of US-CERT Malware Analysis Reports covering newly identified or updated North Korean implants attributed to Lazarus Group and HIDDEN COBRA. It summarizes tools such as SLICKSHOES and HOTCROISSANT as RAT or beacon-style implants u…
The source analyzes Brambul, a Lazarus-linked worm that predates WannaCry and shares interest in SMB-based propagation. It describes how the malware generates IP addresses, attempts connections to TCP port 445, and uses IPC and service-control activity wh…
Objective-See examined how a Lazarus AppleJeus macOS loader could be repurposed for red-team or offensive use. The source explains that the Lazarus malware’s first-stage loader beacons to a remote server and can execute second-stage payloads directly from…
PwC describes Black Banshee, also known as Kimsuky, as a North Korea-based espionage actor that ran multiple 2019 campaigns spanning broad credential harvesting, spear-phishing, targeted espionage, and data exfiltration. The report focuses on infrastructu…
CISA, FBI, and DoD analyzed BUFFETLINE, a Trojan malware variant attributed to North Korean government activity tracked as HIDDEN COBRA. The report describes a full-featured beaconing implant that uses PolarSSL for session authentication and a FakeTLS sch…
CISA, FBI, and DoD identify BISTROMATH as a North Korean government-linked HIDDEN COBRA Trojan family with multiple RAT implant versions and CAgent11 GUI controller and builder components. The implants can survey systems, upload and download files, execut…
CISA, FBI, and DoD identify SLICKSHOES as a North Korean government-linked HIDDEN COBRA Trojan built as a Themida-packed dropper and beaconing implant. The dropper decodes and writes taskenc.exe under C:\Windows\Web but does not execute it or create persi…
CISA, FBI, and DoD analyzed CROWDEDFLOUNDER, a North Korean government-linked Trojan associated with HIDDEN COBRA activity. The malware is a Themida-packed 32-bit Windows executable designed to unpack and execute a remote-access Trojan. Its command-line h…