CISA, FBI, and DoD analyzed HOTCROISSANT as a full-featured beaconing implant identified with North Korean government activity tracked as HIDDEN COBRA. The sample attempts to connect to a hardcoded C2 IP, immediately sends victim information, and then wai…
CISA, FBI, and DoD analyzed ARTFULPIE as a North Korean government-linked Trojan variant associated with HIDDEN COBRA activity. The implant functions as a downloader and in-memory loader, retrieving a DLL from a hardcoded URL and manually loading it into …
CISA, FBI, and DoD analyzed HOPLIGHT, a North Korean government-linked malware set associated with HIDDEN COBRA. The report covers twenty malicious executables, including proxy applications that mask traffic between infected hosts and remote operators. Se…
The recoverable excerpt does not include the Recorded Future report’s threat intelligence findings. It contains current Recorded Future marketing and platform copy about threat intelligence capabilities, autonomous threat operations, customers, and compan…
The source provides a narrative history of Lazarus Group operations, including the Bangladesh Bank SWIFT theft attempt and WannaCry ransomware activity. It describes the Bangladesh Bank case as a phishing-enabled intrusion that reached systems used for SW…
ESTsecurity reported a February 2020 Operation Blue Estimate variant that masqueraded as a scanned resident-registration PDF tied to a former education-sector official. The malware used a double-extension SCR executable, displayed a decoy image, and dropp…
Seongsu Park’s K-CTI 2020 Lazarus slides emphasize that threat intelligence is broader than IOC lists alone. The extracted slide text shows a loader and C2 chain involving update.exe, a .NET loader, injection into iexplorer.exe, a tainted loader, and encr…
Unit 42 described a campaign using malicious documents with North Korea-themed Russian-language lures to target a U.S. government agency and foreign nationals associated with North Korea. The malware set included CARROTBAT downloaders, a newer CARROTBALL …
The Korean malware analysis links a Lunar New Year-themed sample to activity resembling an earlier Vietnamese event estimate lure associated with Kimsuky reporting. The executable contains a PDF decoy instead of an HWP document, drops and runs a malicious…
Chainalysis analyzed Lazarus Group cryptocurrency theft and laundering behavior in 2019, noting greater use of mixers and CoinJoin wallets to obscure stolen funds. The report describes the DragonEx intrusion as an unusually elaborate phishing operation in…
Chainalysis’ Crypto Crime Report excerpt says 2019 saw more cryptocurrency exchange attacks than any prior year, but total confirmed exchange-theft losses fell to about $283 million because no single incident matched earlier mega-heists. The source explai…
ESTsecurity observed Konni APT spear-phishing documents disguised as North Korea Central Committee plenary meeting material and Tokyo Paralympics-related content. The malicious documents used social or geopolitical lures, Korean code page characteristics,…
ThreatBook reported a cluster it named DangerousPassword after finding compressed trojan packages built around cryptocurrency-themed lures such as monthly business reports, job descriptions, project risk briefs, and salary guidance. The activity targeted …
Kaspersky reported continued Lazarus Group operations against cryptocurrency businesses after Operation AppleJeus. The actor used fake companies and manipulated applications to gain trust, then delivered macOS and Windows malware through multi-stage infec…
The report tracks Konni malware campaigns that used malicious macro-enabled Word documents with Korean Peninsula and DPRK foreign-affairs themes. One observed lure targeted Russian-language speakers interested in dialogue between the United States and Nor…