This academic article assesses North Korea's cyber strategy as a low-cost asymmetric capability used alongside nuclear and missile programs to gather intelligence, coerce rivals, and generate revenue. It describes DPRK operators and state-sponsored groups…
2020
197 reports
ASEC reports that Kimsuky activity used files masquerading as normal documents by appending document-related extensions such as DOCX, PDF, and TXT to executable malware. The malware dropped and opened decoy files, stole information from infected PCs, and …
The source warns that the Thallium threat group used spear-phishing themes related to Kaesong Industrial Complex worker research and Asia-Pacific research paper submissions. The activity relied on social engineering, malicious document attachments, script…
Operation PowerFall chained an Internet Explorer 11 remote-code-execution zero-day with CVE-2020-0986, an arbitrary pointer dereference in the Windows GDI Print/Print Spooler API, to escape the IE sandbox. The exploit manipulated splwow64.exe, a medium-in…
JPCERT/CC reports Lazarus activity against organizations in Japan where different malware was used during initial network intrusion and after compromise. The post-intrusion malware downloaded and executed modules, used service-based persistence from Windo…
The Panel of Experts concluded that North Korea’s “cyberattacks on [South Korean] targets have been increasing in number, sophistication and scope since 2008, including a clear shift in 2016 to attacks focused on generating financial revenue. In or about …
CISA, Treasury, FBI, and USCYBERCOM attributed FASTCash 2.0 ATM cash-out activity to North Korea’s BeagleBoyz, a HIDDEN COBRA subset overlapping with Lazarus, APT38, Bluenoroff, and Stardust Chollima. The advisory says the group has targeted financial ins…
The source analyzes phishing email attack cases from initial email delivery through credential theft and attacker mail-sending infrastructure. It describes document-themed lures using PDF, PowerPoint, Word, and HWP files, password-processing behavior in w…
This campaign utilized compromised infrastructure from multiple countries to host its command and control (C2) infrastructure and distribute implants to a victim's system. Government partners, DHS and FBI, identified Remote Access Trojan (RAT) malware vari…
F-Secure investigated a Lazarus Group intrusion against an organization in the cryptocurrency sector and tied it to a broader phishing campaign active since at least January 2018. Initial access came through a LinkedIn-delivered job advert lure that used …
CISA observed phishing emails carrying Microsoft Word documents with malicious VBA macros that deploy KONNI, a RAT capable of file theft, keylogging, screenshots, and arbitrary code execution. The macro tries to trick users into enabling content by changi…
ClearSky attributes Operation Dream Job with high probability to North Korea-linked Lazarus, also known as Hidden Cobra, and describes a 2020 espionage campaign against defense, government, and related organizations in Israel and globally. The attackers u…
The FASTCash paper explains how a DPRK-nexus group abused ISO 8583 payment-switch messaging to force approval of fraudulent ATM withdrawals. FASTCash malware is injected into a bank payment switch process and hooks send and recv so attacker-controlled car…
McAfee ATR observed a 2020 Operation North Star activity set using malicious job-offer documents to target aerospace and defense interests and install data-gathering implants. The activity used legitimate defense-contractor job postings as lures, template…
McAfee’s defensive guidance ties Operation North Star to targeted malicious job-posting documents against aerospace and defense interests during 2020. The excerpt says the campaign used spear-phishing attachments or vulnerability exploitation for initial …