Kaspersky linked VHD ransomware operations to Lazarus after incident-response evidence showed a MATA framework backdoor in the same victim environment and no sign of another actor during the intrusion. One European incident used a victim-specific spreadin…
2020: 197 reports
SentinelOne describes four macOS malware families likely tied to the same North Korean-backed Lazarus operators behind AppleJeus activity. The excerpt highlights DaclsRAT in a trojanized TinkaOTP one-time-password app, which used LaunchAgents or LaunchDae…
ESRC assesses that a year-long sequence of Korean spear-phishing activity is likely directly or indirectly connected to the Thallium group, which Microsoft had linked to targeting government, think-tank, university, human-rights, and related victims. The …
ASEC reporting describes a malicious HWP document containing EPS/PostScript content that executes shellcode and CMD commands. The lure appears to abuse a legitimate origin self-check form from a government legal-information source, while related activity …
Reporting on Dacls describes a remote access trojan attributed by researchers to the Lazarus Group, also known as Hidden Cobra. The malware can affect Windows and Linux systems and is discussed in the context of data theft and ransomware-enabled intrusion…
AhnLab ASEC found malware distributed through a Korean community download board as a trojanized utility rather than a document lure. The attacker modified a legitimate utility executable by adding an executable .ireloc section with shellcode and changing …
Kaspersky describes MATA as a multi-platform malware framework used since at least April 2018 to infiltrate corporate environments across Windows, Linux, and macOS systems. The Windows toolchain includes a loader that decrypts a next-stage payload, an orc…
Bitquery traces the November 2019 Upbit breach in which 342,000 ETH, then valued at about $48.1 million, was moved from the Korean exchange to attacker-controlled wallets. The laundering pattern used multiple intermediate wallets and layered transactions …
ESET found malicious macOS cryptocurrency trading applications that copied or rebranded the legitimate Kattana app under names such as Licatrade and Cointrazer, continuing GMERA-style activity previously reported by Trend Micro. The trojanized bundles tar…
AhnLab observed COVID-19 prediction-themed phishing distributing malicious Excel documents that entice users to enable macros with a “Predict” calculation button. The macro contains obfuscated downloader commands that use curl and certutil -decode to fetc…
AhnLab analyzed a malicious HWP document impersonating a cryptocurrency company policy update and using a linked object/OLE executable named hanwordupdate.exe to trick users into launching it. The embedded EXE contains a Base64-encoded PowerShell script t…
Sansec attributed a set of Magecart-style digital skimming operations against US and European online stores to HIDDEN COBRA based on reused infrastructure and distinctive malware code patterns tied to prior North Korean activity. The actor gained unauthor…
AhnLab observed a malicious HWP lure titled “North Korea’s Gray-Zone Strategy and Countermeasures” that used an embedded EPS exploit for CVE-2017-8291. The EPS runs via gbb.exe, executes shellcode, and injects into HimTray.exe or HncCommTCP.exe, falling b…
The source compares a Kimsuky HWP malware case with the earlier “KINU Expert Advisory Request.hwp” activity and shows that the exploit and shellcode remain largely the same while keys, C2, filenames, and mutexes changed. Shellcode injected into HimTrayIco…
AhnLab analyzed a malicious Excel campaign whose court-judgment lure used macros to download and launch a second Excel document, then chained batch, VBS, and encoded CAB content from view-naver.com. The activity is described as sharing KONNI/Operation Mon…