ESRC observed Kimsuky activity using a malicious Microsoft Word document themed around North Korean defector information, with the lure containing an English-language defector interview and prompting the user to enable content. The document used VBA macro…
2020 (197 reports)
AhnLab ASEC reported malicious HWP documents tailored to South Korea’s domestic academic conference season, likely exploiting the summer paper-submission period and reusing behavior seen in earlier HWP/EPS malware. The documents displayed little or no nor…
ESRC links a Kimsuky "Smoke Screen" APT campaign to malicious DOC, HWP, and EXE lures aimed at South Korean defense, diplomacy, security, and North Korea-related organizations. The DOC lures users to enable macros, the HWP file uses PostScript and encoded…
ASEC observed a malicious Korean HWP document themed around drone and unmanned-aerial-vehicle status information. When opened, the document runs embedded malicious EPS content that abuses CVE-2017-8291 to decode and execute shellcode, checks for AhnLab V3…
The source analyzes PebbleDash, described as a Lazarus/Hidden Cobra RAT, using sample MD5 d2de01858417fa3b580b3a95857847d5. Static and dynamic analysis found strings beginning with "Zip-bug," runtime loading of libraries including wsock32.dll, and use of …
However, while COVELLITE is also linked to broader Lazarus activity, this group leveraged substantially different capabilities and infrastructure to pursue a target set that does not overlap with observed WASSONITE activity. WASSONITE: Since 2018 Dragos id…
ESRC attributed a malicious Word document named "My Interview on COVID-19 with NCNK.doc" to Kimsuky based on techniques and characteristics matching the Smoke Screen campaign. The lure copied content from the National Committee on North Korea about COVID-…
ASEC correlates several malicious Hangul document clusters using COVID-19, real estate, and renewable-energy themes and concludes they likely came from the same maker group based on overlapping EPS and payload characteristics. The documents abuse Encapsul…
AsiaInfo Security analyzed a suspected Kimsuky backdoor masquerading as an ESET software updater during COVID-19-themed targeting of South Korea. The malware created a GoogleUpdate_01 mutex, encrypted strings for functions, files, paths, and registry name…
Cylynx traces the November 2019 Upbit theft in which 342,000 ETH was moved from the South Korean exchange’s hot wallet to an attacker-controlled wallet later referenced in a U.S. Justice Department case involving Chinese money launderers and North Korean …
ASEC tracked a continued wave of malicious HWP documents whose filenames were crafted around current events and sector-specific lures, including COVID-19 notices, real estate listings, maritime research, recruitment, and recipient-specific email addresses…
A Konni-style spearphishing operation used a malicious document impersonating Stanford CISAC discussions on cyber and nuclear issues, likely aiming at researchers or professionals working on nuclear and international security topics. The lure pushed users…
ESRC analyzed a spear-phishing attack against a South Korean securities-company employee and attributed the operation to Lazarus. The email carried many HWP, XLSX, JPEG, and large attachments as decoys, with the first HWP file containing malicious PostScr…
McAfee ATR's Speakerdeck abstract frames Hidden Cobra, also known as Lazarus, as a North Korea-linked actor active since at least 2007. The talk focuses on 2018 research into campaigns using complex implants for intelligence collection, operational disrup…
ASEC reports malicious HWP documents distributed by email under real-estate investment themes, with plausible message and document content used to lure Korean-speaking recipients into opening attachments. The malicious HWP contains an EPS object that expl…
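Several of the entries above (the academic-conference, drone, COVID-19/real-estate, securities-company and real-estate-investment HWP reports) describe the same mechanic: an EPS object embedded in a Hangul document carries PostScript that decodes an embedded blob and executes it, in some cases via CVE-2017-8291, and analysts correlate clusters by overlapping EPS characteristics. The triage script below is an added example written for this page, not code from ASEC, ESRC or any vendor report. It assumes the documented HWP 5.x layout (an OLE2 compound file whose embedded objects sit under BinData/ and are stored raw-deflate compressed); OLE parsing is left to the caller (for example the olefile package) and the script takes a dict of stream name to bytes so it runs offline on constructed samples. The operator list, the CVE-2017-8291 token list (.eqproc and .rsdparams, from the public Ghostscript -dSAFER bypass), the scoring weights and the structure-hash normalisation are this example's own heuristics.

```python
import hashlib
import re
import zlib
from dataclasses import dataclass

# --- heuristics: this example's assumptions, not indicators from any report ---
SUSPICIOUS_OPS = (b"exec", b"xor", b"putinterval", b"eexec", b"bitshift", b"cvx")
CVE_2017_8291_TOKENS = (b".eqproc", b".rsdparams")   # public Ghostscript -dSAFER bypass
LONG_HEX = re.compile(rb"<[0-9A-Fa-f\s]{256,}>")    # embedded shellcode / payload blobs
FLAG_THRESHOLD = 4


def inflate_bindata(stream: bytes) -> bytes:
    """HWP 5.x BinData streams are raw deflate; pass through if already plain EPS."""
    if stream.lstrip().startswith(b"%!PS"):
        return stream
    try:
        return zlib.decompress(stream, -15)
    except zlib.error:
        return stream


def ps_token_count(data: bytes, token: bytes) -> int:
    # Whole-token match so "exec" is not counted inside "eexec" or "execform".
    pat = rb"(?<![A-Za-z0-9._])" + re.escape(token) + rb"(?![A-Za-z0-9._])"
    return len(re.findall(pat, data))


def structure_hash(data: bytes) -> str:
    """Hash of the PostScript skeleton: payload blobs and numeric literals (keys,
    lengths) are masked so variants from one builder collapse to one value."""
    body = LONG_HEX.sub(b"<HEX>", data)
    body = re.sub(rb"16#[0-9A-Fa-f]+|\b\d+\b", b"N", body)
    body = re.sub(rb"\s+", b" ", body).strip()
    return hashlib.sha256(body).hexdigest()[:16]


@dataclass
class EpsFinding:
    stream: str
    ops: dict          # suspicious operator -> count
    cve_tokens: list
    hex_blobs: int
    score: int
    fingerprint: str

    @property
    def flagged(self) -> bool:
        return self.score >= FLAG_THRESHOLD


def score_eps(name: str, data: bytes) -> EpsFinding:
    ops = {op.decode(): n for op in SUSPICIOUS_OPS if (n := ps_token_count(data, op))}
    cve = [t.decode() for t in CVE_2017_8291_TOKENS if ps_token_count(data, t)]
    blobs = len(LONG_HEX.findall(data))
    score = len(ops) + 2 * blobs + 4 * len(cve)
    if blobs and "exec" in ops:        # payload blob plus exec: decode-and-run stub
        score += 2
    return EpsFinding(name, ops, cve, blobs, score, structure_hash(data))


def triage(streams: dict) -> list:
    """streams: OLE stream path -> raw bytes. Scores every EPS object under BinData/."""
    findings = []
    for name, raw in streams.items():
        if not name.lower().startswith("bindata/"):
            continue
        data = inflate_bindata(raw)
        if data.lstrip().startswith(b"%!PS"):
            findings.append(score_eps(name, data))
    return findings


def cluster(findings: list) -> dict:
    """Group findings by structure hash: the 'same maker group' heuristic."""
    groups = {}
    for f in findings:
        groups.setdefault(f.fingerprint, []).append(f.stream)
    return groups


# --- constructed samples (not real malware) so the module runs stand-alone ---
def _deflate(data: bytes) -> bytes:
    c = zlib.compressobj(wbits=-15)
    return c.compress(data) + c.flush()


BENIGN = (b"%!PS-Adobe-3.0 EPSF-3.0\n%%BoundingBox: 0 0 100 100\n"
          b"newpath 10 10 moveto 90 90 lineto stroke\nshowpage\n")


def _xor_loader(key: int, payload_hex: bytes) -> bytes:
    # Stand-in for an XOR decode-and-exec EPS stub; the blob is filler, not shellcode.
    return (b"%!PS-Adobe-3.0 EPSF-3.0\n/s <" + payload_hex + b"> def\n"
            + b"/k 16#%02X def\n" % key
            + b"0 1 s length 1 sub { s exch 2 copy get k xor put } for\n"
            + b"s cvx exec\n")


SAMPLE_STREAMS = {
    "FileHeader": b"HWP Document File",
    "BinData/BIN0001.eps": _deflate(BENIGN),
    "BinData/BIN0002.eps": _deflate(_xor_loader(0x5A, b"41" * 200)),
    "BinData/BIN0003.eps": _xor_loader(0x7B, b"90" * 300),   # stored uncompressed
}

if __name__ == "__main__":
    found = triage(SAMPLE_STREAMS)
    for f in found:
        print(f.stream, "FLAG" if f.flagged else "ok", f.score, f.ops, f.cve_tokens)
    print(cluster(found))
```

On the constructed input the benign drawing scores 0, both XOR stubs are flagged, and the two stubs (different key, different payload) share one structure hash while the benign object does not, which is the kind of overlap the cluster-correlation reports rely on. A genuine CVE-2017-8291 token is weighted so that it flags on its own. Thresholds are deliberately conservative; tune them against your own benign HWP corpus before using the score for alerting.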