IssueMakersLab reported observations from North Korean attacks on the defense contractor sector. The post separates targeting by RGB unit, saying RGB-D3 mainly focused on aerospace and defense companies while RGB-D5 mainly targeted artillery ammunition an…
2020: 197 reports
PebbleDash is described as a North Korea-linked Hidden Cobra/APT38/Lazarus remote access tool whose FakeTLS mechanism hides command-and-control traffic inside traffic that resembles a normal TLS handshake. The analyzed sample used dynamic library loading …
Alyac reports continued Lazarus activity against overseas defense companies, including new malicious Word documents named LM_IFG_536R.docx, BAE_JD_2020.docx, and Boeing_AERO_GS.docx. The documents use an external template relationship to retrieve attacker…
MalwareLab analyzed a Lazarus-attributed validator from malicious Word documents impersonating Lockheed Martin and linked the samples to a broader campaign probably aimed at military contractors doing business with South Korea. The documents embedded two …
CISA, the FBI, and the Department of Defense reported three malware variants used by the North Korean government, which the U.S. Government tracks as HIDDEN COBRA activity. U.S. Cyber Command released samples for the variants to VirusTotal so defenders co…
The excerpt describes a Lazarus campaign using a COVID-themed HWP document targeting South Korea, including a Jeollanam-do coronavirus inquiry lure. OSINT analysis found the executable was downloaded from sofa.rs and matched detection logic for a reflecti…
AhnLab observed increased Lazarus activity against defense-related targets using Office Open XML Word documents themed around BAE Systems, Boeing, and U.S.-ROK diplomatic security. The documents reached external template URLs to download macro-enabled .do…
Alyac reports a Geumseong121 APT scenario built around long-running social engineering against South Korean figures connected to unification and North Korea policy. Operators first impersonated a newly appointed female senior researcher in the unification…
Malwarebytes analyzed a macOS variant of the Dacls RAT that it associates with Lazarus/Hidden Cobra/APT38 and detects as OSX-DaclsRAT. One observed variant downloaded a payload from loneeaglerecords[.]com into ~/Library/.mina, while related samples shared…
The Leery Turtle report profiles a financially motivated APT active since at least late 2017 against cryptocurrency exchange businesses worldwide. The group performs reconnaissance against technical and executive staff, sends decoy emails with benign atta…
Operation Flash Cobra is analyzed as Lazarus activity that begins with a malicious document using remote template injection to retrieve and execute the next-stage DOTM macro. The macro decodes embedded content, extracts an architecture-specific DLL and lu…
Objective-See analyzed a macOS variant of the Lazarus-linked Dacls RAT distributed as a TinkaOTP Apple disk image and application bundle. The initial remote infection path was unknown, but the packaging resembled earlier Lazarus activity that used trojani…
QiAnXin reported a Lazarus-attributed targeted campaign using diplomatic-relations themes and Western aerospace recruitment lures, including Boeing-themed documents, to attack specific countries. The samples used remote template injection to fetch macro-e…
IssueMakersLab reported that North Korea's RGB-D5, including Kimsuky, distributed Android APK malware to many South Korean users. The post says the malware was created with the open source AhMyth Android RAT, indicating reuse of commodity mobile RAT code …
ASEC warned that HWP malware using Encapsulated PostScript objects had increased in April 2020, including lures impersonating COVID-19 infection-control organizations and Korea Hydro & Nuclear Power recruitment notices. The attacker inserted malicious EPS…