Lazarus targeted aviation organizations and security researchers with social engineering and trojanized tooling. MicroStep observed Lockheed Martin and Google recruitment lure documents using remote template injection to load DLL backdoors derived from Np…
2021 (211 reports)
A Korean malware-analysis post tracks ongoing Kimsuky/Thallium activity using the GoldDragon/BravePrince cluster, noting a newer sample that keeps the usual daum-mail information-theft behavior while adding encoded DLL and API-name resolution. The author …
Antiy CERT reports a Kimsuky spear-phishing campaign targeting an important figure in South Korea's news industry, including a Daily NK representative, by impersonating a Korea Internet and Security Agency researcher. The lure used a password-protected Wo…
AhnLab reports malicious Hangul Word Processor documents themed around North Korea-related construction activity that rely on embedded objects and a user-clicked hyperlink rather than an exploit. When the lure is opened and clicked, a legitimate OneDrive …
ThreatRay links malware samples from Malwarebytes, Kaspersky, and KrCERT reporting on South Korea-focused activity to shared TigerDownloader and TigerRAT families. The earlier reports attributed the activity to Lazarus or more specifically Andariel, a Laz…
AhnLab describes a Kimsuky spearphishing case in which a link presented as an attachment led victims to a ZIP file containing a PIF dropper for the PebbleDash backdoor. The dropper installs PebbleDash under C:\ProgramData, opens a decoy Korean PDF, and th…
This podcast episode features S2W CTI lead Kyoung-ju Kwak discussing North Korean cyber activity from a South Korean threat-intelligence perspective. The source highlights his prior work on “Campaign Rifle: Andariel, the Maiden of Anguish,” his views on L…
This Korean translation of a VB2021 paper explains how Lazarus activity fragmented after 2018 into multiple clusters that share roots in Manuscrypt but differ in delivery, tooling, and mission focus. It describes AppleJeus attacks against cryptocurrency t…
Kaspersky ICS CERT describes PseudoManuscrypt, spyware whose loader resembles Lazarus-associated Manuscrypt but whose distribution and scale do not match typical targeted Lazarus operations. The malware was spread through a MaaS ecosystem that bundled pay…
Microsoft observed broad exploitation of Apache Log4j 2 vulnerabilities, including mass scanning, coin mining, remote shells, Cobalt Strike deployment, credential theft, lateral movement, data exfiltration, and ransomware payloads. In the nation-state sec…
The INSS paper assesses that North Korea's cyber capabilities strengthened under Kim Jong Un and became an important asymmetric instrument for the regime. It argues that Pyongyang uses cyber operations for economic and political gains, including sanctions…
APT37 is reported targeting journalists and security researchers with malicious Hangul Word Processor documents themed around COVID-19 vaccine disinformation and Upbit policy changes. The analyzed HWP lures contain embedded files, shellcode, PE files, and…
SOCRadar profiles Lazarus Group as a DPRK Reconnaissance General Bureau-linked threat actor also tracked under names such as Hidden Cobra, Zinc, Guardians of Peace, and Stardust Chollima. The source emphasizes that Lazarus blends political, espionage, dis…
Kaspersky describes ScarCruft/APT37/Temp.Reaper activity against North Korean defectors, journalists covering North Korea, and Korean Peninsula-related organizations after assisting a compromised news organization. The investigation found a victim infecte…
CrowdStrike OverWatch observed SILENT CHOLLIMA activity inside a pharmaceutical organization after suspicious reconnaissance was launched through Smbexec under a Windows service account. The actor copied and executed low-prevalence binaries that CrowdStri…
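Smbexec-style execution is visible on the target host as a service install (System log event 7045) whose image path is a command shell with output redirected to an admin share, rather than a real service binary. The detection below is an added example, not code from the CrowdStrike report; the events are constructed, and the suspicious command line is modelled on the default behaviour of impacket's smbexec (a `%COMSPEC% /Q /c` one-shot writing to `\\127.0.0.1\C$\__output`), which is an assumption about the tooling, not a detail the report states.

```python
"""
Flag Smbexec-style remote execution in Windows System log event 7045
(a service was installed). Added example, not from the CrowdStrike
OverWatch report. The events are constructed; the BTOBTO record is
modelled on impacket smbexec's default service command, which is an
assumption about the tooling, not something the report states.
"""
import re

# a command interpreter registered as the service binary
SHELL_AS_SERVICE = re.compile(r"(?i)^\s*(?:%COMSPEC%|cmd(?:\.exe)?)\s+(?:/q\s+)?/c\b")
# stdout redirected (> or the batch-escaped ^>) to \\host\ADMIN$ or \\host\X$
ADMIN_SHARE_REDIRECT = re.compile(r"(?i)\^?>\s*\\\\[^\\\s]+\\(?:ADMIN\$|[A-Z]\$)")
# file names used by impacket's smbexec by default (assumption, see above)
SMBEXEC_ARTIFACTS = re.compile(r"(?i)__output|execute\.bat")

EVENTS = [  # constructed, simplified System-log records
    {"EventID": 7045, "Computer": "PHARM-WS01", "ServiceName": "Dnscache",
     "ImagePath": r"C:\Windows\system32\svchost.exe -k NetworkService -p",
     "AccountName": "NT AUTHORITY\\NetworkService"},
    {"EventID": 7045, "Computer": "PHARM-WS01", "ServiceName": "BTOBTO",
     "ImagePath": r"%COMSPEC% /Q /c echo cd ^> \\127.0.0.1\C$\__output 2^>^&1 > "
                  r"%TEMP%\execute.bat & %COMSPEC% /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat",
     "AccountName": "LocalSystem"},
    {"EventID": 7045, "Computer": "PHARM-WS01", "ServiceName": "WinSvcUpd",
     "ImagePath": r"cmd.exe /c C:\Users\Public\rt.exe > \\10.1.2.3\ADMIN$\out.txt",
     "AccountName": "LocalSystem"},
    {"EventID": 7036, "Computer": "PHARM-WS01", "ServiceName": "BTOBTO",
     "ImagePath": "", "AccountName": ""},
]


def score_service_install(event):
    """Reasons an event 7045 looks like smbexec; empty list means nothing matched."""
    if event.get("EventID") != 7045:
        return []
    path = event.get("ImagePath", "")
    reasons = []
    if SHELL_AS_SERVICE.search(path):
        reasons.append("shell-as-service")
    if ADMIN_SHARE_REDIRECT.search(path):
        reasons.append("admin-share-redirect")
    if SMBEXEC_ARTIFACTS.search(path):
        reasons.append("smbexec-artifacts")
    return reasons


def flag_service_installs(events):
    """One record per suspicious install. Shell plus share redirect is the
    combination that characterises smbexec; the artifact names alone are
    weaker and only add confidence."""
    flagged = []
    for ev in events:
        reasons = score_service_install(ev)
        if "shell-as-service" in reasons and "admin-share-redirect" in reasons:
            flagged.append({"computer": ev["Computer"], "service": ev["ServiceName"],
                            "account": ev["AccountName"], "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for hit in flag_service_installs(EVENTS):
        print(hit)
```

The second flagged record (WinSvcUpd) has none of the default impacket file names and would be missed by a rule keyed on `__output` alone, which is why the shell-plus-redirect pairing is the primary condition. Tracing the low-prevalence binaries the actor copied afterwards needs process-creation telemetry (Security 4688 or Sysmon event 1) rather than service-install events.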