Google TAG says the North Korean government-backed actors targeting security researchers expanded their operation by creating a fake offensive-security company called SecuriElite on March 17. The site and associated LinkedIn and Twitter personas posed as …
« 2021 »
211 reports
AhnLab's Operation Dream Job report summarizes malicious activity against people interested in aerospace and defense-industry employment. The campaign used social-media recruiter personas and job-opportunity lures to deliver malware to targets in sensitiv…
AhnLab analyzed a malicious Word document disguised as a reward-payment request that combined an external template connection with embedded VBA macro code. The document contacted ftcpark59.getenjoyment.net over external and macro URLs, used a deliberately…
360’s retrospective report attributes a spear-phishing and server-compromise activity cluster to Kimsuky, also tracked as BabyShark, Thallium and Black Banshee. The activity used malicious macro documents, DLL hijacking files such as version.dll and wtsap…
The HHS briefing summarizes DPRK cyber activity as a state instrument for espionage, disruption and revenue generation, noting reported growth in North Korean network activity and a claimed cyber workforce of about 7,000 operators. It profiles HIDDEN COBR…
Carnegie's financial-sector incident timeline includes a DPRK-relevant entry stating that Lazarus used trojanized decentralized-finance applications in an April 2022 spearphishing campaign. The timeline labels the activity as a high-confidence state-spons…
Sygnia links a double-extortion ransomware intrusion to a new, undocumented variant of the Lazarus-associated MATA malware framework that was used to deploy TFlower ransomware. The report says the relationship between Lazarus and TFlower requires further …
AhnLab reports malicious Word documents using North Korea-related lure content and external XML links, likely distributed by email to recipients working on DPRK-related issues. The documents connected to external URLs to download additional malicious Word…
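The two AhnLab entries above (the reward-payment lure that pairs an external template relationship with an embedded VBA project, and the DPRK-themed documents that pull follow-on files over external XML links) share a static signature: an OOXML relationship whose TargetMode is External. The script below is an added example, not code from AhnLab or from either report; it unpacks a .docx as the zip container it is, walks every .rels part, reports external targets and remote attachedTemplate relationships, and flags a vbaProject.bin part. The sample document it scans is constructed in-memory, and the example.invalid template URL is a placeholder, not an indicator from the page.

```python
"""Static triage of a .docx for remote-template and macro indicators.
Added example; not code from the AhnLab reports summarised above."""
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import Optional

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")


def scan_docx(data: bytes) -> dict:
    """Inspect every .rels part in the OOXML package and report
    external targets, remote templates and an embedded VBA project."""
    out = {"external": [], "remote_template": [], "has_vba": False}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        # Macros live in word/vbaProject.bin; a plain .docx should never carry one.
        out["has_vba"] = any(n.lower().endswith("vbaproject.bin") for n in names)
        for name in names:
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("TargetMode") != "External":
                    continue  # internal part references are normal
                rtype = rel.get("Type", "")
                target = rel.get("Target", "")
                out["external"].append((name, rtype.rsplit("/", 1)[-1], target))
                if rtype == ATTACHED_TEMPLATE:
                    out["remote_template"].append(target)
    return out


def verdict(findings: dict) -> str:
    """Remote template plus VBA is the combination the first report describes;
    any other external relationship (e.g. an external XML link) is still worth a look."""
    reasons = []
    if findings["remote_template"]:
        reasons.append("remote attachedTemplate")
    if findings["has_vba"]:
        reasons.append("embedded VBA project")
    if findings["external"] and not findings["remote_template"]:
        reasons.append("other external relationship")
    return "suspicious: " + ", ".join(reasons) if reasons else "no external/macro indicators"


def build_sample_docx(template_url: Optional[str], with_vba: bool) -> bytes:
    """Constructed minimal package for the demo (not a real malicious sample).
    template_url=None produces a document with no external relationship."""
    rel = ""
    if template_url:
        rel = (f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
               f'Target="{template_url}" TargetMode="External"/>')
    rels = (f'<?xml version="1.0" encoding="UTF-8"?>'
            f'<Relationships xmlns="{REL_NS}">{rel}</Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/settings.xml", "<w:settings/>")
        zf.writestr("word/_rels/settings.xml.rels", rels)
        if with_vba:
            # Placeholder bytes standing in for an OLE vbaProject stream.
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_docx("http://example.invalid/template.dotm", with_vba=True)
    findings = scan_docx(sample)
    print(findings)
    print(verdict(findings))
```

Run it against a real sample by replacing the constructed package with `open(path, "rb").read()`; the same walk covers word/_rels/document.xml.rels, where external hyperlink and oleObject relationships from the XML-link variant would surface.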
JPCERT/CC describes Lazarus activity against Japanese organizations using the VSingle and ValeforBeta HTTP bot families. VSingle runs through Explorer DLL injection in some samples, decodes obfuscated strings with a fixed XOR key, communicates with C2 ove…
ENKI and S2W describe Lazarus operations against domestic and foreign security researchers that used social media contact and zero-day browser exploit delivery. The actors posed as vulnerability researchers on Twitter, LinkedIn, Telegram, Discord, and rel…
ESTsecurity warned of a surge in Thallium-linked spear-phishing against South Korean diplomacy, security, unification and defense-policy experts. The attackers impersonated media outlets, policy institutes, academic societies and North Korea-policy forums…
presentation/K-CTI2021_Lazarus.pdf at main · theseongsu/presentation · GitHub
The 2021 UN Panel of Experts report says North Korea maintained and developed nuclear and ballistic missile programs while seeking overseas material and technology despite COVID border controls. The Panel investigated malicious cyber activity attributed t…
PwC’s 2020 retrospective notes North Korea-based Black Banshee, also known as Kimsuky, registering domains that impersonated healthcare and pharmaceutical organizations involved in COVID-19 vaccine and treatment research. The observed targeting covered en…
Kaspersky reports that Lazarus used the ThreatNeedle malware cluster, an advanced Manuscrypt/NukeSped variant, in attacks against defense-industry organizations in more than a dozen countries. The campaign began with carefully tailored COVID-19-themed spe…