The JSAC presentation explains hunting methods for threat intelligence related to cryptocurrency-business targeting campaigns, including activity affecting Japanese cryptocurrency operators. It references campaigns publicly reported by JPCERT/CC, ClearSky…
« 2021 »
211 reports
The malware mentioned in “North Korean hackers have targeted security researchers via social media report”, published by Google Threat Analysis Group (TAG), is considered to be ThreatNeedle, as dubbed by Kaspersky. In addition, the malware and C2 communi…
JPCERT/CC’s English Operation Dream Job report analyzes Torisma and LCPDot malware used by Lazarus/Hidden Cobra. Torisma is a rundll32-executed downloader that loads C2 configuration from a signed local file, uses the VEST-32 algorithm and a repeated encr…
JPCERT/CC describes two Lazarus/Hidden Cobra malware families, Torisma and LCPDot, used during intrusion and post-intrusion operations. Torisma is a rundll32-launched downloader that reads configuration files, uses a fixed signature and VEST-32 encryption…
360 attributed “Operation Breaking the Shell” to Lazarus/APT-C-26 and described it as a long-prepared campaign against security researchers. The operators built credibility by registering social-media personas, running the blog blog.br0vvnn[.]io, publishi…
Cisco Talos reported that multiple Talos researchers received messages linked to the same security-researcher targeting campaign described by Google TAG. One researcher was contacted on January 11 with the same lure seen in public reporting, and the attac…
The actors behind this campaign, which we attribute to a government-backed entity based in North Korea, have employed a number of means to target researchers which we will outline below. To date, we have only seen these actors targeting Windows systems as…
ESTsecurity ESRC reported a Thallium spear-phishing campaign timed around Korean year-end tax settlement activity and disguised as a 2021 COVID-19 donation-certificate request. The lure email delivered a ZIP containing a benign-looking PDF and an Excel bi…
NCC Group RIFT analyzed Lazarus-linked macro documents that execute shellcode without the more commonly detected WriteProcessMemory or CreateThread APIs. The macros trigger through a Microsoft Forms ActiveX control, allocate an executable heap, decode she…
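The entry above describes macros that avoid the APIs most sandboxes and EDR hooks key on. A hunter reviewing extracted VBA therefore needs to look for the substitute pattern instead: a Forms control event as the trigger, a heap created with the execute flag, and a Win32 function that accepts a code pointer as the way into the shellcode. The following Python triage heuristic is an added example, not code from NCC Group or from the analyzed documents. The VBA fragments are constructed for this example; the `Frame1_Layout` handler, the `HeapCreate(&H40000, ...)` call and `EnumSystemLocalesA` as the callback are my assumptions about what such a macro looks like (the summary only says a Forms ActiveX control, an executable heap and no WriteProcessMemory/CreateThread), and the scoring rules are mine.

```python
import re

# Constructed VBA sample for this example (NOT the macro from the NCC Group report).
# It reproduces only the pattern described: Forms control event trigger, RWX heap,
# callback API as the control transfer, no WriteProcessMemory/CreateThread.
SAMPLE_VBA = r'''
Private Declare PtrSafe Function HeapCreate Lib "kernel32" (ByVal flOptions As Long, ByVal dwInitialSize As LongPtr, ByVal dwMaximumSize As LongPtr) As LongPtr
Private Declare PtrSafe Function HeapAlloc Lib "kernel32" (ByVal hHeap As LongPtr, ByVal dwFlags As Long, ByVal dwBytes As LongPtr) As LongPtr
Private Declare PtrSafe Sub RtlMoveMemory Lib "kernel32" (ByVal Destination As LongPtr, ByRef Source As Any, ByVal Length As LongPtr)
Private Declare PtrSafe Function EnumSystemLocalesA Lib "kernel32" (ByVal lpLocaleEnumProc As LongPtr, ByVal dwFlags As Long) As Long

Private Sub Frame1_Layout()
    Dim hHeap As LongPtr, pCode As LongPtr
    Dim buf() As Byte                           ' filled by the decoder (omitted here)
    hHeap = HeapCreate(&H40000, 0, 0)           ' HEAP_CREATE_ENABLE_EXECUTE
    pCode = HeapAlloc(hHeap, 0, UBound(buf) + 1)
    RtlMoveMemory pCode, buf(0), UBound(buf) + 1
    EnumSystemLocalesA pCode, 0                 ' "callback" pointer is the shellcode
End Sub
'''

# Constructed benign macro for contrast: classic auto-trigger, no Win32 declares.
BENIGN_VBA = r'''
Sub Auto_Open()
    MsgBox "Quarterly report loaded"
End Sub
'''

HEAP_EXEC_FLAG = 0x40000  # HEAP_CREATE_ENABLE_EXECUTE (documented Win32 constant)

# Win32 functions that take a caller-supplied code pointer; any of them can stand in
# for CreateThread. List chosen by me for this example, not from the report.
CALLBACK_APIS = {"EnumSystemLocalesA", "EnumSystemLocalesW", "EnumWindows",
                 "EnumDateFormatsA", "CallWindowProcA", "CallWindowProcW"}
CLASSIC_APIS = {"CreateThread", "CreateRemoteThread", "WriteProcessMemory",
                "VirtualAlloc", "VirtualAllocEx"}
AUTO_TRIGGERS = {"AutoOpen", "Auto_Open", "Document_Open", "Workbook_Open"}
CONTROL_EVENT = re.compile(r"\w+_(?:Layout|Click|Change|Activate|Initialize)$")


def parse_vba_long(tok):
    """Parse a VBA integer literal such as 262144, &H40000 or &H40000&."""
    tok = tok.strip().rstrip("&")
    if tok.upper().startswith("&H"):
        return int(tok[2:], 16)
    return int(tok)


def declared_apis(vba):
    """Names imported through Declare statements (the macro's Win32 surface)."""
    return set(re.findall(r"\bDeclare\s+(?:PtrSafe\s+)?(?:Function|Sub)\s+(\w+)", vba))


def procedures(vba):
    """Procedures defined in the module (Declare lines are excluded by the anchor)."""
    return re.findall(r"^\s*(?:Private\s+|Public\s+)?(?:Sub|Function)\s+(\w+)", vba, re.M)


def heapcreate_flags(vba):
    """flOptions values passed to HeapCreate(...) calls (not the Declare line)."""
    return [parse_vba_long(m.group(1)) for m in re.finditer(r"HeapCreate\s*\(\s*([^,]+),", vba)]


def analyze(vba):
    apis = declared_apis(vba)
    exec_heap = any(f & HEAP_EXEC_FLAG for f in heapcreate_flags(vba))
    callbacks = sorted(apis & CALLBACK_APIS)
    classic = sorted(apis & CLASSIC_APIS)
    procs = procedures(vba)
    handlers = [p for p in procs if CONTROL_EVENT.match(p)]
    auto = [p for p in procs if p in AUTO_TRIGGERS]
    findings = []
    if exec_heap:
        findings.append("HeapCreate called with HEAP_CREATE_ENABLE_EXECUTE (RWX memory without VirtualAlloc)")
    if callbacks:
        findings.append("control transfer via callback API: " + ", ".join(callbacks))
    if handlers and not auto:
        findings.append("trigger is a Forms control event, not an auto-open macro: " + ", ".join(handlers))
    if classic:
        findings.append("classic injection APIs declared: " + ", ".join(classic))
    # The combination is the signal: an executable heap plus a callback-style call site.
    return {"suspicious": exec_heap and bool(callbacks), "findings": findings, "declares": sorted(apis)}


if __name__ == "__main__":
    for name, src in (("sample", SAMPLE_VBA), ("benign", BENIGN_VBA)):
        r = analyze(src)
        print(name, "suspicious" if r["suspicious"] else "clean")
        for f in r["findings"]:
            print("  -", f)
```

Run it on the output of a VBA extractor (olevba or oledump) rather than on the raw OLE file; the regexes expect decompressed module source. The point of the rule is the combination: an executable heap alone is rare but not malicious, and a callback API alone is everywhere, but the two together with no CreateThread in sight is the signature the entry above describes.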
JPCERT documented commonly available tools observed in Lazarus intrusions, emphasizing that the group supplements malware with legitimate utilities after gaining access. For lateral movement and network discovery, the excerpt names AdFind for Active Direc…
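Because tools like AdFind are legitimate and arrive unsigned-by-malware, hunting for them means matching execution telemetry, and matching on the binary name alone misses a renamed copy. The following Python hunt over process-creation events is an added example, not code from JPCERT; the events are constructed Sysmon-style records, not data from the report, and the argument patterns (AdFind's `-f` LDAP filter and `-sc` shortcut switches) are my choice of what is distinctive enough to catch a renamed binary.

```python
import ntpath
import re

# Constructed process-creation events in Sysmon Event ID 1 style (not from the
# JPCERT report). One is AdFind under its own name, one is a renamed copy that
# still uses AdFind-style arguments, and two are unrelated noise.
EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c dir C:\Users",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Users\Public\adfind.exe",
     "CommandLine": r'adfind.exe -f "(objectcategory=person)" > ad_users.txt',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\ProgramData\svc.exe",
     "CommandLine": r"svc.exe -sc trdc > dc.txt",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\net.exe",
     "CommandLine": r'net group "Domain Admins" /domain',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
]

ADFIND_NAMES = {"adfind.exe"}

# Argument shapes that are characteristic of AdFind regardless of file name
# (assumed sufficient for this example; tune against your own environment).
ADFIND_ARG_PATTERNS = [
    ("-f LDAP filter on objectcategory/objectclass",
     re.compile(r'(?i)\s-f\s+"?\(?\s*object(?:category|class)=')),
    ("-sc shortcut query (trdc, dclist, computers_active, ...)",
     re.compile(r"(?i)\s-sc\s+\w+")),
]


def classify(event):
    """Return the list of reasons an event looks like AdFind usage (empty = no hit)."""
    image = ntpath.basename(event["Image"]).lower()
    cmd = event["CommandLine"]
    reasons = []
    if image in ADFIND_NAMES:
        reasons.append("image name is adfind.exe")
    for label, pattern in ADFIND_ARG_PATTERNS:
        if pattern.search(cmd):
            reasons.append("AdFind-style argument: " + label)
    # A hit on arguments but not on name is the renamed-binary case worth escalating.
    if reasons and image not in ADFIND_NAMES:
        reasons.append("binary name does not match: possible renamed copy")
    return reasons


def hunt(events):
    """Filter events down to those with at least one AdFind indicator."""
    hits = []
    for ev in events:
        reasons = classify(ev)
        if reasons:
            hits.append({"CommandLine": ev["CommandLine"], "reasons": reasons})
    return hits


if __name__ == "__main__":
    for h in hunt(EVENTS):
        print(h["CommandLine"])
        for r in h["reasons"]:
            print("  -", r)
```

The renamed-copy branch is the one that earns its keep: a name-only rule (or a hash-only blocklist) produces the first hit and silently misses the second. Pair a hit with the parent process and the redirect to a file in a staging directory, both visible in the constructed events, to raise confidence before paging anyone.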
ESRC reported a Thallium/Kimsuky-attributed campaign using a malicious DOC disguised as a survey about the incoming Biden administration and U.S. foreign and security policy. The document displayed a fake Office update prompt to induce macro enablement; o…
The JSAC presentation analyzes Operation Bitter Biscuit, a targeted attack campaign against government, military, defense, and some IT targets that multiple security vendors have reported. The observed intrusion began with a compressed file attached to a targete…
NTT Security’s VB2020 presentation analyzed CryptoMimic, also known as Dangerous Password, an APT actor observed since around March 2018 targeting companies worldwide with emphasis on cryptocurrency organizations. The source describes initial LNK and macr…
K7 Labs' Ghost Mach-O talk analyzes Lazarus macOS malware used in cryptocurrency exchange targeting. The transcript describes AppleJeus-style spear phishing in which a victim is directed to a fake trading application site, downloads a signed package, and …
Malwarebytes analyzed a malicious Office document, likely aimed at South Korean government-related targets, that it associates with APT37/ScarCruft based on the injected RokRat payload. The macro used a VBA self-decoding technique to unpack and execute ma…