JPCERT/CC's Anatomy of COBRA presentation reviews Lazarus Group campaigns and recent TTPs, emphasizing that Lazarus activity spans many countries and targets. The slides discuss how Lazarus-related categorizations overlap across names such as Bluenoroff, …
2021: 211 reports
Most recently, our team has responded to cryptocurrency mining abuse, phishing campaigns, and ransomware.
APT28/Fancy Bear launched Gmail phishing campaign. Based on research from TAG, the Russian government-backed attackers APT28/Fancy Bear, which more …
CrowdStrike told The Daily Beast that North Korea-linked Stardust Chollima, also tracked by some researchers as Lazarus Group, targeted Chinese security researchers to obtain hacking techniques and possibly zero-day research. The campaign used Chinese-lan…
Proofpoint profiles TA406, a North Korea-aligned actor associated with the broader Kimsuky, Thallium, and Konni activity sets, as running persistent credential-theft and espionage campaigns through 2021. From January to June, Proofpoint observed almost we…
360 Advanced Threat Research Institute reports suspected APT-C-55/Kimsuky testing malware that repurposes the commercial Web Browser Password Viewer tool to collect browser credentials. The captured sample differs from recent Hancom-themed Kimsuky payload…
NSHC’s September 2021 monthly threat-actor roundup reports four SectorA groups active between August 21 and September 20, with operations observed in the United States, Turkey, Taiwan, the United Kingdom, Japan, South Korea, and other locations. The Secto…
AhnLab ASEC reports malicious Office documents using CVE-2021-40444 with North Korea-related lure filenames, showing attackers quickly adopting the MSHTML remote-code-execution vulnerability after its disclosure. The documents used external links and the …
AhnLab analyzes Kimsuky APT attacks that use spear-phishing and social-engineering attachments disguised as documents related to North Korea and diplomacy. The report says victims are often individual users, but infection logs also show targeting of publi…
AhnLab’s report analyzes Kimsuky malware and C2 infrastructure grouped as Operation Light Shell, a campaign named for a recurring light-shell file found on command-and-control servers. The source says Kimsuky conducts financially motivated and intelligenc…
DBAPPSecurity summarized ESET’s disclosure that Lazarus targeted security researchers by distributing a trojanized IDA Pro 7.5 installer. The installer included modified `idahelper.dll` and `win_fw.dll` components; `win_fw.dll` created a scheduled task th…
ESRC reports a North Korea-linked spear-phishing case impersonating the president of Pyongyang University of Science and Technology and exploiting CVE-2021-40444 in a malicious DOCX document. If opened on an unpatched Microsoft Office system, the document…
AhnLab analyzes Lazarus Group attacks observed from around 2020 onward that used the NukeSped backdoor. The report traces distribution through malicious email attachments and watering-hole activity, then describes NukeSped modules such as update, file man…
Cisco Talos attributes a campaign active since at least June 2021 to Kimsuky, targeting South Korean geopolitical, diplomatic, military, and aerospace research organizations. The attackers used malicious Blogspot pages reached from Office maldocs to stage…
ESRC describes a spear-phishing campaign impersonating a South Korean think-tank workshop to target defense and national-security experts with a malicious DOCX file. The lure exploited MSHTML remote-code-execution vulnerability CVE-2021-40444, allowing an…
bZx reported that a developer received a phishing email with a malicious Word macro, leading to compromise of the developer's personal mnemonic wallet phrase. Because that externally owned account controlled bZx deployments on Polygon and BSC, the attacke…