NSFOCUS profiles Kimsuky, also known as Thallium, CloudDragon, Velvet Chollima, and BabyShark, as a North Korea-linked APT active since at least 2012–2013 and primarily focused on South Korean government, military, think-tank, academic, media, human-right…
2021: 211 reports
Kimsuky group installs AppleSeed backdoor on the target system after the initial compromise, then additionally installs VNC malware via AppleSeed to ultimately control the target system in a graphical environment. As introduced in the previous blog post, …
ASEC analyzed a malicious HWP document disguised as a COVID-19 emergency relief personal-information consent form, apparently edited from a legitimate document and last modified in early October. The file contains an encoded EPS/PostScript object that dec…
Lazarus-research/slides/CODEBLUE2021_The-Lazarus-Groups-Attack-Operations-Targeting-Japan.pdf at main · JPCERTCC/Lazarus-research · GitHub
ASEC reported targeted malicious Word documents using defense and policy-themed academic lures, including a document based on a real paper about defense reform and military force-structure modernization. The embedded macro matches earlier samples distribu…
Twitter suspended @lagal1990 and @shiftrows13 after Google TAG linked them to a North Korean cyber-espionage campaign targeting security researchers. The operation built fake researcher personas across social platforms, posted exploit and infosec content …
MGNR disclosed that an October 2021 targeted attack likely began with a phishing email impersonating a recognized contact and carrying a fake DOCX tied to a Pantera-themed term sheet. The intrusion probably installed a keylogger and stole password manager…
ASEC analyzed an RTF malware sample disguised as an airline cover-letter or resume document and created in early October 2021. The file exploited the Microsoft Equation Editor vulnerability CVE-2017-11882 and, if triggered, attempted to download additiona…
QiAnXin analyzed a Kimsuky-attributed attack against South Korean targets that used COVID-19 response material tied to a local land-management office as the lure. The malware arrived as a PIF executable masquerading as a PDF, acting as a loader that decry…
Telsy analyzed Lazarus Group samples tied to the AppleJeus operation, again using a trojanized cryptocurrency trading application as the initial lure. The campaign packaged a malicious version of QtBitcoinTrader in an MSI installer that dropped files unde…
In this VB2021 talk, Seongsu Park explains why Lazarus should not be treated as one simple cluster and walks through multiple Lazarus-related malware clusters and their connections. The transcript discusses activity from Manuscrypt after Sony Pictures thr…
Microsoft’s 2021 Digital Defense Report identifies North Korea as one of the largest sources of observed nation-state attack volume after Russia, alongside Iran and China. The DPRK-relevant finding is that North Korean activity targeted cryptocurrency com…
In general, it targets bulletin boards on vulnerable websites, uploads web shells, and takes control by exploiting the host server's local privilege escalation. During the analysis, we further examined the commands (packets) and command structures used by…
Kyoung-ju is the main author of the threat intelligence report “Campaign Rifle: Andariel, the Maiden of Anguish”, published in 2017. Sojun worked at KrCERT/CC for seven years, analysing malware and responding to incidents, and is one of the authors of "Op…
Given that Lazarus continues to be one of the most prolific and destructive APT groups, tracking and grouping their various campaigns is particularly important. For example, AppleJeus has continued to attack only the cryptocurrency industry, but ThreatNeedl…