AhnLab describes a targeted malicious Word-document campaign that continued using the same external-template macro pattern seen in earlier Korean political and policy-advisory lures. Recent DOCX files used biography, inter-Korean summit, and U.S.-Korea di…
2021 (211 reports)
S2W analyzes a December 2020 watering-hole attack tied to ScarCruft/APT37 that delivered Matryoshka, an evolved ROKRAT variant, to visitors of a North Korea-related website using a vulnerable Internet Explorer browser. The infection chain used a malicious…
S2W analyzes a Lazarus-linked signed DLL disguised as the open-source Notepad++ ComparePlus plugin and apparently tailored to systems with a South Korean Non-ActiveX security component installed. The malware checked for INITECH/INISAFE Web EX Client files…
360 reports a suspected Kimsuky operation aimed at South Korean military or defense-related targets, using a PE sample disguised with a Microsoft-style icon and a Korean HWP procurement-plan lure. The first-stage malware displayed the decoy document, crea…
AT&T Alien Labs reports Lazarus-attributed malicious document activity in spring 2021 that targeted engineering job candidates or employees in classified engineering and defense-related roles in the United States and Europe. The lures impersonated Rheinme…
AhnLab reports continued distribution of targeted malicious Word documents using Korean political, diplomatic, academic-conference, and policy-advisory biography lures. The DOCX files fetched external DOTM templates such as InterKoreanSummit.dotm and Semi…
Korea Aerospace Industries reportedly suffered two hacking attempts in 2021 that exposed KF-21 Boramae fighter design drawings and related technical information. Sources cited in the article said hacking attempts may have affected most of KAI’s defense pr…
ESRC reports a surge of Kimsuky/Thallium activity against South Korean public-sector, diplomacy, security, unification, and defense-related targets using Google Blogspot as part of the command infrastructure. The June 28 attack used a password-protected M…
Korea Aerospace Industries said it asked police to investigate a suspected hacking incident on June 28 after media reporting raised questions about a possible compromise involving KF-21 design material. The company said it would cooperate with investigato…
TeamT5 identified two installers for a newly named backdoor, MemzipRAT, in activity linked to CloudDragon and likely aimed at a South Korean aerospace-sector company. The target belonged to a major South Korean conglomerate with business across aerospace,…
ASEC observed a targeted malicious Word document campaign that impersonated a Korean summer conference administrator and used a bio-template lure delivered by email. The document contained a macro that did not trigger on open, but executed after the user …
ESRC reported North Korea-linked Thallium/Kimsuky phishing waves that impersonated South Korea’s Ministry of Unification and Korea Institute for National Unification around 22-24 June 2021. The emails spoofed official-looking sender addresses and used lur…
ThreatBook described Kimsuky activity targeting South Korean defense and security-related organizations over roughly six months with lures themed around the U.S.-South Korea summit, Ministry of National Defense bidding documents, and a fake KISA mobile se…
BBC’s account of the 2016 Bangladesh Bank heist describes investigators attributing a nearly $1 billion fraudulent-transfer attempt to North Korean operators known as Lazarus Group. The attackers had reportedly been inside Bangladesh Bank’s systems for ab…
BBC’s Lazarus Heist episode “Kill switch” describes a frightening global attack that caused hospital disruption and involved an accidental hero with a secret. The source excerpt is an episode listing and does not include code, infrastructure, or IOC-level…