The Korea Atomic Energy Research Institute confirmed that an unidentified external actor accessed some systems through a VPN vulnerability after a media report alleged a breach and possible North Korean hacking. KAERI said it blocked the attacker IP addre…
Fluid Attacks links Lazarus to North Korea’s Reconnaissance General Bureau and describes the group as a state-sponsored operation active since at least 2009. The article says recent North Korean campaigns targeted South Korean government officials, financ…
A campaign in 2022, named TraderTraitor, involved a set of malicious cryptocurrency trading applications that targeted employees of organizations engaged in blockchain research. NICKEL GLADSTONE has also increasingly targeted cryptocurrency exchanges and …
Kaspersky attributed a 2021 South Korea-focused campaign to Andariel, a Lazarus sub-group, based on code overlap with earlier Andariel malware and distinctive post-exploitation command usage. The activity used weaponized Korean Word documents and PDF-like…
BBC’s Lazarus Heist episode “The Macau connection” points to the Macau-linked aftermath of the heist, describing “dark arts,” murders, and a murky setting with an unexpected interview. The available source is a BBC Sounds episode listing and does not prov…
NiceHash reported that a U.S. federal indictment charged three North Korean RGB-linked programmers over a broad hacking conspiracy involving destructive attacks, theft, and extortion exceeding $1.3 billion. The article ties the indictment to the 2017 Nice…
AhnLab analyzed a renewed targeted malicious Word document campaign using a Korean “payment request” lure that had also appeared in earlier activity. The document’s VBA macro was stored with an HTML extension and only executed after the user typed in the …
BBC’s Lazarus Heist episode “The multimillion mistake” covers the Bangladesh Bank theft narrative through a costly spelling error, a mysterious middleman, and a dispute inside the bank. The source excerpt provides episode-level evidence only, without malw…
This Korean malware analysis covers a malicious document named as an International Constitution Day forum file that likely used phishing to reach a broad target set. Enabling content runs obfuscated macros that contact rukagu.mypressonline.com, fetch /le/…
Cyble reported that Kimsuky, also known as Black Banshee, Thallium, and Velvet Chollima, distributed a fake Korean Internet and Security Agency mobile security app through malicious emails. The APK used package name com.kisa.mobile_security and was detect…
Malwarebytes tracked Kimsuky, also known as Thallium, Black Banshee, and Velvet Chollima, using phishing sites, malicious documents, and scripts against high-profile South Korean government targets. One lure translated as “Ministry of Foreign Affairs Edit…
BBC’s Lazarus Heist episode “Korean roulette” follows the money trail around the Lazarus-linked heist through cash movements, fake millionaires, and threats. The archived source is a BBC Sounds listing rather than a technical malware report, so the reliab…
TeamT5’s HITB slides dissect CloudDragon “Phisherman” tradecraft, focusing on phishing infrastructure rather than a single intrusion victim. The material shows email delivery tooling, including PHPMailer on compromised C2 sites, target-account lists, and …
ESRC reports a surge in Thallium/Kimsuky spear-phishing activity that abuses financial-transaction and honorarium-payment themes to lure Korean targets into opening malicious Office documents. The campaign impersonated domestic banks or payment-related co…
AhnLab describes malicious Excel and Word documents disguised as normal Korean business or event files, including card-company themed spreadsheets and forum-related documents that prompt users to enable macros. Once macros run, the samples fetch additiona…