AhnLab ASEC identified two CHM malware variants circulating in South Korea: one using anti-sandbox checks and another designed to avoid execution on consumer V3Lite systems while targeting enterprise environments. The anti-sandbox variant drops a maliciou…
2022 (296 reports)
Reuters found that Lazarus used Binance accounts to launder part of the roughly $5.4 million stolen from the Slovakian exchange Eterbase in September 2020. Account records shared with Slovak police reportedly showed the hackers created at least two dozen …
Cyber and Ramen analyzes an AppleSeed dropper tied to Kimsuky activity and distributed as a fake router firmware upgrade installer. The sample shows a decoy upgrade prompt and opens iptime.com while creating files under AppData and ProgramData, silently i…
NSHC’s April 2022 threat actor intelligence report lists four SectorA groups and says their activity was observed in Brazil, Germany, the United States, South Korea, Japan, China, Austria, the United Kingdom and Canada. SectorA01 impersonated corporate re…
AhnLab assessed Andariel as a suspected North Korea-backed group and possible Lazarus collaborator or subgroup that has operated primarily against South Korean targets since 2008. The 2020-2021 activity focused on defense, shipbuilding, telecommunications…
Anheng’s Hunting Shadow Lab reported suspected Lazarus activity, likely associated with the BlueNorOff subgroup, targeting venture capital and cryptocurrency themes through encrypted document lures. The samples used ZIP files containing protected PDFs and…
The excerpt describes WannaCry as an APT38-attributed campaign that spread in May 2017 by using the EternalBlue SMB exploit and the DoublePulsar backdoor against unpatched Windows systems. It highlights WannaCry’s kill-switch domain check, where successful resolution caused the ransomware t…
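As an added illustration of the kill-switch logic summarized above (this is example code written for this page, not code from the report or from the malware), the block below models the gate as a function that takes any resolver callable, then shows the defender's side: sweeping constructed DNS query-log lines for hosts that looked up the kill-switch domain. The domain name, the log lines and the resolver stubs are placeholders constructed here; the real domain is not given on this page. The only behavioural assumption is the one the summary states: when the domain resolves, the malware stops rather than continuing.

```python
"""Kill-switch gate and DNS-log sweep. Example code, not from the page.
KILL_SWITCH_DOMAIN is a placeholder, not the real WannaCry domain."""
import re
import socket
from collections import Counter

KILL_SWITCH_DOMAIN = "example-killswitch.invalid"  # placeholder, assumption


def should_continue(resolve) -> bool:
    """Kill-switch gate: proceed only when the domain does NOT resolve.

    `resolve` is any callable that returns an address string or raises
    OSError on lookup failure. socket.gethostbyname fits this shape
    (socket.gaierror is a subclass of OSError), so the real resolver can
    be passed in; the stubs below keep the example offline.
    """
    try:
        resolve(KILL_SWITCH_DOMAIN)
    except OSError:
        return True  # NXDOMAIN: the check passes and the payload would run
    return False  # registered/sinkholed: the check fails and execution halts


def unregistered(_domain: str) -> str:
    """Resolver stub for the pre-sinkhole state (constructed)."""
    raise OSError("NXDOMAIN")


def sinkholed(_domain: str) -> str:
    """Resolver stub for the post-sinkhole state (constructed)."""
    return "192.0.2.1"  # TEST-NET-1 address, documentation use only


def real_resolver(domain: str) -> str:
    """Live resolver, same contract as the stubs (not used in the test)."""
    return socket.gethostbyname(domain)


# Constructed BIND-style query-log lines; not real telemetry.
DNS_LOG = """\
client 10.0.0.5#51234: query: example-killswitch.invalid IN A +
client 10.0.0.7#44120: query: www.example.com IN A +
client 10.0.0.5#51250: query: example-killswitch.invalid IN A +
client 10.0.0.9#60001: query: EXAMPLE-KILLSWITCH.INVALID. IN A +
"""

LINE_RE = re.compile(r"client (\d+\.\d+\.\d+\.\d+)#\d+: query: (\S+) IN A")


def hosts_querying_killswitch(log: str) -> dict:
    """Return {client_ip: query_count} for lookups of the kill-switch domain.

    A host that queried the domain ran the dropper far enough to reach the
    gate, whether or not the gate then stopped it, so every hit is a host
    to triage even when the sinkhole prevented encryption.
    """
    counts: Counter = Counter()
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        # Normalize case and a trailing root dot before comparing.
        name = m.group(2).lower().rstrip(".")
        if name == KILL_SWITCH_DOMAIN:
            counts[m.group(1)] += 1
    return dict(counts)


if __name__ == "__main__":
    print("pre-sinkhole, payload runs:", should_continue(unregistered))
    print("post-sinkhole, payload halts:", should_continue(sinkholed))
    print("hosts that hit the gate:", hosts_querying_killswitch(DNS_LOG))
```

The two halves make the operational point of the kill switch explicit: once the domain is registered and sinkholed, `should_continue` returns False on every infected host, but those hosts still emit the lookup, so the DNS sweep is a cheap way to enumerate machines that need patching and cleanup even though they never encrypted anything.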
Anheng CERT attributed a renewed Dream Job-style operation to Lazarus after observing Binance developer recruitment lures aimed at job seekers, with the suspected objective of cryptocurrency theft. The delivery chain used password-protected PDF decoys alo…
Somansa reported continued North Korea-attributed abuse of HWP OLE objects against South Korean users even after Microsoft patched CVE-2022-30190. The analyzed lures included broadcast invitation requests, surveys for North Korean defector advisers, inter…
ESET reports that Lazarus targeted aerospace and defense contractors between late 2021 and March 2022, with victims observed across Europe, the Middle East, and Latin America. The activity used fake recruiting lures on LinkedIn and then shifted communicat…
Thales' 2022 Cyber Threat Handbook profiles North Korea's cyber apparatus as a Bureau 121-centered ecosystem rather than a single monolithic Lazarus actor. The DPRK section links Lazarus to espionage and destabilization operations, cites the Sony Pictures…
Binance's blog argues that blockchain transparency helps identify and disrupt crypto money laundering, then uses North Korean Lazarus activity as a state-sponsored crime example. The source says Binance shares intelligence with law enforcement and blocks …
AhnLab observed AppleSeed malware, a backdoor associated with Kimsuky APT activity, distributed as an executable disguised as an internet router firmware upgrade installer. When run, the file showed a fake firmware-update prompt and opened iptime.com whil…
Japanese reporting and official disclosures linked a North Korean IT worker to subcontracted maintenance work on Hyogo Prefecture's disaster information app, Hyogo Bosai Net. The worker allegedly used another person's identity on freelance matching platfo…
Prelude's TTP Tuesday article uses the 2014 Sony Pictures compromise to model APT38/Guardians of Peace tradecraft. It summarizes the operation's political trigger around The Interview, the leaking of Sony emails, employee records and unreleased films, des…