NSFOCUS attributed to Kimsuky a targeted phishing activity that used the malicious document TBS TV_Qs.doc and likely targeted military experts or commentators focused on Korean Peninsula issues. The lure contained interview questions on the Russia-Ukraine…
2022: 296 reports
ASEC observed malicious CHM files distributed in South Korea with filenames tailored to national institution administrators and university professors, including electronic attendance and faculty workload manual themes. The CHM script decompiled and ran Im…
Trellix examines ransomware activity it attributes with high confidence to DPRK-affiliated hackers, framing it against North Korea’s financially motivated operations against banks, cryptocurrency targets, and APAC victims. The excerpt focuses on VHD ranso…
NSHC's March 2022 monthly actor report recorded five SectorA groups active in Korea, Macau, Hong Kong, Japan, France, Singapore, the United States, and the United Kingdom. The Korea-focused SectorA02 activity impersonated a South Korean central administra…
SECUI STIC observed a North Korea-backed APT campaign targeting South Korean security and unification-related organizations with spearphishing emails carrying a password-protected Word document named as a profile form. When the victim enabled macros, the …
PwC highlighted North Korea-based Black Artemis, also known as Lazarus Group, as continuing to use job-specification lure documents against targets in high-profile defense and engineering companies. The activity often followed social engineering in which …
AhnLab ASEC observed malicious Word document distribution using North Korea's April 25 military parade as lure content. The attacker uploaded the document to a suspected compromised South Korean web server alongside benign HWP documents that appeared rela…
QiAnXin RedDrip analyzed a set of PE samples attributed by code similarity to Lazarus APT's Andariel sub-group, with activity beginning at least in February 2022 based on VirusTotal submission times. The samples included loaders that decrypted and memory-…
South Korean military and police investigators said a North Korean hacker recruited a civilian cryptocurrency investment executive and an active-duty army captain through Telegram and Bitcoin payments. The suspects allegedly helped prepare an attempted co…
SlowMist’s MistTrack analysis covers the August 2021 Liquid Exchange breach, where attackers stole more than $90 million from the Japanese exchange’s hot wallet across BTC, ETH, ERC-20, TRX, TRC-20, XRP and other assets. The source tracks laundering acros…
SlowMist analyzed the March 2022 Ronin Bridge breach in which an attacker stole 173,600 ETH and 25.5 million USDC, more than $610 million, from the Axie Infinity sidechain. The source says compromised private keys allowed forged withdrawal signatures, wit…
AhnLab observed malicious Word documents using North Korea-related diplomatic and security themes, including filenames about North Korean foreign policy and military parade analysis. The documents contained obfuscated VBA macros that created a version.ini…
Symantec reported that the North Korea-linked Stonefly group continued espionage operations against high-value engineering targets, especially organizations holding intellectual property with civilian and military applications. In a February 2022 intrusio…
We have previously seen DustSquad use third-party post-exploitation tools, such as the password dumping utility fgdump; but we have now observed new custom C modules, a first for DustSquad, and Delphi downloaders acting as post-exploitation facilitators, …
Hauri reported an APT37 spear-phishing campaign targeting journalists who cover North Korea-related issues. The attack used a large LNK file named "Kang Min-chol Edits 2.lnk" that hid PowerShell commands behind junk data and extracted a decoy Word documen…