North Korea-backed SectorA activity in 2021 targeted government bodies, public companies, North Korea defectors, related organizations, cryptocurrency exchanges, financial investment firms, medical institutions, and research organizations. The excerpt des…
2022 (296 reports)
ESRC reported malicious emails impersonating the Korea Internet Information Center (KRNIC) and using Internet address-policy notices to deliver password-protected Word documents with Korean-language customer-information lure names. The documents prompted …
Hauri reported phishing emails in South Korea disguised as requests for public input on internet address policy decisions. The emails encouraged recipients to open a password-protected document and enable macros after entering a password supplied in the m…
Google TAG reported two North Korean government-backed groups exploiting Chrome CVE-2022-0609 before and shortly after the February 2022 patch. One campaign aligned with Operation Dream Job targeted more than 250 people at U.S.-based news media, domain re…
Group123, also known as ScarCruft, Reaper, and APT37, is described as a suspected North Korea-origin espionage group active since at least January 2012. The profile says its targeting expanded from an early focus on South Korea to Japan, Vietnam, the Midd…
Qianxin profiles Kimsuky, also tracked as APT-Q-2, as a North Korea-linked threat group first publicly reported by Kaspersky in 2013 and active since at least 2012. The profile describes intelligence-collection operations focused primarily on South Korean…
AhnLab observed a suspected Kimsuky APT operation targeting a specific South Korean company, likely in precision manufacturing based on the decoy document. The lure used a VBS file named to appear as a PDF receipt for an SME technology innovation developme…
Mandiant assessed that North Korea’s cyber operations are largely run through the Reconnaissance General Bureau, with Lab 110 acting as the focal point for the Lazarus Group umbrella that includes TEMP.Hermit, APT38, and Andariel. The report maps DPRK cyb…
DeFiance Capital founder Arthur Cheong reported losing about $1.8 million in cryptocurrency and NFTs after a targeted social engineering attack compromised his hot wallet. Cheong said the likely entry point was a spear-phishing email that appeared to come…
ASEC confirmed that Kimsuky used coin-themed Word documents in an APT campaign observed on March 21, with three lures related to shareholder volume, asset-liability status, and a regular general meeting. The documents were based on legitimate Word files b…
An anonymous researcher scanned North Korea’s externally routed 175.45.176.0/22 address block after public discussion of P4x’s denial-of-service activity against DPRK internet assets. The scan found only 32 active IP addresses but identified exposed servi…
ESRC reported North Korean-linked phishing emails disguised as a Ministry of Unification inter-Korean relations daily log for February 2022. The campaign targeted North Korea-related experts and workers by spoofing official-looking sender identities and i…
ASEC observed an APT-style malicious Word document targeting a carbon-emissions specialist company on March 18, with the victim likely downloading a file named like a carbon-emissions research institute document through a web browser. The document was ass…
AhnLab observed malicious Windows Help files distributed to South Korean users inside compressed email attachments alongside document files, with CHM execution triggering hidden script creation and follow-on download activity. The CHM files displayed legi…