296 reports
South Korean government agencies issued a joint advisory warning companies to strengthen identity checks to avoid hiring North Korean IT workers using false nationality or identity claims. The source says these workers earn large overseas IT revenues, may…
ESRC analyzed Operation EvilPlane, a document-based APT campaign using files containing South Korean users’ personal information and attributed the activity to the Konni organization linked to North Korea’s Reconnaissance General Bureau. The malicious DOC…
Google TAG reported that North Korean government-backed APT37 exploited CVE-2022-41128, an Internet Explorer JScript zero-day, through malicious Office documents targeting users in South Korea. The campaign used an Itaewon tragedy-themed document that fet…
KBS reported that malicious mobile apps used in voice-phishing schemes against South Koreans were linked by government authorities to a North Korean IT organization member selling the tools to Chinese criminal groups. The demonstration video showed an ope…
Microsoft investigated DEV-0139 activity targeting cryptocurrency investment companies through carefully prepared Telegram social engineering. The actor joined VIP cryptocurrency exchange communication groups, impersonated OKX-linked contacts, and moved e…
KISA/KrCERT lists TTPs #9, a report on ScarCruft attack strategies for monitoring individuals’ daily lives. The web page itself mainly provides metadata and a link to the full Notion-hosted report rather than detailed technical content in the archived tex…
Malwarebytes summarized Volexity’s reporting on a Lazarus Group AppleJeus campaign targeting cryptocurrency users and organizations. The activity used the fake BloxHolder cryptocurrency application and a cloned HaasOnline-themed website at bloxholder[.]co…
ESRC reports a North Korea-linked spear-phishing operation targeting diplomacy, security, and unification specialists with academic-conference discussion and paper-request lures. The operators first sent benign-looking emails, then followed up only with r…
Volexity analyzed Lazarus Group activity targeting cryptocurrency users and organizations with a new AppleJeus variant. The campaign used the registered domain bloxholder[.]com to host a HaasOnline clone branded as BloxHolder and distributed BloxHolder_v1…
ESET identified Dolphin, a previously undocumented ScarCruft/APT37 backdoor deployed only to selected victims after earlier-stage compromise. The 2021 attack chain used a watering-hole compromise of a South Korean online newspaper, an Internet Explorer ex…
360 Threat Intelligence Center attributes an attack to APT-C-55, also known as Kimsuky, that used IBM Security Trusteer Rapport as a lure to deliver BabyShark-related components. The malicious ISO contained a BAT script and a legitimate-looking installer;…
QiAnXin RedDrip reports a Lazarus campaign using a VHD disk image themed around Japanese Mizuho Bank recruitment information. The lure presents a Job Description PDF while a loader executes from the disk image, copies and decrypts a DLL payload, loads it …
TeamT5's talk describes CloudDragon as a North Korean Kimsuky subgroup that runs espionage and cybercrime operations against policymakers and related organizations. The transcript focuses on a credential factory workflow built around phishing, proxy mirro…
The INSS report describes North Korea’s shift since the mid-2010s toward financially motivated cyber operations against banks, cryptocurrency exchanges, wallets, and related services to generate foreign currency under sanctions. It cites ransomware, bank …
AhnLab ASEC analyzed a password-protected Word document named CNA[Q].doc, disguised as a Singapore CNA news survey and themed around North Korea-related content. The document relied on a malicious VBA macro that prompted the user to enable content, then d…