ASEC observed malicious OOXML Word documents distributed through channels such as KakaoTalk group chats, with filenames themed around North Korea, China, surveys, and diplomatic security specialists. The documents used template injection to fetch external…
2022: 296 reports
Pylos documents a domain-hunting pivot from suspicious mail-themed infrastructure into a broader set of domains assessed as possibly linked to an in-progress Kimsuky campaign. The activity centered on East Asian, especially South Korean, hosting and spoof…
When social engineering is combined with highly targeted spear phishing, it can be difficult to spot. ZINC (a sub-group of Lazarus) spent a lot of time during 2020 establishing a research blog and several Twitter profiles to interact …
NSHC’s September 2022 monthly threat-actor report summarizes multiple tracked clusters, including DPRK-relevant SectorA activity. SectorA01 targeted news and media workers with spear-phishing and messenger-delivered malware capable of system information c…
AhnLab reports malicious Word documents distributed through channels such as group chats and crafted to resemble legitimate Microsoft Office URLs. The documents used OOXML external template injection, with domains visually close to openxmlformats.org, ms-…
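The two AhnLab entries above describe the same delivery mechanism: a Word document whose `settings.xml` carries an `attachedTemplate` relationship with `TargetMode="External"`, pointing at a domain that visually resembles the legitimate OOXML schema or Microsoft hosts. The script below is an added example, not code from AhnLab or ASEC. It builds a constructed .docx in memory (the template URL uses the reserved `.example` TLD and is not an indicator from the report), then walks every `word/_rels/*.rels` part, lists external relationships, and flags hosts that carry a Microsoft or OOXML brand token without belonging to a small allowlist of legitimate registered domains. The allowlist and the two-label registered-domain heuristic are assumptions for the example, not a public-suffix-aware implementation.

```python
"""Scan an OOXML (.docx) for external template injection relationships."""
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")
HYPERLINK = ("http://schemas.openxmlformats.org/officeDocument/2006/"
             "relationships/hyperlink")
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
R_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"

# Brand tokens the lure domains imitate, and the registered domains that may
# legitimately carry them. Both lists are assumptions chosen for this example.
BRAND_TOKENS = ("openxmlformats", "microsoft", "office")
LEGIT_DOMAINS = {"openxmlformats.org", "microsoft.com", "office.com",
                 "office.net", "live.com"}


def registered_domain(host):
    """Last two DNS labels; adequate for the TLDs used here (no PSL lookup)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def is_lookalike(host):
    """A host that borrows a brand token but is not an allowlisted domain."""
    h = host.lower()
    if registered_domain(h) in LEGIT_DOMAINS:
        return False
    return any(tok in h for tok in BRAND_TOKENS)


def scan_docx(data):
    """Return every external relationship found under word/_rels/ in a .docx."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            if not (name.startswith("word/_rels/") and name.endswith(".rels")):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("TargetMode") != "External":
                    continue  # internal parts are not fetched over the network
                target = rel.get("Target", "")
                host = urlparse(target).hostname or ""
                findings.append({
                    "rels_file": name,
                    "id": rel.get("Id"),
                    # an external attachedTemplate is the injection primitive
                    "is_template": rel.get("Type") == ATTACHED_TEMPLATE,
                    "target": target,
                    "host": host,
                    "lookalike": is_lookalike(host),
                })
    return findings


def build_sample_docx(template_url):
    """Constructed minimal .docx with an external template and one hyperlink."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   "<Types xmlns='http://schemas.openxmlformats.org/package/"
                   "2006/content-types'/>")
        z.writestr("word/document.xml", f"<w:document xmlns:w='{W_NS}'/>")
        z.writestr("word/_rels/document.xml.rels",
                   f"<Relationships xmlns='{REL_NS}'><Relationship Id='rId1' "
                   f"Type='{HYPERLINK}' Target='https://www.example.com/' "
                   "TargetMode='External'/></Relationships>")
        # settings.xml references the template through r:id, rels hold the URL
        z.writestr("word/settings.xml",
                   f"<w:settings xmlns:w='{W_NS}' xmlns:r='{R_NS}'>"
                   "<w:attachedTemplate r:id='rId1'/></w:settings>")
        z.writestr("word/_rels/settings.xml.rels",
                   f"<Relationships xmlns='{REL_NS}'><Relationship Id='rId1' "
                   f"Type='{ATTACHED_TEMPLATE}' Target='{template_url}' "
                   "TargetMode='External'/></Relationships>")
    return buf.getvalue()


if __name__ == "__main__":
    # constructed look-alike host; .example is a reserved TLD, not a real IOC
    sample = build_sample_docx(
        "https://schemas.openxmlformats.example/2006/template.dotm")
    for f in scan_docx(sample):
        tag = "TEMPLATE" if f["is_template"] else "link"
        mark = "LOOKALIKE" if f["lookalike"] else "ok"
        print(f"{f['rels_file']} {f['id']} {tag:8} {mark:9} {f['target']}")
```

In triage, any external `attachedTemplate` deserves a look regardless of the host; the look-alike flag only ranks which ones to pull first. Ordinary hyperlinks in `document.xml.rels` are also external relationships, which is why the output separates the template relationship from links rather than alerting on every external target.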
DBAPPSecurity analyzes Konni activity targeting Eastern Europe and East Asia in mid-2022, including samples submitted from South Korea and Russia. The report links the activity through traffic patterns, targeting, and later-stage payloads, and notes that …
AhnLab analyzes a malicious Word document disguised as a CNA news questionnaire and related to earlier North Korea-themed Word lures. The password-protected document contains obfuscated VBA macros that create and execute VBScript, BAT, LNK, and PowerShell…
Kaspersky reported that Lazarus continued using the DTrack backdoor three years after its 2019 discovery, with telemetry showing activity in Europe, Latin America, the Middle East, Asia, and the United States. DTrack supports file upload, download, execut…
ESET’s T2 2022 APT Activity Report is a broad multi-actor survey that includes continued North Korea-aligned activity during the May–August 2022 reporting period. The report frames DPRK-linked operations alongside Russia-, China-, and Iran-aligned activit…
Microsoft’s CyberWarCon 2022 recap summarizes several threat-intelligence presentations, including a Microsoft and LinkedIn session on ZINC weaponizing open-source software. The source identifies ZINC as a North Korea-based actor and places the session wi…
U.S.-ROK Strategy for Enhancing Cooperation on Combating and Deterring Cyber-Enabled Financial Crime
CNAS frames North Korea as the leading state-sponsored cyber threat to the global financial sector, citing more than $1 billion in stolen digital assets from 2021 through June 2022. The report says Pyongyang's cybercrime shifted after 2015 toward cryptocu…
QuillAudits analyzed Deribit’s November 2022 hot-wallet compromise, in which attackers drained about $28 million from BTC, ETH, and USDC hot wallets. Deribit paused withdrawals, said client assets and cold-storage addresses were unaffected, and covered th…
Microsoft’s 2022 Digital Defense Report includes a North Korea-focused nation-state section that frames DPRK cyber capabilities around three regime goals. The report highlights North Korea-aligned interest in aerospace and defense targets, financial servi…
REKT covered Deribit’s $28 million hot-wallet theft from Ethereum and Bitcoin networks, including 6,968 ETH, 3.4 million USDC, and 691 BTC. Deribit said the loss would be covered by reserves, that most user funds were in cold storage, and that withdrawals…
NSHC’s September 2022 Threat Actor Group Intelligence Report summarizes activity from late August to late September, with SectorA groups prominent among observed operations. The report notes that SectorA01 targeted news and media personnel through spear p…