VirusTotal expanded on Mandiant’s reporting about UNC4034, activity assessed as likely related to a North Korean actor and possibly an extension of Operation Dream Job. The campaign used job-offer social engineering, beginning with an Amazon-themed email …
2022 (296 reports)
AhnLab describes Gwisin ransomware intrusions in which attackers compromised externally exposed servers and used them as footholds to distribute ransomware inside victim networks. The report says the actors appeared to scan exposed web servers and attempt…
Kaspersky confirmed a 2022 Maui ransomware incident and expanded the known timeline to April 15, 2021, with targets in Japan and India. The excerpt says CISA attributed Maui activity to North Korean state-sponsored actors, while Kaspersky found no useful …
QiAnXin’s mid-year 2022 APT report reviews global state-linked cyber activity, including Chinese-language coverage of Korean Peninsula-related actors, Russia-Ukraine cyber operations, and vulnerability exploitation trends. The report notes that 2022 activ…
FDD’s monograph analyzes how North Korea has developed cyber operations as Kim Jong Un’s “all-purpose sword” for regime survival, revenue, espionage, and coercion. It describes financially motivated cybercrime against banks and cryptocurrency exchanges, r…
AhnLab reports AppleSeed malware distribution against organizations related to nuclear power plants. The attack used spear-phishing and document-themed lures to deliver malware associated with Kimsuky-style operations, with AppleSeed functioning as a back…
ESRC reports a North Korea-linked phishing campaign that impersonated South Korea’s Korea National Diplomatic Academy and abused Google Forms as a lure. The attackers used diplomatic or policy-themed content to persuade targets to open a fake survey or do…
AhnLab ASEC analyzed Magniber ransomware’s rapid evolution across May–September 2022 as the operators changed file formats, execution flows, injection behavior, and UAC-bypass techniques to evade detection. Samples were distributed as MSI, CPL, JSE, JS, a…
S2W Talon identified three Android malware families—FastFire, FastViewer, and FastSpy—while tracking Kimsuky mobile operations. The APKs disguise themselves as Google Security Plugin or Hancom Office Viewer; FastFire uses Firebase Cloud Messaging for comm…
AhnLab describes a Lazarus intrusion case in which the actor used a Bring Your Own Vulnerable Driver technique to disable security products before deploying malware. The activity is connected to earlier Lazarus malware abusing INITECH-related processes, b…
The laundered assets include over $450 million stolen by the North Korea-based 'Lazarus Group', which was sanctioned by the US government in 2019. Tornado Cash is an open-source, non-custodial, decentralized cryptocurrency mixer that runs on the Ethereum blockc…
ESRC analyzes Trojan.Android.AgentNK, a malicious Android app believed to have been produced by the Konni group and used for cryptocurrency-focused espionage and theft. The app reuses code, strings, C2 command-handling logic, and data-storage filenames se…
AhnLab analyzes Amadey Bot malware distributed as a fake KakaoTalk update during public concern over Kakao service disruptions. The initial executable used the messenger program’s name and icon, recursively relaunched itself, injected into its own process…
Japan's National Police Agency warned that the Lazarus cyber-attack group, assessed as subordinate to North Korean authorities, had been targeting cryptocurrency-related businesses and exchanges. The advisory cites UN, FBI, CISA, and Treasury reporting an…
ESRC warns of a North Korea-linked campaign targeting professors in aviation, diplomacy, security, and defense with lures disguised as thesis-review requests and honorarium payments. The attackers first approached victims with benign-looking emails, then …