AhnLab explains how attackers use Windows Remote Desktop Protocol for initial access, lateral movement, and persistence after obtaining credentials or enabling remote desktop services. The report cites ransomware and APT cases where attackers used RDP dir…
2022 (296 reports)
AhnLab reviews how attackers abuse legitimate remote administration tools and malicious RATs to take control of infected systems. The report distinguishes backdoors, remote shells, Remote Access Trojans, and normal tools such as AnyDesk and TeamViewer tha…
BBC’s “Lazarus Heist live” is a special episode of the Lazarus Heist series recorded with an audience in New York. The source excerpt supplies only the event-style episode description and surrounding series listings, not a technical case study or indicato…
IGLOO analyzed non-document-based malware used by North Korean attack groups in the first half of 2022, focusing on NukeSped and attacks abusing INITECH processes. The excerpt describes NukeSped as a Lazarus backdoor installed against domestic companies, …
AhnLab observed Lazarus using DLL side-loading during early intrusion activity to run malicious code through legitimate Microsoft binaries, including wsmprovhost.exe and dfrgui.exe. The intrusion chain involved an older INITECH process distributing the sc…
NSHC observed five SectorA groups active in August 2022, with activity seen across East Asia, Europe, the United States, India, Singapore, Russia, Korea, and other regions. SectorA01 distributed malware disguised as cryptocurrency exchange engineering rec…
ESET’s T2 2022 threat report flags Lazarus activity within a broader threat landscape review, including an Operation In(ter)ception campaign against macOS users. The DPRK-linked section says the malware was disguised as a Coinbase cryptocurrency-platform …
ESET attributes 2021 attacks in the Netherlands and Belgium to Lazarus with high confidence, citing malware modules, a code-signing certificate, and overlap with Operation In(ter)ception and Operation DreamJob tradecraft. The campaign used Amazon-themed f…
ESET documents FudModule, an 88,064-byte user-mode DLL used in a Lazarus attack on a corporate endpoint in the Netherlands in October 2021. The module was delivered alongside other Lazarus-attributed tools such as HTTP(S) backdoors, downloaders, and uploa…
When compared to other APTs using BYOVD, this Lazarus case is unique in that it possesses a complex bundle of ways to disable monitoring interfaces that had so far never been seen in the wild. In our session we dive into a deep technical analysis of a malicious com…
Microsoft attributed a 2022 social-engineering campaign to ZINC, a North Korea-based group now tracked as Diamond Sleet, targeting employees in media, defense and aerospace, and IT services organizations in the US, UK, India, and Russia. The operators bui…
The Belfer Center's 2022 National Cyber Power Index evaluates how thirty states demonstrate cyber capability and intent across national objectives. Its framework treats cyber power as broader than destructive operations, including espionage, resilience, s…
A network of fake LinkedIn profiles impersonated CISO roles at major companies including Chevron, ExxonMobil and Biogen, causing search engines and downstream data brokers to surface fabricated security-leadership identities as if they were real. The repo…
ESRC reported a Konni-attributed campaign using a malicious Word document disguised as cryptocurrency partnership news about Coinone and KakaoBank. The lure reused a real September 2022 article and applied remote template injection to contact word2022.c1.…
Unit 42 used unsigned-DLL hunting to surface APT activity, including a North Korean cluster it tracks as Selective Pisces, also known as Lazarus Group, ZINC, or APT-C-26. In the DPRK-linked case, MagicLine4NX.exe from DreamSecurity dropped unsigned module…
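Both the AhnLab DLL side-loading summary (signed Windows binaries such as wsmprovhost.exe and dfrgui.exe hosting malicious code) and the Unit 42 unsigned-DLL hunting summary come down to the same telemetry question: which unsigned DLLs are being loaded, by which process, and from where. The script below is an added example of that hunt over Sysmon Event ID 7 (Image Loaded) records; it is not code from AhnLab, Unit 42, or any vendor. The events are constructed, the DLL file names are hypothetical, and the expected-home table only contains the two Windows binaries the AhnLab summary names.

```python
"""Hunt DLL side-loading candidates in Sysmon Event ID 7 (Image Loaded) records.

Added example. Field names (Image, ImageLoaded, Signed, Signature, SignatureStatus)
follow Sysmon's Event ID 7 schema; all events, paths and DLL names below are
constructed for the demo.
"""
from pathlib import PureWindowsPath

# Signed Windows binaries named in the AhnLab summary as side-loading hosts, with the
# directory they normally live in. Extend this table for your own environment.
EXPECTED_HOME = {
    "wsmprovhost.exe": r"c:\windows\system32",
    "dfrgui.exe": r"c:\windows\system32",
}

# Constructed sample telemetry (not real events). Only the fields used here are kept.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\wsmprovhost.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    {"Image": r"C:\Users\Public\wsmprovhost.exe",            # relocated Windows binary
     "ImageLoaded": r"C:\Users\Public\hypo_side.dll",        # hypothetical DLL name
     "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable"},
    {"Image": r"C:\ProgramData\Tmp\dfrgui.exe",
     "ImageLoaded": r"C:\ProgramData\Tmp\hypo_side.dll",
     "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable"},
    {"Image": r"C:\Program Files\VendorApp\app.exe",         # ordinary third-party app
     "ImageLoaded": r"C:\Program Files\VendorApp\helper.dll",
     "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable"},
]


def _parent(path: str) -> str:
    return str(PureWindowsPath(path).parent).lower()


def _name(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def loaded_dll_unsigned(ev: dict) -> bool:
    """In Event ID 7 the Signed/SignatureStatus fields describe the *loaded* image."""
    return ev.get("Signed", "").lower() != "true" or ev.get("SignatureStatus") != "Valid"


def score_event(ev: dict) -> list[str]:
    """List the side-loading indicators a single image-load event exhibits."""
    reasons: list[str] = []
    if not loaded_dll_unsigned(ev):
        return reasons  # validly signed DLL: out of scope for this hunt
    proc, dll = ev["Image"], ev["ImageLoaded"]
    proc_dir, dll_dir = _parent(proc), _parent(dll)
    # Classic pattern: the unsigned DLL sits beside the EXE in a writable location.
    if dll_dir == proc_dir and not proc_dir.startswith(r"c:\windows"):
        reasons.append("unsigned DLL loaded from the host EXE's own directory outside C:\\Windows")
    # Corroboration: a known Windows binary running from somewhere other than its home.
    home = EXPECTED_HOME.get(_name(proc))
    if home and proc_dir != home:
        reasons.append(f"{_name(proc)} running from {proc_dir!r} instead of {home!r}")
    return reasons


def hunt(events: list[dict]) -> list[dict]:
    """Return one finding per event that shows at least one indicator."""
    findings = []
    for ev in events:
        reasons = score_event(ev)
        if reasons:
            findings.append({"process": ev["Image"], "dll": ev["ImageLoaded"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f["process"], "->", f["dll"])
        for r in f["reasons"]:
            print("   ", r)
```

The fourth sample event shows the main triage cost: plenty of legitimate vendor software ships unsigned helper DLLs next to its executable, so the single-reason findings need an allowlist or prevalence data, while a relocated Microsoft binary loading an unsigned DLL from the same directory (two reasons) is worth an immediate look. A copy of the binary under a user-writable path is also visible in Event ID 1 (Process Create) and Event ID 11 (File Create), which give an independent pivot.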