Lazarus continued Operation In(ter)ception against cryptocurrency-sector targets by shifting macOS job-lure decoys from Coinbase-themed vacancies to Crypto.com positions. The Crypto.com variant used a Mach-O first-stage dropper that created a WifiPreferen…
2022 (296 reports)
Trellix describes an experimental malware-comparison method that converts binaries into audio and frequency spectra, then checks whether the sound profile reflects code similarities seen in traditional reversing. The DPRK-relevant section applies the meth…
AhnLab's report analyzes Lazarus rootkit malware that uses a bring-your-own-vulnerable-driver technique to obtain kernel-level capabilities. The PDF frames the case as part of Lazarus activity tracked by ASEC against South Korean defense, satellite, softw…
NSHC ThreatRecon's July 2022 monthly report observed four SectorA groups active during the collection period, with activity in South Korea, Japan, England, the United States, Austria, Russia, Malaysia, Poland, Czech Republic, and Israel. The DPRK-relevant…
Mandiant identified UNC4034 using a fake Amazon job opportunity to move a media-industry victim from email to WhatsApp and deliver a malicious ISO named amazon_assessment.iso. The ISO contained a trojanized PuTTY executable and a Readme with connection de…
Kimsuky targeted South Korean entities during a period of U.S.-South Korea military exercises, using PIF, HWP, DOC and macro-enabled lure files to deliver malware. The activity used PIF executables disguised with PDF icons, Korean DRM-encrypted decoy docu…
We estimate that so far in 2022, North Korea-linked groups have stolen approximately $1 billion of cryptocurrency from DeFi protocols. This marks the first time ever that cryptocurrency stolen by a North Korean hacking group has been seized, and we’re con…
Cisco Talos observed Lazarus Group activity from February to July 2022 against energy providers in the United States, Canada, Japan and other regions, assessing the campaign as North Korean state-sponsored espionage aimed at long-term access and data thef…
GERA reported that its token security was compromised after a private key leak allowed attackers to transfer ownership of the token smart contract deployer to another address. The attackers created two additional smart contracts, minted 2,179,340,915.1246…
This attribution is based on tactics, techniques and procedures (TTPs), malware implants and infrastructure overlap with known Lazarus campaigns. Cisco Talos has discovered a new remote access trojan (RAT), which we are calling "MagicRAT," that we are att…
The UN Panel of Experts midterm report said North Korea accelerated missile activity in the first half of 2022, including 31 launches that combined ballistic and guidance technologies and six ICBM tests. It also reported continued sanctions evasion throug…
NSHC’s July 2022 ThreatRecon report summarizes activity from 31 threat actor groups observed between June 21 and July 20, with SectorJ, SectorA, and SectorE accounting for prominent portions of the activity. The SectorA section reports four groups: Sector…
IGLOO analyzes document-based malware activity linked in the source to North Korean attack groups active in the first half of 2022, including Kimsuky and Lazarus. The activity used spear-phishing themes such as defector-related surveys, disaster donation …
Avertium describes sustained 2022 North Korean threat activity involving Lazarus/APT38, H0ly Gh0st, PLUTONIUM and Kimsuky across cryptocurrency, ransomware and espionage operations. Lazarus activity cited from CISA used social engineering and trojanized c…
A malicious Hangul document disguised as a profile or personal-information form used embedded OLE objects and hidden hyperlinks to launch copied Windows binaries from the Temp directory. Clicking form fields executed a local LNK that ran a renamed mshta b…