The CSW2022 Kimsuky presentation outlines the actor also known as Thallium and describes its targeting of South Korea, Japan, the United States, China, and sectors including government, diplomacy, defense, think tanks, NGOs, journalists, defectors, academ…
2022 (296 reports)
Kimsuky activity targeted the Russian Ministry of Foreign Affairs through email, using what ESRC assessed as a previously stolen Russian consulate account in Shenyang to attack the Russian consulate in Japan. The lure impersonated an embassy accounting de…
Appleseed v2.1 was delivered through a JavaScript loader disguised with a decoy document, double Base64-encoded payloads, and string-splitting obfuscation to evade detection. The loader drops an encoded Appleseed DLL under ProgramData, decodes it with cer…
Kaspersky describes a Kimsuky GoldDragon cluster campaign against South Korean media and think-tank targets, using spear-phishing emails that led victims to macro-enabled Word documents or Hangeul decoys tied to Korean Peninsula geopolitical themes. The i…
ESRC reported multiple attacks against South Korean defense-industry organizations during the ROK-U.S. joint military exercises that began on August 22, 2022. The activity used executable lures disguised as IP and MAC address lookup tools, double-extensio…
CyberOne analyzed the Linux version of Gwisin ransomware, a ransomware family reported to target Korean companies and to include victim-specific ransom notes warning against reporting to KISA. The sample stores RC4-encrypted JSON configuration that define…
SK Shieldus analyzes the Gwisin ransomware group as a Korea-focused operation that has targeted domestic medical, pharmaceutical, financial, and other enterprises since 2021, with no confirmed foreign victims at the time of reporting. The report maps the …
IronNet’s Black Hat NOC hunters observed numerous callouts from four unique hosts to three domains associated with SHARPEXT, malware that Volexity had linked to the North Korean APT Kimsuky, also tracked as SharpTongue. The finding occurred in a noisy con…
AhnLab analyzed a malicious Hangul document chain that uses VBScript downloaders and OLE-linked execution to stage additional files under %APPDATA% and Windows theme paths. The initial scripts retrieve content from datkka.atwebpages[.]com, datarium.epizy[…
ESRC reports a North Korea-linked hacking operation targeting PC users of KakaoTalk by impersonating KakaoPay with a lookalike account name. The attacker lowers suspicion with periodic event and service messages before sending a ZIP archive disguised as a…
SlowMist analyzed the Ronin Network exploit and the laundering of stolen funds from the March 2022 Axie Infinity sidechain breach. The attacker stole 173,600 ETH and 25.5 million USDC, worth about $610 million, by using compromised private keys to authori…
AhnLab reports malicious Word documents targeting individuals connected to North Korea and security affairs, with filenames crafted around unification, Korean Peninsula security, and named experts. The documents contain VBA macros matching a Kimsuky Word-…
Mandiant describes a method for clustering malicious Office Open XML documents by ZIP local-file-header metadata such as CRC-32 values, uncompressed sizes, and embedded file names. The DPRK-relevant example uses a YARA rule to detect OOXML documents carry…
DBAPPSecurity's Lieying Lab attributed a series of cryptocurrency-sector attacks to Lazarus, noting repeated activity against blockchain and cryptocurrency organizations and a recent attack on deBridge. The campaign used phishing emails with attachments o…
KISA/KrCERT’s Operation GWISIN report analyzes customized ransomware intrusions against Korean organizations through an ATT&CK-style TTP lens rather than simple IOC lists. The source describes GWISIN operators as showing strong knowledge of victim busines…