The reverse-engineering write-up details the SuperBear RAT used in a campaign against civil society groups, focusing on the AutoIt stage and the injected Windows payload. The AutoIt script was compiled and packed, then used process hollowing to inject a d…
ReversingLabs identified three malicious PyPI packages, tablediter, request-plus, and requestspro, as a continuation of the VMConnect supply-chain campaign with links to Labyrinth Chollima, a Lazarus Group offshoot. The packages impersonated popular Pytho…
AhnLab describes recent attacks assessed as linked to Andariel, a Lazarus-affiliated group that has targeted Korean corporations, universities, logistics, ICT, defense, political, shipbuilding, energy, and communications organizations. The 2023 activity i…
ScarCruft targeted South Korean financial institutions, universities, and individual users with ZIP/RAR lures that delivered Chinotto PowerShell backdoors or an InfoStealer. The campaign used Korean financial and insurance themes, including encrypted deco…
Kaspersky observed the Gopuram backdoor in the 3CX supply-chain attack and connected the campaign to Lazarus with medium to high confidence after finding links to earlier AppleJeus and cryptocurrency-targeting activity. Gopuram was deployed to fewer than …
The KBS report examines how North Korean hacking and cryptocurrency theft fund weapons programs despite long-running international sanctions. It cites U.S. Senate and intelligence testimony that North Korean hackers stole about $3 billion in cryptocurrenc…
360 Threat Intelligence Center reports that APT-C-55/Kimsuky used Korean-language domains in a multi-stage malware campaign. The initial LNK payload decrypted and dropped a VBS script, which downloaded additional VBS code, created a scheduled task for per…
The HITB/KrCERT slide deck describes Lazarus large-scale infection operations in 2022-2023 that abused Korean financial-security software and compromised media infrastructure for drive-by compromise and malware propagation. The excerpt links initial acces…
The Korean analysis attributes a VBS malware sample named Consent Form_Princeton Study.vbs to Kimsuky and documents hashes for the script. The malware opens a Princeton-themed Google Drive lure while collecting battery and process information, checking fo…
Knownsec 404 analyzed malicious CHM samples using Korean-language decoys themed around insurance, securities, finance, and communications bills, with targeting directed at South Korea. The CHM attack chain decompiled itself, released files under a public …
Knownsec 404 analyzed Korean-language CHM samples themed around insurance, securities, finance, and communications bills and assessed that they targeted South Korea. The CHM chain decompiled itself, dropped and executed a JSE script, downloaded alg.exe, a…
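The Kimsuky LNK-to-VBS chain with scheduled-task persistence and the Knownsec CHM-to-JSE chain above share a telemetry shape: a script host launched from a user-writable path, schtasks.exe spawned by that script host, and a dropped executable run from the same directory. The following is an added detection example, not code from any of the reports listed here. The event field names, the rule names, the sample paths and PIDs are all constructed for illustration, and the use of `hh.exe -decompile` as the CHM self-extraction step is an assumption about how such chains usually surface in process-creation logs rather than a detail taken from the Knownsec analysis.

```python
"""Flag LNK/CHM -> script host -> persistence chains in process-creation events."""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Windows Script Host binaries that run .vbs/.jse payloads.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Directories an unprivileged user (or a dropper) can write to.
USER_WRITABLE = re.compile(r"\\(Temp|AppData|Downloads|Public|ProgramData)\\", re.IGNORECASE)
SCRIPT_EXT = re.compile(r"\.(vbs|vbe|jse|js|wsf)\b", re.IGNORECASE)


@dataclass
class ProcEvent:
    """Minimal process-creation record (field names are assumed, e.g. Sysmon EID 1)."""
    pid: int
    image: str
    cmdline: str
    parent_image: str


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_event(ev: ProcEvent) -> List[str]:
    """Return the list of rule names that match a single event."""
    hits: List[str] = []
    img = basename(ev.image)
    parent = basename(ev.parent_image)
    cmd = ev.cmdline

    # Rule 1: script host executing a script that lives in a user-writable directory.
    if img in SCRIPT_HOSTS and SCRIPT_EXT.search(cmd) and USER_WRITABLE.search(cmd):
        hits.append("script_host_user_writable")

    # Rule 2: scheduled task created by a script host (persistence step of the VBS chain).
    if img == "schtasks.exe" and re.search(r"(?i)/create\b", cmd) and parent in SCRIPT_HOSTS | {"mshta.exe"}:
        hits.append("schtasks_from_script_host")

    # Rule 3: CHM help viewer decompiling an archive, or spawning a script host / shell.
    if img == "hh.exe" and re.search(r"(?i)-decompile\b", cmd):
        hits.append("chm_decompile")
    if parent == "hh.exe" and img in SCRIPT_HOSTS | {"cmd.exe", "powershell.exe"}:
        hits.append("chm_spawns_script_host")

    # Rule 4: script host launching a dropped executable from a user-writable path.
    if parent in SCRIPT_HOSTS and img.endswith(".exe") and img not in SCRIPT_HOSTS and USER_WRITABLE.search(ev.image):
        hits.append("script_host_spawns_dropped_exe")
    return hits


def detect(events: List[ProcEvent]) -> List[Tuple[int, str]]:
    """Run every rule over every event; returns (pid, rule) pairs."""
    return [(ev.pid, rule) for ev in events for rule in check_event(ev)]


# Constructed sample telemetry: five malicious-looking events and two benign ones.
SAMPLE_EVENTS = [
    ProcEvent(101, r"C:\Windows\System32\wscript.exe",
              r'wscript.exe "C:\Users\victim\AppData\Local\Temp\update.vbs"',
              r"C:\Windows\explorer.exe"),
    ProcEvent(102, r"C:\Windows\System32\schtasks.exe",
              r'schtasks.exe /create /sc minute /mo 30 /tn "WindowsUpdate" '
              r'/tr "wscript.exe C:\Users\victim\AppData\Local\Temp\update.vbs"',
              r"C:\Windows\System32\wscript.exe"),
    ProcEvent(103, r"C:\Windows\hh.exe",
              r'hh.exe -decompile C:\Users\victim\AppData\Local\Temp\out C:\Users\victim\Downloads\bill.chm',
              r"C:\Windows\explorer.exe"),
    ProcEvent(104, r"C:\Windows\System32\wscript.exe",
              r'wscript.exe "C:\Users\victim\AppData\Local\Temp\out\run.jse"',
              r"C:\Windows\hh.exe"),
    ProcEvent(105, r"C:\Users\victim\AppData\Local\Temp\alg.exe",
              r"C:\Users\victim\AppData\Local\Temp\alg.exe",
              r"C:\Windows\System32\wscript.exe"),
    ProcEvent(106, r"C:\Windows\System32\notepad.exe", "notepad.exe", r"C:\Windows\explorer.exe"),
    ProcEvent(107, r"C:\Windows\System32\schtasks.exe", "schtasks.exe /query",
              r"C:\Windows\System32\services.exe"),
]

if __name__ == "__main__":
    for pid, rule in detect(SAMPLE_EVENTS):
        print(f"pid {pid}: {rule}")
```

Rule 1 on its own is noisy in environments that run logon scripts from ProgramData; the chain is the signal, so in practice the findings would be grouped by process tree and only trees that trigger two or more rules escalated.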
Cisco Talos observed Lazarus Group compromising internet backbone infrastructure in Europe and targeting healthcare entities in the United States by exploiting CVE-2022-47966 in ManageEngine ServiceDesk. The attackers used the vulnerability shortly after …
Talos links Lazarus Group activity exploiting CVE-2022-47966 in ManageEngine ServiceDesk to the deployment of CollectionRAT, alongside QuiteRAT and other tools hosted on reused infrastructure. CollectionRAT is a Windows RAT that fingerprints infected syst…
OFAC sanctioned Tornado Cash co-founder Roman Semenov for allegedly providing material support to Tornado Cash and the DPRK-linked Lazarus Group, while DOJ unsealed related money-laundering and sanctions charges against Tornado Cash founders. Treasury sta…
NSHC ThreatRecon’s June 2023 intelligence report identifies SectorA activity as the most prominent threat-actor category in the collection period and describes five SectorA groups active across South Korea and other countries. SectorA01 abused remote-code…