AhnLab reports that RedEyes, also known as APT37, ScarCruft, and Reaper, targeted individuals such as North Korean defectors, human-rights activists, and university professors in May 2023. The attack chain began with spear-phishing that paired a password-…
APT37/Reaper, also known as Group123, Inky Squid, RedEyes, ScarCruft and Ricochet Chollima, is described as using mfc100.dll malware in a May 2023 infection chain focused on South Korean political and organizational targets. The source says the campaign u…
ESTsecurity reported NCSC joint-analysis findings that a state-backed hacking organization was distributing malware disguised as legitimate installers, including a fake Korea Internet & Security Agency security update. The observed file used the name KISA…
The joint analysis group of AhnLab and South Korea’s National Cyber Security Center reported malware distributed as a fake security update installer by a state-backed hacking group. The malicious installer was built with Inno Setup and contained an install_scrip…
AhnLab’s April 2023 APT groups report is a broad monthly roundup, but its DPRK-relevant sections highlight Kimsuky, Lazarus, and RedEyes/APT37 activity rather than the unrelated Russian and other actor coverage. For Kimsuky, ASEC noted AppleSeed execution…
AhnLab’s April 2023 Kimsuky trend report says observed Kimsuky activity fell to less than half of March’s volume, but the group continued to show changes across FlowerPower, RandomQuery, and AppleSeed operations. FlowerPower continued using Korean-domain …
AhnLab observed RedEyes/APT37-linked activity compromising multiple South Korean websites built by the same web production company and using them to distribute malware or host web shells. The affected sites spanned sectors including manufacturing, trade, …
AhnLab summarizes the June 2023 Korea-US advisory on North Korea’s Kimsuky group and ties it to ASEC’s earlier response cases. The advisory from South Korean and US agencies warned that Kimsuky uses social engineering against global think tanks, academia,…
NSHC’s 2022 SectorA activity review describes seven subgroups conducting information-collection and financially motivated operations, with SectorA05, SectorA06, and SectorA01 appearing most active. The DPRK-relevant targeting centered heavily on South Kor…
NSHC’s April 2023 ThreatRecon report says SectorA remained the most active cluster set and documents five SectorA subgroups operating across South Korea, Ukraine, Europe, North America, and Asia. SectorA01 conducted a supply-chain attack against a VOIP pr…
NSHC’s March 2023 ThreatRecon report identifies SectorA as the most active cluster set and documents five SectorA subgroups operating during the month. SectorA01 used cryptocurrency-exchange VIP-fee promotion lures to deliver malicious Excel macros that d…
AhnLab reports that Lazarus exploited vulnerabilities in South Korean financial and enterprise security software, expanding beyond previously abused INISAFE CrossWeb EX and MagicLine4NX to VestCert and TCO!Stream zero-days. The group used watering-hole ac…
Plainbit analyzed two Bitcoin addresses publicly associated with Kimsuky in the June 2023 Korea-US joint advisory and traced their transaction behavior with QLUE. One address received small payments mostly from Upbit-linked sources and later sent change t…
South Korean police attributed a 2022 malicious email campaign against security, diplomacy, unification, and defense experts to a North Korean hacking organization commonly tracked as Kimsuky. The attackers impersonated unification and security experts du…