IBM X-Force reports that ITG10, whose TTPs overlap APT37 and ScarCruft, likely ran an April 2023 phishing campaign against South Korean government, communications, education, think-tank, dissident, and foreign-policy targets. The campaign used ZIP attachm…
Elliptic assesses with high confidence that North Korea’s Lazarus Group was responsible for the theft of at least $35 million in cryptoassets from Atomic Wallet users. The attribution is based on laundering behavior that closely matches prior Lazarus thef…
Recorded Future’s Insikt Group identified a TAG-71 cluster from September 2022 to March 2023 that spoofed financial institutions and venture capital firms in Japan, Vietnam, and the United States. The activity closely overlaps public reporting on North Ko…
SentinelLabs has been tracking a social engineering campaign by the North Korean APT group Kimsuky targeting experts in North Korean affairs, part of a broader campaign discussed in a recent NSA advisory. Kimsuky, a suspected North Korean advanced persi…
Elliptic’s Investigations Team has traced funds from the $35 million Atomic Wallet hack to Sinbad.io, a mixer used to launder over $100 million in cryptoassets stolen by North Korea’s Lazarus Group. Previous Elliptic research revealed that Sinbad has been…
360 attributes with medium confidence an APT-C-55/Kimsuky campaign that used Korean-language artifacts and a birthday-greeting CHM lure to target South Korea. Execution of the CHM loaded remote VBS and PowerShell stages, created a WindowsAppCertification …
South Korea’s Ministry of Foreign Affairs sanctioned the North Korea-based Kimsuky group on June 1, 2023 and listed two Bitcoin addresses as identifiers, alongside a joint advisory with South Korean and U.S. agencies on related cyber-espionage activity. C…
AhnLab summarizes the ROK-US joint cybersecurity advisory on Kimsuky spear-phishing and links it to ASEC-observed campaigns against researchers, think tanks, academia, media, journalists, North Korea policy specialists, and related targets. The source emp…
South Korea and the United States issued a joint advisory on Kimsuky and South Korea separately designated the group under its DPRK sanctions program. The release says Kimsuky has collected intelligence from diplomatic, security, defense, academic, media,…
NSA and U.S./ROK partners warn that DPRK state-sponsored actors tracked as Kimsuky, THALLIUM, or VELVETCHOLLIMA use social engineering and malware to collect intelligence from think tanks, academia, news media, and other targets. The advisory says the act…
AhnLab reports RedEyes/APT37-related malware distributed as a Hancom Office-like executable named “Who and What Threatens the World (Column).exe.” On execution it creates an AppData onedrivenew folder, copies itself as onedrivenew.exe, opens a decoy Hanco…
The Korean write-up analyzes a Konni-linked PowerPoint sample attributed by the source to a North Korean hacking group associated with Thallium/APT37 and possibly Kimsuky. The lure masquerades as a PPTX file but contains VBA that displays a fake PowerPoin…
ThreatMon analyzes RokRAT, a remote access trojan used in a recent attack attributed by the source to APT37, also known as Reaper or Group123. The malware begins by collecting victim-system data, uses IsDebuggerPresent and GetTickCount for anti-analysis c…
Sophos profiles NICKEL HYATT as a North Korea-linked subgroup of NICKEL ACADEMY active since at least 2009, associated with aliases such as Andariel, APT45, Onyx Sleet, Stonefly, Jumpy Pisces, and Silent Chollima. The group has targeted financial institut…
Sophos profiles NICKEL FOXCROFT as a North Korea-linked espionage group that targets South Korean individuals and organizations focused on North Korea reporting, Korean peninsula geopolitics, and defector support. The profile maps the group to aliases inc…