ESTsecurity summarizes North Korean cyber activity as a mix of financially motivated theft and intelligence collection against global targets, with emphasis on healthcare, defense, national-security, and cryptocurrency-related sectors. The article cites m…
2023 (627 reports)
South Korea's National Intelligence Service warned that North Korean hacking groups were impersonating domestic portal sites such as Naver and Kakao/Daum in phishing emails. Based on 2020-2022 statistics, NIS said email-based attacks accounted for 74 perc…
AhnLab observed malware distributed as an executable disguised with a Hancom Office document icon and named like a Korean-language column file, linking the activity to RedEyes/APT37 infrastructure. When executed, the malware copies itself under AppData as…
AhnLab observed reduced Kimsuky activity in March 2023 compared with February, with RandomQuery becoming the most active type ahead of AppleSeed and FlowerPower. FlowerPower began using Korean-language Punycode domains and free Korean hosting domains such…
OFAC and South Korea’s MOFA sanctioned North Korean entities and individuals tied to hacking support and overseas IT-worker revenue schemes on May 23, 2023. The source says the Technical Reconnaissance Bureau and 110th Research Center support units such a…
The source compiles huntable procedures mapped to Lazarus Group references in MITRE ATT&CK, while explicitly warning that the hunts are not proof of compromise or independent attribution. It highlights initial-access tradecraft such as DOCX phishing, RAR-…
South Korea and the United States announced coordinated measures against North Korean IT-worker revenue activity used to fund the regime's nuclear and missile programs. South Korea designated three North Korean entities and seven individuals linked to ove…
The Lazarus Group was designated by OFAC on September 13, 2019, as an agency, instrumentality, or controlled entity of the Government of North Korea pursuant to E.O. The DPRK-based Technical Reconnaissance Bureau leads the DPRK’s development of offensive …
AhnLab reports Lazarus attacks against vulnerable Windows IIS web servers in which malicious activity is launched through the w3wp.exe IIS worker process. The actor places Wordconv.exe, msvcr100.dll, and msvcr100.dat on the server, then uses DLL side-load…
SentinelLabs attributes an ongoing campaign to Kimsuky targeting North Korea-focused information services, human rights activists, and DPRK-defector support organizations. The campaign uses Korean phishing emails from Daum accounts and password-protected …
Genians analyzed an APT37 campaign that impersonated a North Korean human-rights organization to target South Korean individuals and organizations. The report maps the attack scenario from spear-phishing through LNK-based delivery, follow-on payload execu…
Sekoia.io analyzes Bluenoroff’s RustBucket activity as North Korea-nexus, financially motivated targeting of cryptocurrency, venture-capital, and related entities. The macOS chain installs a backdoored but functional PDF reader and requires a matching key…
ASEC describes Kimsuky attacks against a Windows IIS web server at a Korean construction company, shifting from the group’s usual document-based spear phishing to exploitation of poorly managed or unpatched web servers. After breaching the IIS process, th…
ASEC reports that Kimsuky created a webmail phishing site impersonating national policy research institutes to target North Korea-related personnel and organization leaders. The fake login page reused tactics seen in earlier Kakao and Naver credential-har…
The source analyzes a Kimsuky-linked LNK malware sample named Questionnaire.doc.lnk that uses a large shortcut file to hide embedded content and launch PowerShell instead of relying on Office macros. The command line searches for the malicious LNK, extrac…