Hauri warns that malicious emails impersonated a specific North Korean defector and targeted North Korean human-rights civic organizations. The lure used a ZIP attachment containing a Windows CHM help file about difficulties and activation measures for No…
2023 (627 reports)
360 attributed a Korea-targeted malicious document campaign to APT-C-28, also known as ScarCruft or APT37, based on its RokRat payload and similarity to earlier public reporting. The captured Korean-language lure masqueraded as a payment application form;…
Theori ChainLight analyzed the April 2023 GDAC exchange theft and assessed that the attacker may have compromised internal API infrastructure rather than simply stealing private keys. The report highlights unusual sweep transactions from many user deposit…
ESRC warned that a North Korea-sponsored hacking group was abusing oversized LNK files in Korean-themed attacks after earlier Fair Trade Commission impersonation activity. The lures used current political and social topics such as the Washington Declarati…
S2W TALON analyzed AlphaSeed, a suspected Kimsuky malware family found on VirusTotal in May 2023 and named from the internal path E:/Go_Project/src/alpha/naver_crawl_spy/. The sample is assessed with high confidence as a Go implementation related to Apple…
BoanNews reports a dispute between South Korea's National Election Commission and the National Intelligence Service over whether recent hacking emails, malware infection, and email compromise notifications were tied to North Korean activity. The NEC said …
AhnLab observed Lazarus targeting poorly managed or vulnerable Windows IIS web servers by using the IIS worker process w3wp.exe to stage Wordconv.exe with a malicious msvcr100.dll and msvcr100.dat in the same directory. The malicious DLL used DLL side-loa…
DCSO describes “Jupiter,” a previously little-documented PureBasic malware family it attributes to Andariel, a North Korean Lazarus subgroup. The malware has appeared sporadically since 2020, including an OSPREY-signed sample tied to an attempted attack o…
The Wezard4u analysis describes a Kimsuky-linked malicious Google Chrome extension used to steal email content from Gmail and potentially other Chromium-based browsers. The extension masquerades as “AF” or “Advanced Font,” requests broad permissions for t…
ASEC reports that Kimsuky built a phishing site copying the webmail portal of a South Korean government-funded research institute. As in earlier fake Naver and Kakao login pages targeting trade, media, and North Korea-related people and organizations, the…
Reaper, also known as APT37, used newer delivery TTPs to deploy RokRAT against South Korea-focused targets. The campaign delivered ZIP archives containing oversized LNK files masquerading as PDF documents, alongside benign files, through energy-sector and…
ASEC reports that Kimsuky attacked a South Korean architectural firm’s Windows IIS web server, likely exploiting an unpatched or poorly managed server to run PowerShell through w3wp.exe. The attacker downloaded a Metasploit Meterpreter backdoor from 45.58…
TeamT5’s Operation Clairvoyance presentation is primarily a broad study of APT espionage against media organizations, with detailed case material on Taiwan-focused and China-nexus activity. The DPRK-relevant evidence in the provided excerpt is limited to …
JPCERT/CC documents continued DangerousPassword, also known as CryptoMimic or SnatchCrypto, activity against cryptocurrency exchanges in Japan. Recent intrusion patterns include LinkedIn job-themed outreach delivering RAR-packed CHM files, OneNote attachm…
BlueNoroff used the multistage RustBucket malware to target macOS systems in financially motivated operations. The first stage is an unsigned Internal PDF Viewer.app AppleScript that requires the victim to override Gatekeeper, then retrieves a signed seco…