DBAPPSecurity’s Lieying Lab analyzed an APT37, also known as Group123/RedEyes/ScarCruft, espionage campaign using RokRAT against South Korean foreign-affairs targets. The source says the attackers delivered an ISO containing two heavily padded LNK files t…
AhnLab reported follow-on EDR tracking for RedEyes, also known as APT37 or ScarCruft, after the group distributed CHM malware disguised as security mail from a domestic financial company. The source describes malicious LNK files that contain PowerShell co…
AhnLab analyzed the 3CX supply-chain compromise from endpoint telemetry and observed related malware installs in South Korea on March 9 and March 15. The source describes malicious DLLs, ffmpeg.dll and d3dcompiler_47.dll, being loaded by the legitimate 3C…
DBAPPSecurity reported APT37 activity against South Korea’s foreign-affairs sector using an ISO image that contained two large padded LNK files. When opened, the LNKs dropped HWP decoys and BAT scripts, then PowerShell downloaded and decrypted the next st…
The Korean analysis attributes the macOS malware sample “Internal PDF Viewer” to BlueNorOff under Lazarus and describes it as RustBucket-like malware that communicates with command-and-control infrastructure to download and run additional payloads. The so…
DTrack is a backdoor that has been used by Andariel (aka StonedFly and Silent Chollima), a subset of Lazarus, for almost a decade in a wide variety of attacks, including deploying ransomware as well as espionage malware. We observed a Lazarus campaign, ac…
DOJ indictments and OFAC sanctions detailed how North Korean Foreign Trade Bank representative Sim Hyon Sop allegedly helped launder stolen cryptocurrency and IT-worker earnings for the DPRK. The alleged scheme used OTC traders Wu Huihui and Cheng Hung Ma…
AttackIQ released emulations of Kimsuky reconnaissance and espionage operations, reflecting activity against South Korean political, government, military, reunification, security, and nuclear power-related targets. The emulated chains include CHM files de…
Sangfor analyzes a Linux sample it says shares code traits with malware discussed in the 3CX supply-chain investigation and Lazarus Operation DreamJob reporting. The source cites Mandiant’s assessment that UNC4736 was linked to a Northeast Asian state and…
OFAC sanctioned Wu Huihui, Cheng Hung Man, and Sim Hyon Sop for facilitating DPRK cryptocurrency money laundering, and DOJ charged Sim in connection with money-laundering conspiracies. Chainalysis says Wu converted millions of dollars in stolen cryptocurr…
BBC’s Lazarus Heist episode “Crypto comrades” documents North Korea’s first cryptocurrency conference as a case study in the regime’s engagement with outside technology expertise. The source says eight technology experts attended and later regretted going…
U.S. prosecutors unsealed indictments charging North Korean Foreign Trade Bank representative Sim Hyon Sop with cryptocurrency money-laundering conspiracies that generated revenue for the DPRK. The source says Sim worked with OTC traders, including Wu Hui…
OFAC sanctioned Wu Huihui, Cheng Hung Man, and Sim Hyon Sop for supporting DPRK illicit finance tied to stolen virtual currency, fraudulent IT-worker revenue, and access to the international financial system. The text links Wu to converting virtual curren…
South Korea and the United States jointly designated North Korean national Sim Hyon Sop for supporting illicit cyber-enabled revenue activity tied to Pyongyang’s nuclear and missile programs. The source says Sim, associated with the UN-sanctioned Korea Kw…
Mandiant described the 3CX compromise as a double supply-chain attack that began with North Korean actors compromising Trading Technologies’ X_Trader software before moving into 3CX. The attackers allegedly signed tainted X_Trader builds with a Trading Te…