NSHC's September 2023 ThreatRecon report says SectorA activity was the most prominent in the collection period, with SectorA02, SectorA04, SectorA05, SectorA06, and SectorA07 observed. The SectorA section describes CHM files disguised with financial theme…
The write-up analyzes an APT37 CHM malware sample themed around South Korea's Armed Forces Financial Management Corps, suggesting a lure aimed at military finance personnel. The sample uses HTML Help content to invoke mshta.exe and contact attiferstudio.c…
360 Threat Intelligence Center analyzed APT-C-28, also known as ScarCruft, activity targeting South Korea with Chinotto components. The excerpt shows LNK-based delivery commands that extract Korean-language decoy documents and batch scripts from oversized…
Kimsuky used spear phishing attachments and download links to deliver archive files containing decoy documents and malicious LNK shortcuts, then unpacked BAT and VBS scripts for collection, persistence, and payload download. ASEC analyzed 2023 activity wh…
Kimsuky primarily uses spear-phishing to target individuals employed by government, research centers, think tanks, academic institutions, and news media organizations, including entities in Europe, Japan, Russia, South Korea, and the United States. Althou…
Sinbad was a key money laundering tool used by Lazarus Group — a sanctioned, state-sponsored group of cyber hackers of the Democratic People’s Republic of North Korea (DPRK). Cryptocurrency stolen by DPRK sponsored groups has been used to ultimately fund …
Recorded Future's Insikt Group assesses that North Korea has treated cryptocurrency theft as a major revenue source since shifting from SWIFT-focused financial intrusions toward crypto targets during the 2017 market boom. The report estimates about $3 bil…
Genians describes a Korea-focused APT case in which attackers approached targets with a fake foreign news interview request and delivered an HWP document containing a malicious OLE object. The activity used the FlowerPower tool family associated with Kims…
ASEC reports that Kimsuky distributed a malicious JSE file disguised as an import declaration to South Korean research institutes. The dropper contains obfuscated PowerShell, a Base64-encoded Nikidoor backdoor, and a decoy PDF that displays victim-specifi…
Australia's DFAT warned that DPRK IT workers pose as non-DPRK freelancers to win remote work and route revenue back to North Korea's weapons programs. The advisory says they use fake personas, proxy accounts, stolen identities, and forged documents across…
The U.S. Treasury's OFAC sanctioned Sinbad.io, describing it as a virtual-currency mixer used by North Korea's Lazarus Group to launder stolen funds. The release says Sinbad processed millions of dollars from Lazarus heists, including the Horizon Bridge a…
The source analyzes a Korean-language CHM malware sample assessed by the author as likely Kimsuky activity, disguised as real-estate registration information and a registration completion notice. The CHM launches VBScript that starts a hidden batch file, …
SentinelOne links two 2023 DPRK-aligned macOS campaigns, RustBucket and KandyKorn, and reports that SwiftLoader droppers are being reused to deliver KandyKorn payloads. RustBucket used PDF viewer lures and SwiftLoader to fetch later-stage Rust malware, wh…
ASEC reports that Andariel is suspected of exploiting Apache ActiveMQ CVE-2023-46604 to install malware on targeted systems. The activity delivered NukeSped and TigerRat backdoors, with follow-on commands observed for downloading additional payloads and e…
SECUi describes 2023 Kimsuky attacks in South Korea that used ZIP archives containing a decoy document and an LNK file disguised as a document to start reconnaissance malware. The LNK embeds obfuscated PowerShell, a lure document, and script modules; exec…