South Korean police accused a data-recovery company of colluding with suspected Lazarus operators under North Korea’s Reconnaissance General Bureau to profit from ransomware victims. Investigators said the company collected about 3.4 billion won from 778 …
« 2023 »
627 reports
AhnLab ASEC analyzed malicious Hangul documents aimed at people in defense, media, unification, education, and broadcasting related fields. One cluster used oversized embedded OLE objects to make nearly any click in the document trigger a connection to at…
Lazarus compromised a software vendor through unpatched legitimate software and continued exploiting that vendor’s software while targeting other software makers, suggesting interest in source code theft or supply-chain tampering. The campaign deployed SI…
The LASCON session abstract covers the 3CX software supply chain attack in which a VoIP vendor shipped malicious code to thousands of customers. Some affected customers later reported compromises inside their own environments. The abstract frames the inci…
The most active Lazarus scheme observed was Operation DreamJob, luring targets with fake job offers for lucrative positions. North Korea-aligned groups continued to focus on Japan, South Korea, and South Korea-focused entities, employing carefully crafted…
The presentation traces a North Korea-linked financially motivated intrusion against cryptocurrency targets, with Citrine Sleet activity used to show how attackers build trust through LinkedIn, Twitter, Telegram, and fake crypto organization sites. In the…
South Korea's National Intelligence Service warned that a North Korean hacking group was preparing to distribute a trojanized copy of a widely used domestic e-commerce app. The fake app closely matched the legitimate app's icon, functions, and file size, …
The VMConnect campaign used malicious PyPI packages that impersonated legitimate Python tools including vConnector, eth-tester, and databases. ReversingLabs found that VMConnect's __init__.py decoded and executed Base64 content, then entered a loop that c…
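The decode-then-execute behaviour attributed above to VMConnect's `__init__.py` is easy to catch statically in a package review. The checker below is an added example written for this page, not ReversingLabs' tooling and not the VMConnect payload itself; the module text it scans (`SAMPLE`) is constructed to mimic the described shape (decode a Base64 blob, `exec` it, then keep doing so inside a loop), and the `fetch()` name in it is a placeholder. It walks the Python AST, marks variables assigned from a `base64`-style decode call as tainted, and reports every `exec`/`eval` that consumes a decode result either inline or through such a variable, together with whether the call sits inside a loop.

```python
import ast

# Functions whose result we treat as "decoded payload" (assumption: these
# names are what a simple decode-and-run loader would call).
DECODERS = {"b64decode", "standard_b64decode", "urlsafe_b64decode",
            "b32decode", "b16decode", "a85decode", "b85decode", "decodebytes"}
# Functions that turn a string or bytes object into running code.
EXECUTORS = {"exec", "eval"}


def _call_name(call):
    """Return the bare function name for exec(...) or base64.b64decode(...)."""
    func = call.func
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute):
        return func.attr
    return None


def _has_decoder(node):
    """True if a decode call appears anywhere inside node."""
    return any(isinstance(sub, ast.Call) and _call_name(sub) in DECODERS
               for sub in ast.walk(node))


def find_decode_exec(source):
    """Return findings for exec/eval calls fed, directly or via a variable,
    by a base64-style decode call. Each finding records the line, the
    executor name, how the payload reached it ("inline-decode" or the
    tainted variable name) and whether the call sits inside a loop."""
    tree = ast.parse(source)

    # Pass 1: names assigned from a decode call are treated as tainted.
    tainted = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Assign) and _has_decoder(node.value):
            for target in node.targets:
                if isinstance(target, ast.Name):
                    tainted.add(target.id)

    # Line ranges of loops, so a finding can say whether the exec repeats.
    loops = [(n.lineno, n.end_lineno) for n in ast.walk(tree)
             if isinstance(n, (ast.For, ast.AsyncFor, ast.While))]

    # Pass 2: exec/eval whose arguments carry decoded data.
    findings = []
    for node in ast.walk(tree):
        if not (isinstance(node, ast.Call) and _call_name(node) in EXECUTORS):
            continue
        via = None
        if any(_has_decoder(arg) for arg in node.args):
            via = "inline-decode"
        else:
            for arg in node.args:
                for sub in ast.walk(arg):
                    if isinstance(sub, ast.Name) and sub.id in tainted:
                        via = sub.id
        if via is None:
            continue
        findings.append({
            "line": node.lineno,
            "call": _call_name(node),
            "via": via,
            "in_loop": any(lo <= node.lineno <= hi for lo, hi in loops),
        })
    return sorted(findings, key=lambda f: f["line"])


# Constructed sample module imitating the described loader shape; the
# Base64 string is a harmless placeholder and fetch() is hypothetical.
SAMPLE = """\
import base64, time
def _run():
    blob = base64.b64decode("cHJpbnQoJ2hpJyk=")
    exec(blob)
    while True:
        time.sleep(60)
        code = base64.b64decode(fetch())
        exec(code)
"""

if __name__ == "__main__":
    for finding in find_decode_exec(SAMPLE):
        print(finding)
```

Run it over every `__init__.py` and `setup.py` in a package before installing; a decode feeding `exec` inside a loop is the beaconing pattern worth escalating, while a decode that only feeds `json.loads` or similar produces no finding.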
The activities of the Andariel and Lazarus groups, which are believed to be backed by North Korea, have been observed outside their traditional conflict region in Korea. The HuiLoader variant used in the attacks is also being used by other Chinese threat …
AhnLab's August 2023 Kimsuky trend report says BabyShark activity rose sharply while FlowerPower, RandomQuery, and AppleSeed activity remained low. The source notes phishing samples in infrastructure previously associated with FlowerPower, RandomQuery, an…
Zero Day details how North Korean IT workers allegedly hid their identities to win remote developer jobs at U.S. and foreign companies and route the earnings back to North Korea's weapons programs. The workers used fake web profiles, stolen identity docum…
The Justice Department announced the seizure of 17 domains used by DPRK IT workers to pose as legitimate U.S.-based technology companies and obtain remote freelance work. The operation follows earlier seizures of about $1.5 million in revenue from the sam…
Microsoft observed two North Korean nation-state actors, Diamond Sleet and Onyx Sleet, exploiting CVE-2023-42793 in JetBrains TeamCity servers from early October 2023. Diamond Sleet used compromised infrastructure and PowerShell to deploy ForestTiger, sta…
The attacker employed a combination of loader, main trojan, and stealer infection chains similar to those used by the previous MATA cluster and updated each malware’s capabilities. The actors behind the attack used spear-phishing mails to target several v…
Financial Security Institute material presents Lazarus as a broad DPRK threat-actor ecosystem rather than a single cluster, tying the name to major cyber incidents and North Korean state activity. The excerpt maps naming conventions and overlaps across pu…