While tracking Dark Caracal’s activity, we discovered an ongoing campaign targeting public and private sector entities in multiple Spanish-speaking countries. We refer to the malicious campaign of attacks that leverage both Owowa and the email-based intru…
2023 (627 reports)
AhnLab details Kimsuky activity in which presumed spear phishing led to BabyShark installation and later deployment of RDP-control tooling on compromised Windows systems. The group used scripts and loaders such as hwp.bat, k.ps1, OneNote.vbs, pow.ps1, and…
AhnLab attributes Operation Dream Magic to Lazarus exploitation of a MagicLine vulnerability in a watering hole campaign. The group followed the same model AhnLab observed in earlier INISAFE activity: malicious links inserted into selected news articles, …
SentinelOne's macOS malware review includes DPRK-linked RustBucket as an example of targeted social engineering against organizations using Apple systems. The campaign used a business-deal pretext and "confidential" PDF documents that pushed victims to in…
Genians tracks Operation DarkHorse, a CHM-based phishing campaign distributed by email and followed under that operation name after repeated detections since the previous year. The activity initially used virtual-asset and game-server development themes i…
AhnLab describes Kimsuky intrusions that use presumed spear phishing to install BabyShark and then add RDP-focused tooling for hands-on control of infected Windows systems. The activity includes hwp.bat, PowerShell keylogging through k.ps1 and OneNote.vbs…
A Korean malware analysis links a Kakao Bank security-mail-themed LNK file to Konni, a cluster associated with Thallium/APT37 and possibly Kimsuky. The shortcut drops a fake security-mail HTML file into the user temp directory, extracts a ZIP into C:\User…
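The LNK dropper chain summarized above is the kind of artifact an analyst wants to triage without double-clicking it. As an added example (not code from the cited analysis), here is a minimal parser for the MS-SHLLINK shortcut format that pulls the target path and command-line arguments out of the StringData section and flags the behaviours the summary describes: hidden-window scripting, writes to the user temp directory, and archive extraction. The sample shortcut is constructed in code; its PowerShell target and argument string are assumptions for illustration, not the actual Konni sample.

```python
"""Minimal MS-SHLLINK (.lnk) triage: parse the header, skip the optional
LinkTargetIDList and LinkInfo blocks, decode StringData, and flag dropper-like
command lines. Added example; the sample shortcut is constructed, not real."""
import struct

# LinkCLSID as stored on disk: {00021401-0000-0000-C000-000000000046}
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# StringData sections appear in this fixed order, each present only if its flag is set.
STRING_FIELDS = [
    ("name", HAS_NAME),
    ("relative_path", HAS_RELATIVE_PATH),
    ("working_dir", HAS_WORKING_DIR),
    ("arguments", HAS_ARGUMENTS),
    ("icon_location", HAS_ICON_LOCATION),
]

# Hypothetical triage indicators modelled on the behaviour described in the summary.
INDICATORS = [
    ("hidden window", ("-w hidden", "-windowstyle hidden")),
    ("writes to user temp", ("$env:temp", "%temp%", "\\temp\\")),
    ("unpacks an archive", ("expand-archive", ".zip")),
    ("encoded command", ("-enc ", "-encodedcommand")),
]


def parse_lnk(data: bytes) -> dict:
    """Return the flags and any StringData fields; raise ValueError on malformed input."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C:
        raise ValueError("bad HeaderSize")
    if data[4:20] != LNK_CLSID:
        raise ValueError("bad LinkCLSID")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 76
    if flags & HAS_LINK_TARGET_ID_LIST:          # IDListSize (2 bytes) + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                    # LinkInfoSize counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    unicode = bool(flags & IS_UNICODE)
    out = {"flags": flags}
    for key, bit in STRING_FIELDS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]  # CountCharacters, no terminator
        pos += 2
        nbytes = count * 2 if unicode else count
        raw = data[pos:pos + nbytes]
        if len(raw) != nbytes:
            raise ValueError(f"truncated {key}")
        out[key] = raw.decode("utf-16-le" if unicode else "cp1252")
        pos += nbytes
    return out


def triage(rec: dict) -> list:
    """List the indicator labels whose needles appear in the shortcut's arguments."""
    args = (rec.get("arguments") or "").lower()
    return [label for label, needles in INDICATORS if any(n in args for n in needles)]


def _string_data(s: str) -> bytes:
    return struct.pack("<H", len(s)) + s.encode("utf-16-le")


def build_lnk(target_relpath: str, arguments: str, working_dir: str = "") -> bytes:
    """Construct a well-formed Unicode shortcut with an empty IDList (test input only)."""
    flags = HAS_LINK_TARGET_ID_LIST | HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    if working_dir:
        flags |= HAS_WORKING_DIR
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags,
                         0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)  # ShowCommand = SW_SHOWNORMAL
    body = b"\x02\x00\x00\x00"                   # IDListSize=2, TerminalID only
    body += _string_data(target_relpath)
    if working_dir:
        body += _string_data(working_dir)
    body += _string_data(arguments)
    return header + body


# Constructed sample mimicking the described chain: drop an HTML decoy to %TEMP%,
# then unpack an archive under the user profile. Paths and names are assumptions.
SAMPLE_LNK = build_lnk(
    r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    r'-w hidden -c "Copy-Item .\notice.html $env:TEMP; '
    r'Expand-Archive .\bundle.zip -DestinationPath $env:USERPROFILE"',
)

if __name__ == "__main__":
    rec = parse_lnk(SAMPLE_LNK)
    print("target :", rec.get("relative_path"))
    print("args   :", rec.get("arguments"))
    print("triage :", triage(rec))
```

The parser deliberately stops at StringData; the ExtraData blocks that follow (and that some droppers use to hide a second payload) are not needed to recover the command line, which is the first thing to read when a shortcut arrives as an e-mail attachment.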
SharkTeam profiles Lazarus as a North Korean financial-threat actor with BlueNorOff/APT38 focused on SWIFT and cryptocurrency theft and Andariel focused on South Korean targets. The report reviews Lazarus tradecraft across spear-phishing, watering-hole co…
LABYRINTH CHOLLIMA is presented as a prolific DPRK threat group tied to intelligence collection, currency generation, and high-profile, state-sponsored operations. The slides describe a custom implant set across Windows, Linux, macOS, and Android, includin…
Objective by the Sea material presents a macOS-focused RustBucket reversing case in the context of Lazarus and BlueNoroff activity. The talk describes Lazarus as a North Korean state-sponsored group active on macOS and BlueNoroff as a financially motivate…
AhnLab analyzes Lazarus-linked Volgmer backdoor activity and the later Scout downloader, showing how the group evolved tooling used for post-compromise control of infected systems. Volgmer was used from at least 2014 through around 2021, commonly installe…
AhnLab attributes Operation Dream Magic to Lazarus activity that abused a MagicLine software vulnerability in a watering hole campaign. The group reused a pattern seen in earlier INISAFE exploitation: malicious links placed in selected news articles, vuln…
ASEC reported that Magniber ransomware distribution stopped after August 25, following the introduction of blocking rules for the malware's injection technique. The pause was unusual because Magniber had normally resumed distribution within two weeks to a month, often with a …
NSHC's August 2023 monthly threat actor report says SectorA activity was the most frequently observed in its collection period, with operations seen against government and finance targets and a focus on East Asia. The DPRK-relevant SectorA section describes f…
Mandiant assesses that North Korea's cyber program has shifted toward a more flexible structure where DPRK-aligned groups share tooling, targeting, and personnel across espionage and financial operations. The report links this change to post-2020 pressure…