ASEC observed attacks against Korean defense and manufacturing organizations in which a threat actor abused a Korean ERP solution and compromised Windows IIS web servers to deploy Xctdoor and XcLoader. The ERP case resembles earlier Andariel tradecraft fr…
2024
654 reports
Unit 42's actor reference identifies North Korean-attributed groups under the Pisces constellation, with activity spanning cyberespionage and financial crime across many industries. Jumpy Pisces is described as a Lazarus-linked DPRK nation-state actor tha…
An archived BLIN Analytics post links the DMM Bitcoin hack to hackers from the DPRK and says the same coinjoin service was used in the case. The post notes that the service did not fully obfuscate change outputs, which could leave useful traces for blockc…
Andariel, described as a Lazarus subgroup, is analyzed as exploiting vulnerabilities in centralized management solutions deployed by South Korean enterprises. The activity relied heavily on exposed administrator console ports and scanning for vulnerable software,…
A Kimsuky-attributed Windows LNK sample masqueraded as a lecture-request document for a Hanyang University professor, suggesting a social-engineering attempt against South Korean academic or policy-focused contacts. The shortcut executed hidden PowerShell…
Hauri reports Lazarus activity in which attackers posed as recruiters on LinkedIn and delivered malicious blockchain job-assignment projects through GitHub or Bitbucket to software developers. The NodeJS malware steals cryptocurrency wallets from browser …
Zscaler observed Kimsuky using a malicious Chrome extension named TRANSLATEXT for espionage against South Korean academia, especially researchers focused on North Korean political affairs. The campaign involved an archive lure translated as a review of a …
Nurilab analyzes Gomir, a Linux variant of the GoBear backdoor linked in the source to Kimsuky activity against South Korean organizations and companies. The malware checks for an "install" command-line argument and root privileges, then persists either a…
The North Korean cyber espionage group Kimsuky, also known as APT43, has ramped up its cyber operations, targeting South Korean entities, government agencies, and think tanks. The group specifically targets individuals by distributing malware disguised a…
SentinelLabs and Recorded Future described a secondary ransomware activity cluster that abused Jetico BestCrypt and Microsoft BitLocker against 37 organizations between early 2021 and mid-2023, mostly in U.S. manufacturing but also in education, finance, …
AhnLab analyzed HappyDoor, a Kimsuky backdoor first collected in 2021 and still observed in 2024 with patched versions, hard-coded version data, and recent samples labeled “happy” 4.2. The malware is distributed through spear-phishing attachments containi…
ALEX said forensic tracing produced substantial evidence linking the May XLink/ALEX exploit to Lazarus Group. The update says the exploit address 0x418e337774d26365efeaa4700e889a9746330c4e sent funds to 0x639F61cA3E0e3fDCd654DC4A22579e7382dEBeA3, which us…
Hunt observed XenoRAT distribution using gaming-themed .gg domains, a GitHub account posing as Roblox scripting tools, and a likely linked YouTube channel that instructed users to disable Windows Defender. The report notes prior links between XenoRAT and …
The Lazarus Group is believed to be a state-sponsored hacking group notorious for carrying out massive crypto heists over the years, targeting cryptocurrency platforms. In late 2023, Recorded Future estimated that North Korean state-backed hackers had sto…
ASEC observed attacks against South Korean defense and manufacturing organizations involving Xctdoor malware and activity assessed as similar to earlier Andariel use of compromised ERP update mechanisms. In the 2024 cases, attackers appear to have abused …