KrCERT published emergency threat mitigation guidance for OfficeKeeper servers after suspicious uploaded PHP files and abnormal storage behavior were identified. Administrators are advised to inspect /home/storage/ and OfficeKeeper storage paths for web s…
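The guidance above amounts to hunting for server-side scripts that should never exist under an upload or storage tree. The Python below is an added example, not code from KrCERT or the OfficeKeeper vendor, of the two checks an administrator would run over such a path: any PHP-executable extension under the storage root is a finding on its own, and any file (whatever its extension) that feeds request input into an execution sink, optionally through a decode/inflate wrapper, has the classic web shell shape. The file names and contents in SAMPLES are constructed for illustration; the /home/storage/ prefix is the one named in the advisory.

```python
import os
import re
from pathlib import Path
from typing import Iterable

# Extensions that common PHP handler configurations will execute.
SCRIPT_EXTENSIONS = {".php", ".php3", ".php4", ".php5", ".phtml", ".phar"}

# Execution sinks, request-controlled sources, and decode wrappers typical of web shells.
SINKS = re.compile(
    r"\b(eval|assert|system|passthru|shell_exec|exec|popen|proc_open)\s*\(", re.I)
SOURCES = re.compile(r"\$_(GET|POST|REQUEST|COOKIE|SERVER)\b|php://input", re.I)
OBFUSCATION = re.compile(
    r"\b(base64_decode|gzinflate|gzuncompress|str_rot13|hex2bin)\s*\(", re.I)


def assess_file(path: str, content: bytes) -> list[str]:
    """Return the reasons a file in a storage path looks like an uploaded web shell."""
    reasons = []
    name = Path(path).name.lower()
    suffix = Path(path).suffix.lower()
    # A script in a storage path is suspicious regardless of what it contains;
    # "shell.php.jpg" style double extensions are included because some
    # handler configurations still execute them.
    if suffix in SCRIPT_EXTENSIONS or any(ext + "." in name for ext in SCRIPT_EXTENSIONS):
        reasons.append("server-side script in storage path")
    text = content.decode("latin-1")  # byte-preserving decode so binary files do not raise
    if SINKS.search(text) and SOURCES.search(text):
        reasons.append("execution sink fed by request input")
    if SINKS.search(text) and OBFUSCATION.search(text):
        reasons.append("decode wrapper around execution sink")
    return reasons


def scan(files: Iterable[tuple[str, bytes]]) -> dict[str, list[str]]:
    """Scan (path, content) pairs; return only the files with findings."""
    findings = {}
    for path, content in files:
        reasons = assess_file(path, content)
        if reasons:
            findings[path] = reasons
    return findings


def scan_directory(root: str) -> dict[str, list[str]]:
    """Walk a real storage tree (e.g. /home/storage/) and scan every file in it."""
    def walk():
        for dirpath, _, filenames in os.walk(root):
            for fn in filenames:
                full = os.path.join(dirpath, fn)
                with open(full, "rb") as fh:
                    yield full, fh.read()
    return scan(walk())


# Constructed sample uploads (not real artifacts from the advisory).
SAMPLES = [
    ("/home/storage/uploads/report.pdf", b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n1 0 obj\n"),
    ("/home/storage/uploads/img.php", b"<?php @eval($_POST['c']); ?>"),
    ("/home/storage/uploads/cache.phtml",
     b"<?php eval(gzinflate(base64_decode($_POST['z']))); ?>"),
    ("/home/storage/uploads/notes.txt", b"<?php system($_GET['cmd']); ?>"),
    ("/home/storage/uploads/photo.php.jpg", b"\xff\xd8\xff\xe0 JFIF"),
]

if __name__ == "__main__":
    for path, reasons in scan(SAMPLES).items():
        print(path, "->", "; ".join(reasons))
```

The content checks are deliberately loose (they match on names, not parsed PHP), so treat hits as triage input; the extension check, by contrast, should never fire on a healthy storage tree and is the one worth alerting on directly.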
The article profiles Lazarus Group as a North Korean state-sponsored hacking organization linked to the Reconnaissance General Bureau and tracked under aliases such as APT38 and Hidden Cobra. It traces the group from early disruptive operations, including Sony Pictures…
A Black Hat Asia briefing abstract describes a recruiting-themed intrusion that delivered an ISO file through email attachments, malicious links, and WhatsApp Web messages after a victim received a job offer. The attack chain used undocumented loaders to …
Avast found a Lazarus campaign that targeted selected individuals in Asia through fabricated job offers, using rapport-building before delivering a malicious ISO disguised as a VNC tool. The ISO executed a legitimate Windows choice.exe binary to sideload …
ENKI says a North Korea-linked attempt against its security researcher used social engineering around Chrome exploit collaboration to deliver an MHTML lure named Chrome_85_RCE_Full_Exploit_Code.mht. The file was crafted to push the victim toward Internet …
Lazarus Group's Operation Sharpshooter targeted more than 80 organizations, especially in finance, energy, and defense, during activity reported between October and November 2018. The campaign used a malicious Microsoft Office document to deploy the Risin…
APT43 is reported using a multi-stage attack chain that abuses Dropbox cloud storage and deploys TutorialRAT as part of activity linked to the BabyShark campaign lineage. The source highlights lures impersonating policy meetings, advisory sessions, survey…
SlowMist summarizes how the March 2024 UN Security Council sanctions report used its AML analysis of DPRK-linked cryptocurrency thefts. The excerpt says North Korea's Reconnaissance General Bureau and actors including Kimsuky, Lazarus Group, Andariel, and…
Proofpoint describes TA427, also tracked as Emerald Sleet, APT43, THALLIUM, or Kimsuky, running information-gathering campaigns against experts on US and South Korean foreign policy. Since 2023 the group has used benign conversation starters about nuclear…
Konni is reported to be using a malicious LNK file disguised as a Hangul Word Processor document about North Korean internal market controls and price trends. The source says the file is designed to look like an HWP attachment, but execution launches PowerShell…
The macOS-focused analysis explains how adversaries can abuse Apple’s Transparency, Consent, and Control database, Full Disk Access, APFS snapshots, Finder permissions, and social engineering to weaken endpoint privacy protections. Its DPRK-relevant secti…
Kimsuky targeted the Embassy of the Republic of Korea in China with a malicious Windows shortcut disguised as a familiar document. The LNK runs hidden PowerShell, locates a hardcoded shortcut size, extracts embedded bytes, launches the dropped payload, an…
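Both the Konni and the Kimsuky lures above are Windows shortcuts that launch hidden PowerShell and then read a payload out of the shortcut file itself. A shortcut has a fixed layout (MS-SHLLINK: a 76-byte header, optional LinkTargetIDList, LinkInfo, StringData and ExtraData, closed by a TerminalBlock), so anything after the TerminalBlock is not part of the shortcut and is where such payloads live. The Python below is an added example, not code from either report, that walks that structure, extracts the command-line arguments (where the PowerShell stub sits), and carves the appended bytes. The sample shortcut and payload bytes are constructed, and the argument string is a placeholder, not the actors' command.

```python
"""Carve data appended after the end of a Windows Shell Link (.lnk) structure."""
import struct

HEADER_SIZE = 0x4C
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
# LinkFlags (MS-SHLLINK 2.1.1)
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80
# StringData entries appear in this fixed order when their flag is set.
STRING_FLAGS = (HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON_LOCATION)


def parse_shell_link(data: bytes) -> dict:
    """Walk the Shell Link structure; return decoded strings and the offset where it ends."""
    if (len(data) < HEADER_SIZE or data[:4] != struct.pack("<I", HEADER_SIZE)
            or data[4:20] != LINK_CLSID):
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:          # IDListSize (2 bytes) + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                    # LinkInfoSize counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    char_size = 2 if flags & IS_UNICODE else 1
    strings = {}
    for flag in STRING_FLAGS:                    # CountCharacters (2 bytes) + chars, no terminator
        if flags & flag:
            count = struct.unpack_from("<H", data, pos)[0]
            raw = data[pos + 2: pos + 2 + count * char_size]
            # Assumption: non-Unicode strings use the system's ANSI code page (cp1252 here).
            strings[flag] = raw.decode("utf-16-le" if char_size == 2 else "cp1252", errors="replace")
            pos += 2 + count * char_size
    while True:                                  # ExtraData blocks: BlockSize includes itself
        if pos + 4 > len(data):
            raise ValueError("truncated ExtraData")
        block_size = struct.unpack_from("<I", data, pos)[0]
        if block_size < 4:                       # TerminalBlock: 4 bytes with value < 4
            pos += 4
            break
        pos += block_size
    return {"flags": flags, "arguments": strings.get(HAS_ARGUMENTS, ""), "end": pos}


def carve_appended_payload(data: bytes) -> tuple[int, bytes]:
    """Return (offset, bytes) of whatever trails the legitimate shortcut structure."""
    end = parse_shell_link(data)["end"]
    return end, data[end:]


def build_sample_lnk(arguments: str, payload: bytes = b"") -> bytes:
    """Constructed minimal .lnk: header + COMMAND_LINE_ARGUMENTS + TerminalBlock + appended bytes."""
    flags = HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I", HEADER_SIZE) + LINK_CLSID + struct.pack(
        "<IIqqqIIIHHII",
        flags, 0x20,            # LinkFlags, FileAttributes (FILE_ATTRIBUTE_ARCHIVE)
        0, 0, 0,                # Creation/Access/Write times
        0, 0, 1,                # FileSize, IconIndex, ShowCommand (SW_SHOWNORMAL)
        0, 0, 0, 0)             # HotKey, Reserved1..3
    string_data = struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le")
    terminal_block = struct.pack("<I", 0)
    return header + string_data + terminal_block + payload


# Constructed sample: a placeholder PowerShell argument string and a fake appended blob.
SAMPLE_ARGS = "-NoProfile -WindowStyle Hidden -Command <placeholder>"
SAMPLE_PAYLOAD = b"MZ" + b"\x90" * 16 + b"constructed payload, not a real binary"

if __name__ == "__main__":
    lnk = build_sample_lnk(SAMPLE_ARGS, SAMPLE_PAYLOAD)
    info = parse_shell_link(lnk)
    offset, blob = carve_appended_payload(lnk)
    print("arguments:", info["arguments"])
    print(f"structure ends at {offset}, {len(blob)} appended bytes, magic {blob[:2]!r}")
```

A clean shortcut returns an empty carve, so the same routine doubles as a triage filter over a directory of .lnk files: a non-zero tail, or an argument string that invokes powershell.exe, is the thing to look at. The "hardcoded shortcut size" in the Kimsuky summary is the lure's own way of finding itself on disk; the structural walk here does not depend on it, so it works on variants that change the padding.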
AttackIQ summarizes Lazarus Group Operation In(ter)ception as a 2019 campaign that used LinkedIn and email job lures from fake HR representatives at companies such as Collins Aerospace and General Dynamics. Victims received password-protected RAR archives…
The podcast describes ScarCruft as a North Korean state-backed hacking unit focused on espionage against journalists, dissidents, cybersecurity experts, and organizations that report on North Korea. Daily NK, a Seoul-based outlet with defectors on staff a…
Andariel activity is reported to involve abuse of MeshAgent as command-and-control tooling against South Korean companies. The source says the operators downloaded a MeshAgent C2 component named fav.ico from an external source and used lateral-movement ac…
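A C2 component fetched under a name like fav.ico relies on nobody checking that the file is actually an icon. The Python below is an added example, not code from the Andariel report, of the content-versus-extension check that catches this: it validates the ICONDIR header for real icons and the DOS-header-to-"PE\0\0" chain for executables, then flags any image-extension file whose content is a PE. The file names, paths and bytes are constructed; the MeshAgent binary itself is not reproduced.

```python
import struct

IMAGE_EXTENSIONS = (".ico", ".cur", ".jpg", ".jpeg", ".png", ".gif", ".bmp")


def is_pe(data: bytes) -> bool:
    """True if data has an MZ DOS header whose e_lfanew points at a PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def is_ico(data: bytes) -> bool:
    """True if data has a plausible ICONDIR: reserved 0, type 1 (icon), and room for its entries."""
    if len(data) < 6 or data[:4] != b"\x00\x00\x01\x00":
        return False
    count = struct.unpack_from("<H", data, 4)[0]
    return count >= 1 and len(data) >= 6 + 16 * count


def classify(data: bytes) -> str:
    if is_pe(data):
        return "pe"
    if is_ico(data):
        return "ico"
    return "unknown"


def find_masquerading_images(files) -> list[str]:
    """Return paths whose extension claims an image but whose content is a PE executable."""
    return [path for path, data in files
            if path.lower().endswith(IMAGE_EXTENSIONS) and is_pe(data)]


def build_fake_pe() -> bytes:
    """Constructed minimal PE-shaped blob (DOS header, e_lfanew = 0x40, PE signature)."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    dos[0x3C:0x40] = struct.pack("<I", 0x40)
    return bytes(dos) + b"PE\x00\x00" + b"\x00" * 20


def build_ico() -> bytes:
    """Constructed 1-entry icon: ICONDIR + one 16-byte ICONDIRENTRY + placeholder image bytes."""
    icondir = struct.pack("<HHH", 0, 1, 1)
    entry = struct.pack("<BBBBHHII", 16, 16, 0, 0, 1, 32, 64, 22)
    return icondir + entry + b"\x00" * 64


# Constructed sample files; the fav.ico name comes from the report summary, the paths do not.
SAMPLES = [
    ("C:\\ProgramData\\fav.ico", build_fake_pe()),
    ("C:\\inetpub\\wwwroot\\favicon.ico", build_ico()),
    ("C:\\Tools\\agent.exe", build_fake_pe()),
    ("C:\\Users\\Public\\note.txt", b"hello"),
]

if __name__ == "__main__":
    for path, data in SAMPLES:
        print(f"{path}: {classify(data)}")
    print("masquerading:", find_masquerading_images(SAMPLES))
```

The check is cheap enough to run over every file written by a browser, curl-style download, or script interpreter in an EDR pipeline; a PE under an image extension in a user-writable path is a high-confidence indicator regardless of which agent it turns out to be.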