Reaper, also tracked as APT37, InkySquid, RedEyes, ScarCruft, and Group123, is described as using a malicious HWP-themed lure related to South Korea's twentieth presidential election and election-observer recruitment. The report frames the actor as a Nort…
Vedalia, also known as Konni, is described as using oversized LNK files in a malware campaign intended to hide the real shortcut extension and frustrate casual analysis. The report notes double extensions, excessive whitespace, and shortcut content design…
Plainbit analyzed a paymentconfirmation.chm sample that used a normal-looking help window to hide script execution through hh.exe, cscript, VBS, batch files, and PowerShell. The CHM unpacked files under C:\Users\Public\Libraries, registered emlmanager.vbs…
WIRED profiles Alejandro Caceres, also known as P4x, who says he disrupted North Korea’s public internet infrastructure in 2022 after North Korean operators targeted him and other U.S. security researchers. The article describes his use of custom programs…
While strategic spear-phishing campaigns targeting researchers who study the Korean Peninsula remained a constant trend, North Korean threat actors appeared to make greater use of legitimate software to compromise even more victims. Since our last report …
Moreover, the RAT’s command-and-control (C2) infrastructure serves as a conduit for hosting newer variants of known Lazarus implants, such as TigerRAT. In September 2022, cybersecurity researchers at Cisco Talos made a significant discovery: a new Remote …
Hauri reports a spear-phishing operation assessed as likely Kimsuky activity in which an attacker impersonated the South Korean Embassy in China to target a Seoul National University professor. The operator conducted natural back-and-forth email communica…
A North Korean npm supply chain campaign used Python post-infection scripts against developers instead of relying only on malicious DLL delivery. The malicious Frontend.zip package retrieved an obfuscated main script that created a .n2 directory, then dow…
NSHC's January 2024 ThreatRecon report lists SectorA as the most active DPRK-relevant group family in a broad monthly roundup of 26 hacking groups. SectorA01 used malware disguised as PuTTY against targets in countries including Spain, the United States, …
Plainbit analyzes a North Korea-linked RokRAT infection chain delivered in a ZIP archive containing a same-named LNK file disguised as an HWP document. The shortcut runs cmd.exe and PowerShell, hides the command window with user32.dll calls, splits embedd…
A Kimsuky-attributed RAR archive used a Korean Embassy in China policy-meeting theme to lure likely embassy or policy-related personnel into running a shortcut file disguised with an HWP-style document icon. The LNK launches hidden PowerShell, extracts em…
Cointelegraph reports that Solana-based Telegram trading bot Solareum shut down after a security breach, funding problems, and changing market conditions. The exploit enabled wallet drainers to steal more than 2,800 SOL, worth about $520,000, from more th…
KRCERT warns that hacking groups are abusing Microsoft Compiled HTML Help files in malicious email campaigns. The source says attackers use North Korea-related questionnaire themes to attract targets, then induce recipients to open attached CHM files. Whe…
The Chinese-language analysis attributes activity to Kimsuky and describes exploitation of ConnectWise ScreenConnect CVE-2024-1708 and CVE-2024-1709 to deploy ToddlerShark, a newer variant related to BabyShark and ReconShark. After gaining access to Scree…
NSHC's February 2024 ThreatRecon report identifies SectorA activity as the DPRK-relevant portion of a broader multi-actor monthly roundup. SectorA01 used malware disguised as UltraVNC in Vietnam, Germany, and the United States, while SectorA05 used a trad…