Secui STIC reports an APT37-style LNK campaign that used a North Korea-themed contribution article lure to deliver RokRAT. The ZIP archive contained normal PDF decoys and a malicious LNK file; when opened, the shortcut launched hidden PowerShell, extracte…
Symantec attributes the DEEP#GOSU campaign to Springtail, also known as Kimsuky or Thallium. The attack chain uses .LNK files, embedded PowerShell, and VBScript stagers to download payloads hosted on Dropbox. The final malware combines infostealer and bac…
Rapid7 attributes a recent wave of activity with moderate confidence to Kimsuky, also known as Black Banshee or Thallium, and frames it as an updated espionage playbook. The activity uses CHM help files delivered in containers such as ISO, VHD, ZIP, or RA…
Andariel is described exploiting Korean asset management solutions during lateral movement to deploy AndarLoader and ModeLoader against Korean companies. The activity includes abuse of MeshAgent for remote control, Mshta-based retrieval of the JavaScript …
AhnLab reports that Kimsuky distributed a dropper disguised as a Korean public institution installer, signed with a valid domestic certificate, to deploy the Endoor backdoor. The dropper creates src.rar and unrar.exe, extracts the payload with the passwor…
Securonix tracks DEEP#GOSU as a multi-stage campaign likely associated with Kimsuky and aimed at South Korean victims. The infection chain begins with a ZIP-delivered PDF-themed LNK file that extracts and opens an embedded Korean PDF lure while running Po…
Cyberpoking publishes a YARA rule for the SiennaPurple variant of H0lyGh0st ransomware, an actor and malware family described as having ties to the DPRK-nexus Lazarus group. The rule matches strings from SiennaPurple binaries, including a PDB path, ransom…
360 Advanced Threat Research Institute analyzes a RandomQuery espionage campaign attributed to APT-C-55, also known as Kimsuky. The attack begins with phishing emails that deliver a fake HTML file and RAR archive containing an LNK shortcut and decoy docum…
A YARA rule identifies a Lazarus-linked malicious DLL sample shared in March 2024, keyed to SHA-256 5289529957d52c9d5fc2e47aa9924fd1de21b902509dee0241d5d6b056733a94. The rule looks for Windows internet settings strings, SeDebugPrivilege, AutoConfigURL, HT…
AhnLab describes browser credential theft behavior by infostealers and includes a DPRK-relevant Andariel example. The Andariel-built command line tool targeted Chrome, Firefox, Internet Explorer, Opera, and Naver Whale, printed extracted credentials to th…
Elliptic reports that more than $12 million in ETH from the November 2023 HTX and HECO Bridge theft moved through Tornado Cash on March 13 and 14, 2024, across more than 40 transactions. Elliptic and others attribute the $100 million theft to Lazarus Grou…
Genians analyzes a Konni APT campaign using Bitcoin market interest and virtual-asset exchange themes to deliver malware in South Korea. The attack distributes a ZIP containing a decoy PDF and a malicious LNK disguised as a DOCX personal-information conse…
The source analyzes a Kimsuky sample named like a Korean software security checklist for developers, using a double extension to make a VBScript look like an Excel macro file. The VBScript creates shell and file-system objects, writes large Base64 payload…
ESTsecurity ESRC reports a Kimsuky spear-phishing campaign that impersonated a private policy researcher in South Korea's diplomacy and security community. The email targeted a person at a national defense-related organization with a policy-advisory reque…
AhnLab ASEC reports that Andariel has continued attacks against South Korean companies by abusing domestic asset-management solutions to deploy malware. The campaign uses AndarLoader and ModeLoader, with this case adding MeshAgent as a newly observed remo…