A Korean write-up analyzes malware attributed by the author to the North Korean Konni group and disguised as an Upbit-related document package. The attack uses a ZIP archive containing a malicious LNK named like a personal-information consent DOCX file an…
NSHC's January 2024 ThreatRecon report lists SectorA01, SectorA02, SectorA05, SectorA06, and SectorA07 activity across East Asia, Europe, the United States, and other regions. The SectorA entries describe malware disguised as PuTTY, a Korean unification-s…
ITG16 is described as a North Korean state-sponsored threat group active since at least 2012. The group has traditionally targeted South Korean diplomatic and national security personnel, human rights groups, media, utilities, and think tanks. Its operati…
The excerpt analyzes a PowerShell backdoor associated by the author with Kimsucky, a North Korea-based APT described as using malicious documents, social engineering, spear phishing, and watering-hole techniques against organizations in South Korea, Japan…
The GitHub analysis documents a Kimsuky PowerShell backdoor protocol with command opcodes for host check in, drive and path listing, file download and upload, deletion, rename, directory creation, execution, restart, removal, and ZIP creation. The client …
SBS reported that Kimsuky targeted a South Korean journalist who covers North Korea by impersonating a National Assembly Research Service official. The actor sent an invitation to a Korean Peninsula peace system meeting, used an email address differing by…
A U.S. District Court order granted default judgment and forfeiture of virtual-currency accounts tied to alleged North Korean exchange hacks and laundering. The court record describes North Korean operatives stealing nearly $250 million from one exchange …
This backdoor software shares multiple characteristics with historical attack samples from the Kimsuky organization, leading us to believe that both types of malicious software are associated with the Kimsuky group. These two points indicate that the back…
North Korean state hackers stole nearly $600 million in virtual currency from Axie Infinity in March 2022, according to Intel 471's podcast notes. The source frames the incident as a crypto-heist investigation, with Chainalysis and Intel 471 discussing ho…
Hunt investigated an open directory tied to a likely North Korean phishing campaign aimed at stealing Google and Naver credentials. The actor first hosted a Binance spoofing site, then shifted to custom phishing paths and iframe-based credential theft aft…
Kroll observed a campaign that exploited ConnectWise ScreenConnect vulnerabilities CVE-2024-1709 and CVE-2024-1708 to deploy malware similar to BABYSHARK, previously associated with Kimsuky or KTA082. After gaining hands-on-keyboard access through an expo…
The post analyzes an APT37, also known as Reaper, malware package distributed as a ZIP archive with a Korean security commentary lure. The infection chain runs from ZIP to LNK to BAT to shellcode, with PowerShell hidden from the user, embedded HWP lure co…
DBAPPSecurity analyzed APT37 activity using North Korea-related political themes to target South Korean users and researchers. The samples used compressed archives with Korean political lure documents, including commentary on anti-state forces and other i…
South Korea's National Intelligence Service reportedly concluded after an on-site investigation that Lazarus compromised an Active Directory server used for the Supreme Court's internet virtualization system. The report says the attackers used administrato…