SOCRadar profiles ScarCruft, also known as APT37 or Reaper, as a North Korea-associated espionage group active since 2012 and primarily focused on South Korea and other Asian targets linked to Pyongyang's interests. The source describes spear phishing, wa…
2024
654 reports
AhnLab found that a South Korean construction association website was serving trojanized security installers during the login process, exposing users who installed NX_PRNMAN or earlier TrustPKI packages. The modified installers were signed with a valid D2…
SOMESING reported that an external hacking group stole foundation-held SSX tokens on January 27, 2024, then moved funds to exchange and non-exchange wallets. The team worked with Uppsala Security to trace the token flow and asked domestic and foreign exch…
AhnLab's K-CTI 2024 presentation emphasized that identifying threat actors and understanding their strategies are central to modern cyber threat intelligence. The talk explained that vendors use different naming and management systems, including MITRE ATT…
Chainalysis reported that illicit addresses sent $22.2 billion in cryptocurrency to services in 2023, with centralized exchanges still serving as the main fiat off-ramp and money laundering becoming less concentrated at the deposit-address level. The Laza…
Emerald Sleet's use of LLMs supported this activity and involved researching think tanks and experts on North Korea, as well as generating content likely to be used in spear-phishing campaigns. Their recent operations relied on spear…
South Korea's presidential office said a staff administrator's personal email account was hacked by an external actor suspected to be linked to North Korea before President Yoon Suk Yeol's November 2023 trip to the United Kingdom and France. The office sa…
South Korea's National Intelligence Service said it identified Kyonghung Information Technology Exchange, a North Korean foreign currency earning unit operating in Dandong, China, that built and sold thousands of illegal gambling sites to South Korean cri…
The Kimsuky group installs AppleSeed and AlphaSeed through spear-phishing attacks, then uses the malware to steal user information by taking screenshots and keylogging and to take control of the infected system. This article discusses the case in which the Kim…
S2W Talon analyzed Troll Stealer, a Go-based infostealer distributed from a Korean security program download flow that redirected users to installers for products such as TrustPKI and NX_PRNMAN. Only some installers on the site were modified, and the drop…
Kimsuky uses spear phishing emails with VBS or JavaScript files disguised as documents to install AppleSeed and, in the observed case, AlphaSeed on targeted systems. The lures vary by target, including government-style documents for diplomacy and defense,…
Wezard4u analyzes a Konni malware document disguised as a Korean HWP file about North Korean market prices in Hoeryeong, suggesting targeting of people who work on North Korea-related issues. The document does not exploit an HWP vulnerability; it embeds a…
S2W Talon assesses that Kimsuky or a closely related cluster distributed Troll Stealer through installers masquerading as SGA Solutions security software on a Korean download page. The dropper and decoy installer were signed with a valid D2innovation Co.,…
Knownsec's 2023 APT threat analysis report summarizes activity by Northeast Asian groups including Kimsuky, APT37, Lazarus, and Konni. The report says these actors share a strategic purpose of supporting North Korean objectives through cyber espionage and…
QiAnXin's 2023 APT annual-report page highlights the group's practice of publishing research based on internal security telemetry, operational cases, market research, and third-party cooperation. The excerpt introduces Caracal Kitten, a newly named APT-Q-…