CrowdStrike frames North Korea as a long-running cyber threat whose operations evolved from destructive attacks into espionage and financially motivated activity. The episode focuses on how North Korea develops cyber talent, when its operators shifted tow…
2024 (654 reports)
The Andariel threat group primarily targets South Korean corporations and institutions and is known to collaborate with or operate as a subsidiary organization of the Lazarus threat group. This pertains to the Infostealer utilized in the APT attacks orche…
AttackIQ summarizes Lazarus Group's Operation Dream Job activity against defense and government targets using fake recruiting lures tied to major aerospace and defense companies. The excerpt describes reconnaissance, fictitious LinkedIn profiles, personal…
Sangfor links this Kimsuky activity to malicious LNK files disguised as Korean PDF or HWP documents for targets in cryptocurrency, government, diplomacy, media, and North Korea policy circles. One lure posed as a Korean cryptocurrency trading lecture and …
QiAnXin attributes a January 2024 intrusion set to Kimsuky/APT-Q-2 based on overlap with earlier Kimsuky malware and shared signing, packing, language, and victim-ID patterns. The activity used installers disguised as SGA Solutions products to drop normal…
360's 2023 APT review was a broad China-focused threat report, but its North Korea-relevant section singled out APT-C-06, also known as DarkHotel, as a supply chain actor using deceptive ZIP payloads. The report said APT-C-06 abused a domestic mail-system…
NSHC's November 2023 ThreatRecon report attributed the largest share of observed activity to SectorA, its North Korea tracking set, with five clusters active across South Korea, the United States, Russia, Israel, Mexico, Austria, China, and Japan. The Sec…
NCSC's discussion of the joint advisories from South Korea, the U.S., and Germany describes North Korean hacking as a persistent threat to Korean public and private sectors. The transcript cites Kimsuky phishing with malicious OneNote survey lures, lookalike Naver dom…
Konni-related malware was distributed as NService_youngji057.rar and executed through a Windows CHM file that showed a Korean-language decoy requesting a seal certificate and stamped power of attorney. The CHM embedded HTML used the Windows Help ActiveX s…
Part II of the Lazarus File series continues a profile of North Korea's Lazarus Group, focusing on financial activity, intelligence tradecraft, and legal challenges rather than a single intrusion. The excerpt recaps the prior discussion of Lazarus origins…
The first part of the Lazarus File series profiles Lazarus Group as a North Korea-linked cyber actor rather than analyzing a single intrusion. The excerpt says the series will cover the group's origins, strategic goals, operational history, technical capa…
Orbit Bridge operator Ozys said an unknown attacker stole about $81.5 million from the Ethereum vault in six transactions on Jan. 1, 2024, taking ETH, WBTC, USDT, USDC, and DAI before swapping assets into ETH and DAI across eight wallets. The company said…
KISA and JPCERT/CC JSAC slides describe Lazarus operations against South Korea in 2023 that combined watering-hole activity with attacks involving financial security software. The excerpt links the activity to zero-day exploit code, targeted initial acces…
Microsoft's podcast notes cover North Korean cyber operations as a blend of state espionage and financially motivated activity. The discussion focuses on how North Korea adapts APT tradecraft for revenue generation, especially cryptocurrency theft, while …
AhnLab describes how credential-stealing malware abuses saved login data in browsers, email clients, FTP tools, VNC software, and Outlook, and how its MDS sandbox detects that behavior even when file signatures are unknown. The report covers commodity ste…