Microsoft Threat Intelligence Podcast guests discuss abuse of remote monitoring and management tools alongside North Korean IT worker fraud. The RMM section covers ScreenConnect-style access used by criminal and nation-state actors for malware delivery, A…
NSHC's November 2024 Korean threat-actor intelligence report describes multiple observed intrusion patterns, including malicious LNK files themed around China-North Korea policy, VHDX lures disguised as Chinese embassy invitations, and backdoors that stea…
NuriLab analyzes a new RokRAT malware report associated with APT37, a North Korea-linked threat group also discussed alongside Kimsuky, Moonstone Sleet, and Lazarus in the source context. The report says APT37 impersonates North Korea-related experts and …
This APT group was detected targeting the Russian diplomatic sector in January 2022, employing a spear phishing theme for New Year's Eve festivities as bait. The North Korean hacker group distributes Konni RAT via phishing messages or emails. KONNI has be…
Hangro is presented as possible North Korean VPN or remote-access infrastructure linked to access into or around the DPRK-controlled network environment. The excerpt identifies four historical Hangro IPs in North Korea and Russia that shared a certificate…
The source analyzes a Lazarus-linked browser stealer identified as 11.js and provides hashes for the sample. After deobfuscation, the JavaScript is described as collecting browser logs and user-configuration files, packaging stolen data into ZIP archives,…
The Contagious Interview sample analyzed by dmpdump used fake Willo candidate-screening sites to lure victims into running a copied shell command. The shared VCam_intel.zip artifact contained Windows, macOS and Linux material, with macOS scripts downloadi…
SlowMist's 2024 Blockchain Security and AML report frames North Korean hackers as part of the year's cryptocurrency security and laundering landscape. The excerpt says the report includes statistical analysis of laundering methods and gains by North Korea…
SecAI analyzes a malicious CHM sample linked to Kimsuky activity, showing how the file uses an embedded HTML page and script execution to launch VBS code. The infection chain runs a VBS script from the same directory, executes a second VBS payload stored …
AhnLab describes detection of a Play ransomware intrusion using EDR telemetry and notes that Play, also known as Balloonfly or PlayCrypt, has attacked more than 300 organizations since 2022. The report highlights double-extortion behavior through data the…
Objective-See's 2024 macOS malware review includes several DPRK-linked specimens, including BeaverTail, SpectralBlur, and the BlueNoroff Hidden Risk campaign. The BeaverTail section describes a fake MiroTalk meeting app distributed from mirotalk[.]net tha…
AhnLab describes Play ransomware intrusion tradecraft and notes Palo Alto Unit42 reporting that linked Play activity to Andariel through shared infrastructure after Andariel used Sliver and DTrack for information theft. The excerpt states that Play operat…
A Korean analysis attributes a malicious LNK file disguised as a CRS report PDF to North Korea's Reaper, also known as APT37. The shortcut searches for PowerShell, locates an embedded payload by file size, extracts and opens a decoy PDF, then writes panic…