APT43: An investigation into the North Korean group’s cybercrime operations

2023-04-20 VirusTotal

https://blog.virustotal.com/2023/04/apt43-investigation-into-north-korean.html


During our analysis of the samples, we observed that several of them belonged to two different collections created by AlienVaultOTX: "APT43: North Korean Group Uses Cybercrime to Fund Espionage Operations" and "Analysis of Smoke Screen in APT campaign aimed at Korea and America". We also found that most of these files used macros as their infection technique, while only a few of them exploited the CVE-2017-0199 vulnerability, which allows attackers to run malicious code on target systems by embedding malicious links in the docx file. This suggests that APT43 relies heavily on Microsoft Word documents as a vector for delivering malicious payloads or exploiting vulnerabilities. We hope that this post has provided some insights into the capabilities and techniques of APT43, and how VirusTotal can help to monitor and investigate such campaigns.
