Campaign DOKKAEBI: Documents of Korean and Evil Binary

2018-08-01 FSI

https://www.fsec.or.kr/bbs/detail?menuNo=244&bbsNo=6139

Attachments

FSI_Threat_Intelligence_Report_-_Campaign_DOKKAEBI.pdf (30 MB)

FSI analyzed known malicious Korean HWP documents from 2015 through the first half of 2018 and grouped related activity into Campaign DOKKAEBI. The excerpt identifies three threat groups using malicious HWP documents in cyberattacks: Bluenoroff, Kimsuky, and Scarcruft. It notes that each group’s document features and follow-on malware differed, while similarities in background, objectives, and attack methods supported treating the activity as a connected set of intrusions. For DPRK-focused tracking, the value is the report’s comparative profiling of HWP-based activity tied to Bluenoroff and Kimsuky alongside Scarcruft.
