#Trend #BlackBanshee #BlackAlicanto #T1082 #T1059.003 #T1090 #T1005 #T1070.004 #T1041 #T1113 #T1555 #T1560 #T1071.001 #T1112 #T1083 #T1204.001 #T1036 #T1027 #T1204.002 #T1071 #T1124 #T1204 #T1057 #T1059.005 #T1566.001 #T1547.001 #T1053.005 #T1132.001 #T1566 #T1059 #T1003 #T1105 #T1620 #T1486 #T1135 #T1078 #T1548 #T1190 #T1592 #T1049 #T1087 #T1589 #T1074.001 #T1591 #T1547 #T1068 #T1573 #T1095 #T1048 #T1608 #T1070 #T1056 #T1036.007 #T1614.001 #T1033 #T1110 #T1221 #T1132 #T1570 #T1021 #T1615 #T1482 #T1210 #T1069 #T1595 #T1039 #T1016.001

yir-cyber-threats-annex-download.pdf (14 MB)

PwC highlighted North Korea-based Black Artemis, also known as Lazarus Group, as continuing to use job-specification lure documents against targets in high-profile defense and engineering companies. The activity often followed social engineering in which the actor posed as a recruiter on platforms such as LinkedIn to build rapport before delivering malicious attachments. PwC also noted Black Banshee, also known as Kimsuky or Velvet Chollima, using lightly obfuscated PowerShell commands hidden in malicious macros to download payloads from a remote staging server and execute them. These examples show DPRK-linked actors continuing to rely on spearphishing, malicious documents, macros, and PowerShell execution within broader 2021 threat activity.