Operation OnionDog

2016-03-08 Qihoo360

https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/blob/master/2016/2016.03.08.OnionDog/APT-C-03-en.pdf

Attachments

APT-C-03-en.pdf (2 MB)

Qihoo 360 described Operation OnionDog as a multi-year campaign observed from at least 2013 to 2015 against government entities, transportation companies, and energy industries, while stating it had not found a connection to Lazarus at that time. The activity used Hangul Word Processor lure documents or HWP exploits in spearphishing, with topics such as government information security, railway investigations, port VTS, and civil servant benefits matching South Korean target interests. The malware set included droppers, USB worm components for isolated networks, and ICEFOG-related backdoor activity, with command-and-control using both fixed Korean IP addresses and Onion.City domains. The report also argues the actor used techniques and resources associated with other known APTs as possible false flags, making attribution and incident triage more difficult.
