Slick Phish & Cartoon Animals
2023-02-16 • Mandiant
https://sossecinc.com/wp-content/uploads/mandiant_sossec_20230216_share.pdf
• The organizations targeted for employment align with previous efforts by DPRK operators to target cryptocurrency-related organizations as well as medical research companies.
• The operation distributing the CUTELOOP dropper has been conducting a job-themed spear-phishing campaign enabled by social media since at least April 2020, although targeting of pharmaceuticals demonstrates a market expansion in targeting.
COVID Kim targeted Healthcare during 2020 - 2022
• In November 2020, Mandiant Threat Intelligence reported that a cyber espionage campaign distributing the CUTELOOP downloader using employment-themed lure material since at least April 2020 had updated its tools marginally and expanded its targeting to include a U.S.
• Malware is all tied to UNC614 and related to a single group publicly reported as Andariel and DarkSeoul.
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| DOMAIN | sossecinc.com | 2023-02-16 | 2023-02-16 |