{
    "type": "bundle",
    "id": "bundle--4eebc266-508d-4beb-9e3c-ca0e608b80ce",
    "objects": [
        {
            "type": "identity",
            "spec_version": "2.1",
            "id": "identity--3d3ee4be-17f5-408e-8932-cf4dc1ff6a0a",
            "created": "2023-03-08T12:52:00.683046Z",
            "modified": "2023-03-08T12:52:00.683127Z",
            "name": "Flashpoint-intel",
            "identity_class": "organization"
        },
        {
            "type": "ipv4-addr",
            "spec_version": "2.1",
            "id": "ipv4-addr--39a1e565-3f71-40bc-9b53-66fed3603016",
            "value": "28.0.0.137"
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--f8b01d43-b302-4e09-be81-154628d6ec61",
            "created": "2026-06-25T01:31:51.463696Z",
            "modified": "2026-06-25T01:31:51.463696Z",
            "name": "YARA Rule",
            "pattern": "rule crime_ole_loadswf_cve_2018_4878\r\n{\r\nmeta:\r\n// DESCRIPTION\r\ndescription = \"Detects CVE-2018-4878\"\r\nvuln_type = \"Remote Code Execution\"\r\nvuln_impact = \"Use-after-free\"\r\naffected_versions = \"Adobe Flash 28.0.0.137 and earlier versions\"\r\nmitigation0 = \"Implement Protected View for Office documents\"\r\nmitigation1 = \"Disable Adobe Flash\"\r\nweaponization = \"Embedded in Microsoft Office first payloads\"\r\nactor = \"Purported North Korean actors\"\r\nreference = \"https://www.krcert.or[.kr/data/secNoticeView.do?bulletin_writing_sequence=26998\"\r\nauthor = \"Vitali Kremez, Flashpoint\"\r\nversion = \"1.1\"\r\nstrings:\r\n// EMBEDDED FLASH OBJECT BIN HEADER\r\n$header = \"rdf:RDF\" wide ascii\r\n// OBJECT APPLICATION TYPE TITLE\r\n$title = \"Adobe Flex\" wide ascii\r\n// PDB PATH\r\n$pdb = \"F:\\\\work\\\\flash\\\\obfuscation\\\\loadswf\\\\src\" wide ascii\r\n// LOADER STRINGS\r\n$s0 = \"URLRequest\" wide ascii\r\n$s1 = \"URLLoader\" wide ascii\r\n$s2 = \"loadswf\" wide ascii\r\n$s3 = \"myUrlReqest\" wide ascii\r\ncondition:\r\nall of ($header*) and all of ($title*) and 3 of ($s*) or all of ($pdb*) and all of ($header*) and 1 of ($s*)\r\n}",
            "pattern_type": "yara",
            "valid_from": "2018-02-02T00:00:00Z"
        },
        {
            "type": "file",
            "spec_version": "2.1",
            "id": "file--e6aaa8b2-3dc5-4647-9b48-b3f02a355b25",
            "hashes": {
                "MD5": "9593d277b42947ef28217325bcc1fe50"
            }
        },
        {
            "type": "file",
            "spec_version": "2.1",
            "id": "file--8eca50d9-a55d-40a1-8cc7-224ca6d30ce5",
            "hashes": {
                "MD5": "4c1533cbfb693da14e54e5a92ce6faba"
            }
        },
        {
            "type": "file",
            "spec_version": "2.1",
            "id": "file--35ca105a-e57d-4f95-8cb3-5910b4d880ef",
            "hashes": {
                "MD5": "5f97c5ea28c0401abc093069a50aa1f8"
            }
        },
        {
            "type": "file",
            "spec_version": "2.1",
            "id": "file--53c08766-dd5a-45d9-a7e7-70eb2c356b93",
            "hashes": {
                "MD5": "1f93c09eed6bb17ec46e63f00bd40ebb"
            }
        },
        {
            "type": "url",
            "spec_version": "2.1",
            "id": "url--56202c35-6002-4ba9-afba-1df4abe2bb2c",
            "value": "http://www.1588-2040.co.kr/design/m/images/image/image.php"
        },
        {
            "type": "url",
            "spec_version": "2.1",
            "id": "url--95ab0c8f-fa23-4943-8580-37389ce64866",
            "value": "http://www.dylboiler.co.kr/admincenter/files/boad/4/manager.php"
        },
        {
            "type": "report",
            "spec_version": "2.1",
            "id": "report--43a54460-bd0c-462b-81f3-09ef64d3c9d3",
            "created_by_ref": "identity--3d3ee4be-17f5-408e-8932-cf4dc1ff6a0a",
            "created": "2026-06-25T01:31:51.475624Z",
            "modified": "2026-06-25T01:31:51.475624Z",
            "name": "Targeted Attacks Against South Korean Entities May Have Been as Early as November 2017",
            "published": "2018-02-02T00:00:00Z",
            "object_refs": [
                "identity--3d3ee4be-17f5-408e-8932-cf4dc1ff6a0a",
                "ipv4-addr--39a1e565-3f71-40bc-9b53-66fed3603016",
                "indicator--f8b01d43-b302-4e09-be81-154628d6ec61",
                "file--e6aaa8b2-3dc5-4647-9b48-b3f02a355b25",
                "file--8eca50d9-a55d-40a1-8cc7-224ca6d30ce5",
                "file--35ca105a-e57d-4f95-8cb3-5910b4d880ef",
                "file--53c08766-dd5a-45d9-a7e7-70eb2c356b93",
                "url--56202c35-6002-4ba9-afba-1df4abe2bb2c",
                "url--95ab0c8f-fa23-4943-8580-37389ce64866"
            ],
            "external_references": [
                {
                    "source_name": "source",
                    "url": "https://www.flashpoint-intel.com/blog/targeted-attacks-south-korean-entities/"
                }
            ]
        }
    ]
}