T1036.005 - DPRK Threat Intelligence

#T1036.005 Match Legitimate Resource Name or Location

Technique

Tactics: Defense Evasion
Description:
Adversaries may match or approximate the name or location of legitimate files, Registry keys, or other resources when naming/placing them. This is done for the sake of evading defenses and observation.

This may be done by placing an executable in a commonly trusted directory (ex: under System32) or giving it the name of a legitimate, trusted program (ex: `svchost.exe`). Alternatively, a Windows Registry key may be given a close approximation to a key used by a legitimate program. In containerized environments, a threat actor may create a resource in a trusted namespace or one that matches the naming convention of a container pod or cluster.(Citation: Aquasec Kubernetes Backdoor 2023)
First Seen: Phishing Emails Used to Deploy KONNI Malware • 2020-08-14

MITRE ATT&CK

24

Tagged Reports
16

Unique Authors
2,073

Active Days

Tagged Reports

2026-04-17

Break Glass Intelligence

850 Hostnames, 6 Servers, 1 Kill Chain: Mapping Kimsuky's 2026 Korean Credential Harvesting Machine

#Kimsuky #Phishing #T1102.002 #T1059.005 #T1027 #T1583.006 #T1566.003 #T1567 #T1583.003 #T1204.004 #T1057 #T1082 #T1518.001 #T1568.001 #T1566.001 #T1547.001 #T1585.002 #T1140 #T1056.003 #T1204.001 #T1053.005 #T1539 #T1041 #T1113 #T1608.005 #T1608.001 #T1204.002 #T1598.003 #T1071.001 #T1590.005 #T1115 #T1083 #T1583.001 #T1059.001 #T1497 #T1056.001 #T1566.002 #T1036.005

2026-04-11

Break Glass Intelligence

We Dumped a Live Kimsuky C2 and Recovered Every Stage of the Kill Chain: CHM Dropper, VBScript Stager, PowerShell Keylogger

#CHM #Kimsuky #T1518.001 #T1115 #T1566.001 #T1083 #T1041 #T1059.001 #T1053 #T1132.001 #T1059.005 #T1204.002 #T1036.005 #T1056.001 #T1071.001 #T1140 #T1057 #T1082

2026-04-07

Panther

Tracking an OtterCookie Infostealer Campaign Across npm

#ContagiousTrader #NPM #OtterCookie #T1005 #T1059.007 #T1083 #T1195.002 #T1041 #T1098.004 #T1059.004 #T1027 #T1036.005 #T1656 #T1071.001 #T1082

2026-04-01

Hunt.io

Breaking Down the Axios Supply Chain Attack: Dropper, Cross-Platform RATs, and BlueNoroff/TA444

#Axios #NPM #TA444 #Bluenoroff #T1055 #T1059.006 #T1070.004 #T1082 #T1553.002 #T1059.002 #T1059.001 #T1027 #T1036.005 #T1547.001 #T1071.001 #T1057 #T1195.002

2026-03-17

Break Glass Intelligence

When Nation-States Become Ransomware Affiliates: Lazarus Group Deploys Medusa via a Custom IME-Based Loader

#Lazarus #Medusa #Ransomware #T1574.002 #T1562.001 #T1059.001 #T1490 #T1555 #T1486 #T1547.014 #T1129 #T1036.005 #T1622 #T1135 #T1027.002 #T1546.015 #T1489 #T1082

2026-03-12

Break Glass Intelligence

Lazarus Group Caught Running Medusa Ransomware: XOR-Decoded Config Exposes Tor C2, IME-Based Loader, and a 7-Month Intrusion Timeline

#Lazarus #Medusa #Ransomware #T1574.002 #T1562.001 #T1059.001 #T1490 #T1555 #T1486 #T1547.014 #T1129 #T1036.005 #T1622 #T1135 #T1027.002 #T1546.015 #T1489 #T1082

2026-02-26

Zscaler

APT37 Adds New Tools For Air-Gapped Networks

#APT37 #LNK #T1125 #T1123 #T1027 #T1052.001 #T1132.002 #T1057 #T1082 #T1574 #T1620 #T1567.002 #T1204.001 #T1053.005 #T1564.001 #T1113 #T1092 #T1055 #T1083 #T1059.001 #T1036.005 #T1056.001

2026-01-20

Picus Security

BlueNoroff Group: The Financial Cybercrime Arm of Lazarus

#Bluenoroff #T1593 #T1589 #T1543.001 #T1562.001 #T1059.002 #T1016 #T1059.005 #T1018 #T1566.003 #T1552.001 #T1583.003 #T1027.002 #T1204.004 #T1082 #T1548.002 #T1598.001 #T1074.001 #T1087.001 #T1547.001 #T1588.002 #T1005 #T1059.007 #T1587.001 #T1056.002 #T1176.001 #T1071.001 #T1543.004 #T1055 #T1027.010 #T1583.001 #T1036.005 #T1566.002 #T1548.006 #T1657

2026-01-13

Cyfirma

APT PROFILE – KIMSUKI

#Kimsuky #T1593 #T1055.012 #T1102.002 #T1190 #T1587 #T1059.005 #T1027 #T1583.006 #T1078.003 #T1071.002 #T1027.002 #T1562.004 #T1205 #T1550.002 #T1059.003 #T1566.001 #T1566 #T1553.002 #T1111 #T1071.003 #T1591 #T1003.001 #T1218.011 #T1585 #T1593.002 #T1620 #T1567.002 #T1585.002 #T1598 #T1583 #T1585.001 #T1588.002 #T1586.002 #T1587.001 #T1059.007 #T1588.005 #T1053.005 #T1204.001 #T1070.004 #T1583.004 #T1036.004 #T1041 #T1588.003 #T1656 #T1608.001 #T1204.002 #T1598.003 #T1589.003 #T1102.001 #T1105 #T1071.001 #T1594 #T1055 #T1059.006 #T1112 #T1218.010 #T1557 #T1219.002 #T1583.001 #T1059.001 #T1593.001 #T1218.005 #T1589.002 #T1657 #T1555.003 #T1036.005 #T1133 #T1566.002 #T1056.001 #T1584.001 #T1070.006 #T1596

2026-01-12

Red Asgard

Hunting Lazarus: Inside the Contagious Interview C2 Infrastructure

#ContagiousInterview #Lazarus #T1059.006 #T1059.007 #T1562.001 #T1053.005 #T1539 #T1555 #T1573.002 #T1048.003 #T1204.002 #T1036.005 #T1566.003 #T1573.001 #T1547.001 #T1102.001 #T1027.002 #T1496

2025-08-18

Trellix

The Coordinated Embassy Hunt: Unmasking the DPRK-linked GitHub C2 Espionage Campaign

#Kimsuky #LNK #Phishing #XenoRAT #T1134 #T1102.002 #T1059.005 #T1106 #T1027 #T1568 #T1082 #T1566.001 #T1087.001 #T1567.002 #T1102.003 #T1053.005 #T1071.004 #T1204.002 #T1105 #T1071.001 #T1112 #T1083 #T1059.001 #T1569 #T1033 #T1036.005 #T1566.002 #T1569.002

2025-08-13

Cyfirma

APT PROFILE – LAZARUS GROUP

#Lazarus #T1090.001 #T1134.002 #T1562.001 #T1543.003 #T1059.003 #T1553.002 #T1614.001 #T1074.001 #T1485 #T1591 #T1218.011 #T1620 #T1078 #T1587.001 #T1027.007 #T1010 #T1571 #T1090.002 #T1218.010 #T1542.003 #T1583.001 #T1033 #T1497.001 #T1560.002 #T1203 #T1036 #T1012 #T1016 #T1059.005 #T1106 #T1027 #T1566.003 #T1027.002 #T1562.004 #T1529 #T1049 #T1140 #T1585.001 #T1005 #T1053.005 #T1564.001 #T1608.001 #T1105 #T1046 #T1491.001 #T1055.001 #T1070 #T1589.002 #T1036.005 #T1110 #T1547.009 #T1489 #T1110.003 #T1534 #T1047 #T1573 #T1588.004 #T1104 #T1036.003 #T1591.004 #T1001.003 #T1057 #T1082 #T1561.002 #T1566.001 #T1574.013 #T1561.001 #T1608.002 #T1585.002 #T1218 #T1588.002 #T1036.004 #T1204.001 #T1041 #T1560 #T1202 #T1071.001 #T1218.005 #T1059.001 #T1593.001 #T1189 #T1124 #T1056.001 #T1070.006 #T1008 #T1102.002 #T1048.003 #T1583.006 #T1221 #T1557.001 #T1098 #T1547.001 #T1567.002 #T1584.004 #T1087.002 #T1070.004 #T1560.003 #T1070.003 #T1583.004 #T1132.001 #T1588.003 #T1021.002 #T1204.002 #T1220 #T1574.002 #T1083 #T1566.002 #T1021.001 #T1021.004 #T1584.001

2025-02-12

Cyfirma

APT PROFILE – APT43

#APT43 #T1055.012 #T1562.001 #T1190 #T1587 #T1543.003 #T1059.003 #T1074.001 #T1553.002 #T1591 #T1218.011 #T1587.001 #T1588.005 #T1598.003 #T1594 #T1218.010 #T1557 #T1007 #T1583.001 #T1555.003 #T1036 #T1012 #T1016 #T1059.005 #T1027 #T1071.002 #T1027.002 #T1562.004 #T1111 #T1003.001 #T1140 #T1585.001 #T1005 #T1114.003 #T1053.005 #T1608.001 #T1105 #T1114.002 #T1589.002 #T1036.005 #T1534 #T1078.003 #T1552.001 #T1560.001 #T1136.001 #T1057 #T1082 #T1550.002 #T1518.001 #T1176 #T1566.001 #T1071.003 #T1585.002 #T1588.002 #T1036.004 #T1204.001 #T1586.002 #T1041 #T1219 #T1589.003 #T1071.001 #T1564.002 #T1112 #T1218.005 #T1059.001 #T1593.001 #T1040 #T1546.001 #T1056.001 #T1070.006 #T1102.002 #T1583.006 #T1564.003 #T1098 #T1593.002 #T1547.001 #T1567.002 #T1059.007 #T1070.004 #T1560.003 #T1505.003 #T1583.004 #T1204.002 #T1055 #T1059.006 #T1083 #T1133 #T1566.002 #T1021.001 #T1584.001

2024-09-12

Cyfirma

APT PROFILE – KIMSUKY

#Kimsuky #T1055.012 #T1562.001 #T1190 #T1587 #T1543.003 #T1059.003 #T1074.001 #T1553.002 #T1591 #T1218.011 #T1587.001 #T1588.005 #T1598.003 #T1594 #T1218.010 #T1557 #T1007 #T1583.001 #T1555.003 #T1036 #T1012 #T1016 #T1059.005 #T1027 #T1071.002 #T1027.002 #T1562.004 #T1111 #T1003.001 #T1140 #T1585.001 #T1005 #T1114.003 #T1053.005 #T1608.001 #T1105 #T1114.002 #T1589.002 #T1036.005 #T1534 #T1078.003 #T1552.001 #T1560.001 #T1136.001 #T1057 #T1082 #T1550.002 #T1518.001 #T1176 #T1566.001 #T1071.003 #T1585.002 #T1588.002 #T1036.004 #T1204.001 #T1586.002 #T1041 #T1219 #T1589.003 #T1071.001 #T1564.002 #T1112 #T1218.005 #T1059.001 #T1593.001 #T1040 #T1546.001 #T1056.001 #T1070.006 #T1102.002 #T1583.006 #T1564.003 #T1098 #T1593.002 #T1547.001 #T1567.002 #T1059.007 #T1070.004 #T1560.003 #T1505.003 #T1583.004 #T1204.002 #T1055 #T1059.006 #T1083 #T1133 #T1566.002 #T1021.001 #T1584.001

2023-02-02

With Secure

No Pineapple! - DPRK Targeting of Medical Research and Technology Sector

#Whitepaper #NoPineapple #DTrack #GREASE #Zimbra #T1090.001 #T1136 #T1190 #T1012 #T1016 #T1106 #T1018 #T1071 #T1070.007 #T1057 #T1082 #T1119 #T1556 #T1037.005 #T1003.001 #T1553 #T1049 #T1087.002 #T1078 #T1070.004 #T1587.002 #T1053.005 #T1041 #T1505.003 #T1560 #T1071.001 #T1090.002 #T1083 #T1114.002 #T1033 #T1036.005 #T1021.001 #T1074 #T1059 #T1569.002

« Back