Tag: korea

6 Attack Reports | 0 Vulnerabilities

Attack reports

Malware MoonPeak Executed via LNK Files

In January 2026, IIJ observed malicious LNK files targeting Korean users to execute the MoonPeak malware, attributed to North Korean threat actors. The infection chain begins with a LNK file that runs an obfuscated PowerShell script, which checks for analysis environments, creates additional script…
powershell
persistence
korea
xenorat
github
moonpeak
lnk files
confuserex
2026-01-26
lots
Published: January 26, 2026
Downloadable IOCs: 4

Proton66: Compromised WordPress Pages and Malware Campaigns

This intelligence briefing focuses on malware campaigns linked to Proton66, particularly those targeting Android devices through compromised WordPress websites. It details how these sites were injected with malicious scripts to redirect Android users to fake Google Play Store pages. The report also…
xworm
phishing
ransomware
android
korea
remcos
wordpress
strela stealer
2025-04-18
germany
weaxor
Published: April 18, 2025
Downloadable IOCs: 48

Notorious WrnRAT Delivered Mimic As Gambling Games

Cybersecurity analysts have uncovered a sophisticated malware operation targeting online gambling platforms. Threat actors are distributing the WrnRAT malware by disguising it as popular Korean gambling games. The multi-stage infection process involves a batch script, followed by a .NET-based dropp…
korea
gambling
screen capture
2024-10-29
pyinstaller
wrnrat
multi-stage infection
financial exploitation
Published: October 29, 2024
Downloadable IOCs: 5

Malware Used in Attacks Against Korean Companies

A recent analysis by ASEC discovered attacks exploiting a Korean ERP solution to distribute malware like XcLoader and Xctdoor. The attacks targeted Korean defense and manufacturing companies. The malware was propagated by compromising ERP update servers to install backdoors. Xctdoor captures system…
korea
2024-07-01
lazarus
andariel
xctdoor
xcloader
hotcroissant
Published: July 1, 2024
Downloadable IOCs: 9

Case of Malware Distribution Linking to Illegal Gambling Website Targeting Korean Web Server

This report examines a malware strain distributed to web servers in South Korea that redirects users to an illegal gambling site. The threat actor installed a Meterpreter backdoor, a port forwarding tool, and an IIS module malware on a compromised web server. The IIS module inspects HTTP headers an…
korea
2024-05-03
2024-05-04
2024-05-05
2024-05-06
2024-05-07
2024-05-08
meterpreter
webserver
iismodulemalware
gamblingredirect
Published: May 8, 2024
Downloadable IOCs: 8

Analysis of APT Group's Use of Malicious LNK Files to Deliver RokRat Attack

The report details a recent cyber attack campaign by the APT-C-28 (ScarCruft) group, known for targeting organizations in Korea and Asia. The campaign utilized a malicious LNK file disguised as a document related to a 'North Korean Human Rights Expert Debate' to deliver the RokRat remote access tro…
apt
lnk
rokrat
cloud
korea
Published: April 29, 2024
Downloadable IOCs: 3
Click here to see more Attack Reports