Tag: south korea

25 Attack Reports | 0 Vulnerabilities

Attack reports

Operation Artemis: Analysis of HWP-Based DLL Side Loading Attacks

The 'Artemis' campaign, conducted by APT37, utilizes malicious HWP documents with embedded OLE objects to initiate attacks. The threat actor impersonates legitimate entities to gain trust before delivering the payload. The attack chain combines HWP execution with DLL side-loading techniques to evad…
rokrat
south korea
steganography
dll side-loading
spear-phishing
ole
hwp
cloud infrastructure
2025-12-22
Published: December 22, 2025
Downloadable IOCs: 0

August 2025 APT Attack Trends Report

In August 2025, APT attacks in South Korea primarily utilized spear phishing techniques, with LNK files being the most prevalent method. Two main types of attacks were observed: Type A, which used compressed CAB files containing malicious scripts for information exfiltration and additional malware …
apt
rat
powershell
rokrat
south korea
xenorat
lnk files
spear phishing
cab files
2025-09-16
Published: September 16, 2025
Downloadable IOCs: 5

AI-Driven Deepfake Military ID Fraud Campaign

The Kimsuky APT group has launched a sophisticated spear-phishing campaign using AI-generated deepfake military ID cards to target South Korean defense institutions. The attack impersonates military employee ID issuance processes and exploits ChatGPT to create convincing fake ID images. The malware…
obfuscation
apt
south korea
ai
autoit
chatgpt
spear-phishing
military
deepfake
2025-09-15
Published: September 15, 2025
Downloadable IOCs: 21

Inside the Kimsuky Leak: How the 'Kim' Dump Exposed North Korea's Credential Theft Playbook

A data breach attributed to a North Korean-affiliated actor known as "Kim" has provided new insights into Kimsuky (APT43) tactics and infrastructure. The actor's operations focus on credential-based intrusions targeting South Korean and Taiwanese networks, utilizing Chinese-language tools and infra…
phishing
north korea
rootkit
south korea
credential theft
taiwan
ocr
2025-09-08
hybrid attribution
vmmisc.ko
gpki
Published: September 8, 2025
Downloadable IOCs: 11

Warning About NightSpire Ransomware Following Cases of Damage in South Korea

NightSpire, a ransomware group active since February 2025, employs an aggressive strategy and specialized infrastructure similar to Ransomware-as-a-Service models. They operate a Dedicated Leak Site, posting victim information and countdown timers for data release. Using highly threatening language…
ransomware
encryption
south korea
double-extortion
nightspire
rsa
2025-08-29
2025-09-01
aes
cyber extortion
dedicated leak site
Published: September 1, 2025
Downloadable IOCs: 2

Operation HanKook Phantom: Spear-Phishing Campaign

APT37, a North Korean state-backed cyber espionage group, has launched a sophisticated spear-phishing campaign targeting South Korean government sectors, research institutions, and academics. The attackers use malicious LNK files disguised as legitimate documents to deliver a multi-stage infection …
espionage
north korea
powershell
rokrat
south korea
data exfiltration
fileless
spear-phishing
cloud services
lnk files
2025-08-29
Published: August 29, 2025
Downloadable IOCs: 0

July 2025 APT Attack Trends Report (South Korea)

The report analyzes Advanced Persistent Threat (APT) attacks in South Korea during July 2025. Spear phishing was the primary attack method, with LNK files being the most common vector. Two types of LNK-based attacks were identified: Type A, which uses compressed CAB files containing malicious scrip…
apt
rat
rokrat
south korea
xenorat
lnk files
spear phishing
google drive
dropbox api
2025-08-19
Published: August 19, 2025
Downloadable IOCs: 0

June 2025 APT Attack Trends Report (South Korea)

This analysis examines Advanced Persistent Threat (APT) attacks targeting South Korea in June 2025. Spear phishing emerged as the primary attack vector, with LNK files being the most prevalent method, followed by an increase in HWP file-based attacks. The report details two types of spear phishing …
apt
rat
rokrat
south korea
xenorat
lnk files
spear phishing
2025-07-16
hwp files
Published: July 16, 2025
Downloadable IOCs: 0

Dissecting Kimsuky's Attacks on South Korea: In-Depth Analysis of GitHub-Based Malicious Infrastructure

A sophisticated spearphishing campaign targeting South Korea has been uncovered, utilizing GitHub as attack infrastructure. The threat actor, linked to the North Korean group Kimsuky, created multiple private repositories to store malware, decoy files, and exfiltrated victim data. The attack levera…
north korea
spearphishing
kimsuky
dropbox
south korea
xenorat
2025-06-26
Published: June 26, 2025
Downloadable IOCs: 16

May 2025 APT Group Trends (South Korea)

This analysis examines Advanced Persistent Threat (APT) attacks in South Korea during May 2025. The majority of identified attacks utilized spear phishing as the primary infiltration method. Two main types of attacks were observed: Type A, which uses LNK files to execute malicious scripts and downl…
obfuscation
apt
south korea
lnk files
spear phishing
decoy documents
task scheduler
2025-06-18
python scripts
Published: June 18, 2025
Downloadable IOCs: 7

Analysis of APT37 Attack Case Disguised as a Think Tank for National Security Strategy in South Korea (Operation ToyBox Story)

APT37, a North Korean state-sponsored hacking group, launched a spear phishing campaign targeting activists focused on North Korea. The attack involved emails with Dropbox links to malicious LNK files, which when executed, activated additional malware. The group utilized legitimate cloud services a…
north korea
rokrat
south korea
lnk files
spear phishing
CVE-2022-41128
national security
2025-06-06
fileless attacks
cloud c2
Published: June 6, 2025
Downloadable IOCs: 1

April 2025 Threat Trend Report on APT Attacks (South Korea)

This analysis covers APT attacks detected in South Korea during April 2025. Spear phishing emerged as the primary distribution method for these attacks. Two main types of spear phishing were observed: Type A, which uses LNK files to distribute compressed malicious scripts for information leakage an…
apt
rat
rokrat
south korea
xenorat
spear-phishing
lnk files
google drive
2025-05-14
dropbox api
Published: May 14, 2025
Downloadable IOCs: 3

Disruption of Drone Supply Chains Through Coordinated Multi-Wave Attacks in Taiwan

Earth Ammit, a Chinese-linked threat actor, conducted two campaigns targeting drone supply chains in Taiwan and South Korea from 2023 to 2024. The VENOM campaign focused on software service providers using open-source tools, while TIDRONE targeted military industries with custom malware. Their tact…
south korea
taiwan
supply chain attack
2025-05-13
drone industry
venom campaign
custom backdoor
screencap
fiber-based
clntend
venfrpc
cxclnt
tidrone campagin
military sector
Published: May 13, 2025
Downloadable IOCs: 29

Lazarus APT updates its toolset in watering hole attacks

The Lazarus group has launched a sophisticated attack campaign dubbed 'Operation SyncHole' targeting South Korean organizations. The operation combines watering hole attacks with exploitation of vulnerabilities in South Korean software. At least six organizations in the software, IT, financial, sem…
apt
supply chain
south korea
vulnerability exploitation
watering hole
2025-04-24
copperhedge
signbt
threatneedle
agamemnon downloader
wagent
Published: April 24, 2025
Downloadable IOCs: 0

APT Group Profiles - Larva-24005

A new operation named Larva-24005, linked to the Kimsuky group, has been discovered by ASEC. The threat actors exploited RDP vulnerabilities to infiltrate systems, installing MySpy malware and RDPWrap for continuous remote access. They also deployed keyloggers to record user inputs. The group has b…
apt
phishing
kimsuky
south korea
CVE-2017-11882
keylogger
CVE-2019-0708
japan
2025-04-22
randomquery
rdp exploitation
bluekeep
myspy
kimalogger
Published: April 22, 2025
Downloadable IOCs: 0

Detailed Analysis of DocSwap Malware Disguised as Security Document Viewer

A new malware called DocSwap, disguised as a document viewing authentication app, was discovered targeting South Korean mobile users. The malware, linked to a North Korean APT group, performs keylogging and information theft through accessibility services. It decrypts an obfuscated APK file, execut…
apt
north korea
south korea
2025-04-12
dpkr
docswap
accessibility services
Published: April 12, 2025
Downloadable IOCs: 0

March 2025 APT Group Trends (South Korea)

This intelligence report analyzes Advanced Persistent Threat (APT) attacks in South Korea during March 2025. The majority of attacks were classified as spear phishing, with LNK file distribution being the most prevalent method. Two types of LNK-based attacks were identified: Type A, which uses a CA…
obfuscation
apt
python
powershell
south korea
pebbledash
lnk files
spear phishing
2025-04-10
nukesped
task scheduler
cab files
Published: April 10, 2025
Downloadable IOCs: 0

APT Targets South Korea with Deceptive PDF Lures

The Kimsuky APT group, also known as Black Banshee, has been actively targeting South Korean government entities using evolving tactics. Two distinct campaigns were uncovered, both utilizing government-themed PDF documents as lures. The infection chain begins with a phishing email containing a mali…
obfuscation
apt
phishing
south korea
keylogging
lnk file
data exfiltration
cryptocurrency theft
snakekeylogger
2025-04-04
vba script
Published: April 4, 2025
Downloadable IOCs: 0

South Korean Organizations Targeted by Cobalt Strike 'Cat' Delivered by a Rust Beacon

An exposed web server containing tools for an intrusion campaign targeting South Korean organizations was identified. The server hosted a Rust-compiled Windows executable delivering Cobalt Strike Cat, along with SQLMap, Web-SurvivalScan, and dirsearch. The threat actor used these tools to identify …
sql injection
south korea
reconnaissance
2025-03-18
rust beacon
cobalt strike cat
marte
mingw
open directory
marte shellcode
Published: March 18, 2025
Downloadable IOCs: 9

Supply chain of Korean VPN service compromised

ESET researchers have uncovered a supply-chain attack against a South Korean VPN provider by a previously unknown China-aligned APT group named PlushDaemon. The attackers replaced the legitimate VPN installer with a malicious version that deployed their SlowStepper backdoor, a feature-rich implant …
backdoor
supply-chain
apt
espionage
china
south korea
vpn
2025-01-22
slowstepper
Published: January 22, 2025
Downloadable IOCs: 0

December 2024 Threat Trend Report on APT Attacks (South Korea)

This intelligence report analyzes Advanced Persistent Threat (APT) attacks targeting South Korea in December 2024. The primary method of attack was spear phishing, with a focus on distributing LNK files. Two main types of attacks were identified: Type A, which uses compressed CAB files containing m…
apt
rat
rokrat
south korea
xenorat
spear-phishing
lnk files
2025-01-09
decoy documents
Published: January 9, 2025
Downloadable IOCs: 3

Analysis of Attack Cases Against Korean Solutions by the Andariel Group (SmallTiger)

The Andariel group has been targeting various South Korean software solutions, particularly asset management and document management systems. Recent attacks involve the installation of SmallTiger malware, often through exploiting vulnerabilities in outdated software versions. In asset management so…
south korea
rdp
smalltiger
keylogger
web shell
2024-12-31
modeloader
document management
asset management
Published: December 31, 2024
Downloadable IOCs: 5

New Android Spyware Campaign Targets South Koreans via AWS

A sophisticated Android spyware campaign targeting South Koreans has been uncovered by Cyble Research and Intelligence Labs. Active since June 2024, the malware exploits an Amazon AWS S3 bucket as its Command and Control server to exfiltrate sensitive personal data including SMS messages, contacts,…
android
spyware
south korea
cloud security
data exfiltration
aws
mobile malware
2024-10-01
stealth techniques
Published: October 1, 2024
Linked vulnerabilities : CVE-2024-21887, CVE-2023-46805, CVE-2021-44228, CVE-2017-11882, CVE-2024-21893
Downloadable IOCs: 7

Private HTS Program Continuously Used in Attacks

This report outlines a continuous campaign where a threat actor distributes malware, including Quasar RAT, through a private home trading system (HTS) named HPlus. The malware is initially delivered via an MSI installer, and users who request remote assistance inadvertently execute the AnyDesk soft…
south korea
quasar rat
2024-07-17
Published: July 17, 2024
Downloadable IOCs: 1

SecretCalls: A Formidable App of Notorious Korean Financial Fraudster

Voice phishing groups in South Korea build phishing pages and apps like SecretCalls to trick victims into installing malware and accessing phishing sites for financial fraud. Detailed analysis of SecretCalls Loader reveals anti-analysis techniques like DEX encryption, emulator detection, and instal…
android
2024-05-03
south korea
financial fraud
secretcalls
voice phishing
Published: May 3, 2024
Downloadable IOCs: 23
Click here to see more Attack Reports