-
Nov 4, 2024 | 
securityboulevard.com | Seongsu Park
IntroductionIn November 2023, a security vendor discovered that North Korean threat actors were using the Contagious Interview and WageMole campaigns to procure remote employment opportunities in Western countries, thus evading financial sanctions against North Korea (DPRK). The Contagious Interview campaign focuses on stealing data, while WageMole uses that stolen data, along with other social engineering techniques, to help these threat actors land remote jobs.
-
Nov 4, 2024 | 
zscaler.com | Seongsu Park
Get the latest Zscaler blog updates in your inboxSubscribe IntroductionIn November 2023, a security vendor discovered that North Korean threat actors were using the Contagious Interview and WageMole campaigns to procure remote employment opportunities in Western countries, thus evading financial sanctions against North Korea (DPRK).
-
Jun 28, 2024 | 
securityboulevard.com | Seongsu Park
IntroductionIn March 2024, Zscaler ThreatLabz observed new activity from Kimsuky (aka APT43, Emerald Sleet, and Velvet Chollima), an advanced persistent threat actor backed by the North Korean government. This group, first observed in 2013, is notorious for cyber espionage, and financially motivated cyber attacks, primarily targeting South Korean entities, including think tanks, government institutions, and the academic sector.
-
Jun 27, 2024 | 
securityboulevard.com | Seongsu Park
By Seongsu Park IntroductionIn March 2024, Zscaler ThreatLabz observed new activity from Kimsuky (aka APT43, Emerald Sleet, and Velvet Chollima), an advanced persistent threat actor backed by the North Korean government. This group, first observed in 2013, is notorious for cyber espionage, and financially motivated cyber attacks, primarily targeting South Korean entities, including ... Read More
-
Jun 27, 2024 | 
zscaler.com | Seongsu Park
Get the latest Zscaler blog updates in your inboxSubscribe IntroductionIn March 2024, Zscaler ThreatLabz observed new activity from Kimsuky (aka APT43, Emerald Sleet, and Velvet Chollima), an advanced persistent threat actor backed by the North Korean government. This group, first observed in 2013, is notorious for cyber espionage, and financially motivated cyber attacks, primarily targeting South Korean entities, including think tanks, government institutions, and the academic sector.
-
Nov 20, 2023 | 
securelist.com | Dmitry Kalinin |Seongsu Park |Dmitry Galov |Dan Demeter
As the annual Black Friday approaches, the digital landscape experiences an unprecedented surge in e-commerce and online shopping activity. Major sales aside, e-commerce is still a huge market. In 2022, global e-commerce retail revenue was estimated to reach $5.7 trillion worldwide, marking nearly a 10% increase compared to the previous year.
-
Nov 10, 2023 | 
securelist.com | Dmitry Kalinin |Seongsu Park |Leonid Bezvershenko |Georgy Kucherin
Ducktail is a malware family that has been active since the second half of 2021 and aims to steal Facebook business accounts. Kaspersky Daily Iran, WithSecure, and GridinSoft have all covered Ducktail attacks: the infostealer spread under the guise of documents relating to well-known companies’ and brands’ projects and products. The group behind the Ducktail attacks presumably hails from Vietnam.
-
Apr 24, 2023 | 
securelist.com | Pierre Delcher |Ivan Kwiatkowski |Seongsu Park |Boris Larin
IntroductionWe introduced Tomiris to the world in September 2021, following our investigation of a DNS-hijack against a government organization in the Commonwealth of Independent States (CIS). Our initial report described links between a Tomiris Golang implant and SUNSHUTTLE (which has been associated to NOBELIUM/APT29/TheDukes) as well as Kazuar (which has been associated to Turla); however, interpreting these connections proved difficult.
-
Apr 12, 2023 | 
securelist.com | Seongsu Park |Olga Svistunova |Georgy Kucherin |Vasily Berdnikov
The Lazarus group is a high-profile Korean-speaking threat actor with multiple sub-campaigns. We have previously published information about the connections of each cluster of this group. In this blog, we’ll focus on an active cluster that we dubbed DeathNote because the malware responsible for downloading additional payloads is named Dn.dll or Dn64.dll. This threat is also known as Operation DreamJob or NukeSped.
-
Mar 6, 2023 | 
sp4rk.medium.com | Seongsu Park
In early 2022, the Kimsuky group carried out a sophisticated cyber attack against defense, political, and North Korea-related individuals. The attack had a complicated infection process from the initial infection to exfiltration, and each stage shows the following characteristics:There were several other characteristics as well: Typically, it goes through a two-stage or more infection process. It can go through up to five stages or more.
