Related Families: SplitLoader, YouieLoad
Verticals Targeted: Education, Software, Information Technology, Defense, Aerospace
New North Korean Threat Actor Group Moonstone Sleet
Jun 7, 2024 12:58:01 PM / by The Hivemind posted in Threat Bulletin, North Korea, MoonstoneSleet, YouieLoad, Threat Actor Profile, SplitLoader
Velvet Chollima Using Gomir Linux Backdoor
May 24, 2024 11:58:05 AM / by The Hivemind posted in Threat Bulletin, Espionage, North Korea, Linux, Kimsuky, GoBear, Velvet Chollima, Gomir, Troll Stealer
Related Families: GoBear, Troll Stealer, BetaSeed, Endor
Verticals Targeted: Government
Executive Summary
North Korea nexus threat actor group Velvet Chollima was observed using a new Linux backdoor, dubbed Gomir, to target entities in South Korea.
2023 Recap - Threat Actor Activity Highlights - North Korea
Dec 15, 2023 1:37:07 PM / by The Hivemind posted in Threat Bulletin, North Korea, APAC, 2023 Recap, Chollima
Executive Summary
Several high-profile North Korea nexus threat actor groups have been active in 2023. Reported activities include but are not limited to supply chain attacks, targeting of cryptocurrency, and proliferation of MacOS malware. In this report, PolySwarm highlights cyber activity perpetrated by North Korea nexus threat actor groups in 2023.
BlueNoroff's RustBucket MacOS Malware
May 12, 2023 3:48:04 PM / by The Hivemind posted in Threat Bulletin, Lazarus, North Korea, Financial, MacOS, Mac, RustBucket, BlueNoroff
Verticals Targeted: Financial
Executive Summary
North Korea nexus threat actor group BlueNoroff was recently observed using malware to target MacOS systems. Dubbed RustBucket, the malware can be used to communicate with the C2 to download and execute additional payloads.
PolySwarm 2022 Recap - Threat Actor Activity Highlights: North Korea
Dec 21, 2022 1:28:03 PM / by PolySwarm Tech Team posted in Threat Bulletin, North Korea, 2022 Recap, Asia, APAC
Executive Summary
This Threat Bulletin is part of PolySwarm’s 2022 Recap series. This report highlights the activity perpetrated by North Korea-based threat actors in 2022.
Key Takeaways
- This report provides highlights of activity perpetrated by North Korea-based threat actors in 2022.
- Threat actors featured in this report include Lazarus Group, BlueNoroff, Reaper, Andariel, Kimsuky, Gwisin, and H0ly Gh0st.
- PolySwarm tracked malware associated with multiple North Korea nexus threat actors in 2022.
North Korean Threat Actors Living Off the Land
Oct 11, 2022 12:47:31 PM / by PolySwarm Tech Team posted in Threat Bulletin, Lazarus, North Korea, LoTL, APT 38, Living off the land, ZataNile, EventHorizon
Related Families: ZetaNile (BlindingCan), EventHorizon
Verticals Targeted: Media, Defense, IT Services, Aerospace
Executive Summary
Microsoft recently reported on North Korean threat actor group Lazarus using living off the land (LOTL) techniques to target multiple verticals. Weaponization of legitimate tools includes SSH clients PuTTY and KiTTY, as well as TightVNC Viewer, Sumatra PDF reader, and muPDF/Subliminal Recording installer.
Kimsuky GoldDragon C2 Cluster
Sep 19, 2022 2:06:44 PM / by PolySwarm Tech Team posted in Threat Bulletin, Espionage, North Korea, Kimsuky, GoldDragon
Verticals Targeted: Think Tanks, Media, Government
Executive Summary
In early 2022, the North Korean threat actor group Kimsuky targeted a South Korean think tank and media entities. In this campaign, they leveraged what is known as the GoldDragon backdoor and associated C2 cluster.
Key Takeaways
Recent Ransomware Threats to Healthcare
Jul 21, 2022 1:27:35 PM / by PolySwarm Tech Team posted in Threat Bulletin, North Korea, Ransomware, Iran, IcedID, Healthcare, Maui, Quantum, Hospital
Executive Summary
Multiple ransomware families have been used to target the healthcare vertical in the past year. In this report, we cover recently reported attacks on the healthcare vertical leveraging Maui and Quantum ransomware families.