korea (4)

The Lazarus Group is a North Korean state-sponsored cybercrime group, and it has been credited, in one way or another, with a recent social engineering campaign targeting developers on GitHub.  The group is said to have been created by the North Korean government as early as 2007 and is part of the RGB (Reconnaissance General Bureau), North Korea’s primary foreign intelligence agency.  “Lazarus Group” would appear to be the group's primary identity, but it has several aliases such as Appleworm, Group 77

The Shadow Force group is a threat group that has been active since 2013, targeting corporations and organizations in South Korea.  Trend Micro published the first analysis report in September 2015, stating that a Korean media-related company had been attacked.  In March 2020, AhnLab published an analysis report on Operation Shadow Force.  It was presented as a single campaign, although there was the possibility that it was the activity of an existing threat group.  However, no relevant threat group

A malicious campaign mounted by the North Korea-linked Lazarus Group targets energy providers worldwide, including those based in the United States, Canada, and Japan.

The campaign is meant to infiltrate organizations worldwide to establish long-term access and subsequently exfiltrate data of interest to the adversary's nation-state, according to investigators.  Some elements of the espionage attacks have already been reported in the media.

See:  https://redskyalliance.org/xindustry/lazarus-grou

A new ransomware strain called PXJ ransomware (also known as XVFXGW ransomware) was first discovered in late February 2020.[1]  Half of the known samples were uploaded from Korea, and it uses a Korean website for C2, indicating predominantly Asian targeting.

Details

The earliest PXJ ransomware sample is from 24 February 2020.  It received its name from the .pxj extension that it adds to the files it encrypts.  Its alternative name, XVFXGW, refers to the strings in two contact emails (xvfxgw3929@pr