Threat Research

    Labs recently identified a wave of LNK file attacks targeting users in South Korea. These campaigns use multi-stage scripts and rely on GitHub as C2 infrastructure to avoid detection. While similar LNK files date back to 2024, earlier versions were less obfuscated and easier to trace, linking them to XenoRAT distribution....
    PlushDaemon is a China-aligned espionage group active since at least 2018, targeting entities in China, Taiwan, Hong Kong, Cambodia, South Korea, the United States, and New Zealand....
    APT37, a North Korea–linked threat group, conducted a social engineering campaign masquerading as an academic forum invitation from a South Korean national security think tank. The lure referenced a real event titled “Trump 2.0 Era: Prospects and South Korea’s Response” to gain credibility....
    A recent intrusion beginning in August 2025 revealed China-nexus threat actors using a technique called log poisoning to deploy a China Chopper web shell on vulnerable web servers. The attackers used AntSword for control and introduced a lesser-known tool, Nezha, to run commands and later deploy Ghost RAT. This marks the first known use of Nezha in web compromises....
    North Korean-aligned threat group APT37 (aka ScarCruft, Ruby Sleet, Velvet Chollima) has been observed using advanced malware in recent campaigns targeting individuals linked to the North Korean regime and human rights activism in South Korea....
    A research center uncovered a DPRK-linked espionage campaign targeting diplomatic missions in South Korea in early 2025. Between March and July, at least 19 spear-phishing attacks impersonated trusted contacts to lure embassy staff. Attackers used GitHub for covert C2 communications and cloud platforms like Dropbox to deliver XenoRAT malware....
    Gunra ransomware’s Linux variant significantly expands the group’s attack surface, reflecting its intention to move beyond its initial targets. This variant includes key features such as the ability to execute up to 100 encryption threads simultaneously and perform partial encryption....
    Earth Ammit, a threat actor linked to Chinese-speaking APT groups, conducted two coordinated cyberespionage campaigns—VENOM and TIDRONE—between 2023 and 2024, targeting organizations in Taiwan and South Korea....