South Korean Security Firm's Code Signing Certificate Leak Linked to North Korean APT

ENKIWhitehat

2025. 4. 1.

Executive Summary

  • On 2025-02-20, reports emerged that Somansa had been breached by a state-sponsored attacker, resulting in the compromise of its code signing certificate.

  • ENKI Threat Research Group subsequently discovered malware signed with Somansa's compromised certificate on VirusTotal. Our analysis revealed links to Democratic People's Republic of Korea (DPRK)-nexus threat actors.

  • Our analysis revealed that the p-e[.]kr domain, frequently employed by DPRK-nexus threat actors, was utilized for C&C.

  • Analysis of the malware's PE Rich Header showed product IDs and build IDs similar to those previously observed in malware attributed to DPRK, China, and Iran-nexus threat actors. This implies similar build environments, with the strongest correlations with DPRK-nexus threat actors.

1. Overview

Following reports that a code signing certificate of South Korean cybersecurity firm Somansa had been compromised, we discovered malware signed with Somansa's certificate on VirusTotal.

Our analysis identified the malware as a backdoor and, based on its C&C domain and PE Rich Header, established connections to DPRK-nexus threat actors.

This report details our analysis of the malware and its correlations to DPRK-nexus threat actors.

2. Background

On 2025-02-20, reports emerged that South Korean cybersecurity firm Somansa had been breached by a state-sponsored attacker, resulting in the compromise of its code signing certificate.

According to the information security industry and the Korea Internet & Security Agency (KISA) on the 20th, Somansa recently notified its clients, stating, "Evidence has been discovered of an attack by an external state-sponsored threat actor, resulting in the exfiltration of a product code signing certificate."

Somansa added that they "have been working with KISA since the 6th [of February], actively inspecting internal systems to prevent further damage." As the investigation is ongoing, the nation behind the hacking group has not yet been reported.

In the notification, Somansa announced that they "are re-signing packages with a new certificate and will roll out updates according to clients' respective package update schedules."

(Excerpt translated from a Korean news report titled "보안기업 '코드서명 인증서'까지 털렸다…국가배후 해킹조직 공격" ("Even a Security Firm's 'Code Signing Certificate' Was Hacked… State-Sponsored Hacking Group Attack"))

2.1. Code Signing

Code signing is a technology that enables verification of a program's origin and integrity using Public Key Cryptography.

Code signatures are generated using a private key and can be verified with the corresponding public key. Because it is effectively impossible to derive the private key from a public key, code signing is used to verify the origins of programs. However, if a private key is compromised, such as in this case, those with access to it can use it to generate code signatures.

On Microsoft Windows, code signatures can affect Windows Defender SmartScreen warnings:

  • "cannot verify the digital signature" warnings are not displayed.

  • Programs signed with the same certificate share reputation.

  • For certificates with sufficient reputation, "unknown publisher" warnings are not displayed.

    • OV (Organization Validated) Certificates don't receive enough reputation by default, so a warning is displayed.

    • EV (Extended Validation) Certificates receive enough reputation by default, so a warning is not displayed.

If a certificate is compromised, because programs signed with the same certificate share reputation, the reputation of all software signed with it may degrade. Furthermore, once a certificate compromise is confirmed, the certificate may be revoked, and the affected organization may face stricter validation from Certificate Authorities, making it harder to be issued new certificates.

If a code signing certificate is compromised, it can be used to sign arbitrary programs to misrepresent their origin. This allows attackers to exploit the trust associated with code signing, potentially misleading users or automated systems into authorizing a program that they would not have otherwise.


3. Malware Analysis

Following reports of the code signing certificate compromise, we assessed that the compromised certificate might be used to sign malware and started hunting. Using the VirusTotal query `signature:"somansa" tag:signed`, we discovered the malware. This sample was first uploaded to VirusTotal from South Korea on 2025-02-21 at 05:25:56 (UTC).


[Figure: VirusTotal upload history]


We verified that the malware had a valid signature, with the following details:

  • Validity Period: 2024-03-26 00:00:00 (UTC+0) to 2025-03-22 23:59:00 (UTC+0)

  • Date Signed: 2024-09-30 04:59:00 (UTC+0)

[Figure: Code signature information]

Most strings used by the malware are encrypted with a simple monoalphabetic substitution cipher. This is implemented like a shift cipher (key = 41) but with a custom alphabet (`7Uzc5ngXl_ESWkj3t14Cw+aYLvyh0odZH8OReKiNIr-JM2GQAxpmVb=qPTuB9Ds6fF`). Characters not present in this custom alphabet are left unchanged. For example, the character 'K' at index 37 is substituted with the character at index (37 + 41) % 66 = 12, which is 'W'.

[Figure: String decryption function]

The following types of strings are encrypted:

  • Library and function names

  • Parts of the self-deletion script (excluding format strings)

  • Other strings, including the C&C domain, GDI-related strings, and the self-deletion script name.

Library functions are dynamically resolved using what appears to be a modified version of HackingTeam's dynamic_import code, with the following modifications:

  • The aforementioned string decryption function is used in place of shiftBy1.

  • ReportExitProcess is not called on failure.

[Figure: The dynamic API resolution code we analyzed]

[Figure: HackingTeam's dynamic_import code]

An IDAPython script developed to decrypt these strings is provided below.

```python
from idaapi import *
from idautils import *
from idc import *
from ida_segment import get_segm_by_name

# Addresses and names below are specific to the analyzed sample:
#   0x1400011F0 - function whose internal references to the decryption
#                 routines must be skipped (not real call sites)
#   sub_1400013E0, sub_140001350 - the string decryption routines
SKIP_FUNC_EA = 0x1400011F0
DECRYPT_FUNCS = ("sub_1400013E0", "sub_140001350")

CUSTOM_ALPHABET = "7Uzc5ngXl_ESWkj3t14Cw+aYLvyh0odZH8OReKiNIr-JM2GQAxpmVb=qPTuB9Ds6fF"
SHIFT = 41


def get_ins(ea):
    """Return [mnemonic, operand0, operand1] for the instruction at ea."""
    return [print_insn_mnem(ea), print_operand(ea, 0), print_operand(ea, 1)]


def read_cstr(ea):
    """Read a NUL-terminated byte string from the database at ea."""
    result = ""
    i = 0
    while get_byte(ea + i) != 0:
        result += chr(get_byte(ea + i))
        i += 1
    return result


def check_ea(ea):
    """True if ea is referenced from inside SKIP_FUNC_EA."""
    func = get_func(SKIP_FUNC_EA)
    if func is None:
        return False
    for xref in XrefsTo(ea):
        if func.start_ea < xref.frm < func.end_ea:
            return True
    return False


def search_en_data(ea):
    """Walk backwards from the call at ea to the 'lea rcx, <string>' that
    loads the encrypted string argument, and return that string."""
    while True:
        ins = get_ins(ea)
        if ins[0] == "lea" and ins[1] == "rcx":
            addr = get_name_ea_simple(ins[2])
            return read_cstr(addr)
        ea = prev_head(ea)


def decrypt(en_data):
    """Shift each character of the custom alphabet by SHIFT; other characters are left unchanged."""
    result = list(en_data)
    for i, data in enumerate(result):
        if data in CUSTOM_ALPHABET:
            j = CUSTOM_ALPHABET.index(data)
            result[i] = CUSTOM_ALPHABET[(j + SHIFT) % len(CUSTOM_ALPHABET)]
    return "".join(result)


segm = get_segm_by_name(".text")
ea = segm.start_ea
end_ea = segm.end_ea

while ea < end_ea:
    if check_ea(ea):
        ea = next_head(ea)
        continue
    disasm = GetDisasm(ea)
    if any(name in disasm for name in DECRYPT_FUNCS):
        plaintext = decrypt(search_en_data(ea))
        print(hex(ea), plaintext)
        set_cmt(ea, plaintext, 0)  # annotate the call site with the decrypted string
    ea = next_head(ea)
```

The malware first generates a 40-bit unique identifier (UID) using CPU timing jitter. It counts the number of loop iterations until the return value of clock() changes and takes the parity of that count; this measurement is performed twice. If the two parities differ, the first is used as one bit of entropy. This process is repeated 40 times to generate the UID.

The C standard specifies that clock() returns the processor time used by the process. However, the Universal C Runtime (UCRT) used on Microsoft Windows does not conform to this: its clock() returns, approximately, the wall-clock time elapsed since process start. Therefore, the value generated by this function may vary depending on environmental factors such as CPU state or system load.

This unusual Random Number Generator (RNG) implementation can be viewed as a notable characteristic of the malware.

[Figure: UID initialization function]

The C&C server URL is tcp://daumnet[.]p-e[.]kr:9980, and communications use a Type-Length-Value (TLV) protocol over TCP.


[Figure: C&C protocol]

Data sent to and received from the C&C server is encrypted and decrypted using an XOR operation with the following key:

[0x3b, 0xa0, 0x28, 0xcc, 0x41, 0x0f, 0xd6, 0x5e, 0xb7, 0x83, 0x92, 0xcf, 0xe4, 0x4a, 0xb8, 0x77]

Send operations are performed as follows:

  1. type, size are encrypted with the key and sent.

  2. data is encrypted with the key and sent.

Receive operations are performed with the same steps in reverse.

The C&C handshake procedure is performed as follows:

  1. type = 0x3e9, size = 3, data = {0x1a, 0x3c, 0x5e} is sent.

  2. If the response is the same as what was sent above, type = 0x3eb, size = 5, data = UID is sent.


[Figure: Handshake function]

After a successful handshake, the following information is collected and sent to C&C:

  • Administrator group membership

  • List of IPv4 addresses

  • Computer name

  • Username

  • Executable path of the malware

  • Process ID (PID) of the malware

The information is formatted with "%d|%s|%s|%s|%s|%x" and sent with type = 0x3e8. Then, attempts to receive commands are made, retrying after 60 seconds on failure. The commands are detailed in the table below.
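The framing, XOR layer, handshake and check-in record described above, written out as an added example from the point of view of an analyst decoding captured traffic. This is not code from the report or from the malware. The XOR key, the type values and the handshake bytes are the ones given above; the header layout (type and size as two 32-bit little-endian integers), the key stream restarting at offset 0 for each send, and the field order of the check-in record (taken to follow the list above) are assumptions, and the sample session is constructed.

```python
import struct

# The XOR key is the one the report gives; header layout, key-stream reset
# and the sample traffic are assumptions/constructed data for this example.
XOR_KEY = bytes([0x3b, 0xa0, 0x28, 0xcc, 0x41, 0x0f, 0xd6, 0x5e,
                 0xb7, 0x83, 0x92, 0xcf, 0xe4, 0x4a, 0xb8, 0x77])

HANDSHAKE_TYPE, HANDSHAKE_DATA = 0x3e9, bytes([0x1a, 0x3c, 0x5e])
UID_TYPE, CHECKIN_TYPE = 0x3eb, 0x3e8

# Assumption: type and size are two 32-bit little-endian integers, and the key
# stream restarts at offset 0 for every send() (header and data are separate sends).
HEADER = struct.Struct("<II")


def xor_layer(buf):
    """Apply the repeating 16-byte XOR key (the transform is its own inverse)."""
    return bytes(b ^ XOR_KEY[i % len(XOR_KEY)] for i, b in enumerate(buf))


def encode_frame(ftype, data):
    """Build one TLV frame as the two-step send would put it on the wire."""
    return xor_layer(HEADER.pack(ftype, len(data))) + xor_layer(data)


def decode_frames(stream):
    """Split one direction of a captured TCP session into (type, data) tuples.
    Raises ValueError if the stream ends in the middle of a frame."""
    frames, off = [], 0
    while off < len(stream):
        if off + HEADER.size > len(stream):
            raise ValueError("truncated header at offset %d" % off)
        ftype, size = HEADER.unpack(xor_layer(stream[off:off + HEADER.size]))
        off += HEADER.size
        if off + size > len(stream):
            raise ValueError("truncated data for type 0x%x" % ftype)
        frames.append((ftype, xor_layer(stream[off:off + size])))
        off += size
    return frames


def is_handshake_probe(first_payload):
    """Detection helper: true if a client's first payload is the
    type 0x3e9 / size 3 / {1a 3c 5e} probe. Because the key is fixed, the
    encoded probe is a constant 11-byte pattern."""
    return first_payload == encode_frame(HANDSHAKE_TYPE, HANDSHAKE_DATA)


def parse_checkin(data):
    """Parse the host-information record formatted as "%d|%s|%s|%s|%s|%x".
    Assumption: the fields follow the order the report lists them in."""
    parts = data.decode("utf-8", errors="replace").split("|")
    if len(parts) != 6:
        raise ValueError("expected 6 fields, got %d" % len(parts))
    return {"is_admin": int(parts[0]), "ipv4": parts[1],
            "computer_name": parts[2], "username": parts[3],
            "exe_path": parts[4], "pid": int(parts[5], 16)}


def constructed_client_stream():
    """Constructed example of the client side of a session: handshake probe,
    UID (5 bytes), then the check-in record. Not captured traffic."""
    uid = bytes([0x01, 0x23, 0x45, 0x67, 0x89])  # constructed 40-bit UID
    checkin = b"1|192.0.2.10|WORKSTATION01|alice|C:\\Users\\alice\\update.exe|1a2b"
    return (encode_frame(HANDSHAKE_TYPE, HANDSHAKE_DATA)
            + encode_frame(UID_TYPE, uid)
            + encode_frame(CHECKIN_TYPE, checkin))


if __name__ == "__main__":
    for ftype, data in decode_frames(constructed_client_stream()):
        print(hex(ftype), data)
```

`decode_frames` takes the reassembled payload bytes of one direction of the TCP session (for example, extracted from a pcap). A frame whose decoded size runs past the capture is reported rather than silently truncated, which is the usual failure when a session was only partially captured.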

| type | Action | Details |
| --- | --- | --- |
| 0x03ed | Exit | Terminates the malware process. |
| 0x03ee | Self-Delete and Exit | Self-deletes using a generated batch script (1.bat), then exits. |
| 0x07d1 | Start Reverse Shell | Starts a reverse shell thread. Launches cmd.exe in a new process group and a JOB_OBJECT_LIMIT_KILL_ON_JOB_CLOSE job. Input/output are piped. Output is polled every 10 ms and sent with type = 0x07d3. |
| 0x07d2 | Write to Reverse Shell | Writes received data to the reverse shell thread's input pipe. |
| 0x07d4 | Close Reverse Shell | Closes the reverse shell thread, resulting in its termination. |
| 0x0bb9 | Get Drive Information | Retrieves capacity and free space for each logical drive and sends this information with type = 0x0bba. |
| 0x0bbb | List Files/Directories | If the specified path is a directory:<br>- For each file/directory under it:<br>  - Sends type = 0x0bbd with file/directory information.<br>  - For files: filename, creation time (ctime), modification time (mtime), and size.<br>  - For directories: directory name, ctime, and mtime.<br>  - On error, sends type = 0x0bbd.<br>Else, sends type = 0x0bbd. |
| 0x0ce4 | Zero, Move, Delete File | In a separate thread:<br>- Overwrites the file content with a pattern of {0x5f} followed by {0x00} repeated 0x3fff times.<br>- Moves the file to a new name consisting of random lowercase letters ([a-z]) of the original filename's length.<br>- Deletes the renamed file. |
| 0x0ce5 | Delete File | Deletes the specified file. |
| 0x0c1c | Open File | Opens the specified file. Sends type = 0x0c20 on success, type = 0x0c1f on error. |
| 0x0c1d | Write to File | Writes data to the file opened with the 0x0c1c command. On error or completion, sends type = 0x0c1f and closes the file. |
| 0x0c1e | Close File | Closes the file opened with the 0x0c1c command. |
| 0x0c80 | Start File Exfiltration | Starts a file exfiltration thread, which attempts to send all files under a given path:<br>- On error, sends type = 0x0c86 and exits.<br>- Sends file metadata (path, name, file_size) with type = 0x0c81 and data formatted as L"%s\|%s\|%I64u".<br>- Sends file content in 0x100000-byte chunks with type = 0x0c82.<br>- On success, sends type = 0x0c84.<br>- If stopped, sends type = 0x0c86. |

Table: types and their corresponding operations

4. Attribution

4.1. C&C Domain Correlation

The C&C domain utilized by the malware is daumnet[.]p-e[.]kr. This domain has previously been linked to Kimsuky, a DPRK-nexus threat actor. The following domains share the same WHOIS Admin Contact (AC) email address (`cfa4a551515dc742s@gmail.com`) as p-e[.]kr:

  • n-e[.]kr

  • r-e[.]kr

  • o-r[.]kr

  • kro[.]kr

AhnLab, in their report "Phishing Attacks Impersonating Famous Korean Banking Apps", identified several domains frequently used by Kimsuky, all of which share the same WHOIS AC (cfa4a551515dc742s@gmail.com):

  • n-e[.]kr

  • p-e[.]kr

  • r-e[.]kr

  • o-r[.]kr

  • kro[.]kr

Additionally, Genians, in their report "위협 행위자 김수키의 이메일 피싱 캠페인 분석" ("Analysis of Kimsuky Threat Actor's Email Phishing Campaign"), found that the p-e[.]kr domain was used by Kimsuky in phishing emails disguised as MYBOX security notifications, designed to steal email credentials.


4.2. Code Correlation

In AhnLab's "North Korea-related Hangul Word Processor (HWP) File Being Distributed" report, sample a7077d9a2c98ec2d0b3b1c12f23b2a79 employs the same methods for dynamic API resolution as observed in the malware we analyzed.

[Figure: The dynamic API resolution code in a7077d9a2c98ec2d0b3b1c12f23b2a79]

[Figure: The dynamic API resolution code we analyzed]

The string decryption code is also identical, but with a different alphabet (`zcgXlSWkj314CwaYLvyh0U_odZH8OReKiNIr-JM2G7QAxpnmEVbqP5TuB9Ds6fFt`) and key (-22).
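The cipher described in section 3 and the variant with a different alphabet and key just mentioned are the same transform with different parameters. The following is an added example (not code from the report or from either sample) that parameterizes it over alphabet and key, reproduces the report's 'K' to 'W' example, and adds the inverse transform, which is what a static detection rule needs in order to derive the encrypted form of a known plaintext string. The alphabets and keys are those given in the report; the plaintext used for the round trip is constructed.

```python
# Added example: parameterized version of the string cipher described in this
# report. The alphabets and keys are the ones the report gives for each sample.

ALPHABET_SIGNED_SAMPLE = "7Uzc5ngXl_ESWkj3t14Cw+aYLvyh0odZH8OReKiNIr-JM2GQAxpmVb=qPTuB9Ds6fF"
KEY_SIGNED_SAMPLE = 41            # shift used by the Somansa-signed backdoor

ALPHABET_A7077D9A = "zcgXlSWkj314CwaYLvyh0U_odZH8OReKiNIr-JM2G7QAxpnmEVbqP5TuB9Ds6fFt"
KEY_A7077D9A = -22                # shift used by a7077d9a2c98ec2d0b3b1c12f23b2a79


def shift_substitute(text, alphabet, key):
    """Replace each character found in `alphabet` with the one `key` positions
    further along (wrapping at the alphabet length). Characters the alphabet
    lacks, such as '.', pass through unchanged."""
    n = len(alphabet)
    index = {c: i for i, c in enumerate(alphabet)}
    return "".join(alphabet[(index[c] + key) % n] if c in index else c for c in text)


def decrypt(ciphertext, alphabet, key):
    """The malware's decryption routine for the given parameters."""
    return shift_substitute(ciphertext, alphabet, key)


def encrypt(plaintext, alphabet, key):
    """Inverse transform. Running a known plaintext (e.g. a library name)
    through it yields the bytes that sit in the binary, which is the form a
    static string rule has to match."""
    return shift_substitute(plaintext, alphabet, -key)


def worked_example():
    """The report's example: 'K' is at index 37 and (37 + 41) % 66 == 12 -> 'W'."""
    return decrypt("K", ALPHABET_SIGNED_SAMPLE, KEY_SIGNED_SAMPLE)


if __name__ == "__main__":
    for name, alphabet, key in (("signed sample", ALPHABET_SIGNED_SAMPLE, KEY_SIGNED_SAMPLE),
                                ("a7077d9a", ALPHABET_A7077D9A, KEY_A7077D9A)):
        enc = encrypt("kernel32.dll", alphabet, key)  # constructed plaintext
        print(name, repr(enc), "->", decrypt(enc, alphabet, key))
```

Because both samples leave out-of-alphabet characters untouched, the '.' in a DLL name survives encryption; a string rule built from `encrypt()` output will therefore still contain recognizable separators, which is worth keeping in mind when judging how specific such a rule is.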

[Figure: The string decryption code in a7077d9a2c98ec2d0b3b1c12f23b2a79]

[Figure: The string decryption code we analyzed]

Palo Alto Networks, in their "Unraveling Sparkling Pisces’s Tool Set: KLogEXE and FPSpy" report, found that Kimsuky's KLogEXE and FPSpy malware utilized the dynamic API resolution and string decryption code from HackingTeam's dynamic_import. Additionally, the r-e[.]kr domain was used.

[Figure: The dynamic API resolution code in 9760f489a390665b5e7854429b550c83]

In AhnLab's "SmallTiger Malware Used in Attacks Against South Korean Businesses (Kimsuky and Andariel)" report, Andariel's SmallTiger malware used the same string decryption code, but with a different alphabet and key.

[Figure: The string decryption code in 2766fcf5fa81a2877864a07ef306cde4]

Additionally, the following domains were used in C&C infrastructure:

  • kro[.]kr

  • n-e[.]kr

  • n-b[.]kr

  • o-r[.]kr

  • p-e[.]kr

[Figure: IOCs from "SmallTiger Malware Used in Attacks Against South Korean Businesses (Kimsuky and Andariel)"]

4.3. Build Environment Correlation

Through PE Rich Header analysis, we were able to correlate the build environment of the analyzed malware with those of samples previously attributed to threat actors.

The PE Rich Header contains information about the tools used, including their Product IDs, Build IDs, and usage counts. If the combination of tools used is uncommon, it can be used to correlate malware to their build environments, and potentially its authors.

The PE Rich Header information in the analyzed malware is as follows:

```python
RichEntry(product_id = 0x0102, build_id = 0x59f2, count = 0x00000001), # VS2015 Linker 14.00.23026
RichEntry(product_id = 0x00ff, build_id = 0x59f2, count = 0x00000001), # VS2015 CVTRES 14.00.23026
RichEntry(product_id = 0x0109, build_id = 0x59f2, count = 0x00000003), # VS2015 Universal Tuple Compiler(LTCG/C++) 19.00.23026
RichEntry(product_id = 0x0001, build_id = 0x0000, count = 0x00000067), # Import
RichEntry(product_id = 0x00cb, build_id = 0xffdd, count = 0x00000009), # VS2012 Import 11.00.65501
RichEntry(product_id = 0x0104, build_id = 0x59e5, count = 0x00000014), # VS2015+ Universal Tuple Compiler(C) 19.00.23013
RichEntry(product_id = 0x0105, build_id = 0x59e5, count = 0x00000021), # VS2015+ Universal Tuple Compiler(C++) 19.00.23013
RichEntry(product_id = 0x0103, build_id = 0x59e5, count = 0x00000008), # VS2015+ MASM 14.00.23013
RichEntry(product_id = 0x00f2, build_id = 0x9cb4, count = 0x0000000d), # VS2013 Universal Tuple Compiler(C) 18.10.40116
RichEntry(product_id = 0x00f3, build_id = 0x9cb4, count = 0x00000087), # VS2013 Universal Tuple Compiler(C++) 18.10.40116
RichEntry(product_id = 0x00f1, build_id = 0x9cb4, count = 0x00000005)  # VS2013 MASM 12.10.40116
```

Of these, we identified version information for the following tools:

  • VS2015 Linker 14.00.23026

  • VS2015 CVTRES 14.00.23026

  • VS2015 Universal Tuple Compiler (LTCG/C++) 19.00.23026

  • VS2012 Import 11.00.65501

  • VS2013 Universal Tuple Compiler (C) 18.10.40116

  • VS2013 Universal Tuple Compiler (C++) 18.10.40116

  • VS2013 MASM 12.10.40116

We were unable to determine the precise version information for the remaining tools.

To identify samples with similar PE Rich Headers, we first queried VirusTotal. Although VirusTotal does not expose functionality to directly match PE Rich Header information, it is possible to match some tools present in the header. Because this is a weaker condition than all tools matching, we are able to find a superset of the set of matching samples.

  • We were able to query 233.0M PE files on VirusTotal.

  • We searched for samples with some of the same tools present in their Rich Headers using the query: `entity:file type:pe detectiteasy:"Linker: Microsoft Linker(14.00.23026)" detectiteasy:"Compiler: Microsoft Visual C/C++(19.00.23026)[LTCG/C++]" detectiteasy:"Tool: Visual Studio(2015)"`. This yielded 27.9K samples.

  • Filtering to samples with at least 8 detections, we found 9.2K samples.

  • We retrieved these samples and matched their PE Rich Headers against the sample we analyzed. We found 1,412 inclusive matches (samples whose set of tools included the analyzed sample's set of tools) and 278 exact matches (samples whose set of tools equaled it).

Calculating the rounded percentages relative to the 233.0M PE files at each step, we get 0.012% weak matches, 0.004% with sufficient detections, 0.0006% inclusive matches, and 0.00012% exact matches, confirming that this is an uncommon set of PE Rich Header information.
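An added example (not code from the report) of the two steps above that a reader would want to reproduce locally: extracting the (product ID, build ID, count) entries from a PE file's Rich header, and classifying another sample's tool set as an exact or inclusive match against the analyzed sample's entries listed earlier in this section. It also recomputes the Rich header checksum (the value stored after "Rich", which doubles as the XOR key), as commonly documented: a mismatch is a strong sign that the header was altered or transplanted, while a match is not proof of authenticity, since a header copied together with an identical DOS stub still validates. The entries are the report's; the test PE is constructed, and treating a "tool" as the (product ID, build ID) pair with counts ignored is an assumption.

```python
import struct

# Added example, not code from the report. Parses the Rich header of a PE file,
# verifies its checksum, and applies the report's inclusive/exact matching.

DANS = 0x536E6144        # "DanS" read as a little-endian dword
RICH_MAGIC = b"Rich"

# Entries the report lists for the analyzed sample: (product_id, build_id, count)
ANALYZED_SAMPLE = [
    (0x0102, 0x59f2, 0x01), (0x00ff, 0x59f2, 0x01), (0x0109, 0x59f2, 0x03),
    (0x0001, 0x0000, 0x67), (0x00cb, 0xffdd, 0x09), (0x0104, 0x59e5, 0x14),
    (0x0105, 0x59e5, 0x21), (0x0103, 0x59e5, 0x08), (0x00f2, 0x9cb4, 0x0d),
    (0x00f3, 0x9cb4, 0x87), (0x00f1, 0x9cb4, 0x05),
]


def rol32(value, n):
    n %= 32
    return ((value << n) | (value >> (32 - n))) & 0xFFFFFFFF


def rich_checksum(dos_bytes, dans_offset, entries):
    """The value the linker stores after "Rich" (it is also the XOR key):
    the DanS offset, plus every DOS-stub byte rotated by its offset (e_lfanew
    at 0x3c..0x3f is skipped), plus every compid rotated by its count."""
    cksum = dans_offset
    for i in range(dans_offset):
        if 0x3C <= i < 0x40:
            continue
        cksum += rol32(dos_bytes[i], i)
    for product_id, build_id, count in entries:
        cksum += rol32((product_id << 16) | build_id, count)
    return cksum & 0xFFFFFFFF


def parse_rich_header(pe):
    """Return {"key", "entries", "checksum_ok"}, or None if there is no Rich header.
    Layout: DanS^key, three padding dwords (0^key), (compid^key, count^key) pairs,
    then "Rich" and the plaintext key; compid = product_id << 16 | build_id."""
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    end = pe.rfind(RICH_MAGIC, 0, e_lfanew)        # the header precedes the PE header
    if end == -1 or end + 8 > len(pe):
        return None
    key = struct.unpack_from("<I", pe, end + 4)[0]
    start = end - 4
    while start >= 0 and struct.unpack_from("<I", pe, start)[0] ^ key != DANS:
        start -= 4
    if start < 0:
        return None
    entries = []
    for off in range(start + 16, end, 8):         # skip DanS and the 3 padding dwords
        comp, count = struct.unpack_from("<II", pe, off)
        comp ^= key
        entries.append((comp >> 16, comp & 0xFFFF, count ^ key))
    return {"key": key, "entries": entries,
            "checksum_ok": rich_checksum(pe, start, entries) == key}


def tool_set(entries):
    # Assumption: a "tool" is the (product_id, build_id) pair; counts are ignored.
    return {(p, b) for p, b, _ in entries}


def classify_match(candidate, reference=ANALYZED_SAMPLE):
    """'exact' if the candidate uses the same set of tools as the reference,
    'inclusive' if it uses a superset, otherwise None."""
    cand, ref = tool_set(candidate), tool_set(reference)
    if cand == ref:
        return "exact"
    if cand >= ref:
        return "inclusive"
    return None


def build_test_pe(entries, stub=b"\x00" * 0x40):
    """Construct a minimal MZ header + DOS stub + Rich header + "PE\\0\\0" so the
    parser can be exercised offline. Constructed data, not a real binary."""
    dos = bytearray(b"MZ" + b"\x00" * 0x3E) + stub
    dans_offset = len(dos)
    key = rich_checksum(dos, dans_offset, entries)
    body = struct.pack("<IIII", DANS ^ key, key, key, key)
    for p, b, c in entries:
        body += struct.pack("<II", ((p << 16) | b) ^ key, c ^ key)
    body += RICH_MAGIC + struct.pack("<I", key)
    struct.pack_into("<I", dos, 0x3C, dans_offset + len(body))   # e_lfanew
    return bytes(dos) + body + b"PE\x00\x00"


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_test_pe(ANALYZED_SAMPLE)
    info = parse_rich_header(data)
    if info is None:
        print("no Rich header")
    else:
        for p, b, c in info["entries"]:
            print("product_id=0x%04x build_id=0x%04x count=%d" % (p, b, c))
        print("checksum ok:", info["checksum_ok"], "match:", classify_match(info["entries"]))
```

Run with a file path to inspect a real PE, or without arguments to parse the constructed test binary. Mapping product and build IDs to tool names (as in the annotated listing above) needs an external lookup table and is left out here.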

Additionally, from vx-underground's yearly APT archives, out of 22,197 deduplicated samples, we found 14,950 PE files, and performed the same matching as above.

As a result, we found 28 inclusive matches, and 8 exact matches. In all 28, we confirmed links to DPRK, China, or Iran-nexus threat actors. We list the details below, and the hashes in the IOC section.

DPRK-Nexus

From AhnLab's “Analysis Report on Lazarus Threat Group’s Volgmer and Scout Malwares” report, we found 2 Volgmer backdoor samples with exact matches and 4 with inclusive matches.

From Kaspersky's “Lazarus Trojanized DeFi app for delivering malware” report, we found 3 samples listed as "Similar Backdoor" with exact matches.

From Malwarebytes' “Retrohunting APT37: North Korean APT used VBA self decode technique to inject RokRat” report, we found 4 RokRAT samples with inclusive matches.

From TALOS' "Korea In The Crosshairs” report, we found a RokRAT sample with an inclusive match.

From stairwell's “The ink-stained trail of GOLDBACKDOOR” report, we found a GOLDBACKDOOR sample with an inclusive match.

From VOLEXITY's “North Korean APT InkySquid Infects Victims Using Browser Exploits”, we found 2 BLUELIGHT samples with inclusive matches.

China-Nexus

From nccgroup's “Abusing cloud services to fly under the radar” report, we found 2 samples with exact matches.

From SentinelLABS' “ShadowPad | A Masterpiece of Privately Sold Malware in Chinese Espionage” report, we found ShadowPad samples: 1 with an inclusive match and 1 with an exact match.

Iran-Nexus

From Kaspersky's “Ferocious Kitten: 6 years of covert surveillance in Iran” report, we found 2 MarkiRAT samples with inclusive matches.

From unit42's “OilRig Targets Middle Eastern Telecommunications Organization and Adds Novel C2 Channel with Steganography to Its Inventory” report, we found 5 RDAT backdoor samples with inclusive matches.

PE Rich Headers can be forged, and such cases have been reported. For example, in Kaspersky's “The devil’s in the Rich header” report, a sample's PE Rich Header had been copied from another executable. In that case the Product ID, Build ID, and count values were identical, but we found no such case for the sample we analyzed, so we deem forgery unlikely here.

Based on these analyses, we assess that this sample is related to DPRK-nexus threat actors. Of the 28 samples with an inclusive match, 17 are attributed to DPRK-nexus threat actors. The uncommon set of tools used, combined with the fact that the majority of correlated samples are attributed to DPRK-nexus actors, supports this assessment.

5. Course of Action

Organizations that manage code signing certificates must implement rigorous security measures to prevent certificate exfiltration. Certificates should be stored encrypted and securely, such that external access is prevented. Systems that apply code signatures should be strictly isolated from other systems.

In addition to secure certificate management, code signing policies also require hardening. Because code signature checks can be bypassed or ignored, code signing must be enforced, not merely checked, in order to be effective. Furthermore, the default security settings in Microsoft Windows are very insecure: by default, it is possible to bypass code signature checks and run code, and signatures made with revoked certificates are trusted. These settings can be changed to prevent this, but they are numerous and complex.

The simplest approach is to enable Windows Smart App Control. Smart App Control only allows code with valid signatures or that Microsoft deems safe, to run. However, even in this case it is possible to run code with invalid signatures, and code that Microsoft deems safe may turn out to be malware, so caution is needed.

A more complex but robust approach is to create and apply a custom Windows Defender Application Control (WDAC) policy. Smart App Control is based on WDAC, and it is possible to create an App Control policy based on the Smart App Control policy. Disabling `Enabled:Intelligent Security Graph Authorization` and enabling `Enabled:Revoked Expired As Unsigned` will block code with invalid signatures that Microsoft deems safe, and code signed with revoked or expired certificates will also be blocked.
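The two rule-option changes just described operate on the `<Rules>` section of the WDAC policy XML. The following is an added example (not Microsoft's tooling and not from the report) that applies them to a policy file and, optionally, removes audit mode once the policy has been validated. On Windows the same edits are made with the ConfigCI cmdlets (`Set-RuleOption -Option 14 -Delete` for ISG authorization, `Set-RuleOption -Option 20` for treating revoked or expired certificates as unsigned, then `ConvertFrom-CIPolicy` to compile the binary policy); the script here shows the resulting policy content and can be run anywhere. The policy fragment is constructed for the example and is not a Smart App Control export.

```python
import xml.etree.ElementTree as ET

# Added example, not Microsoft's tooling. Rewrites the <Rules> section of a
# WDAC policy XML: drop ISG authorization, add "Revoked Expired As Unsigned",
# and optionally remove audit mode.
NS = "urn:schemas-microsoft-com:sipolicy"
ET.register_namespace("", NS)

ISG_AUTHORIZATION = "Enabled:Intelligent Security Graph Authorization"
REVOKED_EXPIRED_AS_UNSIGNED = "Enabled:Revoked Expired As Unsigned"
AUDIT_MODE = "Enabled:Audit Mode"

# Constructed policy fragment (not a Smart App Control export); only the
# <Rules> element matters for this example.
SAMPLE_POLICY = """<SiPolicy xmlns="urn:schemas-microsoft-com:sipolicy" PolicyType="Base Policy">
  <VersionEx>10.0.0.0</VersionEx>
  <PolicyID>{00000000-0000-0000-0000-000000000000}</PolicyID>
  <Rules>
    <Rule><Option>Enabled:UMCI</Option></Rule>
    <Rule><Option>Enabled:Intelligent Security Graph Authorization</Option></Rule>
    <Rule><Option>Enabled:Audit Mode</Option></Rule>
  </Rules>
</SiPolicy>
"""


def rule_options(xml_text):
    """List the <Option> values under <Rules>, in document order."""
    root = ET.fromstring(xml_text)
    return [o.text for o in root.iterfind("./{%s}Rules/{%s}Rule/{%s}Option" % (NS, NS, NS))]


def harden_policy(xml_text, enforce=False):
    """Return the policy with ISG authorization removed and revoked/expired
    certificates treated as unsigned. With enforce=True, audit mode is also
    removed; keep it until the policy has been validated in audit mode."""
    root = ET.fromstring(xml_text)
    rules = root.find("./{%s}Rules" % NS)
    if rules is None:
        raise ValueError("policy has no <Rules> element")
    drop = {ISG_AUTHORIZATION} | ({AUDIT_MODE} if enforce else set())
    for rule in list(rules):
        if rule.findtext("./{%s}Option" % NS) in drop:
            rules.remove(rule)
    present = {r.findtext("./{%s}Option" % NS) for r in rules}
    if REVOKED_EXPIRED_AS_UNSIGNED not in present:   # idempotent: add only once
        rule = ET.SubElement(rules, "{%s}Rule" % NS)
        ET.SubElement(rule, "{%s}Option" % NS).text = REVOKED_EXPIRED_AS_UNSIGNED
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print(harden_policy(SAMPLE_POLICY, enforce=True))
```

Keeping `Enabled:Audit Mode` on the first deployment is what lets the block decisions show up in the Code Integrity event log without stopping anything; removing it is the step that turns the checked policy into an enforced one.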

Among other approaches, security features such as AppLocker can be used to harden code signing policies.

6. Conclusion

On 2025-02-20, reports emerged that Somansa's code signing certificate had been compromised. Subsequently, on 2025-02-21 at 05:25 UTC, malware with a valid Somansa signature was uploaded to VirusTotal.

While the circumstances under which this malware was used are unknown, through C&C domain, code pattern and PE Rich Header analysis we were able to establish a connection to DPRK-nexus threat actors. Furthermore, the successful exfiltration and subsequent abuse of code signing certificates shows the sophistication of the threat actor.

Attacks attributed to DPRK-nexus threat actors are becoming increasingly refined and persistent. These actors have been observed repeatedly targeting the same organizations, using various themes. Beyond the case detailed in this report, organizations and individuals should remain vigilant and cautious of potentially unidentified threats from the past or from insider threats.

7. Appendix

Appendix A. MITRE ATT&CK

| Tactics | Techniques |
| --- | --- |
| Reconnaissance | T1592: Gather Victim Host Information<br>T1590.005: Gather Victim Network Information: IP Addresses |
| Execution | T1059.003: Command and Scripting Interpreter: Windows Command Shell<br>T1106: Native API |
| Privilege Escalation | T1134.001: Access Token Manipulation: Token Impersonation/Theft<br>T1134.002: Access Token Manipulation: Create Process with Token |
| Defense Evasion | T1140: Deobfuscate/Decode Files or Information<br>T1070.004: Indicator Removal: File Deletion<br>T1070.006: Indicator Removal: Timestomp<br>T1027.007: Obfuscated Files or Information: Dynamic API Resolution<br>T1027.008: Obfuscated Files or Information: Stripped Payloads<br>T1553.002: Subvert Trust Controls: Code Signing |
| Discovery | T1083: File and Directory Discovery<br>T1046: Network Service Discovery<br>T1069.001: Permission Groups Discovery: Local Groups<br>T1057: Process Discovery<br>T1082: System Information Discovery<br>T1033: System Owner/User Discovery |
| Collection | T1113: Screen Capture |
| Command and Control | T1132.002: Data Encoding: Non-Standard Encoding<br>T1573.001: Encrypted Channel: Symmetric Cryptography |
| Exfiltration | T1030: Data Transfer Size Limits<br>T1041: Exfiltration Over C2 Channel |
| Impact | T1485: Data Destruction<br>T1565.001: Data Manipulation: Stored Data Manipulation |

Appendix B. IOCs

Malware

  • 983b16c505a0b52a65dd31c7f50f8e9bfa2d7160d14e8eefbdf29b5c4a2c6e68

C&C

  • daumnet.p-e[.]kr:9980

Malware with PE Rich Header similarities

DPRK-Nexus

Analysis Report on Lazarus Threat Group’s Volgmer and Scout Malwares

  • 0d133ea8098e3802bf74202e4d25d6e151fbbd1b787ed08e063bd678166da8c1

  • 568465424dfff48605ee683409dc31f74dd612ffc182971c549fd4801fb6cf18

  • 0e0e0736f98e1819f50b6f05fa59b19296ea7a61042be94c46eb03012b42ea49

  • 80f31bf4e0b4ba1d3c963cf37dd7cefb5517b6454f7809fe3a1703e8b5941b41

  • b4f8177d87df58e31afab30302a9d9ba609cd975341b5532f75808da342381db

  • f563f8abf56ae9819462e21635fbd4c790b2f7d69ae8c02d042a3510209694a9

Lazarus Trojanized DeFi app for delivering malware

  • 202cfbe37bcde2f5700fa43e5a4e08e6b2df6322d9cdfa958d95ab598b47b6b3

  • 4281854f27a755ab51e71d951016ad10ff30a03cd612ba1b14c4d89d9b4be212

  • d178cced92bbce22d2214dbdd3db0491f1c352d21634fda9abd08d720faca84d

Retrohunting APT37: North Korean APT used VBA self decode technique to inject RokRat

  • 2a253c2aa1db3f809c86f410e4bd21f680b7235d951567f24d614d8e4d041576

  • a42844fc9cb7f80ca49726b3589700fa47bdacf787202d0461c753e7c73cfd2a

Korea In The Crosshairs

  • b3de3f9309b2f320738772353eb724a0782a1fc2c912483c036c303389307e2e

The ink-stained trail of GOLDBACKDOOR

  • 485246b411ef5ea9e903397a5490d106946a8323aaf79e6041bdf94763a0c028

North Korean APT InkySquid Infects Victims Using Browser Exploits

  • 7c40019c1d4cef2ffdd1dd8f388aaba537440b1bffee41789c900122d075a86d

  • 94b71ee0861cc7cfbbae53ad2e411a76f296fd5684edf6b25ebe79bf6a2a600a

China-Nexus

Abusing cloud services to fly under the radar

  • 9124266b87b16c02b94125fadfffdd15bc1a5ea714f0dec4962733693a655395

  • da56716727f513365b2308a0b145028fcd905aca2b9450f7632b4b10c209547d

ShadowPad | A Masterpiece of Privately Sold Malware in Chinese Espionage

  • f0854ec2496f9b4c634040bfac7381d6bc9926e9e89dc097b4684f73e1f6d9b3

  • c0d2aaf266866900552c681ce63bfd4a3b09442a7742d7f20dcdbdd3ec9763aa

Iran-Nexus

Ferocious Kitten: 6 years of covert surveillance in Iran

  • 3c94eba2e2b73b2d2230a62e4513f457933d4668221992c71c847b79ba12f352

  • d723b7c150427a83d8a08dc613f68675690fa0f5b10287b078f7e8d50d1a363f

OilRig Targets Middle Eastern Telecommunications Organization and Adds Novel C2 Channel with Steganography to Its Inventory

  • 4ea6da6b35c4cdc6043c3b93bd6b61ea225fd5e1ec072330cb746104d0b0a4ec

  • 55282007716b2b987a84a790eb1c9867e23ed8b5b89ef1a836cbedaf32982358

  • 7b5042d3f0e9f077ef2b1a55b5fffab9f07cc856622bf79d56fc752e4dc04b28

  • acb50b02ab0ca846025e7ad6c795a80dc6f61c4426704d0f1dd7e195143f5323

  • ba380e589261781898b1a54c2889f3360db09c61b9155607d7b4d11fcd85bd9d

Appendix C. Decryption Key Information

Custom Alphabet

  • 7Uzc5ngXl_ESWkj3t14Cw+aYLvyh0odZH8OReKiNIr-JM2GQAxpmVb=qPTuB9Ds6fF

xor key

  • 0x3b, 0xa0, 0x28, 0xcc, 0x41, 0x0f, 0xd6, 0x5e, 0xb7, 0x83, 0x92, 0xcf, 0xe4, 0x4a, 0xb8, 0x77

ENKIWhitehat

Offensive security experts delivering deeper security through an attacker's perspective.


ENKI WhiteHat provides unparalleled security

with unrivaled expertise.

Contact

biz@enki.co.kr

+82 2-402-1337

167, Songpa-daero, Songpa-gu, Seoul, Republic of Korea
(Tera Tower Building B, Units 1214–1217)

ENKI WhiteHat Co., Ltd.

Copyright © 2025. All rights reserved.
