NKNShell Malware Distributed via VPN Website
AhnLab SEcurity intelligence Center (ASEC) has confirmed that malware has been uploaded to the website of a South Korean VPN provider. Based on the distribution method and characteristics of the malware used, this attack appears to be the work of the same threat actor who has been targeting South Korean
October 2025 APT Attack Trends Report (South Korea)
Overview AhnLab is monitoring Advanced Persistent Threat (APT) attacks in South Korea by utilizing their own infrastructure. This report covers the classification, statistics, and features of APT attacks in South Korea that were identified in October 2025. Figure 1. Statistics of APT attacks in South Korea in October 2025
Distribution of Malware Abusing LogMeIn and PDQ Connect
AhnLab SEcurity intelligence Center (ASEC) recently identified cases of attacks abusing the RMM (Remote Monitoring and Management) tools LogMeIn Resolve (GoTo Resolve) and PDQ Connect. While the initial distribution method is unknown, the attacks involve a legitimate-looking website that disguises the malware as a normal program. When a user downloads
Distribution of Backdoor Malware with Legitimate Signature, Disguised as Steam Cleanup Tool
Multiple cases have been reported where malware disguised as the “SteamCleaner” tool for cleaning the popular game platform Steam client is being distributed. When a system is infected with this malware, a malicious Node.js script resides on the user’s PC and communicates with the C2 server periodically, allowing threat actors
Case of ActiveMQ Vulnerability Exploitation to Install Sharpire (Kinsing)
AhnLab SEcurity intelligence Center (ASEC) has confirmed that the Kinsing threat actor is still distributing malware by exploiting known vulnerabilities. Since the disclosure of the CVE-2023-46604 vulnerability in ActiveMQ, the threat actor has been exploiting it to install malware on both Linux and Windows systems. [1] Aside from the well-known XMRig
Statistics Report on Malware Targeting Windows Database Servers in Q3 2025
AhnLab SEcurity intelligence Center (ASEC) utilizes the AhnLab Smart Defense (ASD) to categorize and respond to attacks targeting Windows-based MS-SQL and MySQL servers. This report will cover the current state of damage to MS-SQL and MySQL servers that became attack targets based on the logs discovered in the third quarter
August 2025 Threat Trend Report on APT Attacks (South Korea)
Overview AhnLab has been using AhnLab Smart Defense (ASD) to monitor advanced persistent threat (APT) attacks against targets in Korea. This report covers the categorization and statistics of APT attacks in South Korea during August 2025 as well as functions for each type. Figure 1. August 2025 statistics on APT
July 2025 APT Attack Trends Report (South Korea)
Overview AhnLab has been using AhnLab Smart Defense (ASD) to monitor advanced persistent threat (APT) attacks against targets in Korea. This report will cover the types and statistics of APT attacks in Korea during July 2025 as well as features for each type. Figure 1. July 2025 statistics on
Detecting Malware Exploiting Linux PAM through AhnLab EDR
Pluggable Authentication Modules (PAM) is a modular framework that allows applications such as su, sudo, and sshd to perform security policy logic such as authentication without implementing it directly. Applications delegate authentication to the libpam library, which then loads and executes PAM modules according to the configuration information before aggregating
Malicious LNK Disguised as Credit Card Security Email Authentication Pop-up
AhnLab SEcurity intelligence Center (ASEC) has recently identified a case where a malicious LNK file is disguised as the credit card security email authentication pop-up to steal user information. The identified malicious LNK file has the following file name, disguising itself as the credit card company. **card_detail_20250610.html.lnk The threat actor has been
