Analysis of Trigona Threat Actor’s Latest Attack Cases
AhnLab SEcurity intelligence Center (ASEC) has covered the case of Trigona threat actors attacking MS-SQL servers in the past post, “Trigona Ransomware Threat Actor Uses Mimic Ransomware.”[1] In the attack cases, both Trigona and Mimic ransomware were used. However, while the email address used by the threat actor in the
Makop Ransomware Identified in Attacks in South Korea
AhnLab SEcurity intelligence Center (ASEC) recently identified cases of Makop ransomware attacks targeting South Korean users. The Makop ransomware has been distributed to South Korean users by disguising as resumes or emails related to copyrights for several years. Recently, it has been reported that the ransomware is exploiting RDP for
Distribution of PebbleDash Malware in March 2025
PebbleDash is a backdoor malware that was previously identified by the Cybersecurity and Infrastructure Security Agency (CISA) in the U.S. as a backdoor malware of Lazarus (Hidden Corba) in 2020. At the time, it was known as the malware of the Lazarus group, but recently, there have been more cases
APT Group Profiles – Larva-24005
1) Introduction During the breach investigation process, the AhnLab SEcurity intelligence Center (ASEC) discovered a new operation related to the Kimsuky group and named it Larva-24005.1 The threat actors exploited the RDP vulnerability to infiltrate the system. They then changed the system configuration by installing the MySpy
Analysis Report on Larva-24011 Threat Actor’s Latest Attack Trend
1. Overview The Larva-24011 threat actor is targeting vulnerable systems to install CoinMiner and proxyware for financial gain. AhnLab Security Intelligence Center (ASEC) has recently observed that besides installing CoinMiner and proxyware, the threat actor is engaging in more attack cases of controlling infected systems and exfiltrating information such as
Ransomware Attacks Using RDP as the Attack Vector (Detected by EDR)
A remote desktop service refers to the feature that allows remote control of other PCs. In Windows, this service is provided by default through Remote Desktop Protocol (RDP). This means that if the target system is a Windows environment, RDP can be used to control this remote target without having
Kimsuky Threat Group Uses RDP to Control Infected Systems
Kimsuky, a threat group known to be supported by North Korea, has been active since 2013. At first, they attacked North Korea-related research institutes in South Korea before attacking a South Korean energy agency in 2014. Other countries have also become targets of their attack since 2017. [1] The group usually
Hakuna Matata Ransomware Targeting Korean Companies
Recently, AhnLab Security Emergency response Center (ASEC) has identified that the Hakuna Matata ransomware is being used to attack Korean companies. Hakuna Matata is a ransomware that has been developed relatively recently. The first report related to Hakuna Matata was identified on July 6th, 2023 on Twitter. [1] On July
Kimsuky Threat Group Using Chrome Remote Desktop
AhnLab Security Emergency response Center (ASEC) has recently discovered the Kimsuky threat group using Chrome Remote Desktop. The Kimsuky threat group uses not only their privately developed AppleSeed malware, but also remote control malware such as Meterpreter to gain control over infected systems. [1] Logs of the group using customized
Crysis Threat Actor Installing Venus Ransomware Through RDP
AhnLab Security Emergency response Center (ASEC) has recently discovered that the Crysis ransomware’s threat actor is also using the Venus ransomware in the attacks. Crysis and Venus are both major ransomware types known to target externally exposed remote desktop services. [1] Actual logs from the AhnLab Smart Defense (ASD) infrastructure also
