NKNShell Malware Distributed via VPN Website

AhnLab SEcurity intelligence Center (ASEC) has confirmed that malware has been uploaded to the website of a South Korean VPN provider. Based on the distribution method and characteristics of the malware used, this attack appears to be the work of the same threat actor who has been targeting South Korean

May 2025 APT Group Trends (South Korea)

Overview: AhnLab is monitoring Advanced Persistent Threat (APT) attacks in South Korea using its own infrastructure. This report covers the classification, statistics, and features of APT attacks in Korea that were identified over the course of a month in May 2025. Figure 1. Statistics of APT attacks in

Status of Korean Servers Exposed to Ivanti Connect Secure Vulnerabilities (Multiple CVEs)

Multiple vulnerabilities have been disclosed for the Ivanti Connect Secure product, including several with a CVSS score of 9 or higher (CRITICAL). The majority of Ivanti Connect Secure servers operating in Korea have been identified as vulnerable versions. Figure 1. Default connection screen of Ivanti Connect Secure. Ivanti

Analysis of Attack Case Installing SoftEther VPN on Korean ERP Server

AhnLab SEcurity intelligence Center (ASEC) has recently discovered an attack case where a threat actor attacked the ERP server of a Korean corporation and installed a VPN server. In the initial compromise process, the threat actor attacked the MS-SQL service and later installed a web shell to maintain persistence and

Analysis of Attack Cases: From Korean VPN Installations to MeshAgent Infections

AhnLab Security Emergency response Center (ASEC) has previously covered the case where SparkRAT was distributed within a Korean VPN’s installer in the post “SparkRAT Being Distributed Within a Korean VPN Installer”[1]. This VPN was commonly installed by Chinese users who required better access to the Internet, and the problem

Chinese Hacker Group Stealing Information From Korean Companies

Recently, there have been frequent cases of attacks targeting vulnerable servers that are accessible externally, such as SQL servers or IIS web servers. The team has confirmed two affected companies in this case. One is a semiconductor company, and the other is a smart manufacturing company which utilizes artificial

SparkRAT Being Distributed Within a Korean VPN Installer

AhnLab Security Emergency response Center (ASEC) has recently discovered SparkRAT being distributed within the installer of a certain VPN program. SparkRAT is a Remote Administration Tool (RAT) developed with GoLang. When installed on a user’s system, it can perform a variety of malicious behaviors, such as executing commands remotely, controlling