{
	"id": "662a629b-5164-483c-acf3-7741fd42edb5",
	"created_at": "2026-04-06T00:19:10.501689Z",
	"updated_at": "2026-04-10T03:29:48.707909Z",
	"deleted_at": null,
	"sha1_hash": "05ef6cbe45e1dcfab77569f14b61db8f99aacd89",
	"title": "IssueMakersLab - Cyber Warfare Research Team",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1355125,
	"plain_text": "IssueMakersLab - Cyber Warfare Research Team\r\nArchived: 2026-04-02 10:56:49 UTC\r\n1. Overview\r\nFor about a year, from June 2016 to May 2017, a group assessed to be North Korean compromised the websites of some 10 South Korean organizations related to diplomacy, aerospace, North Korea, unification, parliament, labor, finance and other fields, and used them in a watering hole attack to distribute malware to their visitors. As direct attacks against institutions and companies in these fields became increasingly difficult, the attackers instead compromised relatively weakly defended associations and used them as a route to bypass their targets' defenses.\r\nThe infection vector was ActiveX programs from 10 domestic software products, including electronic payment, authentication, encryption, reporting, webmail and groupware solutions, chosen to infect visitors in the respective fields. Some of these ActiveX programs are installed on the PCs of many users in the country, and the attackers distributed the malware through zero-day vulnerabilities for which no patch existed at the time of distribution. They were also able to distribute the malware for a long time without being detected, by distributing it only for very short periods or by identifying specific users and distributing it only to them.\r\nThe malware was similar to the malware that had been distributed to large South Korean companies and to South Korean security software companies, which the police and the prosecutors respectively concluded in 2016 was the work of North Korea. There is also a connection with the malware used in the South Korean ATM hacking incident, which is suspected to have been committed by North Korea but has not yet been closed. In addition, during the March 20 attack (2013) on South Korean broadcasters and financial institutions, ActiveX vulnerabilities in a South Korean financial security module were used to infiltrate the agencies for several months, resulting in secondary damage in the form of hard disk destruction. Further damage is expected from this so-called \"Operation GoldenAxe\".\r\n2. Target\r\n2.1. Web sites for distributing malware\r\nThe following 10 web sites were hacked and malware was distributed to their visitors.\r\nhxxp://www[.]kcfr[.]or[.]kr - The Korea Foreign Affairs Association\r\nhxxp://www[.]ksas[.]or[.]kr - Aerospace Research Institute\r\nhxxp://www[.]nksis[.]com - North Korean Strategic Information Service Center\r\nhxxp://www[.]tongzun[.]co[.]kr - A group of North Korean defectors preparing for reunification\r\nhttp://www.issuemakerslab.com/research3/\r\nPage 1 of 5\r\nhxxp://www[.]tongiledu[.]org - Unification Education Council\r\nhxxp://kuprp[.]nodong[.]net - National Union of Public Research Workers\r\nhxxp://ampcc[.]go[.]kr - The National Council of Councils\r\nhxxp://www[.]wblu[.]or[.]kr - Woori Bank Branch\r\nhxxp://newanticancer[.]com - Sindaeam Hospital\r\nhxxp://www[.]rokps[.]or[.]kr - Hunjeonghoe of South Korea (former lawmaker)\r\n2.2. ActiveX programs used to distribute malware\r\nThe following 10 ActiveX programs were used to distribute malware.\r\nSome of the ActiveX vulnerabilities used in the distribution were zero-day vulnerabilities, with no patch available at the time the malware was spread.\r\nIn particular, an ActiveX zero-day vulnerability in M2Soft's reporting solution was used against an organization in June 2016, and was used again to distribute North Korea's malware.\r\nEasyPayPlugin.EPplugin.1 - EasyPay Electronic Payment Plug-in Module\r\nMagicLoaderX.MagicLoaderX.1 - Dream Security MagicLoaderX Authentication Plug-in Module\r\nNVERSIONMAN.NVersionManCtrl.1 - Nanoom Groupware Smart Flow NVersionMan Module\r\nadmctrl.FileIO.1 - Dream Security Administrator Privilege Processing Component Module\r\nRDVistaSupport.VistaSupport.1 - M2Soft Reporting Solution Report Designer Module\r\nJxVistaDll.JXVistaUtil.1 - Soft25 Zone Encryption Solution JX-CEAL Vista Module\r\nJXFILEBOX.JxFileBoxCtrl.1 - Soft25 JXFILEBOX Module\r\nJXORGTREE.JXOrgTreeCtrl.1 - Soft25 Webmail JXMAIL Module\r\nINIWALLET61.INIwallet61Ctrl.1 - INISYS INIWALLET Browser Extension Module\r\nINIUPDATER.INIUpdaterCtrl.1 - Initech INISAFE Encryption Solution Update Module\r\n3. Malware distributed (malware by North Korea)\r\nA number of malware samples were circulated that are similar to the malware attributed to North Korea in the investigation reports of the Prosecutor's Office and the National Police Office. The malware allows the attackers to remotely control infected PCs in order to steal information or deliver additional malware.\r\n3.1. Similar to the malware used for hacking a large South Korean enterprise group (Source: S. Korea's National Police Office)\r\nThe malware on the left of the picture below is the malware the police announced as North Korean-made, and the malware on the right was distributed in Operation GoldenAxe. The unique encryption/decryption logic used in the malware is identical. Other malware samples share the same part of the protocol used for command \u0026 control.\r\n3.2. Similar to the malware used for hacking S. Korea's security software companies (Source: S. Korea's Prosecutor's Office)\r\nThe malware at the top of the picture below is the malware the S. Korean Prosecutor's Office announced as the act of North Korea. The two malware samples use the same encryption/decryption method and have the same C\u0026C command system.\r\nWhen the above two malware samples are decoded, the same C\u0026C command system is seen, as follows.\r\n3.3. Connected to malware found in S. Korea's ATM hacking (suspected North Korean action)\r\nThe C\u0026C server address used in the incident targeting The National Council on Public Relations (hxxp://ampcc[.]go[.]kr), which distributed malware during Operation GoldenAxe, matches that of code found in the ATM hacking incident in Korea.\r\n4. Comments/Response\r\nNorth Korea mainly uses zero-day vulnerabilities in the ActiveX programs of South Korean software. ActiveX is in common use by local organizations, companies and others, and many ActiveX programs are installed on local users' PCs. Also, finding an ActiveX vulnerability is fairly easy compared to other software, making it the best weapon for North Korea to use in an attack that spreads malware. In particular, the March 20 attack in 2013, which was found to have been committed by North Korea, infiltrated its targets through a vulnerability in an ActiveX financial security module that is widely used in South Korea. In the current situation, where direct penetration is difficult because major organizations and companies have increased their security in response to frequent cyberattacks from North Korea, the agencies and their employees are being infected indirectly through associations.\r\nTherefore, it is necessary to refrain from using ActiveX, which is relatively weak in security.\r\nSource: http://www.issuemakerslab.com/research3/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"Malpedia"
	],
	"references": [
		"http://www.issuemakerslab.com/research3/"
	],
	"report_names": [
		"research3"
	],
	"threat_actors": [
		{
			"id": "bc6e3644-3249-44f3-a277-354b7966dd1b",
			"created_at": "2022-10-25T16:07:23.760559Z",
			"updated_at": "2026-04-10T02:00:04.741239Z",
			"deleted_at": null,
			"main_name": "Andariel",
			"aliases": [
				"APT 45",
				"Andariel",
				"G0138",
				"Jumpy Pisces",
				"Onyx Sleet",
				"Operation BLACKMINE",
				"Operation BLACKSHEEP/Phase 3.",
				"Operation Blacksmith",
				"Operation DESERTWOLF/Phase 3",
				"Operation GHOSTRAT",
				"Operation GoldenAxe",
				"Operation INITROY/Phase 1",
				"Operation INITROY/Phase 2",
				"Operation Mayday",
				"Operation VANXATM",
				"Operation XEDA",
				"Plutonium",
				"Silent Chollima",
				"Stonefly"
			],
			"source_name": "ETDA:Andariel",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434750,
	"ts_updated_at": 1775791788,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/05ef6cbe45e1dcfab77569f14b61db8f99aacd89.pdf",
		"text": "https://archive.orkl.eu/05ef6cbe45e1dcfab77569f14b61db8f99aacd89.txt",
		"img": "https://archive.orkl.eu/05ef6cbe45e1dcfab77569f14b61db8f99aacd89.jpg"
	}
}