{ "id": "4002e064-4825-4078-adb6-d93c4f0c19a8", "created_at": "2026-04-06T00:19:52.908436Z", "updated_at": "2026-04-10T03:38:19.765967Z", "deleted_at": null, "sha1_hash": "adee176ab0c31654bef2066ba0b21ecc9e114052", "title": "Covid-19 Relief: North Korea Hackers Lazarus Planning Massive Attack on US, UK, Japan, Singapore, India, South Korea?", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 299439, "plain_text": "Covid-19 Relief: North Korea Hackers Lazarus Planning Massive\r\nAttack on US, UK, Japan, Singapore, India, South Korea?\r\nBy Bhaswati Guha Majumder\r\nPublished: 2020-06-18 · Archived: 2026-04-05 23:35:08 UTC\r\nVideo Player is loading.\r\nCurrent Time 0:00\r\nDuration -:-\r\nLoaded: 0%\r\nRemaining Time -:-\r\nÂ\r\nHacking activity increased during Coronavirus pandemic\r\nClose\r\nHacking activity increased during Coronavirus pandemic\r\nNorth Korea-based hacking group Lazarus is planning to launch broader phishing attacks designed as COVID-19\r\nrelief efforts against six countries including Singapore, targeting more than five million individuals and businesses\r\n(small, medium, and large enterprises), warned a security firm.\r\nTravel Guides \u0026 Travelogues\r\nCYFIRMA, a threat intelligence and cybersecurity platform company, has exposed the malicious plans of North\r\nKorean hackers. They revealed that the campaign was planned to launch on Saturday, June 20. The hackers, who\r\n0:00\r\nhttps://www.ibtimes.sg/covid-19-relief-north-korea-hackers-lazarus-planning-massive-attack-us-uk-japan-singapore-47072\r\nPage 1 of 4\n\nclaimed to have 8,000 business contact details, made plans to send phishing emails from a spoofed Ministry of\r\nManpower email account offering additional payment of S$750 for all employees of these companies.\r\nHacing activitis (Representational picture) Pixabay\r\nIf You Receive an Email Like This, Do Not Trust\r\nThe phishing emails reads like this:\r\nMember of Singapore Business Federation,\r\nTravel Guides \u0026 Travelogues\r\nThank you for your long-term support during the COVID19 circuit breaker. We understand the pain\r\nand torture you have suffered in the past two months, which has prevented you from conducting\r\nbusiness.\r\nDiscover more\r\nTravel Guides \u0026 Travelogues\r\nGeographic Reference\r\nTourist Destinations\r\nIn the past few months, we have announced many business-friendly programs supported by the\r\nSingapore government. In addition, the Ministry of Manpower (MOM) of Singapore today\r\nannounced a new financial plan that provides a one-time subsidy of S$750 per employee under the\r\nWork Support Plan (JSS).\r\nhttps://www.ibtimes.sg/covid-19-relief-north-korea-hackers-lazarus-planning-massive-attack-us-uk-japan-singapore-47072\r\nPage 2 of 4\n\nPlease register your company and don't forget to provide your company bank information so that we\r\ncan transfer funds automatically.\r\nClaim your financial support immediately\r\nThank you,\r\nMinistry of Manpower [MOM] Singapore\r\nMOM Service Center\r\n1500 Bendemeer Road, Singapore 339946\r\nEmployment Pass Service Center\r\nBinhe Road, 20 Upper Ring Road, #04-01/02, Singapore 058416\r\nThe researchers at CYFIRMA, who have been tracking the Lazarus Group for many years, . said their\r\ninvestigation into the Group's activities has revealed detailed plans indicating an upcoming global phishing\r\ncampaign this weekend.\r\nAs in many countries government organizations announced significant financial support to individuals and\r\nbusinesses in their effort to stabilize their pandemic-ravaged economies, the phishing campaign is designed to\r\nimpersonate government agencies, departments, and trade associations who are tasked to oversee the disbursement\r\nof the financial aid.\r\nNorth Korea Hackers\r\nIn a news release, CYFIRMA said they first picked up the lead on June 1. After the analysis, evidence showed that\r\nhackers planning to launch attacks in six countries across multiple continents over a two-day period. Further\r\nresearch uncovered seven different email templates impersonating government departments and business\r\nassociations.\r\nAs of Thursday, the researchers have not seen the phishing or impersonated sites defined in the email templates.\r\nBut the research showed that the North Korean hackers were planning to set that up in the next 24 hours.\r\nThey also found that North Korean cyber criminals are planning to spoof or create fake email IDs impersonating\r\nvarious authorities. These are some of the emails discussed in their phishing campaign plan:\r\nA cybersecurity expert Jeffrey Kok, who is the Vice President Solution Engineers for Asia Pacific and Japan for\r\nCyberArk told IBTimes Singapore:\r\nPhishing remains probably the malicious attacker's number one way of potentially accessing\r\nconfidential information. For the individual, this can mean compromised personal details, which is\r\ndamaging but usually limited in scale.\r\nHowever, for attacks that target businesses, the effects can be much more wide-ranging. Once a\r\nfoothold in business is established through a successful phish, critical data and assets within the\r\nhttps://www.ibtimes.sg/covid-19-relief-north-korea-hackers-lazarus-planning-massive-attack-us-uk-japan-singapore-47072\r\nPage 3 of 4\n\nbusiness are all at risk if the attack is not contained. This could include customer data files, financial\r\ninformation, or even result in the IT infrastructure being taken down.\r\nTo meet this challenge, businesses should consider adopting privileged access management to\r\nprevent the lateral spread of an attack. By proactively managing and rotating high-value 'privileged'\r\ncredentials and limiting user access to only the information and tools needed to perform their\r\nimmediate role, an attacker's route to critical data and assets can be contained, reducing their ability\r\nto exfiltrate information or disrupt operations.\r\n1 of 5\r\nRecent analysts also claimed that North Korea will most likely attack the U.S. presidential election in November\r\nafter Kim Jong Un's regime explicitly threatened that possibility recently. Sung-Yoon Lee, the Kim Koo-Korea\r\nFoundation professor in Korean Studies at the Fletcher School of Law and Diplomacy at Tufts University said that\r\nNorth Korea will be able to test how far and to what extent it can damage the U.S. election system. Lee said, \"I\r\nfully expect North Korea to test its own capabilities to see what it can get away with by hacking into the U.S.\r\nelection system.\"\r\nSource: https://www.ibtimes.sg/covid-19-relief-north-korea-hackers-lazarus-planning-massive-attack-us-uk-japan-singapore-47072\r\nhttps://www.ibtimes.sg/covid-19-relief-north-korea-hackers-lazarus-planning-massive-attack-us-uk-japan-singapore-47072\r\nPage 4 of 4", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://www.ibtimes.sg/covid-19-relief-north-korea-hackers-lazarus-planning-massive-attack-us-uk-japan-singapore-47072" ], "report_names": [ "covid-19-relief-north-korea-hackers-lazarus-planning-massive-attack-us-uk-japan-singapore-47072" ], "threat_actors": [ { "id": "d90307b6-14a9-4d0b-9156-89e453d6eb13", "created_at": "2022-10-25T16:07:23.773944Z", "updated_at": "2026-04-10T02:00:04.746188Z", "deleted_at": null, "main_name": "Lead", "aliases": [ "Casper", "TG-3279" ], "source_name": "ETDA:Lead", "tools": [ "Agentemis", "BleDoor", "Cobalt Strike", "CobaltStrike", "RbDoor", "RibDoor", "Winnti", "cobeacon" ], "source_id": "ETDA", "reports": null }, { "id": "34eea331-d052-4096-ae03-a22f1d090bd4", "created_at": "2025-08-07T02:03:25.073494Z", "updated_at": "2026-04-10T02:00:03.709243Z", "deleted_at": null, "main_name": "NICKEL ACADEMY", "aliases": [ "ATK3 ", "Black Artemis ", "COVELLITE ", "CTG-2460 ", "Citrine Sleet ", "Diamond Sleet ", "Guardians of Peace", "HIDDEN COBRA ", "High Anonymous", "Labyrinth Chollima ", "Lazarus Group ", "NNPT Group", "New Romanic Cyber Army Team", "Temp.Hermit ", "UNC577 ", "Who Am I?", "Whois Team", "ZINC " ], "source_name": "Secureworks:NICKEL ACADEMY", "tools": [ "Destover", "KorHigh", "Volgmer" ], "source_id": "Secureworks", "reports": null }, { "id": "732597b1-40a8-474c-88cc-eb8a421c29f1", "created_at": "2025-08-07T02:03:25.087732Z", "updated_at": "2026-04-10T02:00:03.776007Z", "deleted_at": null, "main_name": "NICKEL GLADSTONE", "aliases": [ "APT38 ", "ATK 117 ", "Alluring Pisces ", "Black Alicanto ", "Bluenoroff ", "CTG-6459 ", "Citrine Sleet ", "HIDDEN COBRA ", "Lazarus Group", "Sapphire Sleet ", "Selective Pisces ", "Stardust Chollima ", "T-APT-15 ", "TA444 ", "TAG-71 " ], "source_name": "Secureworks:NICKEL GLADSTONE", "tools": [ "AlphaNC", "Bankshot", "CCGC_Proxy", "Ratankba", "RustBucket", "SUGARLOADER", "SwiftLoader", "Wcry" ], "source_id": "Secureworks", "reports": null }, { "id": "a2b92056-9378-4749-926b-7e10c4500dac", "created_at": "2023-01-06T13:46:38.430595Z", "updated_at": "2026-04-10T02:00:02.971571Z", "deleted_at": null, "main_name": "Lazarus Group", "aliases": [ "Operation DarkSeoul", "Bureau 121", "Group 77", "APT38", "NICKEL GLADSTONE", "G0082", "COPERNICIUM", "Moonstone Sleet", "Operation GhostSecret", "APT 38", "Appleworm", "Unit 121", "ATK3", "G0032", "ATK117", "NewRomanic Cyber Army Team", "Nickel Academy", "Sapphire Sleet", "Lazarus group", "Hastati Group", "Subgroup: Bluenoroff", "Operation Troy", "Black Artemis", "Dark Seoul", "Andariel", "Labyrinth Chollima", "Operation AppleJeus", "COVELLITE", "Citrine Sleet", "DEV-0139", "DEV-1222", "Hidden Cobra", "Bluenoroff", "Stardust Chollima", "Whois Hacking Team", "Diamond Sleet", "TA404", "BeagleBoyz", "APT-C-26" ], "source_name": "MISPGALAXY:Lazarus Group", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "32a223a8-3c79-4146-87c5-8557d38662ae", "created_at": "2022-10-25T15:50:23.703698Z", "updated_at": "2026-04-10T02:00:05.261989Z", "deleted_at": null, "main_name": "Lazarus Group", "aliases": [ "Lazarus Group", "Labyrinth Chollima", "HIDDEN COBRA", "Guardians of Peace", "NICKEL ACADEMY", "Diamond Sleet" ], "source_name": "MITRE:Lazarus Group", "tools": [ "RawDisk", "Proxysvc", "BADCALL", "FALLCHILL", "WannaCry", "MagicRAT", "HOPLIGHT", "TYPEFRAME", "Dtrack", "HotCroissant", "HARDRAIN", "Dacls", "KEYMARBLE", "TAINTEDSCRIBE", "AuditCred", "netsh", "ECCENTRICBANDWAGON", "AppleJeus", "BLINDINGCAN", "ThreatNeedle", "Volgmer", "Cryptoistic", "RATANKBA", "Bankshot" ], "source_id": "MITRE", "reports": null }, { "id": "f32df445-9fb4-4234-99e0-3561f6498e4e", "created_at": "2022-10-25T16:07:23.756373Z", "updated_at": "2026-04-10T02:00:04.739611Z", "deleted_at": null, "main_name": "Lazarus Group", "aliases": [ "APT-C-26", "ATK 3", "Appleworm", "Citrine Sleet", "DEV-0139", "Diamond Sleet", "G0032", "Gleaming Pisces", "Gods Apostles", "Gods Disciples", "Group 77", "Guardians of Peace", "Hastati Group", "Hidden Cobra", "ITG03", "Jade Sleet", "Labyrinth Chollima", "Lazarus Group", "NewRomanic Cyber Army Team", "Operation 99", "Operation AppleJeus", "Operation AppleJeus sequel", "Operation Blockbuster: Breach of Sony Pictures Entertainment", "Operation CryptoCore", "Operation Dream Job", "Operation Dream Magic", "Operation Flame", "Operation GhostSecret", "Operation In(ter)caption", "Operation LolZarus", "Operation Marstech Mayhem", "Operation No Pineapple!", "Operation North Star", "Operation Phantom Circuit", "Operation Sharpshooter", "Operation SyncHole", "Operation Ten Days of Rain / DarkSeoul", "Operation Troy", "SectorA01", "Slow Pisces", "TA404", "TraderTraitor", "UNC2970", "UNC4034", "UNC4736", "UNC4899", "UNC577", "Whois Hacking Team" ], "source_name": "ETDA:Lazarus Group", "tools": [ "3CX Backdoor", "3Rat Client", "3proxy", "AIRDRY", "ARTFULPIE", "ATMDtrack", "AlphaNC", "Alreay", "Andaratm", "AngryRebel", "AppleJeus", "Aryan", "AuditCred", "BADCALL", "BISTROMATH", "BLINDINGCAN", "BTC Changer", "BUFFETLINE", "BanSwift", "Bankshot", "Bitrep", "Bitsran", "BlindToad", "Bookcode", "BootWreck", "BottomLoader", "Brambul", "BravoNC", "Breut", "COLDCAT", "COPPERHEDGE", "CROWDEDFLOUNDER", "Castov", "CheeseTray", "CleanToad", "ClientTraficForwarder", "CollectionRAT", "Concealment Troy", "Contopee", "CookieTime", "Cyruslish", "DAVESHELL", "DBLL Dropper", "DLRAT", "DRATzarus", "DRATzarus RAT", "Dacls", "Dacls RAT", "DarkComet", "DarkKomet", "DeltaCharlie", "DeltaNC", "Dembr", "Destover", "DoublePulsar", "Dozer", "Dtrack", "Duuzer", "DyePack", "ECCENTRICBANDWAGON", "ELECTRICFISH", "Escad", "EternalBlue", "FALLCHILL", "FYNLOS", "FallChill RAT", "Farfli", "Fimlis", "FoggyBrass", "FudModule", "Fynloski", "Gh0st RAT", "Ghost RAT", "Gopuram", "HARDRAIN", "HIDDEN COBRA RAT/Worm", "HLOADER", "HOOKSHOT", "HOPLIGHT", "HOTCROISSANT", "HOTWAX", "HTTP Troy", "Hawup", "Hawup RAT", "Hermes", "HotCroissant", "HotelAlfa", "Hotwax", "HtDnDownLoader", "Http Dr0pper", "ICONICSTEALER", "Joanap", "Jokra", "KANDYKORN", "KEYMARBLE", "Kaos", "KillDisk", "KillMBR", "Koredos", "Krademok", "LIGHTSHIFT", "LIGHTSHOW", "LOLBAS", "LOLBins", "Lazarus", "LightlessCan", "Living off the Land", "MATA", "MBRkiller", "MagicRAT", "Manuscrypt", "Mimail", "Mimikatz", "Moudour", "Mydoom", "Mydoor", "Mytob", "NACHOCHEESE", "NachoCheese", "NestEgg", "NickelLoader", "NineRAT", "Novarg", "NukeSped", "OpBlockBuster", "PCRat", "PEBBLEDASH", "PLANKWALK", "POOLRAT", "PSLogger", "PhanDoor", "Plink", "PondRAT", "PowerBrace", "PowerRatankba", "PowerShell RAT", "PowerSpritz", "PowerTask", "Preft", "ProcDump", "Proxysvc", "PuTTY Link", "QUICKRIDE", "QUICKRIDE.POWER", "Quickcafe", "QuiteRAT", "R-C1", "ROptimizer", "Ratabanka", "RatabankaPOS", "Ratankba", "RatankbaPOS", "RawDisk", "RedShawl", "Rifdoor", "Rising Sun", "Romeo-CoreOne", "RomeoAlfa", "RomeoBravo", "RomeoCharlie", "RomeoCore", "RomeoDelta", "RomeoEcho", "RomeoFoxtrot", "RomeoGolf", "RomeoHotel", "RomeoMike", "RomeoNovember", "RomeoWhiskey", "Romeos", "RustBucket", "SHADYCAT", "SHARPKNOT", "SIGFLIP", "SIMPLESEA", "SLICKSHOES", "SORRYBRUTE", "SUDDENICON", "SUGARLOADER", "SheepRAT", "SierraAlfa", "SierraBravo", "SierraCharlie", "SierraJuliett-MikeOne", "SierraJuliett-MikeTwo", "SimpleTea", "SimplexTea", "SmallTiger", "Stunnel", "TAINTEDSCRIBE", "TAXHAUL", "TFlower", "TOUCHKEY", "TOUCHMOVE", "TOUCHSHIFT", "TOUCHSHOT", "TWOPENCE", "TYPEFRAME", "Tdrop", "Tdrop2", "ThreatNeedle", "Tiger RAT", "TigerRAT", "Trojan Manuscript", "Troy", "TroyRAT", "VEILEDSIGNAL", "VHD", "VHD Ransomware", "VIVACIOUSGIFT", "VSingle", "ValeforBeta", "Volgmer", "Vyveva", "W1_RAT", "Wana Decrypt0r", "WanaCry", "WanaCrypt", "WanaCrypt0r", "WannaCry", "WannaCrypt", "WannaCryptor", "WbBot", "Wcry", "Win32/KillDisk.NBB", "Win32/KillDisk.NBC", "Win32/KillDisk.NBD", "Win32/KillDisk.NBH", "Win32/KillDisk.NBI", "WinorDLL64", "Winsec", "WolfRAT", "Wormhole", "YamaBot", "Yort", "ZetaNile", "concealment_troy", "http_troy", "httpdr0pper", "httpdropper", "klovbot", "sRDI" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434792, "ts_updated_at": 1775792299, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/adee176ab0c31654bef2066ba0b21ecc9e114052.pdf", "text": "https://archive.orkl.eu/adee176ab0c31654bef2066ba0b21ecc9e114052.txt", "img": "https://archive.orkl.eu/adee176ab0c31654bef2066ba0b21ecc9e114052.jpg" } }