{ "id": "08c8883b-c045-4a9f-96a5-01df86c533f5", "created_at": "2026-04-06T00:18:53.463034Z", "updated_at": "2026-04-10T03:38:06.562567Z", "deleted_at": null, "sha1_hash": "f07ffa16bec550daba0d2163e67ed3831da8597b", "title": "Report Ties North Korean Attacks to New Malware, Linked by Word Macros", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 1954653, "plain_text": "Report Ties North Korean Attacks to New Malware, Linked by Word\r\nMacros\r\nBy Ionut Ilascu\r\nPublished: 2018-10-01 · Archived: 2026-04-05 14:34:54 UTC\r\nNewly discovered malware from the world of cyberespionage connects the dots between the tools and operations of the\r\nlittle-known Reaper group believed to act on behalf of the North Korean government.\r\nThe latest findings indicate that the remote access Trojans (RAT) in the KONNI and DOGCALL families are the work of the\r\nsame operator, tasked with spying organizations in the military and defense industry in South Korea, an entity in the Middle\r\nEast that was doing business with the Pyongyang and politically-motivated victims in Eurasia.\r\nNK is the common ground for the KONNI and NOKKI RATs\r\nSecurity researchers from Palo Alto Network's Unit 42 recently published an analysis of NOKKI, a new RAT named so\r\nbecause of the significant code overlap with KONNI threat of the same type, initially discovered Cisco Talos.\r\nhttps://www.bleepingcomputer.com/news/security/report-ties-north-korean-attacks-to-new-malware-linked-by-word-macros/\r\nPage 1 of 6\n\n0:00\r\nhttps://www.bleepingcomputer.com/news/security/report-ties-north-korean-attacks-to-new-malware-linked-by-word-macros/\r\nPage 2 of 6\n\nVisit Advertiser websiteGO TO PAGE\r\nDuring the NOKKI analysis, the researchers found that the latest attacks using this RAT began in July and relied on\r\nmalicious Microsoft Word documents to lure victims into deploying the malware.\r\nThis is common tactics, but the technique used to avoid detection was particular, in that \"it would first convert the base64-\r\nencoded text into hex, and then convert that hex into a text string,\" Unit 42 explains in a report shared with\r\nBleepingComputer.\r\nThis unique approach for evading detection was present in one other malicious document in Unit 42's sample bank, with a\r\ncreation date of March 19, and the last modification on June 16.\r\nIts name was 'World Cup predictions.doc' and the macro code inside it ran the same deobfuscation routine for payload\r\ndelivery as the in macros that dropped the NOKKI RAT.\r\nUnit 42 found that the new sample of malicious macro code downloaded and executed a VBScript and included two texts it\r\ncould append to the Microsoft file displayed to the victim: one was an excerpt from an ESPN article on World Cup\r\npredictions; the other was a piece from an article detailing Supreme Leader's visit to Singapore.\r\nhttps://www.bleepingcomputer.com/news/security/report-ties-north-korean-attacks-to-new-malware-linked-by-word-macros/\r\nPage 3 of 6\n\nWord document with macro that downloads DOGCALL RAT\r\nIf the lure worked and the victim opened the document and enabled macro code, they would read one of the two texts as if it\r\nwas a regular document, just like seen in the image below, while the DOGCALL RAT downloaded and installed in the\r\nbackground.\r\nMacro code shows decoy text while RAT installs in the background\r\nNew dropper found for an old RAT\r\nIf NOKKI or KONNI have not been attributed to North Korean operations in the past, DOGCALL has been associated with\r\nthe cyber activity led by Pyongyang, more specifically with the Reaper group, also known as APT37, Group123, FreeMilk,\r\n StarCruft, Operation Daybreak and Operation Erebus.\r\nWhile disentangling the deobfuscation and download routines used by the macro in the 'World Cup predictions' document,\r\nthe researchers also noticed a malware dropper that has not been reported before, which they called Final1stspy.\r\nThe final payload delivered by Final1stspy is from the DOGCALL family and it can take screenshots, log keystrokes,\r\nexfiltrate files, download and execute other payloads or capture audio through the computer's microphone.\r\nhttps://www.bleepingcomputer.com/news/security/report-ties-north-korean-attacks-to-new-malware-linked-by-word-macros/\r\nPage 4 of 6\n\nUnit 42's research adds new pieces to the North Korean cyberespionage operations puzzle and shows that even nation-state actors make mistakes that lead to revealing the author behind the malicious tools, or at least pin them under the same\r\noperator.\r\nUsing information about tools already attributed to the DPRK (Democratic People’s Republic of Korea) cyberspionage\r\nenterprises, security researchers recently have built a malware family tree showing how various operations between 2009\r\nand 2017 connect to each other, some of them unattributed to the government in Pyongyang.\r\nhttps://www.bleepingcomputer.com/news/security/report-ties-north-korean-attacks-to-new-malware-linked-by-word-macros/\r\nPage 5 of 6\n\nAutomated Pentesting Covers Only 1 of 6 Surfaces.\r\nAutomated pentesting proves the path exists. BAS proves whether your controls stop it. Most teams run one without the\r\nother.\r\nThis whitepaper maps six validation surfaces, shows where coverage ends, and provides practitioners with three diagnostic\r\nquestions for any tool evaluation.\r\nSource: https://www.bleepingcomputer.com/news/security/report-ties-north-korean-attacks-to-new-malware-linked-by-word-macros/\r\nhttps://www.bleepingcomputer.com/news/security/report-ties-north-korean-attacks-to-new-malware-linked-by-word-macros/\r\nPage 6 of 6", "extraction_quality": 1, "language": "EN", "sources": [ "Malpedia", "MISPGALAXY" ], "references": [ "https://www.bleepingcomputer.com/news/security/report-ties-north-korean-attacks-to-new-malware-linked-by-word-macros/" ], "report_names": [ "report-ties-north-korean-attacks-to-new-malware-linked-by-word-macros" ], "threat_actors": [ { "id": "6f30fd35-b1c9-43c4-9137-2f61cd5f031e", "created_at": "2025-08-07T02:03:25.082908Z", "updated_at": "2026-04-10T02:00:03.744649Z", "deleted_at": null, "main_name": "NICKEL FOXCROFT", "aliases": [ "APT37 ", "ATK4 ", "Group 123 ", "InkySquid ", "Moldy Pisces ", "Operation Daybreak ", "Operaton Erebus ", "RICOCHET CHOLLIMA ", "Reaper ", "ScarCruft ", "TA-RedAnt ", "Venus 121 " ], "source_name": "Secureworks:NICKEL FOXCROFT", "tools": [ "Bluelight", "Chinotto", "GOLDBACKDOOR", "KevDroid", "KoSpy", "PoorWeb", "ROKRAT", "final1stpy" ], "source_id": "Secureworks", "reports": null }, { "id": "d90307b6-14a9-4d0b-9156-89e453d6eb13", "created_at": "2022-10-25T16:07:23.773944Z", "updated_at": "2026-04-10T02:00:04.746188Z", "deleted_at": null, "main_name": "Lead", "aliases": [ "Casper", "TG-3279" ], "source_name": "ETDA:Lead", "tools": [ "Agentemis", "BleDoor", "Cobalt Strike", "CobaltStrike", "RbDoor", "RibDoor", "Winnti", "cobeacon" ], "source_id": "ETDA", "reports": null }, { "id": "aa65d2c9-a9d7-4bf9-9d56-c8de16eee5f4", "created_at": "2025-08-07T02:03:25.096857Z", "updated_at": "2026-04-10T02:00:03.659118Z", "deleted_at": null, "main_name": "NICKEL JUNIPER", "aliases": [ "Konni", "OSMIUM ", "Opal Sleet " ], "source_name": "Secureworks:NICKEL JUNIPER", "tools": [ "Konni" ], "source_id": "Secureworks", "reports": null }, { "id": "b43c8747-c898-448a-88a9-76bff88e91b5", "created_at": "2024-02-02T02:00:04.058535Z", "updated_at": "2026-04-10T02:00:03.545252Z", "deleted_at": null, "main_name": "Opal Sleet", "aliases": [ "Konni", "Vedalia", "OSMIUM" ], "source_name": "MISPGALAXY:Opal Sleet", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "bbe36874-34b7-4bfb-b38b-84a00b07042e", "created_at": "2022-10-25T15:50:23.375277Z", "updated_at": "2026-04-10T02:00:05.327922Z", "deleted_at": null, "main_name": "APT37", "aliases": [ "APT37", "InkySquid", "ScarCruft", "Group123", "TEMP.Reaper", "Ricochet Chollima" ], "source_name": "MITRE:APT37", "tools": [ "BLUELIGHT", "CORALDECK", "KARAE", "SLOWDRIFT", "ROKRAT", "SHUTTERSPEED", "POORAIM", "HAPPYWORK", "Final1stspy", "Cobalt Strike", "NavRAT", "DOGCALL", "WINERACK" ], "source_id": "MITRE", "reports": null }, { "id": "552ff939-52c3-421b-b6c9-749cbc21a794", "created_at": "2023-01-06T13:46:38.742547Z", "updated_at": "2026-04-10T02:00:03.08515Z", "deleted_at": null, "main_name": "APT37", "aliases": [ "Operation Daybreak", "Red Eyes", "ScarCruft", "G0067", "Group123", "Reaper Group", "Ricochet Chollima", "ATK4", "APT 37", "Operation Erebus", "Moldy Pisces", "APT-C-28", "Group 123", "InkySquid", "Venus 121" ], "source_name": "MISPGALAXY:APT37", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "c0cedde3-5a9b-430f-9b77-e6568307205e", "created_at": "2022-10-25T16:07:23.528994Z", "updated_at": "2026-04-10T02:00:04.642473Z", "deleted_at": null, "main_name": "DarkHotel", "aliases": [ "APT-C-06", "ATK 52", "CTG-1948", "Dubnium", "Fallout Team", "G0012", "G0126", "Higaisa", "Luder", "Operation DarkHotel", "Operation Daybreak", "Operation Inexsmar", "Operation PowerFall", "Operation The Gh0st Remains the Same", "Purple Pygmy", "SIG25", "Shadow Crane", "T-APT-02", "TieOnJoe", "Tungsten Bridge", "Zigzag Hail" ], "source_name": "ETDA:DarkHotel", "tools": [ "Asruex", "DarkHotel", "DmaUp3.exe", "GreezeBackdoor", "Karba", "Nemain", "Nemim", "Ramsay", "Retro", "Tapaoux", "Trojan.Win32.Karba.e", "Virus.Win32.Pioneer.dx", "igfxext.exe", "msieckc.exe" ], "source_id": "ETDA", "reports": null }, { "id": "9b02c527-5077-489e-9a80-5d88947fddab", "created_at": "2022-10-25T16:07:24.103499Z", "updated_at": "2026-04-10T02:00:04.867181Z", "deleted_at": null, "main_name": "Reaper", "aliases": [ "APT 37", "ATK 4", "Cerium", "Crooked Pisces", "G0067", "Geumseong121", "Group 123", "ITG10", "InkySquid", "Moldy Pisces", "Opal Sleet", "Operation Are You Happy?", "Operation Battle Cruiser", "Operation Black Banner", "Operation Daybreak", "Operation Dragon messenger", "Operation Erebus", "Operation Evil New Year", "Operation Evil New Year 2018", "Operation Fractured Block", "Operation Fractured Statue", "Operation FreeMilk", "Operation Golden Bird", "Operation Golden Time", "Operation High Expert", "Operation Holiday Wiper", "Operation Korean Sword", "Operation North Korean Human Right", "Operation Onezero", "Operation Rocket Man", "Operation SHROUDED#SLEEP", "Operation STARK#MULE", "Operation STIFF#BIZON", "Operation Spy Cloud", "Operation Star Cruiser", "Operation ToyBox Story", "Osmium", "Red Eyes", "Ricochet Chollima", "Ruby Sleet", "ScarCruft", "TA-RedAnt", "TEMP.Reaper", "Venus 121" ], "source_name": "ETDA:Reaper", "tools": [ "Agentemis", "BLUELIGHT", "Backdoor.APT.POORAIM", "CARROTBALL", "CARROTBAT", "CORALDECK", "Cobalt Strike", "CobaltStrike", "DOGCALL", "Erebus", "Exploit.APT.RICECURRY", "Final1stSpy", "Freenki Loader", "GELCAPSULE", "GOLDBACKDOOR", "GreezeBackdoor", "HAPPYWORK", "JinhoSpy", "KARAE", "KevDroid", "Konni", "MILKDROP", "N1stAgent", "NavRAT", "Nokki", "Oceansalt", "POORAIM", "PoohMilk", "PoohMilk Loader", "RICECURRY", "RUHAPPY", "RokRAT", "SHUTTERSPEED", "SLOWDRIFT", "SOUNDWAVE", "SYSCON", "Sanny", "ScarCruft", "StarCruft", "Syscon", "VeilShell", "WINERACK", "ZUMKONG", "cobeacon" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434733, "ts_updated_at": 1775792286, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/f07ffa16bec550daba0d2163e67ed3831da8597b.pdf", "text": "https://archive.orkl.eu/f07ffa16bec550daba0d2163e67ed3831da8597b.txt", "img": "https://archive.orkl.eu/f07ffa16bec550daba0d2163e67ed3831da8597b.jpg" } }