January 22, 2025

Jonathan Greig
New research shows that North Korean hackers have been spoofing venture capital and financial firms in Japan, Vietnam and the United States.

Recorded Future’s Insikt Group reported that the campaign has been linked to APT38, a North Korean group well known for attacks on cryptocurrency firms.

In the cluster, which spanned September 2022 to March 2023, researchers found six malicious files and 74 domains. Insikt Group had described TAG71’s activity in a previous report, when the group was spoofing cloud services and domains owned by financial companies in Japan, Taiwan and the United States, among others.

The Record is an editorially independent unit of Recorded Future.

The report states that North Korean hacking groups have long targeted commercial banks and e-commerce websites for financial gain.

The proceeds help the North Korean government raise money for a regime that is under severe international sanctions.

Mitch Haszard of Insikt Group noted that the most recent campaign focused on impersonating venture capital firms. APT38 had previously attacked SWIFT exchanges as well as cryptocurrency.

“Both have a goal to steal money, but the spoofing of venture capital companies is new and different,” he said.

The researchers say that North Korean hackers used 18 malicious servers to spread malware during March 2022. Spoofing of popular cloud services, cryptocurrency exchanges and private investment firms was used to trick potential victims into opening malicious files or revealing their login credentials.

By targeting firms in the investment banking sector and venture capitalism, this group hopes to “expose sensitive or confidential information about these entities or customers that could result in legal action or regulation, endanger pending negotiations or agreements, reveal information damaging to investment portfolios, or jeopardize pending deals or negotiations.”

Insikt Group also found three more IP addresses linked to the group during a more recent campaign that ran from January 20, 2023 to March 20, 2023.

These addresses were associated with domains such as “doc-share” and “autoprotect”, among others, that purported to belong to financial institutions in Japan.

Kaspersky researchers have connected several of the IP addresses to financially motivated hacking groups.

Crippling financial restrictions are expected to push North Korea’s hackers toward more financially motivated attacks.