Topic Collection / Korea Signals
Korea APT & Malware Monitoring
English-language monitoring for Korean APT, malware, ransomware, phishing, dark-web, vulnerability, KISA/KrCERT, and AhnLab security signals. This page turns Korea records into a reusable analyst entry point instead of leaving them buried in the live tracker.
Server-Rendered Workflow Proof
Korea APT and malware workflow is backed by source-linked database records.
Workflow pages now render a live proof panel before JavaScript runs. The panel uses the public database summary plus a capped matching record slice, so external checks see a working monitoring product rather than a static article.
Summary generated 2026-06-11 02:19. Slice regions 1, source families 0. Public exports are capped; full feeds and historical access remain request-only.
Workflow Status
Korea APT/malware workflow
This page is a saved tracker-backed workflow for Korea threat monitoring. A zero-record state means no public tracker records matched this rendered slice, not that Korea source monitoring is disabled.
Rendered records are capped public samples from the tracker. Use exports or API access for repeat monitoring, and verify source-linked records before operational decisions.
What this collection covers
Korea security records from KISA/KrCERT, AhnLab, and related public sources. The collection emphasizes domestic Korean threat reports, malware activity, vulnerability notices, dark-web intelligence, phishing/smishing campaigns, ransomware, and Korean infrastructure or enterprise-security context that global English feeds may miss.
How analysts should use it
Start with the highest-priority records, then filter by entity, sector, or keyword. Treat the page as a recurring monitoring workflow: export records for weekly reviews, subscribe to the RSS preset, and open source-linked articles when a signal requires deeper context.
23 rendered Korea records. Source data remains tracker-first; only strong records become articles.
Priority Korea signals
ASEC Weekly Report Flags Ransomware on Nova and Dark Web Code Leak Claims in South Korea
ASEC’s Ransom & Dark Web Issues report for week 3 of May 2026 details a ransomware attack on South Korean cosmetics firm Nova, alleged data leakage from an open-source visualization platform attributed to CoinbaseCartel, and claimed source-code theft and sale from a developer platform by TeamPCP, based on AhnLab TIP monitoring.
2026-05-20 / Korea / Korean / CoinbaseCartel, Nova, TeamPCPWindows Web Server Exploitation Trends: Analysis of Q1 2026 Attack Patterns
AhnLab SEcurity intelligence Center (ASEC) reports persistent targeting of Windows-based IIS and Apache Tomcat servers in Q1 2026. Attackers, notably the Larva-26001 threat actor, utilize web shell command execution, privilege escalation exploits like JuicyPotato, and port-forwarding tools to seize control of infected systems through RDP-mediated access and internal network lateral movement.
2026-04-12 / Korea / English or source unknown / AhnLab, Microsoft, Apache Software FoundationAhnLab April 2026 Dark Web Intelligence: High-Value Defense and Aerospace Data Leak Trends
The April 2026 dark web landscape was dominated by the leak of critical aerospace, defense, and military intelligence, including Boeing Artemis and Virginia-class submarine data. Notable activity from threat groups like ShinyHunters and the resurgence of BreachForums highlighted high-risk exposure across technology, financial, and government sectors, alongside the increasing commoditization of Phishing-as-a-Servic...
2026-05-10 / Korea / English or source unknown / Boeing, Cisco, ADT Inc.AhnLab April 2026 Report Highlights Surge in Targeted Critical Infrastructure Ransomware Attacks
The April 2026 Ransomware Threat Trend Report from AhnLab reveals a significant shift in ransomware operations, with groups increasingly focusing on critical infrastructure sectors. The report details heighted activity in the manufacturing, healthcare, and finance industries globally, alongside the emergence of new threat groups and sustained campaigns by established actors like Qilin and INC Ransom.
2026-05-11 / Korea / English or source unknown / AhnLab, Qilin, DragonForceTrojan and Phishing Dominate Korean Phishing Email Attachments in April 2026
In April 2026, Trojan malware accounted for 47% of phishing email attachments in South Korea, followed by phishing payloads at 39%, according to ASEC analysis. Attackers used social engineering lures like fake tax invoices and logistics notifications, with Trojans often delivered via double-extension files and phishing via HTML spoofs. The share of phishing malware rose from 21% to 39% month-over-month.
2026-05-13 / Korea / KoreanKISA Issues Urgent Warning on Smishing Exploiting Breached Travel Platform Data
South Korea's internet security agency, KISA, has issued an urgent advisory regarding highly targeted smishing attacks. Cybercriminals are using stolen data from hacked travel platforms, such as accommodation reservation details, to impersonate hotel staff. These attacks aim to deceive travelers into entering credit card information on fraudulent sites to avoid supposed booking cancellations, posing significant se...
2026-05-12 / Korea / Korean / KISA, KrCERT/CCTop entities
Top sectors
Searchable Korea records
ASEC Weekly Report Flags Ransomware on Nova and Dark Web Code Leak Claims in South Korea
ASEC’s Ransom & Dark Web Issues report for week 3 of May 2026 details a ransomware attack on South Korean cosmetics firm Nova, alleged data leakage from an open-source visualization platform attributed to CoinbaseCartel, and claimed source-code theft and sale from a developer platform by TeamPCP, based on AhnLab TIP monitoring.
- Entities
- CoinbaseCartel, Nova, TeamPCP
- Sectors
- cybersecurity, manufacturing, technology
- Tags
- ASEC, AhnLab, South Korea, cosmetics, dark web, data leak, ransomware, source code leak
Windows Web Server Exploitation Trends: Analysis of Q1 2026 Attack Patterns
AhnLab SEcurity intelligence Center (ASEC) reports persistent targeting of Windows-based IIS and Apache Tomcat servers in Q1 2026. Attackers, notably the Larva-26001 threat actor, utilize web shell command execution, privilege escalation exploits like JuicyPotato, and port-forwarding tools to seize control of infected systems through RDP-mediated access and internal network lateral movement.
- Entities
- AhnLab, Microsoft, Apache Software Foundation
- Sectors
- Cybersecurity, Cloud Computing, Information Technology
- Tags
- Apache Tomcat, IIS, Larva-26001, Port Forwarding, Privilege Escalation, RDP, Web Shell
AhnLab April 2026 Dark Web Intelligence: High-Value Defense and Aerospace Data Leak Trends
The April 2026 dark web landscape was dominated by the leak of critical aerospace, defense, and military intelligence, including Boeing Artemis and Virginia-class submarine data. Notable activity from threat groups like ShinyHunters and the resurgence of BreachForums highlighted high-risk exposure across technology, financial, and government sectors, alongside the increasing commoditization of Phishing-as-a-Servic...
- Entities
- Boeing, Cisco, ADT Inc., 7-Eleven, Coinbase Global Inc., Vercel Inc.
- Sectors
- Aerospace & Defense, Technology, Government, Finance, Healthcare, Energy
- Tags
- Cybersecurity, Dark Web, Data Breach, Infostealer, Malware-as-a-Service, Military Intelligence, ShinyHunters, Threat Intelligence
AhnLab April 2026 Report Highlights Surge in Targeted Critical Infrastructure Ransomware Attacks
The April 2026 Ransomware Threat Trend Report from AhnLab reveals a significant shift in ransomware operations, with groups increasingly focusing on critical infrastructure sectors. The report details heighted activity in the manufacturing, healthcare, and finance industries globally, alongside the emergence of new threat groups and sustained campaigns by established actors like Qilin and INC Ransom.
- Entities
- AhnLab, Qilin, DragonForce, INC Ransom
- Sectors
- Manufacturing, Healthcare, Finance, Cybersecurity, Critical Infrastructure
- Tags
- DLS, Data Breach, Dedicated Leak Sites, Global Security Trends, Ransomware, South Korea, Threat Intelligence
Trojan and Phishing Dominate Korean Phishing Email Attachments in April 2026
In April 2026, Trojan malware accounted for 47% of phishing email attachments in South Korea, followed by phishing payloads at 39%, according to ASEC analysis. Attackers used social engineering lures like fake tax invoices and logistics notifications, with Trojans often delivered via double-extension files and phishing via HTML spoofs. The share of phishing malware rose from 21% to 39% month-over-month.
- Sectors
- energy, government, logistics, manufacturing
- Tags
- ASEC, South Korea, Trojan, email security, malware, phishing
KISA Issues Urgent Warning on Smishing Exploiting Breached Travel Platform Data
South Korea's internet security agency, KISA, has issued an urgent advisory regarding highly targeted smishing attacks. Cybercriminals are using stolen data from hacked travel platforms, such as accommodation reservation details, to impersonate hotel staff. These attacks aim to deceive travelers into entering credit card information on fraudulent sites to avoid supposed booking cancellations, posing significant se...
- Entities
- KISA, KrCERT/CC
- Sectors
- Cybersecurity, Hospitality, Travel & Tourism, Financial Services
- Tags
- Booking Scams, Identity Theft, Personal Information Leak, Phishing, Smishing, South Korea
cPanel and WP Squared Address Critical Security Vulnerabilities in Global Update
cPanel has released urgent security updates for cPanel & WHM and WP Squared to address three critical vulnerabilities: improper input validation, code injection, and symbolic link following. These flaws affect numerous legacy and current versions, potentially allowing unauthorized system access. Administrators should immediately verify their software versions and apply the recommended patches to mitigate the risk ...
- Entities
- cPanel, WebPros
- Sectors
- Cloud Infrastructure, Web Hosting, Cybersecurity
- Tags
- CVE-2026-29201, CVE-2026-29202, CVE-2026-29203, Infrastructure Security, Patch Management, Vulnerability Management
Ollama Issues Security Update to Patch Critical Out-of-Bounds Read Vulnerability
Ollama has released a critical security update to address CVE-2026-7482, an out-of-bounds read vulnerability. KISA has issued an advisory recommending that users upgrade to version 0.17.1 or higher. The flaw could allow unauthorized memory access, necessitating immediate patching or temporary mitigation by restricting external API access and rotating keys.
- Entities
- Ollama
- Sectors
- Artificial Intelligence, Cybersecurity, Cloud Infrastructure
- Tags
- API Security, KISA, Large Language Models, Memory Safety, Vulnerability
Cisco Unity Connection Security Update Addresses Critical Path Traversal and SSRF Vulnerabilities
Cisco has released critical security patches for Cisco Unity Connection to address vulnerabilities including Path Traversal (CVE-2026-20034) and Server-Side Request Forgery (CVE-2026-20035). These flaws affect versions 12.5 through 15.0, potentially allowing unauthorized system access. Organizations are advised to upgrade to version 15SU4 or 14SU5 to mitigate these infrastructure risks.
- Entities
- Cisco, KISA
- Sectors
- Information Technology, Telecommunications, Cybersecurity
- Tags
- CVE-2026-20034, CVE-2026-20035, Network Infrastructure, Path Traversal, SSRF, Unified Communications, Vulnerability Management
KISA Issues Security Advisory for Critical Out-of-Bounds Write Vulnerability in Palo Alto Networks PAN-OS
Palo Alto Networks has released critical security updates addressing CVE-2026-0300, an out-of-bounds write vulnerability in its PAN-OS software. Affecting versions 10.2 through 12.1, the flaw poses significant risks to network infrastructure security. The Korea Internet & Security Agency (KISA) strongly recommends that organizations apply the specific hotfixes and maintenance releases provided to mitigate potentia...
- Entities
- Palo Alto Networks, Korea Internet & Security Agency (KISA)
- Sectors
- Cybersecurity, Cloud Infrastructure, Government, Enterprise Software
- Tags
- CVE-2026-0300, KISA, Network Security, Out-of-Bounds Write, PAN-OS, Vulnerability Management
Cisco Security Advisory Addresses Critical Vulnerabilities in Crosswork, NSO, and ESA Systems
Cisco has released urgent security updates to address significant vulnerabilities in its networking and security product lines. The advisories cover denial-of-service risks in the Crosswork Network Controller and Network Services Orchestrator (NSO), as well as long-standing resource management issues in Cisco Email Security Appliance (ESA) running legacy AsyncOS software.
- Entities
- Cisco, KISA
- Sectors
- Cybersecurity, Infrastructure, Network Automation, Information Technology
- Tags
- CVE-2022-20653, CVE-2026-20188, Denial of Service, Email Security, Network Automation, Patch Management, Vulnerability Management
ShinyHunters Claims U.S. Retail and Software Breaches; New Extortion Group Prinz Eugen Emerges
In Week 4 of April 2026, ShinyHunters claimed responsibility for data breaches targeting a major U.S. convenience store chain and a U.S. software development firm, while a new data extortion group, Prinz Eugen, emerged on the dark web, according to ASEC Blog.
- Entities
- Prinz Eugen, ShinyHunters
- Sectors
- cybercrime, retail, software development
- Tags
- ASEC, AhnLab, Prinz Eugen, ShinyHunters, dark web, data breach, extortion, ransomware
South Korea APT Campaigns in March 2026 Rely on LNK Files and Multi-Stage Scripting
In March 2026, AhnLab observed South Korea-targeted APT attacks primarily using spear-phishing emails with LNK files to deploy malware via PowerShell, curl, HTA, and scripting chains, leading to info-stealers, keyloggers, and memory-resident backdoors.
- Entities
- AhnLab
- Sectors
- Critical Infrastructure, Cybersecurity, Government
- Tags
- APT, AutoIt, Backdoor, HTA, InfoStealer, Keylogger, LNK, PowerShell
New Ransomware Strains TiMC, BlackWater, Lamashtu Emerge Amid DDoS Claims and Social Engineering Campaigns
ASEC reports three new ransomware variants—TiMC, BlackWater, and Lamashtu—alongside NoName05716’s claimed DDoS attacks on South Korean public and private entities and the VECT·TeamPCP campaign targeting a Dutch travel booking platform via social engineering.
- Sectors
- Financial, Healthcare, Medical Device, Public Institution, Travel Booking Service
- Tags
- BlackWater, DDoS, Lamashtu, Netherlands, NoName05716, Ransomware, Social Engineering, South Korea
ASEC Q1 2026 Report Reveals Larva-26002’s Shift to Go-Based ICE Cloud Scanner via BCP Exploitation
ASEC’s analysis of ASD logs for Q1 2026 shows persistent attacks on Windows-based MS-SQL and MySQL servers, with a temporary decline in February followed by a March rebound. The Larva-26002 threat actor was observed deploying the Go-written ICE Cloud scanner via BCP exploitation on mismanaged MS-SQL systems, continuing prior use of Trigona and Mimic ransomware. Turkish-language strings in the scanner align with ea...
- Sectors
- cloud infrastructure, database administration, enterprise IT, managed security services
- Tags
- BCP exploitation, Go-language malware, ICE Cloud scanner, Larva-26002, MS-SQL, MySQL, Turkish-language strings, Windows Server
Japanese Automaker Data Breach and South Korean Steel Ransomware Attack Highlight East Asia Cyber Threats
In March 2026, a Japanese automaker suffered a personal data breach via unauthorized external access, while INC Ransom targeted a South Korean steel manufacturer in a ransomware attack. Simultaneously, the administrator of the LeakBase dark web forum was arrested in Russia. These incidents underscore ongoing cyber risks to manufacturing sectors in Japan and South Korea, with implications for supply chain security ...
- Sectors
- automotive, manufacturing, steel manufacturing
- Tags
- INC Ransom, Japan, LeakBase, South Korea, dark web, data breach, ransomware, threat actor arrest
CVE-2026-24498: EFM-Networks ipTIME Routers Vulnerable to Wi-Fi Password Exposure
A security bypass vulnerability (CVE-2026-24498) in EFM-Networks ipTIME wireless routers allows unauthorized actors to extract Wi-Fi passwords in plaintext. Impacting multiple models including the T5008 and AX-series, the flaw bypasses internal security controls. Users must update to firmware version 15.27.2 or higher to remediate the risk of local credential theft.
- Entities
- EFM-Networks, KISA
- Sectors
- Consumer Electronics, Critical Infrastructure, Cybersecurity
- Tags
- CVE-2026-24498, Information Disclosure, Router Security, South Korea, Wi-Fi, ipTIME
CVE-2026-24497: Critical Buffer Overflow in SimTech Systems ThinkWise Facilitates Remote Code Execution
A high-severity buffer overflow vulnerability (CVE-2026-24497) has been identified in SimTech Systems' ThinkWise mind-mapping software. Affecting versions 7 through 22, the flaw allows remote attackers to execute arbitrary code. Users are urged to upgrade to ThinkWise 23 immediately to mitigate the risk of complete system compromise via malicious file formats.
- Entities
- SimTech Systems, KISA
- Sectors
- Software, Cybersecurity, Infrastructure
- Tags
- Buffer Overflow, CVE-2026-24497, CWE-121, Enterprise Productivity, Remote Code Execution, South Korea Security, ThinkWise
KISA Issues Warning for Type Confusion Vulnerability in Hancom Office
South Korea's KISA and KrCERT/CC have disclosed a high-severity type confusion vulnerability (CVE-2025-29867) in Hancom Office. The flaw resides in the DOC file processing logic, potentially allowing remote attackers to execute arbitrary code. Users of Hancom Office versions 2018 through 2024 must apply security updates to mitigate risks of system compromise through malicious documents.
- Entities
- Hancom, KISA, KrCERT/CC
- Sectors
- Cybersecurity, Public Sector, Software Development
- Tags
- CVE-2025-29867, Hancom Office, Remote Code Execution, South Korea Security, Type Confusion, Vulnerability
ALZip Vulnerability CVE-2025-29864 Bypass Windows Mark of the Web Defenses
A vulnerability in ESTsoft ALZip versions 12.01 through 12.29 fails to propagate 'Mark of the Web' (MoTW) Zone.Identifier streams when extracting files. This flaw, tracked as CVE-2025-29864, allows malicious content to bypass Windows security warnings, potentially leading to unauthorized code execution if users are tricked into opening unflagged malicious files.
- Entities
- ESTsoft, KISA, KrCERT/CC
- Sectors
- Cybersecurity, Software Development
- Tags
- ALZip, CVE-2025-29864, Mark of the Web, MoTW, South Korea, Vulnerability Disclosure
CVE-2025-29866: Critical Improper Privilege Validation in Tagfree X-Free Uploader
A high-severity vulnerability (CVE-2025-29866) has been identified in Tagfree's X-Free Uploader, allowing unauthorized attackers to delete arbitrary files. With a CVSS score of 8.8, this improper privilege validation flaw enables data tampering and system disruption. South Korea's KISA recommends immediate patching to versions 1.0.1.0085 or 2.0.1.0035 to mitigate operational risks.
- Entities
- Tagfree, KISA, KrCERT/CC
- Sectors
- Software Development, Cybersecurity, Infrastructure
- Tags
- CVE-2025-29866, Data Tampering, File Management Security, Privilege Escalation, South Korea Security, Vulnerability
CVE-2025-29865: Arbitrary File Download Vulnerability in Tagfree X-Free Uploader
KISA and KrCERT/CC have identified a high-severity arbitrary file download vulnerability in Tagfree X-Free Uploader. Designated as CVE-2025-29865, the flaw stems from insufficient validation of server communication parameters. If exploited, attackers could leak sensitive information or download arbitrary files. Users are urged to update to XFU versions 1.0.1.0085 or 2.0.1.0035.
- Entities
- Tagfree, KISA, KrCERT/CC
- Sectors
- Cybersecurity, Infrastructure Software
- Tags
- CVE-2025-29865, File Download Vulnerability, Information Leak, Software Supply Chain, X-Free Uploader
Genians NAC SQL Injection Vulnerability Exposes Network Infrastructure to Data Disclosure
Genians has addressed CVE-2024-23843, a SQL injection vulnerability in its Genian NAC management console. The flaw stems from insufficient validation of user-supplied search parameters, potentially allowing unauthorized data exposure. Organizations using Genian NAC V5.0 or its LTS variants should upgrade to the latest versions to mitigate the risk of database compromise within their security infrastructure.
- Entities
- Genians, KISA, KrCERT/CC
- Sectors
- Cybersecurity, Infrastructure Software, Government
- Tags
- CVE-2024-23843, Information Disclosure, NAC, Network Access Control, SQL Injection, Vulnerability Management