OceanLotus (AKA APT32) is a threat actor group known to be one of the most sophisticated threat actors originating out of south east Asia.
This blog will cover a new custom downloader malware family we’ve named “KerrDown” which OceanLotus have been actively using since at least early 2018.
Unit 42’s research on Smoke Loader, a malware that encrypts network traffic and files with various keys to avoid analysis
Unit 42 takes a look at how Bisonal Malware was used in attacks against Russia and South Korea. Read the full report.
Sign up to receive the latest news, cyber threat intelligence and research from Unit 42
By submitting this form, you agree to our Terms of Use and acknowledge our Privacy Statement.
Recently, Palo Alto Networks Unit 42 discovered the Tick group targeted a specific type of secure USB drive created by a South Korean defense company
Unit 42 uncovers UBoatRAT, a new custom Remote Access Trojan navigating through East Asia.
New Unit 42 research on the “Tick” group’s espionage attacks targeting organizations in Japan and Korea.
Unit 42 analyzes the Ursnif banking Trojan.
(This blog post is also available in Japanese.) In June 2016, Unit 42 published the blog post “Tracking Elirks Variants in Japan: Similarities to Previous Attacks”, in which we described the resemblance of attacks using the Elirks malware family in Japan and Taiwan. Since then, we continued tracking this threat using Palo Alto Networks AutoFocus
A recent, well-publicized attack on a Japanese business involved two malware families, PlugX and Elirks, that were found during the investigation. PlugX has been used in a number of attacks since first being discovered in 2012, and we have published several articles related to its use, including an analysis of an attack campaign targeting Japanese
Online banking services have been a prime target of cyber criminals for many years and attacks continue to grow. Targeting online banking users and stealing their credentials has yielded huge profits for the criminals behind these campaigns. Unit 42 has been tracking “KRBanker” AKA ‘Blackmoon’, since late last year. This campaign specifically targets banks of
On December 24, 2015, Unit 42 identified a targeted attack, delivered via email, on a high profile Indian diplomat, an Ambassador to Afghanistan. The body and content of the email suggest that it was crafted and spoofed to look like it was sent by the current Defence Minister of India, Mr. Manohar Parrikar, commending the