SYMBOLCOMMON_NAMEaka. SYNONYMS

Larva-24005  (Back to overview)


Larva-24005 is a threat actor that breaches servers in Korea to establish a web server and PHP environment for phishing attacks, primarily targeting individuals involved with North Korea and university professors researching the regime. They exploit the BlueKeep vulnerability for initial access and utilize RDPWrap and a custom keylogger post-compromise. Phishing emails are crafted to appear as legitimate communications, often containing malicious URLs or compressed files. The actor has been observed storing phishing pages in the IIS_USER account and XAMPP home folder, although traces of these pages were later deleted.


Associated Families

There are currently no families associated with this actor.


References
2025-02-27AhnLabASEC
Phishing Email Attacks by the Larva-24005 Group Targeting Japan
Larva-24005

Credits: MISP Project