Close Menu
  • Latest News
    • Bitcoin
    • Ethereum
    • Altcoins
    • Meme Coins
  • Tech
    • Blockchain
    • Security and Privacy
  • Web 3
    • Gaming
  • Legal
    • Legal and Regulatory
    • Adoption
  • Analysis
  • Learn
    • Education
    • Wallets and Exchanges
  • Tools
    • Market Overview
    • Exchange Tool
What's Hot

South Korea’s 8% stock crash set up a crypto rotation but Upbit volume rose just 4%

July 15, 2026

U.S. CFTC moves to stop Kalshi from canceling trades as ordered by Michigan court

July 15, 2026

Bitcoin Market Outlook: Opportunities Ahead

July 15, 2026
Facebook X (Twitter) Instagram
  • Contact
  • Privacy Policy
  • Terms & Conditions
  • Disclosure
Facebook X (Twitter) Instagram
Free.cc (Free Cryptocurrency)Free.cc (Free Cryptocurrency)
  • Latest News
    1. Bitcoin
    2. Ethereum
    3. Altcoins
    4. Meme Coins
    5. View All

    U.S. CFTC moves to stop Kalshi from canceling trades as ordered by Michigan court

    July 15, 2026

    China’s Prosecutors Move To Treat Crypto Mixers As Evidence Of Money Laundering

    July 15, 2026

    Inside U.S. Government’s $20.6B crypto wallet stash and what comes next

    July 15, 2026

    Bitcoin Price Crash to $48K? Analyst Warns 200-Week EMA Breakdown Could Trigger Deeper Selloff

    July 15, 2026

    ETH Price Eyes $2,163 Target as Double Bottom Completes on Daily Chart

    July 15, 2026

    Ethereum falls to $1.7K – Will a $153 mln whale push help ETH bounce back?

    July 14, 2026

    Ethereum Bullish Signals Strengthen as Whale Accumulation, Lean Ethereum Roadmap Fuel Optimism

    July 13, 2026

    Which way is Ethereum headed? What to expect as bulls and bears fight for ETH

    July 13, 2026

    NEAR Governance Vote To Scrap Gas Rebates Puts Developer Incentives Under Review

    July 15, 2026

    Derive [DRV] gains 40% on Upbit news – THIS zone marks next major hurdle

    July 15, 2026

    LAB token sinks 99% from ATH: 3 reasons behind the collapse

    July 14, 2026

    Coinbase Smart Wallet Verification Upgrade Targets The Multi-Chain UX Problem

    July 14, 2026

    $1.2 Billion Exits Memecoins: Binance Data Signals Heavy Sell-Off

    July 14, 2026

    CASHCAT Soars 1,600% Amid Robinhood Memecoin Frenzy

    July 8, 2026

    Crypto Market Sectors Retreat as Meme Tokens Lead Daily Declines

    July 7, 2026

    Why Memecoins May Never Return to Their All-Time Highs

    July 4, 2026

    South Korea’s 8% stock crash set up a crypto rotation but Upbit volume rose just 4%

    July 15, 2026

    U.S. CFTC moves to stop Kalshi from canceling trades as ordered by Michigan court

    July 15, 2026

    Bitcoin Market Outlook: Opportunities Ahead

    July 15, 2026

    NEAR Governance Vote To Scrap Gas Rebates Puts Developer Incentives Under Review

    July 15, 2026
  • Tech
    1. Blockchain
    2. Security and Privacy
    3. View All

    Merck and Hashgraph Group launch Hedera-based product passport for EU compliance

    June 12, 2026

    COTI and Midnight Foundation Partner to Advance the Global Privacy Ecosystem

    June 11, 2026

    Cardano Gets Exposure From Olympics Committee

    June 11, 2026

    How Privacy and Composability Trade-Offs Differ

    June 11, 2026

    Robinhood Chain tokens are reportedly vanishing from wallets causing buyers to lose funds

    July 14, 2026

    One crypto wallet tied to a 20-year-old fraudster processed over $122M before Interpol closed in

    July 13, 2026

    Convicted scammer’s “seized” crypto moves to unknown wallets while in prison as DOJ failed to secure funds

    July 13, 2026

    Relay Protocol Warns of Robinhood Chain Honeypot Coins

    July 10, 2026

    South Korea’s 8% stock crash set up a crypto rotation but Upbit volume rose just 4%

    July 15, 2026

    U.S. CFTC moves to stop Kalshi from canceling trades as ordered by Michigan court

    July 15, 2026

    Bitcoin Market Outlook: Opportunities Ahead

    July 15, 2026

    NEAR Governance Vote To Scrap Gas Rebates Puts Developer Incentives Under Review

    July 15, 2026
  • Web 3
    1. Gaming
    2. View All

    Yield Guild Games Sunsets YGG Play Publishing Unit, Cuts 35 Jobs

    July 7, 2026

    GO1 and Xiaohai Set up Potential Rematch at EWC 2026 Fatal Fury Bracket in Paris

    July 6, 2026

    CoinIQ Crypto Analysis: The Anti-FOMO Crypto App That Grades Coins Before You Buy

    July 3, 2026

    Hur Blockchain och NFT-teknologi Förändrar Kasinobranschen för Alltid

    June 29, 2026

    South Korea’s 8% stock crash set up a crypto rotation but Upbit volume rose just 4%

    July 15, 2026

    U.S. CFTC moves to stop Kalshi from canceling trades as ordered by Michigan court

    July 15, 2026

    Bitcoin Market Outlook: Opportunities Ahead

    July 15, 2026

    NEAR Governance Vote To Scrap Gas Rebates Puts Developer Incentives Under Review

    July 15, 2026
  • Legal
    1. Legal and Regulatory
    2. Adoption
    3. View All

    North Carolina Enacts Strict Rules for Crypto ATMs to Combat Fraud

    July 15, 2026

    The next currency crisis could turn $300 billion in stablecoins into national currencies

    July 14, 2026

    Trump Pushes Senators To Pass Clarity Act in Wake of Lindsey Graham’s Death As Crypto Bill’s Polymarket Odds Dwindle

    July 14, 2026

    After MiCA deadline, majority of Binance users sent funds to self-custody not other compliant exchanges

    July 13, 2026

    Banks are building the rails to profit from 13.9 million BTC they do not own

    July 14, 2026

    Crypto exchanges are becoming the new distribution channel for Wall Street assets

    July 14, 2026

    Tether’s $20 billion mountain of gold – equal to a national reserve

    July 13, 2026

    A $407 million Treasury fund reveals how Wall Street is building crypto’s missing collateral layer

    July 12, 2026

    South Korea’s 8% stock crash set up a crypto rotation but Upbit volume rose just 4%

    July 15, 2026

    U.S. CFTC moves to stop Kalshi from canceling trades as ordered by Michigan court

    July 15, 2026

    Bitcoin Market Outlook: Opportunities Ahead

    July 15, 2026

    NEAR Governance Vote To Scrap Gas Rebates Puts Developer Incentives Under Review

    July 15, 2026
  • Analysis

    Bitcoin Market Outlook: Opportunities Ahead

    July 15, 2026

    Bitcoin pushes toward $65,000 on US inflation relief that may already be fading

    July 15, 2026

    DRV Price Soars 70% After Upbit Listing as Derive Sees Rising Network Activity

    July 15, 2026

    Is a Bitcoin whale from 2018 about to cash in after awakening to transfer $188 million?

    July 14, 2026

    Uniswap Price Rallies After Fee Switch Proposal—Can UNI Hit $5 Next?

    July 14, 2026
  • Learn
    1. Education
    2. Wallets and Exchanges
    3. View All

    What Is Robinhood Chain? The Ethereum Layer-2 Network for Tokenized Stocks

    July 12, 2026

    What Is BChat? The Decentralized Messaging App Built for Privacy

    June 2, 2026

    What Is an AI Prompt Injection Attack? The Hidden Threat Hijacking Your Chatbots

    May 31, 2026

    What Is AI Jailbreaking? A Beginner’s Guide to the Cat-and-Mouse Game Behind Every Chatbot

    May 17, 2026

    South Korea’s 8% stock crash set up a crypto rotation but Upbit volume rose just 4%

    July 15, 2026

    Hong Kong gives crypto platforms one year to ditch one-time passwords or cover user losses

    July 11, 2026

    Coinbase World Cup error shows prediction markets still have a proof problem

    July 7, 2026

    Coinbase helped build USDC – Why is it now backing the stablecoin trying to replace it, Open USD?

    July 3, 2026

    South Korea’s 8% stock crash set up a crypto rotation but Upbit volume rose just 4%

    July 15, 2026

    U.S. CFTC moves to stop Kalshi from canceling trades as ordered by Michigan court

    July 15, 2026

    Bitcoin Market Outlook: Opportunities Ahead

    July 15, 2026

    NEAR Governance Vote To Scrap Gas Rebates Puts Developer Incentives Under Review

    July 15, 2026
  • Tools
    • Market Overview
    • Exchange Tool
Free.cc (Free Cryptocurrency)Free.cc (Free Cryptocurrency)
Home»Security and Privacy»Template Injection Attacks: Nefarious Actors Lie in Wait in North Korea
Template Injection Attacks: Nefarious Actors Lie in Wait in North Korea
Security and Privacy

Template Injection Attacks: Nefarious Actors Lie in Wait in North Korea

October 9, 2025No Comments5 Mins Read
Share
Facebook Twitter LinkedIn Pinterest Email

Several cybercrime predictions have been made for 2023.

Thales, for example, has outlined 16 potential trends to watch, stating that attackers could begin to target standalone 5G networks and space tech such as satellites, major cryptocurrencies and deepfake technologies more actively. While attackers will undoubtedly evolve their methods to catch potential victims off guard, we’re also likely to see them leaning further into those tried and tested techniques that have recently caused major havoc. 

At Menlo Security, we expect this to be the case with template injection attacks – a topic discussed in my previous two Infosecurity Magazine columns. 

In October, we initially looked at how weaponized template injection documents work and how organizations can combat them. The Menlo Labs research team expanded its studies into template injection attacks – efforts that led us to uncover several weaponized documents using an interesting camouflage technique covered in a second column. 

If you are new to the topic, I recommend reading both of those first. We’ll now dive deeper into new findings that explore which parties may be responsible for the current wave of weaponized document attacks.

Lokibot and a Range of Similar Samples

During this latest analysis, we noticed that North Korean threat actors have been using tactics, techniques and procedures (TTPs) similar to those seen in previous threats, sharing many indicators of compromise (IOCs).

We came across a 2020 article by Fortinet, which revealed that they had previously been leveraging a seemingly benign Microsoft Word document that outlined South Korea’s supposed response to COVID-19 – this was designed to trick victims into downloading the BabyShark malware through the use of a malicious macro. 

See also  CoffeeMiner Forces Coffee Shop Visitors to Mine for Monero

In another campaign, North Korean threat actors previously sent falsified emails impersonating global delivery specialist FedEx, encouraging targets to open an executable disguised as a PDF to exfiltrate data. Critically, this IOC was used by LokiBot in other similar attacks dating back to 2018.

We also uncovered a sample of similar attacks on Joe Sandbox that showed that the standard North Korean language, Munhwaŏ, was the common resource language for both LokiBot and a similar URL structure. These were also similar to those analyzed in my previous columns. 

Looking at the malicious documents, we found that the metadata was repeated in all 57 samples analyzed. While some used camouflaged URLs with periods and others did not, all samples used template injection TTPs and exploited the CVE-2017-0199 vulnerability.

BlueNoroff’s SnatchCrypto Campaign

The repetition doesn’t end there. Kaspersky’s Securelist blog also highlights the use of similar TTPs by BlueNoroff – a North Korean APT group that typically targets cryptocurrency firms.

In a recent SnatchCrypto campaign, the attack group analyzed the inner workings of successful cryptocurrency startups to understand interactions between individuals. This, in turn, allowed the attackers to manipulate trust in internal communications and execute high-quality social engineering attacks. 

Using these tactics, BlueNoroff has successfully leveraged macro-enabled documents or older exploits, including CVE-2017-0199, that initially allows for the automatic execution of a remote script linked to a weaponized document. 

How does this execution work in practice? Essentially, it happens in three steps.

First, exploiting CVE-2017-0199 sees the retrieval of remote content via an embedded URL inside one of the document meta files. This contains two Base64-encoded binary objects – one for 32-bit Windows and one for 64-bit Windows. 

See also  North Korean Hackers Use Fake Coding Tasks to Steal Crypto

Next, this document fetches a second remote template containing a VBA macro that extracts one of these objects, enabling the spawn of a new process (notepad.exe) to inject and execute the binary code.

Third, the VBA macro does a clean-up by removing the binary objects and any reference to the remote template from the original document and saving it to the same file, essentially de-weaponizing the document.

Similar TTPs Used in a Malicious Email Campaign

Alongside the BlueNoroff example, there is evidence to suggest that a North Korean threat actor used similar TTPs in a malicious email campaign that spoofed reach outs from job recruiters. 

Each spoofed email housed malicious documents designed to again exploit CVE-2017-0199 by executing a malicious dynamic link library (DLL) to steal victim information. In this example, data would be exfiltrated, compressed, encrypted and Base64 encoded before being transmitted to a command-and-control server. 

It was identified that the threat actors were exfiltrating the data to malicious domains, such as shopandtravelusa[.]com, while they also hosted a webmail login that appeared to be a phishing site. In other words, it is possible that this could have been a multi-use command-and-control server – something that North Korean threat actors have a track record for. 

On 27 June 2022, for example, Twitter user ‘Phantom XSec’ reported that a North Korean phishing site with a link containing a (naver[.]challengedrive[.]42web.io) was targeting “defectors” in South Korea, showcasing a link that contained a Base64-encoded Google drive URL and victim email. Here, the site would ask users to identify themselves before they became able to download the malicious Google drive link.

See also  North Korea's Lazarus Group Suspected of $100m Harmony Hack

Today’s Threats Will Persist

Our research shows that many of the TTPs used by weaponized document attacks were not only similar but had identical footprints and IOCs, enabling us to attribute the metadata to a single threat actor. 

Given the methods used and the trail of data points uncovered, it is highly likely that each of the weaponized document attack methods discussed here can be attributed to a threat actor operating out of North Korea, likely tied to the infamous Lazarus group.

Indeed, North Korean cyber-criminals are renowned for their continued reliance on aging malicious infrastructure.

Moving forward, we don’t expect this to change. While threat actors will continue evolving their malware and infrastructure, the overlap in TTPs will ensure we keep a close eye on attacks from North Korean actors. 

Actors Attacks injection Korea Lie Nefarious North Template Wait
Share. Facebook Twitter Pinterest LinkedIn Tumblr Email

Related Posts

North Carolina Enacts Strict Rules for Crypto ATMs to Combat Fraud

July 15, 2026

Robinhood Chain tokens are reportedly vanishing from wallets causing buyers to lose funds

July 14, 2026

One crypto wallet tied to a 20-year-old fraudster processed over $122M before Interpol closed in

July 13, 2026

Convicted scammer’s “seized” crypto moves to unknown wallets while in prison as DOJ failed to secure funds

July 13, 2026
Add A Comment
Leave A Reply Cancel Reply

Top Posts

CBDC debate continues in US as Congress returns from recess

September 9, 2025

Here’s When To Buy And When To Sell

April 18, 2026

Stay ahead with the latest crypto news, market updates, blockchain insights, and trends. Your trusted source for everything happening in the digital asset world.


We're social. Connect with us:

Facebook X (Twitter) Instagram Pinterest YouTube
Top Insights

South Korea’s 8% stock crash set up a crypto rotation but Upbit volume rose just 4%

July 15, 2026

U.S. CFTC moves to stop Kalshi from canceling trades as ordered by Michigan court

July 15, 2026

Bitcoin Market Outlook: Opportunities Ahead

July 15, 2026
Get Informed

Subscribe to Updates

Get the latest creative news From Free.cc directly in your Inbox!

  • Contact
  • Privacy Policy
  • Terms & Conditions
  • Disclosure
© 2026 free.cc - All rights reserved.

Type above and press Enter to search. Press Esc to cancel.