One Intelligence. Born from Real Threats.

Genians Security Center

Genians Security Center (GSC) is the dedicated threat intelligence and threat-hunting unit inside Genians’ Endpoint Security R&D Division. Based in South Korea, GSC analyzes APT, ransomware, and fileless attacks as live operational threats, then converts every insight into enforceable controls across Genian NAC, ZTNA, and EDR.

Who We Are

Korea-Led Threat Research

GSC delivers field-driven threat intelligence shaped by decades of tracking North Korea’s most advanced operators. That depth of experience against one persistent adversary gives it the technical grounding and operational insight to recognize and counter similar tradecraft from other actors, whatever the target surface.

Frontline threat-hunting and intelligence

  • Counters high-volume malware, long-running APT activity, stealth techniques, and live intrusion attempts in Korea and worldwide.
  • Tracks nation-state operators, their C2 ecosystems and supporting infrastructure, and shifts in attack tradecraft.

Genians’ central threat-intelligence hub

  • Collects and analyzes malware, scripts, loader chains, cloud-based implants, phishing systems, and persistent TTP patterns across campaigns.
  • Maintains ATT&CK-aligned detection logic, behavioral models, and correlation rules that scale across environments.

Real-time defensive feedback loop

  • Converts indicators, behaviors, and tactics into updated detection engines, segmentation rules, and session controls across NAC + ZTNA + EDR.
  • Keeps Zero Trust policies in sync with active intrusion patterns through continuous platform-wide updates.

What We Do

Intelligence in Action

Proactive Threat Hunting & Adversary Tracking

Detection & Response Analysis Framework

Scenario-based BMT (benchmark testing) and PoC validation, with signatures and behavior rules tuned to stay effective against common evasion tactics.

Cross-layer behavior correlation (XBA) across LNK, PowerShell, AutoIt, MSI, and cloud-service (e.g. Dropbox/pCloud) activity, kernel-level anomalies, and session deviation patterns.

Attack Story Line reconstruction of multi-step attack flows to support accurate incident triage and root-cause analysis.

Publishing Intelligence & Practitioner Guidance

Ongoing publication of threat-intel reports through Genians Insights and the Korean threat-intel series.

Concise guidance to help public-sector, financial, and enterprise teams apply intelligence in practice.

Recommendations aligned with DPI, NAC, ZTNA, and EDR workflows for quick operational adoption.

Deep Adversary Research

Core Research Areas & Representative Work

Deep Coverage of North Korean APT Ecosystem

GSC is one of the most experienced organizations in South Korea specializing in North Korea–linked APT activity, including:

Kimsuky and associated clusters

Campaigns such as Suky Castle, Triple Combo, FlowerPower, deepfake-driven impersonation, diplomatic lures, MSC-based loaders, BabyShark/ReconShark variants, and long-term credential harvesting chains.

APT37 (ScarCruft) & Konni operations

Lures involving human rights organizations, political commentary, K-Messenger, energy/market reports, and fake webinars.

Analysis of RoKRAT, XenoRAT, TutorialRAT, AutoIt droppers, and cloud-based C2 pipelines.

Socio-political lure clusters

North Korean economy forecasts, political crisis documents, martial-law disinformation packages, cryptocurrency market reports, and national-policy lures.

AI Deepfake Attacks & Advanced Social Engineering Operations

Analysis of a deepfake military ID scam used by Kimsuky to target Korean public agencies and research institutions.

Full reconstruction of LNK–PowerShell–batch chain, payload staging, and C2 infrastructure.

Tracking campaigns abusing trending domestic Korean social, political, or economic events.

Linux Backdoors, OT Intrusions & Stealth Server Attacks

Reverse engineering of BPFdoor, a Linux backdoor that attaches a BPF filter to a raw socket so it can receive attacker trigger packets without binding a listening port, letting it evade port-based inventory and maintain long-term stealth.

Analysis of timestamp tampering, RC4-encrypted payloads, disguised process names, covert beaconing, and kernel-level anomaly markers.

OT and critical-infrastructure detection playbooks for energy, manufacturing, and transport sectors.
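The host-triage checks a responder would run for the BPFdoor traits listed above, as an added example (not Genians’ detection logic or any published playbook): a process holding a raw AF_PACKET socket while listening on no TCP/UDP port, a process name that does not match its on-disk executable, a binary that was unlinked or runs from a temporary directory, and an mtime backdated relative to ctime. The /proc/net/packet snapshot and the process records are constructed and embedded; on a live system the same fields come from /proc/<pid>/comm, /proc/<pid>/exe, the socket inodes in /proc/<pid>/fd, and /proc/net/packet. The 30-day timestomp threshold is an assumption.

```python
import os
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed snapshot in the layout of /proc/net/packet: one row per
# AF_PACKET socket, last column is the socket inode.
SAMPLE_PROC_NET_PACKET = """\
sk       RefCnt Type Proto  Iface R Rmem   User   Inode
ffff9a01 3      3    0003   2     1 0      0      48213
ffff9a02 3      2    0800   0     0 0      0      31007
"""

SUSPICIOUS_DIRS = ("/dev/shm", "/tmp", "/var/tmp", "/run")
TIMESTOMP_GAP_SECONDS = 30 * 24 * 3600  # assumption: treat >30 days as backdated


def packet_socket_inodes(text: str) -> Set[int]:
    """Return the inode of every AF_PACKET socket listed in /proc/net/packet text."""
    inodes: Set[int] = set()
    for line in text.splitlines()[1:]:        # skip the header row
        cols = line.split()
        if len(cols) >= 9:
            inodes.add(int(cols[8]))
    return inodes


@dataclass
class Proc:
    pid: int
    comm: str                  # /proc/<pid>/comm; attacker-controlled, what ps shows
    exe: str                   # readlink /proc/<pid>/exe; " (deleted)" if unlinked
    socket_inodes: Set[int]    # inodes of socket:[N] entries in /proc/<pid>/fd
    listening_ports: List[int]
    exe_mtime: float           # st_mtime of the binary; settable with utimes/touch
    exe_ctime: float           # st_ctime; kernel-maintained, not settable from userland


def triage(p: Proc, packet_inodes: Set[int],
           timestomp_gap: float = TIMESTOMP_GAP_SECONDS) -> List[str]:
    """Return a list of BPFdoor-style indicators observed for one process."""
    findings: List[str] = []
    exe_path = p.exe.replace(" (deleted)", "")
    base = os.path.basename(exe_path)

    # BPFdoor waits for trigger packets on a raw socket with a BPF filter, so it
    # owns an AF_PACKET socket yet shows no listening port to netstat/ss -l.
    if p.socket_inodes & packet_inodes and not p.listening_ports:
        findings.append("raw AF_PACKET socket held but no TCP/UDP listening port")

    # Name disguise: comm is rewritten (prctl/argv) while /proc/<pid>/exe is not.
    # comm is truncated to 15 bytes by the kernel, so compare on that prefix.
    if base[:15] != p.comm[:15]:
        findings.append(f"process name {p.comm!r} does not match executable {base!r}")

    if p.exe.endswith(" (deleted)"):
        findings.append("executable unlinked from disk while still running")

    if any(exe_path.startswith(d + "/") for d in SUSPICIOUS_DIRS):
        findings.append(f"executable runs from {os.path.dirname(exe_path)}")

    # mtime can be backdated, ctime cannot, so a large ctime-mtime gap means the
    # file was touched after creation. Package managers also preserve mtime, so
    # only count it once another indicator is already present.
    if findings and p.exe_ctime - p.exe_mtime > timestomp_gap:
        findings.append("binary mtime backdated relative to ctime (possible timestomping)")
    return findings


# Constructed process table: a normal sshd, a legitimate DHCP client that
# legitimately owns a packet socket, and a disguised implant.
SAMPLE_PROCS = [
    Proc(812, "sshd", "/usr/sbin/sshd", {90001}, [22], 1_600_000_000, 1_700_000_000),
    Proc(1033, "dhclient", "/sbin/dhclient", {31007}, [], 1_699_990_000, 1_700_000_000),
    Proc(2764, "dbus-daemon", "/dev/shm/.cache-x (deleted)", {48213}, [],
         1_500_000_000, 1_700_000_000),
]


def run_sample() -> Dict[int, List[str]]:
    """Triage every constructed process; returns pid -> findings (empty list = clean)."""
    packet_inodes = packet_socket_inodes(SAMPLE_PROC_NET_PACKET)
    return {p.pid: triage(p, packet_inodes) for p in SAMPLE_PROCS}


if __name__ == "__main__":
    for pid, hits in run_sample().items():
        print(pid, "clean" if not hits else "; ".join(hits))
```

The dhclient record shows why the raw-socket check alone is not a verdict: DHCP clients, packet capture tools and some monitoring agents hold AF_PACKET sockets legitimately, so an alert should require the socket plus a disguise or on-disk indicator, which is how the implant record scores five hits while dhclient scores one.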

Multi-channel Messenger & Cloud Abuse Attack Campaigns

Tracking attacks delivered over Facebook, Telegram, K-Messenger, email, and video-meeting invitations.

Identifying threat actor use of Dropbox, pCloud, OneDrive, and other SaaS platforms for payload hosting and covert C2 communications.

Behavior-based detection logic designed to catch these patterns even when signatures fail.
