
NKNShell Malware Distributed via VPN Website

Medium
Published: Thu Nov 20 2025 (11/20/2025, 14:45:54 UTC)
Source: AlienVault OTX General

Description

The NKNShell malware campaign involves a compromised South Korean VPN provider website used to distribute a multi-stage malware payload. The threat actor Larva-24010 deploys several backdoors including MeshAgent, gs-netcat, and a novel Go-based backdoor called NKNShell, which leverages NKN and MQTT protocols for command and control. The infection chain uses trojanized installers and PowerShell scripts, employing advanced evasion techniques such as AMSI and UAC bypasses. Additional tools like SQLMap are deployed to facilitate further exploitation. While primarily targeting Korean VPN users, the sophisticated use of blockchain-based networking protocols and multiple backdoors poses risks to any users of the compromised VPN service. The campaign's medium severity reflects its complexity and targeted nature, but it has not yet been observed exploiting widespread vulnerabilities or causing large-scale impact beyond South Korea.

AI-Powered Analysis

Last updated: 11/20/2025, 22:24:26 UTC

Technical Analysis

This campaign involves the compromise of a South Korean VPN provider's website to distribute malware, attributed to the Larva-24010 threat actor active since 2023. The attack vector begins with a trojanized VPN installer that, once executed, runs PowerShell scripts to download and deploy multiple payloads. Among these are several backdoors: MeshAgent, a legitimate remote management tool abused for persistence and control; gs-netcat, a lightweight network utility for tunneling; and NKNShell, a newly identified backdoor written in Go. NKNShell uniquely uses the NKN (New Kind of Network) blockchain-based protocol and MQTT messaging protocol for its command and control (C2) communications, enabling stealthy and resilient control channels that are difficult to detect or block. The malware also attempts to bypass Windows security features such as AMSI (Antimalware Scan Interface) and UAC (User Account Control) to evade detection and elevate privileges. The deployment of SQLMap indicates the attackers may be probing for or exploiting SQL injection vulnerabilities on infected systems or networks. The campaign demonstrates a multi-stage infection process with layered payloads and advanced evasion techniques, targeting VPN users primarily in South Korea but potentially affecting any users of the compromised VPN software. The use of blockchain-based networking for C2 is an emerging tactic that complicates traditional network defense mechanisms.

Potential Impact

For European organizations, the direct impact is currently limited due to the campaign's focus on a South Korean VPN provider and Korean user base. However, European users of the compromised VPN service or those who download the trojanized installer could become infected, leading to unauthorized remote access, data theft, and potential lateral movement within corporate networks. The backdoors installed enable attackers to exfiltrate sensitive information, deploy additional tools like SQLMap for further exploitation, and maintain persistent control over infected hosts. The use of advanced evasion techniques increases the difficulty of detection and remediation. If the malware spreads beyond its initial target region, European organizations could face risks to confidentiality, integrity, and availability of their systems. Additionally, the use of blockchain-based C2 channels may bypass conventional network monitoring tools, requiring enhanced detection capabilities. The campaign underscores the risk of supply chain compromises via VPN providers, which are widely used in Europe for secure remote access, especially post-pandemic.

Mitigation Recommendations

European organizations should verify the integrity of VPN software installers and avoid downloading VPN clients from unofficial or untrusted sources. Implement strict application whitelisting and code signing verification to prevent execution of trojanized installers. Enhance endpoint detection and response (EDR) capabilities to identify behaviors associated with MeshAgent, gs-netcat, and NKNShell, including unusual MQTT or NKN protocol network traffic. Monitor for PowerShell script execution and attempts to bypass AMSI or UAC, using behavioral analytics to detect anomalies. Network defenses should be updated to detect and block suspicious MQTT traffic and connections to known malicious domains such as broker.mqtt.cool and kttelecom.duckdns.org. Conduct regular threat hunting for indicators of compromise (IoCs) including the provided file hashes and domain names. Employ multi-factor authentication and least privilege principles to limit the impact of potential backdoor access. Finally, educate users about the risks of downloading software from compromised websites and maintain up-to-date backups to recover from potential ransomware or data destruction attacks that could follow initial compromise.
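The recommendations above amount to two concrete checks: match observed outbound connections against the listed domains (and flag MQTT traffic on its default ports), and match file hashes of downloaded installers against the listed hashes. The following script is an added example, not code from AhnLab, AlienVault or this page; it uses only the domains and hashes given in this pulse's Indicators of Compromise, and the log lines and observed hashes it runs over are constructed for the example. The log line format (timestamp, host, protocol, destination:port) is an assumption; adapt the regex to your proxy or firewall export.

```python
import re

# Domains listed in this pulse's IoC section.
IOC_DOMAINS = {
    "broker.mqtt.cool",
    "camo.hach.chat",
    "kttelecom.duckdns.org",
    "proxy.wingram.org",
}

# File hashes listed in this pulse's IoC section (MD5, SHA-1 and SHA-256 mixed).
IOC_HASHES = {
    "0696da5b242023308ad45c50666b2b96",
    "0dfea610a526b0d458e84c6cd604b2ab",
    "21067f677b8ac8d843a56cd2c19356ff",
    "2e9bf8bf256a0c60402e05d6f20c6e3d",
    "60f153778e843fc04c6ab239ca650a89",
    "fd29cd63fb8c4b7fb0c7d3fa893212b9",
    "174fe4ee905afa52abdd086f4b1c126b7802fe65",
    "6641b02397b414fc3e412ab75650024c902c7478",
    "9041e8e41027222299c9b514a0317efa92391927",
    "d353a4842cd4771f152ac1c8794519581b4312ad",
    "1105bbb56fac2f6095e85b8ef309d1d90eed7f3d790141d95f0928261bd3a58e",
    "1756b5d536035347ffbe2dbf364906fd66b981e846413723012fb06c8f820d3f",
    "7cac63e7dd0c72224324fb6cbc3fb6c41915d60f7f11b38de99ee09a2a3811c5",
    "cac2f6b86d8b9a1cf6dcc6ea7fb76c4341cc7a86c125304461b52aa920fb202f",
}

# Default MQTT ports (1883 plaintext, 8883 over TLS). A workstation talking MQTT
# is unusual enough to review even when the destination is not a known IoC.
MQTT_PORTS = {1883, 8883}

# Assumed log layout: "<timestamp> <host> <proto> <dst>:<port>" (constructed for this example).
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<proto>\S+) (?P<dst>[^:\s]+):(?P<port>\d+)")

# Constructed sample log; only the IoC domains are taken from the page.
SAMPLE_LOG = """\
2025-11-20T10:01:02Z WS-0142 tcp broker.mqtt.cool:1883
2025-11-20T10:01:05Z WS-0142 tcp updates.example.com:443
2025-11-20T10:02:11Z WS-0077 tcp kttelecom.duckdns.org:443
2025-11-20T10:03:40Z WS-0099 tcp 10.0.5.20:8883
""".splitlines()

# Constructed set of installer hashes "observed" on endpoints: one from the pulse,
# one benign value (MD5 of the empty string).
SAMPLE_HASHES = ["0696DA5B242023308AD45C50666B2B96", "d41d8cd98f00b204e9800998ecf8427e"]


def classify_hash(h):
    """Return 'md5', 'sha1' or 'sha256' from the hex length, or None if not a hex digest."""
    if not re.fullmatch(r"[0-9a-fA-F]+", h):
        return None
    return {32: "md5", 40: "sha1", 64: "sha256"}.get(len(h))


def is_ioc_domain(host):
    """Exact match or subdomain of a listed domain; case-insensitive, trailing dot ignored."""
    host = host.lower().rstrip(".")
    return host in IOC_DOMAINS or any(host.endswith("." + d) for d in IOC_DOMAINS)


def scan_connections(lines):
    """Return one finding per log line that hits an IoC domain or an MQTT port."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than silently mis-attribute
        dst, port = m["dst"], int(m["port"])
        reasons = []
        if is_ioc_domain(dst):
            reasons.append("ioc-domain")
        if port in MQTT_PORTS:
            reasons.append("mqtt-port")
        if reasons:
            findings.append({"host": m["host"], "dst": dst, "port": port, "reasons": reasons})
    return findings


def match_hashes(observed):
    """Return the subset of observed digests (any case) that appear in the pulse IoC list."""
    return {h.lower() for h in observed if h.lower() in IOC_HASHES}


if __name__ == "__main__":
    for f in scan_connections(SAMPLE_LOG):
        print(f"{f['host']} -> {f['dst']}:{f['port']}  ({', '.join(f['reasons'])})")
    for h in match_hashes(SAMPLE_HASHES):
        print(f"IoC hash match ({classify_hash(h)}): {h}")
```

On the constructed sample this reports three connections (the MQTT broker domain on 1883, the duckdns domain on 443, and an internal host on 8883) and one hash match. The subdomain check matters because dynamic-DNS hostnames such as the duckdns.org entry are often seen with extra labels in proxy logs; the MQTT-port rule is a behavioural hint, not an IoC, so treat it as a triage signal rather than a block rule.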


Technical Details

Author
AlienVault
TLP
white
References
https://asec.ahnlab.com/en/91139
Adversary
Larva-24010
Pulse Id
691f29a24b6ccf92e10ec97a
Threat Score
null

Indicators of Compromise

Hash

MD5
0696da5b242023308ad45c50666b2b96
0dfea610a526b0d458e84c6cd604b2ab
21067f677b8ac8d843a56cd2c19356ff
2e9bf8bf256a0c60402e05d6f20c6e3d
60f153778e843fc04c6ab239ca650a89
fd29cd63fb8c4b7fb0c7d3fa893212b9

SHA-1
174fe4ee905afa52abdd086f4b1c126b7802fe65
6641b02397b414fc3e412ab75650024c902c7478
9041e8e41027222299c9b514a0317efa92391927
d353a4842cd4771f152ac1c8794519581b4312ad

SHA-256
1105bbb56fac2f6095e85b8ef309d1d90eed7f3d790141d95f0928261bd3a58e
1756b5d536035347ffbe2dbf364906fd66b981e846413723012fb06c8f820d3f
7cac63e7dd0c72224324fb6cbc3fb6c41915d60f7f11b38de99ee09a2a3811c5
cac2f6b86d8b9a1cf6dcc6ea7fb76c4341cc7a86c125304461b52aa920fb202f

Domain

broker.mqtt.cool
camo.hach.chat
kttelecom.duckdns.org
proxy.wingram.org

Threat ID: 691f9295b342c1dca420b6be

Added to database: 11/20/2025, 10:13:41 PM

Last enriched: 11/20/2025, 10:24:26 PM

Last updated: 11/21/2025, 1:51:18 PM

Views: 12
