Threats Tagged 'dprk'

This analysis documents a third Vultr Seoul VPS (158.247.210.58) associated with Kimsuky operations, featuring over 60 domains across an 18-month period of systematic credential harvesting infrastructure. The actor demonstrates deliberate rotation through seven DDNS providers to evade blocklisting while maintaining the same backend VPS since at least September 2020. The domains systematically impersonate Naver, Korean National Tax Service (HomeTax), and government portals using prefixes like nid-user, n-store, nts-auth, and htax-login. Currently, 31 domains actively resolve while web ports remain closed, indicating a parked and ready operational posture. The infrastructure sits in AS20473 alongside two previously documented Vultr Seoul boxes, demonstrating the actor's clear preference for this provider and geographic proximity to South Korean targets.

Investigation of DPRK-linked fake IT worker infrastructure began after cryptocurrency researcher ZachXBT identified domain luckyguys[.]site connected to illicit payments. Analysis of 30 days of network activity associated with IP 163.245.219[.]19 revealed concentrated VPN usage patterns, with Astrill VPN (37.5%), Mullvad (32.25%), and Proton VPN (6.25%) being prominent. American and Latvian residential IPs communicated with the infrastructure, showing frequent Astrill VPN usage and connectivity to Gmail, ChatGPT, and Workana freelance platform. A second IP, 216.158.225[.]144, was discovered through X509 certificate analysis. Traffic dropped sharply following public exposure, consistent with adversary behavior of abandoning attributed infrastructure. The activity suggests a distributed network of remote IT workers participating in sanctions evasion workflows, leveraging AI tools and freelance platforms to obtain employment under false identities.

MediumCampaignUnited StatesLatvia#dprk#astrill vpn#vpn infrastructure

On April 11, 2026, researchers analyzed a CHM file (api_reference.chm) tagged as Kimsuky that initiated a three-stage attack chain. The C2 server at check[.]nid-log[.]com had directory listing enabled, allowing recovery of complete source code for all payload stages: a 6,338-byte VBScript performing system reconnaissance and establishing persistence via scheduled task, a 449-byte VBScript bridge to PowerShell, and a 6,234-byte PowerShell keylogger with clipboard monitoring and timed exfiltration. The infrastructure included 79+ domains across 5 C2 IPs spanning Korean VPS providers. The server responded with "Million OK !!!!" signature, matching previously documented Kimsuky infrastructure while showing upgraded Apache/PHP stack. The operation targeted Korean Naver users through credential phishing and tax authority impersonation, with infrastructure linked to previously documented Kimsuky campaigns via shared DAOU Technology subnets.

On April 10, 2026, a malicious npm package named sleek-pretty@1.0.0 was published, targeting developers running automated trading bots on Polymarket, a prediction market platform with $477 million in open interest. The package executes four attack chains upon import: system fingerprinting, SSH backdoor installation on Linux hosts, filesystem exfiltration, and targeted theft of Polymarket CLOB API credentials and Ethereum/Polygon wallet private keys. The payload runs at require() time without install hooks and specifically hunts SDK source files like createClobClient.ts and clob.ts. An SSH public key is written to authorized_keys for persistent access. The attacker can drain USDC balances directly using stolen L1 private keys. Attribution points to DPRK's Famous Chollima (Lazarus Group) based on TTPs matching the TraderTraitor campaign and publisher email correlation with known DPRK infrastructure.

The Contagious Trader campaign is a sophisticated malware operation targeting cryptocurrency users, attributed to North Korea with high confidence. It involves malicious cryptocurrency trading bot projects on GitHub that exfiltrate sensitive data and private keys using various techniques, including malicious npm dependencies. The campaign demonstrates overlaps with known North Korean tactics, particularly those of FAMOUS CHOLLIMA, including the use of GitHub, npm, and Vercel infrastructure, Base64-encoded payload URLs, and anonymizing VPNs for npm package publishing. The operation represents a shift in tactics, expanding beyond the previous Contagious Interview campaign to target a broader range of cryptocurrency users.

MediumMalwareUnited StatesSouth KoreaJapan+7#pylangghost#invisibleferrett#bigsquatrat

A new malicious campaign involving seventeen npm packages has been identified, utilizing Pastebin and text steganography as a dead-drop resolver. The attackers employ a complex decoding mechanism to extract C2 URLs from seemingly benign text on Pastebin. The malware targets multiple platforms, including Windows, macOS, and Linux, downloading and executing platform-specific payloads. The infection chain involves multiple fallback domains hosted on Vercel, demonstrating a sophisticated approach to maintain persistence. This novel technique, along with other recent developments, indicates an accelerated pace of testing and development by the threat actor, suggesting continued iterations in their infection methodologies.

MediumCampaignUnited StatesSouth KoreaJapan+7#pastebin#steganography#stager

APT37, a DPRK-backed threat group, has launched a new campaign called Ruby Jumper, utilizing Windows shortcut files to initiate attacks with newly discovered tools. These tools include RESTLEAF, SNAKEDROPPER, THUMBSBD, and VIRUSTASK, which work together to deliver surveillance payloads like FOOTWINE and BLUELIGHT. The campaign leverages removable media to infect and communicate with air-gapped systems. Key features include the use of Ruby for shellcode-based payloads, abuse of cloud storage services for command and control, and sophisticated techniques for bypassing network isolation. The malware demonstrates advanced capabilities in system reconnaissance, data exfiltration, and persistent surveillance.

MediumCampaignUnited StatesSouth KoreaJapan+7#ruby#air-gapped networks#surveillance

The LABYRINTH CHOLLIMA threat group has split into three distinct adversaries: GOLDEN CHOLLIMA, PRESSURE CHOLLIMA, and core LABYRINTH CHOLLIMA. Each subgroup has specialized malware, objectives, and tradecraft. GOLDEN CHOLLIMA and PRESSURE CHOLLIMA focus on cryptocurrency entities, while core LABYRINTH CHOLLIMA continues espionage operations targeting industrial, logistics, and defense companies. Despite operating independently, these groups share tools and infrastructure, indicating coordinated resource allocation within North Korea's cyber ecosystem. The evolution stems from the KorDLL malware framework, which spawned several malware families. Recent operations demonstrate cloud-focused tradecraft and the use of zero-day vulnerabilities to deliver malware.

MediumMalwareGermanyFranceUnited Kingdom+6#fintech#manuscrypt#cloud

The XCTDH Crypto Heist Part 4 is a medium-severity cyber threat linked to North Korean actors targeting software supply chains and development tools. It involves compromising software dependencies and development environments to facilitate unauthorized access or manipulation, leveraging application layer protocols for communication or data exfiltration. Although no specific affected product versions or patches are identified, the threat highlights risks associated with supply chain attacks. European organizations relying on affected software development tools or dependencies could face risks of intellectual property theft, operational disruption, or unauthorized access. Mitigation requires enhanced supply chain security practices, including rigorous code and dependency auditing, network segmentation, and monitoring for anomalous application layer traffic. Countries with significant software development sectors and historical exposure to North Korean cyber activities, such as the UK, Germany, and France, are more likely to be impacted. Given the medium severity, the threat poses a moderate risk that demands proactive defense but does not indicate immediate critical exploitation. Defenders should prioritize supply chain security and monitor for related attack patterns to reduce exposure.

MediumUnknownGermanyFranceNetherlands+2#misp-galaxy:country="north korea"#misp-galaxy:mitre-attack-pattern="compromise software dependencies and development tools - t1195.001"#misp-galaxy:mitre-attack-pattern="compromise software supply chain - t1195.002"

A new campaign by Kimsuky involves distributing malicious mobile apps through QR codes and phishing websites. The apps, masquerading as delivery services, VPNs, and cryptocurrency tools, decrypt an embedded APK to deploy a RAT with extensive capabilities. The malware uses a native decryption function and diverse decoy behaviors. Infrastructure overlaps and Korean language comments link this activity to Kimsuky. The threat actor employs sophisticated phishing techniques and leverages QR codes to redirect victims to malicious downloads. The malware requests extensive permissions and implements keylogging, audio recording, and data exfiltration. Multiple C&C servers were identified, some hosting Naver and Kakao phishing sites.

MediumMalwareGermanyFranceUnited Kingdom+4#mobile malware#qr code#rat