{ "id": "20649884-ffe0-4fa6-aa3a-6e4e28d041c8", "created_at": "2026-04-06T00:11:51.753813Z", "updated_at": "2026-04-10T03:38:20.315093Z", "deleted_at": null, "sha1_hash": "26616b75591bd213ba4a0c5508755481f0a74bbc", "title": "North Korean hackers are skimming US and European shoppers", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 661539, "plain_text": "North Korean hackers are skimming US and European shoppers\r\nBy Sansec Forensics Team\r\nArchived: 2026-04-05 14:33:13 UTC\r\nPreviously, North Korean hacking activity was mostly restricted to banks and South Korean crypto\r\nmarkets^cryptohack, covert cyber operations that earned hackers $2 billion, according to a 2019 United Nations\r\nreport^twobillion. As Sansec's new research shows, they have now extended their portfolio with the profitable\r\ncrime of digital skimming.\r\nSansec researchers have attributed the activity to HIDDEN COBRA^hiddencobra because infrastructure from\r\nprevious operations was reused. Furthermore, distinctive patterns in the malware code were identified that linked\r\nmultiple hacks to the same actor.\r\nDigital skimming, also known as Magecart^magecart, is the interception of credit cards during online store\r\npurchases. This type of fraud has been growing since 2015 and was traditionally dominated by Russian-^russian\r\nand Indonesian-speaking^successgan hacker groups. This is no longer the case, as the incumbent criminals now\r\nface competition from their North Korean counterparts.\r\nIn order to intercept transactions, an attacker needs to modify the computer code that runs an online store.\r\nHIDDEN COBRA managed to gain access to the store code of large retailers such as international fashion chain\r\nClaire's^claires. How HIDDEN COBRA got access is yet unknown, but attackers often use spearphishing attacks\r\n(booby-trapped emails) to obtain the passwords of retail staff.\r\nUsing the unauthorized access, HIDDEN COBRA injects its malicious script into the store checkout page. The\r\nskimmer waits for keystrokes of unsuspecting customers. Once a customer completes the transaction, the\r\nintercepted data - such as credit card numbers - are sent to a HIDDEN COBRA-controlled collection server.\r\nItalian model agency as money mule\r\nCuriously, HIDDEN COBRA used the sites of an Italian modeling agency and a vintage music store from Tehran\r\nto run its global skimming campaign.\r\nhttps://sansec.io/research/north-korea-magecart\r\nPage 1 of 7\n\nTo monetize the skimming operations, HIDDEN COBRA developed a global exfiltration network. This network\r\nutilizes legitimate sites, that got hijacked and repurposed to serve as disguise for the criminal activity. The\r\nnetwork is also used to funnel the stolen assets so they can be sold on dark web markets. Sansec has identified a\r\nnumber of these exfiltration nodes, which include a modeling agency^lux from Milan, a vintage music\r\nstore^darvish from Tehran and a family run book store^signedbooks from New Jersey.\r\nTechnical analysis\r\nSansec monitors millions of online stores for skimming activity and typically finds 30 to 100 infected stores per\r\nday. Many cases have a common modus operandi, such as shared infrastructure or striking features in\r\nprogramming style. These traits can be obvious, such as the debug message \"Success bro\" that led to the arrest of\r\nthree Indonesians in December^successgan. However, sometimes they are more subtle, as is the case with\r\nHIDDEN COBRA.\r\nhttps://sansec.io/research/north-korea-magecart\r\nPage 2 of 7\n\nSansec research has identified multiple, independent links between recent skimming activity and previously\r\ndocumented North Korean hacking operations. The following diagram shows (a small subset of) victim stores in\r\ngreen and HIDDEN COBRA controlled exfiltration nodes in red. Yellow indicates a uniquely identifying modus\r\noperandi (or TTP), which will be discussed next.\r\nThe first campaign: clienToken=\r\n\u003cscript src=\"https://www.luxmodelagency.com/wp-includes/js/customize-gtag.min.js\"\u003e\u003c/script\u003e\r\nOn June 23rd, 2019, Sansec discovered a skimmer on a US truck parts store that uses a compromised Italian\r\nmodeling site^jit to harvest payment data. The injected script customize-gtag.min.js ^lux1 is scrambled with a\r\npopular Javascript obfuscator^obfuscator. Hidden in the code, the string WTJ4cFpXNTBWRzlyWlc0OQ== is found,\r\nwhich is the double-base64 encoded representation of clientToken= . This particular keyword is later used as\r\nHTTP GET parameter to send the stolen payload to the collector exfiltration node. The specific encoding and the\r\nattempt to disguise the stolen payload as \"clientToken\" form a uniquely identifying characteristic.\r\nhttps://sansec.io/research/north-korea-magecart\r\nPage 3 of 7\n\nThe malware was removed within 24 hours but a week later, the very same malware resurfaced on the same store.\r\nThis time, it used a New Jersey book store to harvest credit cards^jit2:\r\n\u003cscript src=\"https://www.signedbooksandcollectibles.com/js/gmaps.min.js\"\u003e\u003c/script\u003e\r\nDuring the following months, Sansec discovered the same malware on several dozen stores. Each time, it uses one\r\nof these hijacked sites as loader and card collector:\r\nstefanoturco.com (between 2019-07-19 and 2019-08-10)\r\ntechnokain.com (between 2019-07-06 and 2019-07-09)\r\ndarvishkhan.net (between 2019-05-30 and 2019-11-26)\r\nareac-agr.com (between 2019-05-30 and 2020-05-01)\r\nluxmodelagency.com (between 2019-06-23 and 2020-04-07)\r\nsignedbooksandcollectibles.com (between 2019-07-01 and 2020-05-24)\r\nThe second campaign: __preloader\r\nIn February and March 2020, several domain names were registrered that closely resemble popular consumer\r\nbrands:\r\n2020-02-10 PAPERS0URCE.COM\r\n2020-02-26 FOCUSCAMERE.COM\r\n2020-03-21 CLAIRES-ASSETS.COM\r\nSubsequently, Sansec found the web stores of the three corresponding brands compromised with payment\r\nskimming malware installed. The anonymously registered domains were used as loader and card\r\ncollector^focuscamera.\r\nThe three malware cases not only share infrastructure (domain registrar \u0026 DNS service), but they also share a\r\nparticularly odd code snippet, that Sansec has not observed anywhere else. The three relevant malware segments\r\nare displayed below for reference. Common behavior: upon form submission a hidden, dynamic image is added to\r\nthe page with the deceptive name __preloader . The image address is controlled by the attacker, and the\r\nintercepted and encoded payload is sent as argument to this image, along with several random numbers.\r\nImmediately, the dynamic image is removed from the page, so the theft is invisible to the customer. Sansec has\r\npreviously discussed this exfiltration method when it first reported on the Claire's hack on June 15th^claires.\r\nhttps://sansec.io/research/north-korea-magecart\r\nPage 4 of 7\n\n(code slightly modified for readability)\r\nThe common code, behavior, registrar and DNS server are unique traits that link these cases to the same source.\r\nThe North Korean link\r\nAs the diagram above shows, Sansec has established multiple, independent links to previously documented North\r\nKorean hacking activity. We will discuss each link separately.\r\ntechnokain.com\r\nSouth Korea based EST Security has published two articles^alyac2416 ^alyac2418 documenting a North Korea-attributed attack where a malicious loader is embedded in Korean office documents. The loader installs remote\r\naccess software for Windows on the victim's computer, which is downloaded from this address:\r\n2019-07-12 https://technokain.com/ads/adshow1.dat\r\nAdditionally, US-based security firm Rewterz reported a spearphishing attack targeting attendees of the annual\r\nConsumer Electronics Show in Las Vegas^rewterz. This attack uses malware from the same address.\r\nThese attacks took place on July 11 and 12th, less than a week after the placement of a skimmer on the same site:\r\n2019-07-06 https://technokain.com/vendor/jquery.validate.min.js\r\ndarvishkhan.net\r\nBoth Fortiguard Labs^forti and EST Security^alyac2397 document a DPRK-attributed spearphishing campaign\r\nthat took place between June 26th and July 2nd 2019. The campaign used malicious Korean office documents\r\ncontaining malware installers, where remote access software was downloaded from:\r\nhttps://sansec.io/research/north-korea-magecart\r\nPage 5 of 7\n\n2019-06-27 https://darvishkhan.net/wp-content/uploads/2017/06/update6.dat\r\nTwo weeks earlier, multiple digital skimmers were launched from the same site, harvesting credit cards from\r\nseveral US, UK and Australia-based stores:\r\n2019-06-12 https://darvishkhan.net/wp-includes/js/hotjar.min.js\r\n2019-06-14 https://darvishkhan.net/wp-includes/js/dist/gtm.min.js\r\nareac-agr.com\r\nOn October 25, Beijing-based Netlab360 discovered a novel remote access trojan (RAT) that showed multiple\r\nsimilarities with previously DPRK attributed malware^dacls. Components of the tool were loaded from\r\n2019-10-25 http://www.areac-agr.com/cms/wp-content/uploads/2015/12/check.vm\r\nBefore and after the presence of this malware, digital skimmers were hosted on the same site, that would intercept\r\npayments from multiple American stores:\r\n2019-08-16 https://www.areac-agr.com/cms/wp-includes/Requests/Security1.3.min.js\r\n2020-05-01 https://www.areac-agr.com/cms/wp-includes/Requests/Utility/json.min.js\r\npapers0urce.com\r\nThe three malware domains from the __preloader campaign use distinct IPs. One of them - papers0urce.com -\r\nuses an address from Dutch ISP Leaseweb, 23.81.246.179 . This IP is not known to have been used for other\r\ndomain names since 2015^papers0urcevt, however, it is featured in the same North Korea research as the\r\npreviously discussed areac-agr.com ^dacls. The IP is hardcoded in the RAT, and used as a command and control\r\n(C2) server.\r\nDiscussion\r\nDoes the usage of common loader sites, and the similarity in time frame, prove that the DPRK-attributed\r\noperations are run by the same actor as the skimming operations? Theoretically, it is possible that different\r\nnefarious actors had simultaneous control over the same set of hijacked sites, but in practice, this would be\r\nextremely unlikely. First, thousands of sites get hacked each day^sophos, making an overlap highly coincidental.\r\nSecondly, when a site gets hacked, it is common practice for a perpetrator to close the exploited vulnerability after\r\ngaining access, in order to shield the new asset from competitors.\r\nConclusion\r\nSansec has found proof of global skimming activity that has multiple, independent links to previously\r\ndocumented, North Korea attributed hacking operations. Sansec believes that North Korean state sponsored actors\r\nhttps://sansec.io/research/north-korea-magecart\r\nPage 6 of 7\n\nhave engaged in large scale digital skimming activity since at least May 2019.\r\nRead more\r\nMass PolyShell attack wave hits 471 stores in one hour\r\nNovel WebRTC skimmer bypasses security controls at $100+ billion car maker\r\nPolyShell: unrestricted file upload in Magento and Adobe Commerce\r\nDigital skimmer hits global supermarket chain\r\nBuilding a faster YARA engine in pure Go\r\nSource: https://sansec.io/research/north-korea-magecart\r\nhttps://sansec.io/research/north-korea-magecart\r\nPage 7 of 7", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA", "Malpedia" ], "references": [ "https://sansec.io/research/north-korea-magecart" ], "report_names": [ "north-korea-magecart" ], "threat_actors": [ { "id": "34eea331-d052-4096-ae03-a22f1d090bd4", "created_at": "2025-08-07T02:03:25.073494Z", "updated_at": "2026-04-10T02:00:03.709243Z", "deleted_at": null, "main_name": "NICKEL ACADEMY", "aliases": [ "ATK3 ", "Black Artemis ", "COVELLITE ", "CTG-2460 ", "Citrine Sleet ", "Diamond Sleet ", "Guardians of Peace", "HIDDEN COBRA ", "High Anonymous", "Labyrinth Chollima ", "Lazarus Group ", "NNPT Group", "New Romanic Cyber Army Team", "Temp.Hermit ", "UNC577 ", "Who Am I?", "Whois Team", "ZINC " ], "source_name": "Secureworks:NICKEL ACADEMY", "tools": [ "Destover", "KorHigh", "Volgmer" ], "source_id": "Secureworks", "reports": null }, { "id": "5a0483f5-09b3-4673-bb5a-56d41eaf91ed", "created_at": "2023-01-06T13:46:38.814104Z", "updated_at": "2026-04-10T02:00:03.110104Z", "deleted_at": null, "main_name": "MageCart", "aliases": [], "source_name": "MISPGALAXY:MageCart", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "732597b1-40a8-474c-88cc-eb8a421c29f1", "created_at": "2025-08-07T02:03:25.087732Z", "updated_at": "2026-04-10T02:00:03.776007Z", "deleted_at": null, "main_name": "NICKEL GLADSTONE", "aliases": [ "APT38 ", "ATK 117 ", "Alluring Pisces ", "Black Alicanto ", "Bluenoroff ", "CTG-6459 ", "Citrine Sleet ", "HIDDEN COBRA ", "Lazarus Group", "Sapphire Sleet ", "Selective Pisces ", "Stardust Chollima ", "T-APT-15 ", "TA444 ", "TAG-71 " ], "source_name": "Secureworks:NICKEL GLADSTONE", "tools": [ "AlphaNC", "Bankshot", "CCGC_Proxy", "Ratankba", "RustBucket", "SUGARLOADER", "SwiftLoader", "Wcry" ], "source_id": "Secureworks", "reports": null }, { "id": "a2b92056-9378-4749-926b-7e10c4500dac", "created_at": "2023-01-06T13:46:38.430595Z", "updated_at": "2026-04-10T02:00:02.971571Z", "deleted_at": null, "main_name": "Lazarus Group", "aliases": [ "Operation DarkSeoul", "Bureau 121", "Group 77", "APT38", "NICKEL GLADSTONE", "G0082", "COPERNICIUM", "Moonstone Sleet", "Operation GhostSecret", "APT 38", "Appleworm", "Unit 121", "ATK3", "G0032", "ATK117", "NewRomanic Cyber Army Team", "Nickel Academy", "Sapphire Sleet", "Lazarus group", "Hastati Group", "Subgroup: Bluenoroff", "Operation Troy", "Black Artemis", "Dark Seoul", "Andariel", "Labyrinth Chollima", "Operation AppleJeus", "COVELLITE", "Citrine Sleet", "DEV-0139", "DEV-1222", "Hidden Cobra", "Bluenoroff", "Stardust Chollima", "Whois Hacking Team", "Diamond Sleet", "TA404", "BeagleBoyz", "APT-C-26" ], "source_name": "MISPGALAXY:Lazarus Group", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "32a223a8-3c79-4146-87c5-8557d38662ae", "created_at": "2022-10-25T15:50:23.703698Z", "updated_at": "2026-04-10T02:00:05.261989Z", "deleted_at": null, "main_name": "Lazarus Group", "aliases": [ "Lazarus Group", "Labyrinth Chollima", "HIDDEN COBRA", "Guardians of Peace", "NICKEL ACADEMY", "Diamond Sleet" ], "source_name": "MITRE:Lazarus Group", "tools": [ "RawDisk", "Proxysvc", "BADCALL", "FALLCHILL", "WannaCry", "MagicRAT", "HOPLIGHT", "TYPEFRAME", "Dtrack", "HotCroissant", "HARDRAIN", "Dacls", "KEYMARBLE", "TAINTEDSCRIBE", "AuditCred", "netsh", "ECCENTRICBANDWAGON", "AppleJeus", "BLINDINGCAN", "ThreatNeedle", "Volgmer", "Cryptoistic", "RATANKBA", "Bankshot" ], "source_id": "MITRE", "reports": null }, { "id": "f32df445-9fb4-4234-99e0-3561f6498e4e", "created_at": "2022-10-25T16:07:23.756373Z", "updated_at": "2026-04-10T02:00:04.739611Z", "deleted_at": null, "main_name": "Lazarus Group", "aliases": [ "APT-C-26", "ATK 3", "Appleworm", "Citrine Sleet", "DEV-0139", "Diamond Sleet", "G0032", "Gleaming Pisces", "Gods Apostles", "Gods Disciples", "Group 77", "Guardians of Peace", "Hastati Group", "Hidden Cobra", "ITG03", "Jade Sleet", "Labyrinth Chollima", "Lazarus Group", "NewRomanic Cyber Army Team", "Operation 99", "Operation AppleJeus", "Operation AppleJeus sequel", "Operation Blockbuster: Breach of Sony Pictures Entertainment", "Operation CryptoCore", "Operation Dream Job", "Operation Dream Magic", "Operation Flame", "Operation GhostSecret", "Operation In(ter)caption", "Operation LolZarus", "Operation Marstech Mayhem", "Operation No Pineapple!", "Operation North Star", "Operation Phantom Circuit", "Operation Sharpshooter", "Operation SyncHole", "Operation Ten Days of Rain / DarkSeoul", "Operation Troy", "SectorA01", "Slow Pisces", "TA404", "TraderTraitor", "UNC2970", "UNC4034", "UNC4736", "UNC4899", "UNC577", "Whois Hacking Team" ], "source_name": "ETDA:Lazarus Group", "tools": [ "3CX Backdoor", "3Rat Client", "3proxy", "AIRDRY", "ARTFULPIE", "ATMDtrack", "AlphaNC", "Alreay", "Andaratm", "AngryRebel", "AppleJeus", "Aryan", "AuditCred", "BADCALL", "BISTROMATH", "BLINDINGCAN", "BTC Changer", "BUFFETLINE", "BanSwift", "Bankshot", "Bitrep", "Bitsran", "BlindToad", "Bookcode", "BootWreck", "BottomLoader", "Brambul", "BravoNC", "Breut", "COLDCAT", "COPPERHEDGE", "CROWDEDFLOUNDER", "Castov", "CheeseTray", "CleanToad", "ClientTraficForwarder", "CollectionRAT", "Concealment Troy", "Contopee", "CookieTime", "Cyruslish", "DAVESHELL", "DBLL Dropper", "DLRAT", "DRATzarus", "DRATzarus RAT", "Dacls", "Dacls RAT", "DarkComet", "DarkKomet", "DeltaCharlie", "DeltaNC", "Dembr", "Destover", "DoublePulsar", "Dozer", "Dtrack", "Duuzer", "DyePack", "ECCENTRICBANDWAGON", "ELECTRICFISH", "Escad", "EternalBlue", "FALLCHILL", "FYNLOS", "FallChill RAT", "Farfli", "Fimlis", "FoggyBrass", "FudModule", "Fynloski", "Gh0st RAT", "Ghost RAT", "Gopuram", "HARDRAIN", "HIDDEN COBRA RAT/Worm", "HLOADER", "HOOKSHOT", "HOPLIGHT", "HOTCROISSANT", "HOTWAX", "HTTP Troy", "Hawup", "Hawup RAT", "Hermes", "HotCroissant", "HotelAlfa", "Hotwax", "HtDnDownLoader", "Http Dr0pper", "ICONICSTEALER", "Joanap", "Jokra", "KANDYKORN", "KEYMARBLE", "Kaos", "KillDisk", "KillMBR", "Koredos", "Krademok", "LIGHTSHIFT", "LIGHTSHOW", "LOLBAS", "LOLBins", "Lazarus", "LightlessCan", "Living off the Land", "MATA", "MBRkiller", "MagicRAT", "Manuscrypt", "Mimail", "Mimikatz", "Moudour", "Mydoom", "Mydoor", "Mytob", "NACHOCHEESE", "NachoCheese", "NestEgg", "NickelLoader", "NineRAT", "Novarg", "NukeSped", "OpBlockBuster", "PCRat", "PEBBLEDASH", "PLANKWALK", "POOLRAT", "PSLogger", "PhanDoor", "Plink", "PondRAT", "PowerBrace", "PowerRatankba", "PowerShell RAT", "PowerSpritz", "PowerTask", "Preft", "ProcDump", "Proxysvc", "PuTTY Link", "QUICKRIDE", "QUICKRIDE.POWER", "Quickcafe", "QuiteRAT", "R-C1", "ROptimizer", "Ratabanka", "RatabankaPOS", "Ratankba", "RatankbaPOS", "RawDisk", "RedShawl", "Rifdoor", "Rising Sun", "Romeo-CoreOne", "RomeoAlfa", "RomeoBravo", "RomeoCharlie", "RomeoCore", "RomeoDelta", "RomeoEcho", "RomeoFoxtrot", "RomeoGolf", "RomeoHotel", "RomeoMike", "RomeoNovember", "RomeoWhiskey", "Romeos", "RustBucket", "SHADYCAT", "SHARPKNOT", "SIGFLIP", "SIMPLESEA", "SLICKSHOES", "SORRYBRUTE", "SUDDENICON", "SUGARLOADER", "SheepRAT", "SierraAlfa", "SierraBravo", "SierraCharlie", "SierraJuliett-MikeOne", "SierraJuliett-MikeTwo", "SimpleTea", "SimplexTea", "SmallTiger", "Stunnel", "TAINTEDSCRIBE", "TAXHAUL", "TFlower", "TOUCHKEY", "TOUCHMOVE", "TOUCHSHIFT", "TOUCHSHOT", "TWOPENCE", "TYPEFRAME", "Tdrop", "Tdrop2", "ThreatNeedle", "Tiger RAT", "TigerRAT", "Trojan Manuscript", "Troy", "TroyRAT", "VEILEDSIGNAL", "VHD", "VHD Ransomware", "VIVACIOUSGIFT", "VSingle", "ValeforBeta", "Volgmer", "Vyveva", "W1_RAT", "Wana Decrypt0r", "WanaCry", "WanaCrypt", "WanaCrypt0r", "WannaCry", "WannaCrypt", "WannaCryptor", "WbBot", "Wcry", "Win32/KillDisk.NBB", "Win32/KillDisk.NBC", "Win32/KillDisk.NBD", "Win32/KillDisk.NBH", "Win32/KillDisk.NBI", "WinorDLL64", "Winsec", "WolfRAT", "Wormhole", "YamaBot", "Yort", "ZetaNile", "concealment_troy", "http_troy", "httpdr0pper", "httpdropper", "klovbot", "sRDI" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434311, "ts_updated_at": 1775792300, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/26616b75591bd213ba4a0c5508755481f0a74bbc.pdf", "text": "https://archive.orkl.eu/26616b75591bd213ba4a0c5508755481f0a74bbc.txt", "img": "https://archive.orkl.eu/26616b75591bd213ba4a0c5508755481f0a74bbc.jpg" } }