{
	"id": "6d55e1e7-a645-4433-9e07-fa0613ac7f90",
	"created_at": "2026-04-06T00:15:01.281907Z",
	"updated_at": "2026-04-10T03:38:19.047889Z",
	"deleted_at": null,
	"sha1_hash": "34399febaf90cde2f9df7aca450dda1c7f81d75c",
	"title": "Acronis TRU Alliance {Hunt.io}: Hunting DPRK threats - New Global Lazarus \u0026 Kimsuky campaigns",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 83242,
	"plain_text": "Acronis TRU Alliance {Hunt.io}: Hunting DPRK threats - New Global Lazarus \u0026 Kimsuky campaigns\r\nArchived: 2026-04-05 16:42:47 UTC\r\nIntroduction\r\nThe Acronis TRU Alliance Series highlights collaborative research analysis between the Acronis Threat Research Unit (TRU) and other leading threat intelligence teams. By combining the expertise of multiple research groups, the series dives deep into emerging attack campaigns and adversary techniques. Through these collaborations, we aim to share actionable insights, strengthen collective defense and advance understanding of evolving threat actors.\r\nThis report is the result of a joint investigation by Hunt.io and TRU, in which both teams worked to map ongoing DPRK infrastructure activity, including Lazarus and Kimsuky.\r\nThroughout the analysis, we surfaced clusters of operational assets that had not been connected publicly before, revealing active tool-staging servers, credential theft environments, FRP tunneling nodes, and certificate-linked ecosystems controlled by DPRK operators.\r\nThese findings help outline how different parts of the DPRK ecosystem continue to intersect across campaigns and provide defenders with clearer visibility into the infrastructure habits these actors rely on.\r\nResearch overview\r\nNorth Korean state-sponsored attackers run one of the most active operations globally, using hacking for intelligence, revenue, and access. Groups like Lazarus, Kimsuky, and other subgroups make up the DPRK threat ecosystem, each running its own playbook ranging from espionage and financial operations to destructive activities.
Despite differences in each group’s playbook and motivation, they often share toolkits such as credential harvesting tools and malware, similar infrastructure patterns, and malware delivery lures.\r\nAcross their multiple campaigns over the years, DPRK threat actors follow consistent operational patterns that make their activity detectable despite evolving malware and lures. One of the most reliable ways to track these actors is through the infrastructure they leave behind. Even when malware families change, the groups often reuse the same infrastructure from their previous campaign. This pattern makes it possible to pivot across indicators and uncover related infrastructure, tooling, and activity that tie their operations together.\r\nIn this research, we used Hunt.io Threat Actor intelligence to pivot across several DPRK-linked cases to uncover a broader network of DPRK activities. The hunting process focuses on pivoting through IPs, open directories, certificates, and hashes, revealing operator habits across different campaigns. This approach reveals how separate incidents are connected and highlights the consistent operational behaviors of DPRK threat actors.\r\nFig. 01: Overview of DPRK operational IOCs on the Hunt.io dashboard\r\nhttps://www.acronis.com/en/tru/posts/acronis-tru-alliance-huntio-hunting-dprk-threats-new-global-lazarus-and-kimsuky-campaigns/\r\nPage 1 of 13\r\nOperational patterns overview\r\nAcross the four hunts, we encountered the same DPRK habits: open directories used as quick staging nodes, repeated deployment of credential theft kits, FRP tunnels running on identical ports across multiple VPS hosts, and certificate reuse that links separate clusters back to the same operators.
These patterns stay stable even when the malware or lures change.\r\nFrom a MITRE ATT\u0026CK perspective, the exposed toolkits fall under Credential Access and Resource Development, the FRP activity aligns with Command and Control, and the certificate pivots reflect the infrastructure choices DPRK groups use for Defense Evasion and long-term access. Once you look at their operations through infrastructure instead of payloads, their workflow becomes much clearer.\r\nThese recurring signals are why these clusters can be tracked. Shared hashes, identical directory layouts, certificate patterns, and repeated hosting choices often reveal new infrastructure before it is used in a campaign. The hunts below walk through how these patterns surfaced in practice.\r\nThese patterns guided the first hunt into recent Kimsuky and Lazarus activity.\r\nHunt #1 — Infrastructure pivoting on DPRK clusters: Linking Kimsuky and Lazarus activity\r\nWe started hunting DPRK APTs using IOC Hunter, applying the Lazarus Group filter. Then, we picked up a blog, “DPRK’s Playbook: Kimsuky’s HttpTroy and Lazarus’s New BLINDINGCAN Variant”, that highlights a recent investigation linked to the Lazarus Group.\r\nFig. 02: IOC Hunter showing the source article data for ‘DPRK’s Playbook: Kimsuky’s HttpTroy and Lazarus’s New BLINDINGCAN Variant’\r\nGen Digital’s Threat Labs dissected two recent cyber-espionage campaigns conducted by Kimsuky and the Lazarus Group. The first campaign, attributed to Kimsuky, leveraged a VPN-invoice themed ZIP lure to drop a loader (“MemLoad”) and a new backdoor dubbed “HttpTroy”.\r\nThe second, attributed to the Lazarus Group, captured a multistage intrusion chain culminating in an enhanced version of their BLINDINGCAN remote access tool, signifying the group’s continued evolution in obfuscation and stealth.\r\nUsing Hunt.io, we tracked one of the IP addresses, “23.27.140[.]49”, which has an open directory on port 8080.
This server was captured by AttackCapture on 2025-11-03, before other researchers began reporting related indicators. The open directory shows a single ELF file:\r\nFile name: nvd\r\nSHA256: a3876a2492f3c069c0c2b2f155b4c420d8722aa7781040b17ca27fdd4f2ce6a9\r\nSize: 96 KB\r\nFig. 03: AttackCapture showing IP 23.27.140[.]49 open directory data on port 8080\r\nUpon analysis, the ELF exhibits behavior similar to the BADCALL backdoor previously seen in the 3CX supply chain attack by Lazarus. Its command-and-control server, “23.27.177[.]183”, is linked to APT Lazarus in Hunt.io IP Details.\r\nFig. 04: Hunt.io IP intelligence data for 23.27.177[.]183\r\nAnalysis of new Linux variant of Badcall backdoor\r\nThe Badcall backdoor has been one of the recognizable malware families associated with Lazarus-linked operations. It played a visible part in several of their campaigns over the years, including the 2023 3CX supply-chain attack, where the first Linux version of Badcall was deployed as part of the post-exploitation chain.\r\nThe new Linux variant of Badcall was found being hosted on 23.27.140[.]49. We analyzed the sample and found a small but important update in this variant.\r\nFig. 05: New Linux Variant of Badcall Backdoor, Main Function\r\nLike the previous variant of Badcall, the first part of the program checks for a command-line argument, simulates a “kill” command with the Fake_Cmd() function, passing the integer specified by the argument as the process ID, and proceeds to daemonize itself and start its main operation.\r\nThe main difference in this variant is the addition of a log file in the /tmp/ directory named “sslvpn.log”. This gives the operators a way to track Badcall’s operations using the log file.\r\nFig. 06: Badcall logMessage() Function\r\nThe logMessage() function writes a timestamped entry into the log file: it takes the current local time and writes the entry in [YYYY-MM-DD HH:MM:SS] \u003cmessage\u003e format.\r\nFig. 07: Xref list of logMessage() function\r\nThe figure above shows a screenshot of all cross-references from other functions to the logMessage() function. This highlights that Badcall now logs its activity across different malware routines.\r\nFig. 08: Sample logMessage() calls and log entries\r\nAs seen in the screenshot above, the log entries are short numeric codes that change depending on the operation being performed by the malware. This helps the attacker confirm that the malware is running properly and allows them to monitor its behavior throughout the intrusion.\r\nFrom an operational standpoint, the development of this new Linux variant indicates Lazarus is continuously improving Badcall to better support upcoming operations. Even a small functional update like this can indicate an effort to improve operational efficiency and update their malware arsenal.\r\nHunt #2 — Lazarus “DeceptiveDevelopment / ClickFix” cluster: Credential-theft toolkits exposed across open directories\r\nRecent analysis of the DeceptiveDevelopment campaign revealed a sophisticated Lazarus Group attack disguised as an NVIDIA-themed hiring assessment update. Using the hashes provided in the report as a starting point, we extracted two SHA-256 IoCs of credential-recovery utilities, “MailPassView” and “WebBrowserPassView”, both used by the Lazarus group for credential harvesting.\r\nPivoting over these hashes in Hunt.io AttackCapture exposed open directories hosting these tools.\r\nFig. 09: IOC Hunter showing Lazarus group threat actor data\r\nThe first pivot, over the MailPassView hash (bc7bd27e94e24a301edb3d3e7fad982225ac59430fc476bda4e1459faa1c1647) in Hunt.io, revealed two open directories:\r\nFig. 10: AttackCapture search results for the SHA256 bc7bd27e94e24a301edb3d3e7fad982225ac59430fc476bda4e1459faa1c1647\r\nAnalysis for 207.254.22[.]248:8800\r\nThis directory exposed a large credential-theft toolkit, containing 21 files organized into 2 subdirectories, totaling 112 MB. The toolset includes password recovery utilities and extraction tools (MailPassView, PasswordFox, ChromePass.exe, WebBrowserPassView, NetPass, MSPass.exe, Dialupass, PstPassword, IEPV), large data exfiltration and profile-parsing utilities (hack-browser-data), and a data transfer tool (rclone binaries).\r\nFig. 11: AttackCapture data for 207.254.22[.]248:8800\r\nAnalysis for host 207.254.22[.]248 shows the IP address operating under AS30377 (MacStadium, Inc.) in Dublin, Ireland. Hunt.io’s intelligence reports it as a Mythic C2 server on port 7443 in August 2025, and the IP has a recorded historical malicious open directory in July 2025, corresponding to the same directory referenced earlier, indicating the infrastructure has been repeatedly used in malicious activities.\r\nFig. 12: Hunt.io’s intelligence reporting IP 207.254.22[.]248 running a Mythic C2 server on port 7443\r\nAnalysis for 149.28.139[.]62:8080\r\nThis open directory node exposed a much larger toolkit, consisting of 201 total files, 42 subdirectories, and over 270 MB of content. The files include Quasar RAT infrastructure (Quasar.exe, Quasar.Common.dll, quasar.p12, profiles, clients, config files), credential harvesting tools (mailpv.exe, cli.exe, client.bin, multiple DLLs) and file-transfer and persistence utilities (pscp.exe, protobuf-net.dll, etc.).\r\nFig. 13: Directory view of 149.28.139[.]62:8080 exposing Quasar RAT tooling\r\nAnalysis for host 149.28.139[.]62 shows the IP address is hosted under AS20473 (The Constant Company, LLC / Vultr) in Singapore. Our platform identifies a distinctive Quasar RAT on port 1888 documented between September and October 2023.\r\nFig. 14: Hunt.io intelligence showing Quasar RAT activity on 149.28.139[.]62\r\nBoth investigated infrastructure nodes demonstrate clear indicators of malicious behavior. The first host (207.254.22[.]248) shows active 2025 usage, Mythic exposure, and a broad credential-exfiltration suite matching contemporary Lazarus TTPs. The second host (149.28.139[.]62) represents older but relevant infrastructure, containing extensive Quasar RAT tooling and supporting binaries consistent with Lazarus' earlier-stage operations.\r\nAcross both servers, the repeated presence of MailPassView, browser credential extractors, and exfiltration utilities demonstrates a persistent DPRK pattern of using open directories as tool staging nodes, enabling rapid deployment during intrusions while maintaining minimal operational friction.\r\nThe pivot over the second hash (36541fad68e79cdedb965b1afcdc45385646611aa72903ddbe9d4d064d7bffb9) reveals two exposed open directories on Hunt.io. The first directory, “207.254.22[.]248:8800”, is already known from prior tracking and contains a large Quasar RAT operator environment, consistent with previously observed DPRK tradecraft.\r\nFig. 15: AttackCapture directory listing for 154.216.177[.]215\r\nAnalysis for 154.216.177[.]215\r\nThe host “154.216.177[.]215”, operating under AS135377 (LARUS Limited) in Hong Kong, exposes an exceptionally large and sensitive open directory containing 10,731 files, 1,222 subdirectories, and nearly 2 GB of operational data.
The files include offensive security tooling (sqlmap, masscan, nmap, hping, tcpdump, ngrok, gost, microsocks, frpc/frps, impacket) and Nuclei (7,820 templates), alongside browser password-stealers, privilege-escalation binaries, packet capture tools, RDP configs, and multiple Python environments.\r\nThe presence of development artifacts, Burp Suite keygen links, Privoxy configs, Mimikatz folder stubs, and raw camera-roll/screenshot directories suggests the machine may be a compromised Windows workstation repurposed as an operator machine or an attacker’s tooling environment.\r\nThe IoC-linked WebBrowserPassView.exe (421 KB) found here aligns directly with the Lazarus DeceptiveDevelopment cluster, and the breadth of tools combined with personal artifacts, logs, and credential-extraction utilities illustrates an active threat actor operations hub, likely used for reconnaissance, credential theft, LPE testing, and offensive development workflows.\r\nFig. 16: AttackCapture open directory view for 154.216.177[.]215\r\nOnce the pivots move from payloads to infrastructure, the separation between DPRK subgroups becomes less distinct and shared operational habits start to surface.\r\nHunt #3 — Lazarus FRP infrastructure hunt — 3CX supply chain linkage\r\nFrom IOC Hunter, we picked up another article titled “Three Lazarus RATs coming for your cheese”, which highlights the use of Fast Reverse Proxy (FRP) within DPRK-linked APT campaigns.\r\nThis directly aligns with earlier findings from 2023, when Google Cloud’s threat intelligence team analyzed the 3CX software supply-chain compromise and discovered that the Lazarus Group had incorporated FRP components into their multistage intrusion chain.\r\nAcross DPRK-linked intrusions, FRP usually sits between the compromised host and the operator, giving Lazarus a dependable way to maintain access even when outbound traffic is filtered or restricted.\r\nIn that incident, the attack began with a trojanized 3CX desktop client and progressed through several stages of compromise, marking one of the earliest publicly observed uses of FRP by Lazarus. Together, these insights reinforce the group’s continued reliance on FRP tooling across different campaigns and timelines.\r\nFig. 17: IOC Hunter entry for the FRP-related Lazarus campaign\r\nPivoting on the FRP hash 24d5dd3006c63d0f46fb33cbc1f576325d4e7e03e3201ff4a3c1ffa604f1b74a, our platform surfaced eight hosting instances (182.136.123[.]102, 119.6.56[.]194, 182.136.120[.]52, 118.123.54[.]71, 61.139.89[.]11, 125.67.171[.]158, 125.65.88[.]195, and 119.6.121[.]143) over the same port “9999”.\r\nFig. 18: AttackCapture results for FRP hash 24d5dd3006c63d0f46fb33cbc1f576325d4e7e03e3201ff4a3c1ffa604f1b74a\r\nThe uniformity across these nodes is notable. All eight servers returned the same FRP binary, with identical file size and configuration patterns. This consistency suggests that the operators are provisioning these nodes in a scripted or automated way, rather than configuring each server manually. Each node served a 10 MB FRP binary, indicating widespread deployment of identical tunneling infrastructure likely used to proxy internal footholds back to operator-controlled servers.\r\nThis pattern strongly aligns with the Lazarus Group’s operational practice of deploying uniform FRP instances across rotating Chinese and APAC-region VPS hosts to support covert C2 communications in extended campaigns. FRP gives the operators a stable way to maintain access even when more traditional C2 channels are blocked or sinkholed.\r\nThe concentration of these nodes on regional VPS providers, mostly within the same geographic footprint, matches earlier Lazarus clusters that relied on inexpensive and short-lived infrastructure.
Running multiple identical FRP nodes in parallel also hints at simultaneous operations or at a rotating pool of redirectors used to support different intrusion paths.\r\nHunt #4 — Pivoting into APT Lazarus certificate\r\nThe hunt began by selecting the domain secondshop[.]store from Hunt.io’s IOC Hunter using the Lazarus Group filter.\r\nFig. 19: IOC Hunter showing secondshop[.]store linked to Lazarus Group\r\nThe domain resolved to the IP address “23.254.128[.]114”, which is part of AS54290 (Hostwinds LLC.). According to our data, the IP carried a High-Risk reputation with explicit labeling as Lazarus Group and exhibited historical TLS/HTTP activity on port 443, consistent with typical Lazarus infrastructure patterns.\r\nFig. 20: Hunt.io IP intelligence for 23.254.128[.]114\r\nTo widen the view beyond a single domain, we pivoted from the certificate associated with the IP using the field subject.common_name == \"hwc-hwp-7779700\" in a HuntSQL query. The result shows 12 IP addresses, all exposed with port 3389 since January 2025.\r\nSELECT\r\n  ip,\r\n  port\r\nFROM\r\n  certificates\r\nWHERE\r\n  subject.common_name == \"hwc-hwp-7779700\"\r\n  AND timestamp gt '2025-01-01'\r\nGROUP BY\r\n  ip,\r\n  port\r\nExample output:\r\nFig. 21: HuntSQL results showing 12 IPs tied to certificate subject “hwc-hwp-7779700”\r\nThe consistent exposure of RDP across these hosts suggests they are not passive servers but systems intended for operator access or staging. This behavior aligns with earlier Lazarus infrastructure, where exposed RDP has repeatedly been used for operator logins and hands-on management of distributed C2 nodes.\r\nTo validate whether these IPs were linked to actual malicious operations, we queried our Hunt.io malware database for all 12 IP addresses.
The results show that ten of the queried IPs were directly associated with “Lazarus Group” malware on port 443, confirming active operational infrastructure.\r\nSELECT\r\n  ip,\r\n  port,\r\n  malware.name\r\nFROM\r\n  malware\r\nWHERE\r\n  (\r\n    ip = '104.168.198.145'\r\n    OR ip = '23.254.164.50'\r\n    OR ip = '192.236.146.20'\r\n    OR ip = '142.11.209.109'\r\n    OR ip = '192.119.116.231'\r\n    OR ip = '192.236.233.162'\r\n    OR ip = '192.236.176.164'\r\n    OR ip = '192.236.236.100'\r\n    OR ip = '192.236.146.22'\r\n    OR ip = '23.254.128.114'\r\n    OR ip = '192.236.233.165'\r\n    OR ip = '104.168.151.116'\r\n  )\r\n  AND timestamp gt '2025-01-01'\r\nGROUP BY\r\n  ip,\r\n  port,\r\n  malware.name\r\nOutput example:\r\nFig. 22: Malware dataset results correlating 10 of 12 certificate-linked IPs to Lazarus samples\r\nThe remaining two IP addresses, 104.168.151[.]116 and 192.119.116[.]231, were manually enriched using Hunt.io’s asset intelligence. Both belonged to Hostwinds’ Seattle infrastructure, with multiple pivots linking them to Bluenoroff (APT38) tracking campaigns.\r\nThe overlap with Bluenoroff at this stage is meaningful. Even though Lazarus and Bluenoroff operate with different mission profiles, shared infrastructure elements like certificates or hosting providers often reveal where their operational workflows intersect. These small overlaps act as early markers of broader DPRK ecosystems that remain active behind individual campaigns.\r\nFig. 23: Hostwinds infrastructure node with pivots into Bluenoroff-linked activity\r\nFig. 24: Asset intelligence enrichment for 104.168.151[.]116\r\nThe analysis confirms that secondshop[.]store acts as an entry point into a much broader and still-active Lazarus ecosystem, revealing both mature C2 nodes and auxiliary proxy infrastructure.\r\nThese observations point to a few concrete signals defenders can use to stay ahead of this activity.\r\nDefender and hunting guidance\r\nThe infrastructure uncovered across the four hunts highlights several reliable signals defenders can use to track DPRK activity, even when payloads or lures shift.\r\nOpen directory exposure\r\nMultiple staging servers hosted credential theft tools, Quasar environments, Linux backdoors, rclone binaries, and offensive toolkits. These directories tend to recur across different nodes with almost identical layouts. Monitoring for exposed directories that contain these repeating toolsets can reveal new infrastructure tied to the same operators.\r\nRepeated FRP deployments\r\nThe same FRP binary appeared across eight VPS hosts, all serving the same 10 MB file on the same port. This creates a predictable footprint that can be monitored across providers where DPRK operators tend to host infrastructure.\r\nCertificate reuse\r\nThe Lazarus-linked certificate that surfaced twelve IP addresses showed how certificate pivots can expose entire infrastructure clusters. Tracking newly exposed hosts that reuse the same certificate profile or appear on the same RDP or TLS ports can uncover new operational nodes before they are used in active campaigns.\r\nHistorical telemetry on shared VPS providers\r\nThroughout the hunts, the same hosting providers reappeared in different campaigns.
Watching for recurring combinations of provider, certificate profile, port exposure, and FRP artifacts can help surface new infrastructure even before malware begins communicating with it.\r\nThese signals help defenders move from reactive identification of DPRK activity to a more proactive view of how the operators prepare and maintain their infrastructure.\r\nConclusion\r\nAcross all four hunts, the same operational habits kept surfacing. The FRP nodes deployed in identical configurations, the recurring credential-theft toolkits exposed in open directories, and the reuse of certificates and VPS providers all point back to a tightly patterned workflow inside the broader DPRK ecosystem. These stable behaviors make their infrastructure easier to track than the shifting payloads or lures used in individual campaigns.\r\nFor defenders, the signals that consistently appeared in this investigation remain the most reliable: repeated FRP binaries on port 9999, credential harvesting kits staged on exposed HTTP directories, certificate subjects reused across clusters of RDP-enabled hosts, and infrastructure repeatedly provisioned through the same regional providers.
Watching for these patterns gives teams an advance look into DPRK activity as it forms, not only after an intrusion is underway.\r\nIndicators of Compromise (IOCs)\r\nThe following list gathers all indicators surfaced during the hunts, including hashes, infrastructure nodes, and associated DPRK-linked assets.\r\na3876a2492f3c069c0c2b2f155b4c420d8722aa7781040b17ca27fdd4f2ce6a9\r\nNew Linux Variant of Badcall Backdoor\r\ncc307cfb401d1ae616445e78b610ab72e1c7fb49b298ea003dd26ea80372089a\r\nOld Linux Variant of Badcall Backdoor\r\na5350b1735190a9a275208193836432ed99c54c12c75ba6d7d4cb9838d2e2106\r\nPoolrat\r\nff32bc1c756d560d8a9815db458f438d63b1dcb7e9930ef5b8639a55fa7762c9\r\nPoolrat\r\n85045d9898d28c9cdc4ed0ca5d76eceb457d741c5ca84bb753dde1bea980b516\r\nPoolrat\r\nbc7bd27e94e24a301edb3d3e7fad982225ac59430fc476bda4e1459faa1c1647\r\nMailPassView\r\n36541fad68e79cdedb965b1afcdc45385646611aa72903ddbe9d4d064d7bffb9\r\nWebBrowserPassView\r\n24d5dd3006c63d0f46fb33cbc1f576325d4e7e03e3201ff4a3c1ffa604f1b74a\r\nFastReverseProxy\r\n23.27.140[.]49:8080\r\nBadcall Host URL\r\n23.27.177[.]183\r\nBadcall C2 server\r\n23.254.211[.]230\r\nBadcall C2 server\r\n207.254.22[.]248:8800\r\nOpendir\r\n149.28.139[.]62:8080\r\nOpendir\r\n154.216.177[.]215:8080\r\nOpendir\r\n182.136.123[.]102:9999\r\nFRP Host URL\r\n119.6.56[.]194:9999\r\nFRP Host URL\r\n182.136.120[.]52:9999\r\nFRP Host URL\r\n118.123.54[.]71:9999\r\nFRP Host URL\r\n61.139.89[.]11:9999\r\nFRP Host URL\r\n125.67.171[.]158:9999\r\nFRP Host URL\r\n125.65.88[.]195:9999\r\nFRP Host URL\r\n119.6.121[.]143:9999\r\nFRP Host URL\r\nsecondshop[.]store\r\nLazarus-linked pivot domain\r\n23.254.128[.]114\r\nLazarus certificate-linked infrastructure\r\n104.168.198[.]145\r\nLazarus certificate-linked infrastructure\r\n23.254.164[.]50\r\nLazarus certificate-linked infrastructure\r\n192.236.146[.]20\r\nLazarus certificate-linked infrastructure\r\n142.11.209[.]109\r\nLazarus certificate-linked infrastructure\r\n192.236.233[.]162\r\nLazarus certificate-linked infrastructure\r\n192.236.176[.]164\r\nLazarus certificate-linked infrastructure\r\n192.236.236[.]100\r\nLazarus certificate-linked infrastructure\r\n192.236.146[.]22\r\nLazarus certificate-linked infrastructure\r\n192.236.233[.]165\r\nLazarus certificate-linked infrastructure\r\n192.119.116[.]231\r\nLazarus infrastructure with Bluenoroff overlap\r\n104.168.151[.]116\r\nLazarus infrastructure with Bluenoroff overlap\r\nDetection by Acronis\r\nAs part of this joint work, the Acronis Threat Research Unit reviewed the activity described in this report from the endpoint perspective. Their EDR/XDR telemetry surfaced the same behaviors seen in the infrastructure layer, including the latest Badcall variant, credential harvesting tools, and several of the Lazarus-linked nodes highlighted above.\r\nThis gives an additional confirmation path: the infrastructure we observed being prepared and used by DPRK operators also appeared as endpoint-level detections inside Acronis’ visibility. It reinforces the relationship between the external infrastructure pivots and the on-host activity defenders may see during similar intrusions.\r\nSource: https://www.acronis.com/en/tru/posts/acronis-tru-alliance-huntio-hunting-dprk-threats-new-global-lazarus-and-kimsuky-campaigns/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.acronis.com/en/tru/posts/acronis-tru-alliance-huntio-hunting-dprk-threats-new-global-lazarus-and-kimsuky-campaigns/"
	],
	"report_names": [
		"acronis-tru-alliance-huntio-hunting-dprk-threats-new-global-lazarus-and-kimsuky-campaigns"
	],
	"threat_actors": [
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "191d7f9a-8c3c-442a-9f13-debe259d4cc2",
			"created_at": "2022-10-25T15:50:23.280374Z",
			"updated_at": "2026-04-10T02:00:05.305572Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"Kimsuky",
				"Black Banshee",
				"Velvet Chollima",
				"Emerald Sleet",
				"THALLIUM",
				"APT43",
				"TA427",
				"Springtail"
			],
			"source_name": "MITRE:Kimsuky",
			"tools": [
				"Troll Stealer",
				"schtasks",
				"Amadey",
				"GoBear",
				"Brave Prince",
				"CSPY Downloader",
				"gh0st RAT",
				"AppleSeed",
				"Gomir",
				"NOKKI",
				"QuasarRAT",
				"Gold Dragon",
				"PsExec",
				"KGH_SPY",
				"Mimikatz",
				"BabyShark",
				"TRANSLATEXT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "4fc99d9b-9b66-4516-b0db-520fbef049ed",
			"created_at": "2025-10-29T02:00:51.949631Z",
			"updated_at": "2026-04-10T02:00:05.346203Z",
			"deleted_at": null,
			"main_name": "Contagious Interview",
			"aliases": [
				"Contagious Interview",
				"DeceptiveDevelopment",
				"Gwisin Gang",
				"Tenacious Pungsan",
				"DEV#POPPER",
				"PurpleBravo",
				"TAG-121"
			],
			"source_name": "MITRE:Contagious Interview",
			"tools": [
				"InvisibleFerret",
				"BeaverTail",
				"XORIndex Loader",
				"HexEval Loader"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "760f2827-1718-4eed-8234-4027c1346145",
			"created_at": "2023-01-06T13:46:38.670947Z",
			"updated_at": "2026-04-10T02:00:03.062424Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"G0086",
				"Emerald Sleet",
				"THALLIUM",
				"Springtail",
				"Sparkling Pisces",
				"Thallium",
				"Operation Stolen Pencil",
				"APT43",
				"Velvet Chollima",
				"Black Banshee"
			],
			"source_name": "MISPGALAXY:Kimsuky",
			"tools": [
				"xrat",
				"QUASARRAT",
				"RDP Wrapper",
				"TightVNC",
				"BabyShark",
				"RevClient"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38 ",
				"ATK 117 ",
				"Alluring Pisces ",
				"Black Alicanto ",
				"Bluenoroff ",
				"CTG-6459 ",
				"Citrine Sleet ",
				"HIDDEN COBRA ",
				"Lazarus Group",
				"Sapphire Sleet ",
				"Selective Pisces ",
				"Stardust Chollima ",
				"T-APT-15 ",
				"TA444 ",
				"TAG-71 "
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "c8bf82a7-6887-4d46-ad70-4498b67d4c1d",
			"created_at": "2025-08-07T02:03:25.101147Z",
			"updated_at": "2026-04-10T02:00:03.846812Z",
			"deleted_at": null,
			"main_name": "NICKEL KIMBALL",
			"aliases": [
				"APT43 ",
				"ARCHIPELAGO ",
				"Black Banshee ",
				"Crooked Pisces ",
				"Emerald Sleet ",
				"ITG16 ",
				"Kimsuky ",
				"Larva-24005 ",
				"Opal Sleet ",
				"Ruby Sleet ",
				"SharpTongue ",
				"Sparking Pisces ",
				"Springtail ",
				"TA406 ",
				"TA427 ",
				"THALLIUM ",
				"UAT-5394 ",
				"Velvet Chollima "
			],
			"source_name": "Secureworks:NICKEL KIMBALL",
			"tools": [
				"BabyShark",
				"FastFire",
				"FastSpy",
				"FireViewer",
				"Konni"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "32a223a8-3c79-4146-87c5-8557d38662ae",
			"created_at": "2022-10-25T15:50:23.703698Z",
			"updated_at": "2026-04-10T02:00:05.261989Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Lazarus Group",
				"Labyrinth Chollima",
				"HIDDEN COBRA",
				"Guardians of Peace",
				"NICKEL ACADEMY",
				"Diamond Sleet"
			],
			"source_name": "MITRE:Lazarus Group",
			"tools": [
				"RawDisk",
				"Proxysvc",
				"BADCALL",
				"FALLCHILL",
				"WannaCry",
				"MagicRAT",
				"HOPLIGHT",
				"TYPEFRAME",
				"Dtrack",
				"HotCroissant",
				"HARDRAIN",
				"Dacls",
				"KEYMARBLE",
				"TAINTEDSCRIBE",
				"AuditCred",
				"netsh",
				"ECCENTRICBANDWAGON",
				"AppleJeus",
				"BLINDINGCAN",
				"ThreatNeedle",
				"Volgmer",
				"Cryptoistic",
				"RATANKBA",
				"Bankshot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f426f0a0-faef-4c0e-bcf8-88974116c9d0",
			"created_at": "2022-10-25T15:50:23.240383Z",
			"updated_at": "2026-04-10T02:00:05.299433Z",
			"deleted_at": null,
			"main_name": "APT38",
			"aliases": [
				"APT38",
				"NICKEL GLADSTONE",
				"BeagleBoyz",
				"Bluenoroff",
				"Stardust Chollima",
				"Sapphire Sleet",
				"COPERNICIUM"
			],
			"source_name": "MITRE:APT38",
			"tools": [
				"ECCENTRICBANDWAGON",
				"HOPLIGHT",
				"Mimikatz",
				"KillDisk",
				"DarkComet"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "1bdb91cf-f1a6-4bed-8cfa-c7ea1b635ebd",
			"created_at": "2022-10-25T16:07:23.766784Z",
			"updated_at": "2026-04-10T02:00:04.7432Z",
			"deleted_at": null,
			"main_name": "Bluenoroff",
			"aliases": [
				"APT 38",
				"ATK 117",
				"Alluring Pisces",
				"Black Alicanto",
				"Bluenoroff",
				"CTG-6459",
				"Copernicium",
				"G0082",
				"Nickel Gladstone",
				"Sapphire Sleet",
				"Selective Pisces",
				"Stardust Chollima",
				"T-APT-15",
				"TA444",
				"TAG-71",
				"TEMP.Hermit"
			],
			"source_name": "ETDA:Bluenoroff",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "71a1e16c-3ba6-4193-be62-be53527817bc",
			"created_at": "2022-10-25T16:07:23.753455Z",
			"updated_at": "2026-04-10T02:00:04.73769Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"APT 43",
				"Black Banshee",
				"Emerald Sleet",
				"G0086",
				"G0094",
				"ITG16",
				"KTA082",
				"Kimsuky",
				"Larva-24005",
				"Larva-25004",
				"Operation Baby Coin",
				"Operation Covert Stalker",
				"Operation DEEP#DRIVE",
				"Operation DEEP#GOSU",
				"Operation Kabar Cobra",
				"Operation Mystery Baby",
				"Operation Red Salt",
				"Operation Smoke Screen",
				"Operation Stealth Power",
				"Operation Stolen Pencil",
				"SharpTongue",
				"Sparkling Pisces",
				"Springtail",
				"TA406",
				"TA427",
				"Thallium",
				"UAT-5394",
				"Velvet Chollima"
			],
			"source_name": "ETDA:Kimsuky",
			"tools": [
				"AngryRebel",
				"AppleSeed",
				"BITTERSWEET",
				"BabyShark",
				"BoBoStealer",
				"CSPY Downloader",
				"Farfli",
				"FlowerPower",
				"Gh0st RAT",
				"Ghost RAT",
				"Gold Dragon",
				"GoldDragon",
				"GoldStamp",
				"JamBog",
				"KGH Spyware Suite",
				"KGH_SPY",
				"KPortScan",
				"KimJongRAT",
				"Kimsuky",
				"LATEOP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Lovexxx",
				"MailPassView",
				"Mechanical",
				"Mimikatz",
				"MoonPeak",
				"Moudour",
				"MyDogs",
				"Mydoor",
				"Network Password Recovery",
				"PCRat",
				"ProcDump",
				"PsExec",
				"ReconShark",
				"Remote Desktop PassView",
				"SHARPEXT",
				"SWEETDROP",
				"SmallTiger",
				"SniffPass",
				"TODDLERSHARK",
				"TRANSLATEXT",
				"Troll Stealer",
				"TrollAgent",
				"VENOMBITE",
				"WebBrowserPassView",
				"xRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434501,
	"ts_updated_at": 1775792299,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/34399febaf90cde2f9df7aca450dda1c7f81d75c.pdf",
		"text": "https://archive.orkl.eu/34399febaf90cde2f9df7aca450dda1c7f81d75c.txt",
		"img": "https://archive.orkl.eu/34399febaf90cde2f9df7aca450dda1c7f81d75c.jpg"
	}
}