{
	"id": "4af5583a-5ce6-4792-840b-57fbf484ae1b",
	"created_at": "2026-04-18T02:20:57.367356Z",
	"updated_at": "2026-04-18T02:22:37.396099Z",
	"deleted_at": null,
	"sha1_hash": "7cbe9bab8403ec2b15b86d1f9a119be31d5fe310",
	"title": "North Korea Turns Against New Targets?!",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 108706,
	"plain_text": "North Korea Turns Against New Targets?!\r\nBy deugenio\r\nPublished: 2019-02-19 · Archived: 2026-04-18 02:06:48 UTC\r\nIntroduction\r\nOver the past few weeks, we have been monitoring suspicious activity directed against Russian-based companies\r\nthat exposed a predator-prey relationship that we had not seen before. For the first time we were observing what\r\nseemed to be a coordinated North Korean attack against Russian entities. While attributing attacks to a certain\r\nthreat group or another is problematic, the analysis below reveals intrinsic connections to the tactics, techniques\r\nand tools used by the North Korean APT group – Lazarus.\r\nThis discovery came about as we were tracking multiple malicious Office documents that were designed and\r\ncrafted specifically for Russian victims. Upon closer examination of these documents, we were able to discern that\r\nthey belonged to the early stages of an infection chain which ultimately led to an updated variant of a versatile\r\nLazarus backdoor, dubbed KEYMARBLE by the US-CERT.\r\nSometimes referred to as Hidden Cobra, Lazarus is one of the most prevalent and active APT groups in the world\r\ntoday. 
The infamous group, which is known to be a North Korean sponsored threat actor, is believed to be behind\r\nsome of the largest security breaches of the last decade.\r\nThis includes the Sony Pictures Entertainment hack, the Bangladesh bank heist, and numerous other high stakes\r\noperations, such as the theft of millions of dollars’ worth of cryptocurrencies from at least five different\r\ncryptocurrency exchange services worldwide.\r\nWhile our campaign’s timeline seems to overlap with last week’s ESTsecurity report on the “Operation Extreme\r\nJob” campaign targeting South Korean security companies, we have observed different tactics, techniques and\r\nprocedures (TTPs) employed in the two operations.\r\nIt has long been believed among the security community that Lazarus is divided into at least two subdivisions: the first,\r\nnamed Andariel, which focuses primarily on attacking the South Korean government and organizations, and the\r\nsecond, Bluenoroff, whose main focus is monetization and global espionage campaigns.\r\nThe differences between the two campaigns, which were conducted at the same time, lend weight once again to\r\nthe theory that multiple divisions are at work here.\r\nThis incident, however, represents an unusual choice of victim by the North Korean threat actor. Usually, these\r\nattacks reflect the geopolitical tensions between the DPRK and nations such as the U.S., Japan and South Korea. In\r\nthis case, though, it is probably Russian organizations who are the targets.\r\nInfection Chain\r\nDuring our analysis we encountered two different infection flows.\r\nhttps://research.checkpoint.com/north-korea-turns-against-russian-targets/\r\nPage 1 of 18\n\nThe main infection flow consists of the following three main steps:\r\n1. A ZIP file which contains two documents: a benign decoy PDF document and a malicious Word document\r\nwith macros.\r\n2. The malicious macro downloads a VBS script from a Dropbox URL, followed by the VBS script\r\nexecution.\r\n3. 
The VBS script downloads a CAB file from the dropzone server, extracts the embedded EXE file\r\n(backdoor) using Windows’ “expand.exe” utility, and finally executes it.\r\nAt first, the infection chain consisted of all the above stages, but at a certain point, the attackers decided to skip\r\nthe second stage of the infection chain and the malicious Word macros were modified to directly “download and\r\nexecute” the Lazarus Backdoor in stage three.\r\nFig 1: The Infection Flow\r\nLure Office Documents\r\nAll documents related to this campaign were uploaded to VirusTotal from different sources in Russia during the\r\nweek of 26-31/01/19, with what looks like their original file names.\r\nAll the documents also included similar metadata, with “home” as the author name, and a Korean code page.\r\nDuring the campaign, the attackers utilized multiple lure images in order to convince the victims to click the\r\n“Enable Content” button and trigger the malicious macro code.\r\n“2018.11.2~2019.1.26_ErrorDetail.doc”\r\nFirst Submission: 2019-01-31 13:45:04\r\nCode Page: Korean\r\nAuthor: home\r\nNotes: Cyrillic looking characters in the image\r\nSHA-1: 088c6157d2bb4238f92ef6818b9b1ffe44109347\r\n“Serial_Numbers.xls”\r\nFirst Submission: 2019-01-31 06:56:00\r\nCode Page: Korean\r\nAuthor: home\r\nSHA-1: 4cd5a4782dbed5b8e337ee402f1ef748b5035709\r\n“LosAngeles_Court_report.doc”\r\nFirst Submission: 2019-01-26 09:59:50\r\nCode Page: Korean\r\nAuthor: home\r\nSHA-1: e89458183cb855118539373177c6737f80e6ba3f\r\nMalicious Macros\r\nThe campaign exhibits very similar macro code in both the XLS and DOC variants of the dropper.\r\nThe macros themselves are very simple and straightforward, but in this case, keeping the macros simple and\r\nwithout any advanced obfuscation tricks, resulted in 
malicious documents that were able to pass undetected by\r\nmany reputable security vendors on VirusTotal.\r\nAn interesting part of the download stage in one of the documents is the unexplained usage of a Dropbox “Host”\r\nfield in the HTTP request header.\r\nFig 2: A Dropbox “Host” field in the HTTP request header\r\nThe mystery was solved, however, once we located another related sample, which actually downloaded the next\r\nstage of the infection chain from Dropbox itself, making it pretty clear that Dropbox was the original source for\r\nthe second stage of the infection during this campaign.\r\nFig 3: The code responsible for downloading the second stage of the infection from Dropbox\r\nDecoy Document\r\nDuring this campaign, at least one of the malicious Office documents was originally distributed via a ZIP file,\r\nalong with another PDF decoy document named NDA_USA.pdf.\r\nFig 4: The decoy and malicious files contained within the distributed ZIP file\r\nThe benign document tries to make the files look legitimate, and contains an NDA for StarForce technologies – a\r\nRussian based company which provides software copy-protection solutions.\r\nFig 5: The benign document sent to decoy victims\r\nThe Dropzone\r\nThe Lazarus Group is known to utilize an array of compromised servers for its operations, and this time is no\r\ndifferent.\r\nThe final payload in this campaign is downloaded from a compromised server in the form of a CAB file, which is\r\nlater expanded into the KEYMARBLE backdoor. 
It is important to note the CAB file is disguised as a JPEG\r\nimage on the compromised host (http://37.238.135[.]70/img/anan.jpg).\r\nA closer look at the compromised server shows an unconvincing website for the “Information Department” of the\r\n“South Oil Company”. The server is located in Iraq and hosted by EarthLink Ltd. Communications\u0026Internet\r\nServices.\r\nFig 6: The Iraqi compromised server\r\nThe KEYMARBLE Backdoor\r\nKEYMARBLE is a general purpose backdoor that was described in a report by NCCIC last August. The\r\nmalware is a remote administration tool (RAT) that provides its operators with basic functionality to retrieve\r\ninformation from the victim’s machine. Once executed, it conducts several initializations, contacts a C\u0026C server\r\nand waits indefinitely for new commands from it. Each received command is processed by the backdoor and\r\nhandled within an appropriate function, which in turn collects a piece of information or conducts an action on the\r\ntarget machine.\r\nAV Detection\r\nAs part of the infection flow we previously described, all of the malicious documents mentioned downloaded\r\nKEYMARBLE, compressed inside a CAB file.\r\nIt is interesting to note that by encapsulating the backdoor in a CAB file, the attackers were able to lower the\r\ndetection rate of this sample from five vendors to a mere two vendors, who detected this file as malicious on\r\nVirusTotal:\r\nFig 7: Vendor detection results in VirusTotal\r\nVersion Comparison\r\nThis instance of the malware resembles its predecessor from last year in flow and functionality. Both operate in\r\ntwo main stages – an initialization phase that sets up necessary data structures and contacts the C\u0026C server, and\r\nthe main command dispatch loop that receives commands from the server and passes them on to their\r\ncorresponding handlers. 
Particular mechanisms within these stages also appear in other pieces of malware that\r\noriginate from North Korea, a lot of which are attributed to the infamous Lazarus Group.\r\nHaving said that, there are particular differences in this variant from the previously reported sample of the same\r\nfamily. For one, the authors used wolfSSL, an open source library used to authenticate the client’s\r\nidentity to the C2 server and encrypt communication. This is not the first time this library has been used in North Korean\r\nmalware. Intezer described a different RAT that leveraged it in an attack against cryptocurrency exchanges last\r\nyear. Additionally, while most of the command codes handled by the backdoor overlap in both the new and old\r\nversion, some of the codes were omitted from the recent sample and several others were modified, as was the\r\nfunctionality of their handlers.\r\nIn the upcoming paragraphs we will outline the key features of KEYMARBLE, focusing on both correlations and\r\ndistinctions from the previous sample reported by the US-CERT.\r\nInitialization\r\nBoth backdoor variants start by dynamically resolving Win32 API functions. This is a very typical\r\ninitial stage that appears across multiple North Korean malware families, whereby a list of function names is decrypted\r\nduring runtime and then resolved to a global table in memory. The addresses from that table will be used\r\nsubsequently to invoke any calls to the desired API functions. 
One of the features in this mechanism that\r\ndistinguishes this malware family from others is perhaps the usage of the open source McbDES2 code to\r\nimplement function name decryption with the DES algorithm.\r\nFigure 8: Comparison of API resolution logic in both versions of KEYMARBLE\r\nFigure 9: API function name decryption using the open source McbDoDES template library\r\nFollowing this, KEYMARBLE will start preparing the data structures required for communicating with the C\u0026C\r\nserver. This will include both initiation of wolfSSL related structures as well as initial contact with the server. For\r\nthe former, the malware will drop a hardcoded PEM certificate to the disk under %TEMP% with the file name\r\n“Thumbss.db”, which will have its data read and passed to an internal wolfSSL function called ProcessFile. This\r\nwill in turn parse it and assign data derived from the certificate to a global context structure used for\r\ncommunication. The certificate used in this sample can be found in the IOC section below.\r\nFigure 10: Initialization of communication using wolfSSL, and outline of a proprietary structure that comprises\r\nsome of the key structures required for the malware’s communication.\r\nAs for initiating contact with the C2 server, the malware will create a socket, set it to be non-blocking by invoking\r\nioctlsocket with the command argument set to 0x8004667E, and attempt to connect to the hardcoded IP address\r\n194\\.45\\.8\\.41 over port 443. 
This will happen indefinitely with 30 minute intervals between each connection\r\nattempt until success, at which point the malware will break from the loop and continue its execution.\r\nCommunication Protocol\r\nEach message exchanged between the malware and the server will have a predefined structure (as outlined in\r\nfigure 4) which resembles a TLS application record. As mentioned before, the malware leverages SSL for\r\ncommunication, hence each such message will be encrypted with a key exchanged during the SSL handshake\r\nbetween client and server, and the action of sending or receiving data will be handled by wolfSSL functions\r\ndesignated for this purpose (SendData and ReceiveData respectively).\r\nFigure 11: Custom protocol message structure. Resembles a TLS record.\r\nAfter initiating the first connection with the C2 server, KEYMARBLE will issue a beacon message. This message\r\nis meant to carry the machine’s UID, which is a result of the operation:\r\nMD5(ProductID|MAC), where the first field is obtained by querying the\r\nSOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProductId registry key, and the second is the MAC address obtained by invoking the function\r\nGetAdaptersInfo. However, this UID will be retrieved only after an explicit request from the server, and until\r\nthat’s done the data field in the beacon will be left blank.\r\nFigure 12: calculation of UUID as a result of MD5 on ProductID and MAC address.\r\nAfter the initial beacon the malware will enter an infinite loop where it will wait for command codes from\r\nthe server. These will be passed on to a dispatcher function, where each command will be handled by an\r\nappropriate handler. 
The command is received in two parts – first the server will send a message carrying the\r\ncommand’s data length, and only then will it issue the actual command code.\r\nFigure 13: beacon and main message loop\r\nBackdoor Commands\r\nThe command dispatcher is a very basic mechanism that uses a switch case in order to pass control to the\r\ncorresponding function. The command codes range from 0x1234556 to 0x1234578 and most overlap with\r\ncommands that appeared in the older version of the backdoor. However, this version carries a smaller number of\r\ncommands (18 vs. 22) and few of them differ in code and functionality from the older version. Also, much like\r\nwith receiving the command code, each command argument sent (if such is required) will be preceded with a\r\nlength message to indicate what buffer size should be allocated for the sent argument.\r\nFigure 14: command dispatch function comparison between the old and new version of KEYMARBLE\r\nAll of the commands, their logic and response are summarized in the table below:\r\nCommand code | Meaning | Response data\r\n0x1234556 | Receives a message with arbitrary data, ignores it and just sends a blank message back. Probably used to test the backdoor. | Sends a response with the data field set to 0.\r\n0x1234558 | Receives a path to a directory, enumerates it and builds an array of data structures that conveys various information fields on each file in it (e.g. file size, last write time etc.). Once all data from the directory is retrieved, the array will be sent to the server. See appendix for more details. | If succeeds, responds with the command code after sending all the data, otherwise if the path wasn’t found it will send back a message with a blank data field.\r\n0x1234559 | Receives a command to execute on Windows and runs it with the following command line: cmd.exe /c “[received_cmd_line] \u003e %TEMP%\\PM[GetTempFileNameW_generated_name]” \u003e2\u00261. The output of the execution, which will be written to the %TEMP% directory and prefixed with “PM”, will be sent in chunks of 16KB to the server. A maximum of 60 chunks can be sent while the command is still executing. Subsequently, the generated temporary file will be deleted and the cmd.exe process terminated. The residual data that was not sent yet after termination will be forwarded on to the server. | Sends a response with the data field set to 0.\r\n0x123455A | Retrieves information on running processes in the system, gathers it into a buffer and issues it to the server. | –\r\n0x123455B | Gets a name of a process as an argument and terminates it. | If succeeds, responds with the command code.\r\n0x123455C | Receives a file name and number of iterations as an argument, overwrites the file’s content, renames and deletes it. The overwrite happens with a stream generated by the libc rand function (with the current tick count as seed), and the new file name is generated as a 3-10 character name that is also a result of a similar stream. The process of data garbling and renaming takes place for the number of iterations specified by the server, after which the file is deleted. | Sends the result of GetLastError as data after the DeleteFileW operation.\r\n0x123455D | Collects various pieces of information on the system and network of the attacked machine (e.g. MAC address, free space on disk, OS build info etc.), builds them into a single buffer and sends it as response. See appendix for more details. | If succeeds, responds with the command code after sending the buffer.\r\n0x123455E | Scans all drive letters and checks for the existence of fixed, non-root or removable drives. For each found drive a buffer is created and initialized with the drive’s numeric type, the drive’s letter and the underlying volume’s name. For the last parameter, if the drive has no name and it’s fixed or non-root the name will be assigned as “Local Disk”, otherwise if it’s removable it will be assigned as “CD Drive”. All such buffers are appended together and sent to the C2. | –\r\n0x123455F | Gets a file path and length of data, after which data is sent from the server in chunks of 16KB and written to that path. | If succeeds, responds with the command code, otherwise sends back the last error.\r\n0x1234560 | Gets a file path and attempts to get a handle to it. If succeeds, retrieves file size and sends the file content to the server in chunks of 16KB. | If succeeds, responds with the command code, otherwise sends back the last error.\r\n0x1234565 | Sends an uninitialized global buffer of size 448 to the server. | –\r\n0x123456E | Sends the current directory (result of GetCurrentDirectoryW) to the server. | –\r\n0x123456F | Receives a directory path as argument and sets it to be the current one (using SetCurrentDirectoryW). | Sends the result of GetCurrentDirectoryW as a response to the server.\r\n0x1234574 | Receives a path to a directory as an argument, iterates over all files in it and zips them using the open source TZip library. The archive is located at %TEMP% and its name is prefixed with ‘DWS00’. Upon successful zip, the archive will be sent to the server, otherwise any created file will be deleted. | If succeeds, responds with the command code.\r\n0x1234575 | Receives 2 arguments – an application path and a wShowWindow parameter (determines if the process window is visible or not) and creates a new process for it. | If succeeds, responds with the command code.\r\n0x1234576 | Receives 2 paths – a source path and a destination path. The malware will move the file from the source to destination path. | If succeeds, responds with the command code.\r\n0x1234577 | Receives 2 file names – a source and destination. The malware will get the file time of the source and set the destination file’s time to be the same. | Sends the last error if one of the operations fails, otherwise sends 0.\r\n0x1234578 | Retrieves the current file name and sends it to the server. | –\r\nCheck Point protects against this attack through its SandBlast threat prevention solutions.\r\nIOCs\r\n2b4fb64c13c55aa549815ec6b2d066a75ccd248e (New KEYMARBLE sample)\r\nd1410d073a6df8979712dd1b6122983f66d5bef8 (Old KEYMARBLE sample)\r\n088c6157d2bb4238f92ef6818b9b1ffe44109347 (Maldoc)\r\n4cd5a4782dbed5b8e337ee402f1ef748b5035709 (Maldoc)\r\ne89458183cb855118539373177c6737f80e6ba3f (Maldoc)\r\na5b2c704c5cff550e6c47454b75393add46f156f (ZIP file containing decoy PDF)\r\n194\\.45\\.8\\.41:443 (KEYMARBLE C2)\r\nhxxp://37\\.238\\.135\\.70/img/anan.jpg (Dropzone server)\r\nPEM Certificate:\r\nReferences\r\nNCCIC KEYMARBLE report from August 2018: https://www.us-cert.gov/ncas/analysis-reports/AR18-221A\r\nIntezer report on cryptocurrency exchange attacks by Lazarus group from March 2018:\r\nhttps://www.intezer.com/lazarus-group-targets-more-cryptocurrency-exchanges-and-fintech-companies/\r\nWolfSSL on Github: https://github.com/wolfSSL/wolfssl\r\nMcbDes2 project code:\r\nhttp://read.pudn.com/downloads198/sourcecode/crypt/ca/930917/McbDES2.hpp__.htm\r\nTZip library: https://graphics.stanford.edu/~mdfisher/Code/WebPagePreprocessor/zip.cpp\r\nAppendix:\r\nStructure used for each file and directory enumerated 
during execution of handler for code 0x1234558:\r\nThe buffer used for collecting system and network info in the handler for code 0x123455D will have the following\r\noutline:\r\nwhere\r\ninfo_item is a FAM of the following structure:\r\nand system_info has the following structure:\r\nSource: https://research.checkpoint.com/north-korea-turns-against-russian-targets/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://research.checkpoint.com/north-korea-turns-against-russian-targets/"
	],
	"report_names": [
		"north-korea-turns-against-russian-targets"
	],
	"threat_actors": [],
	"ts_created_at": 1776478857,
	"ts_updated_at": 1776478957,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7cbe9bab8403ec2b15b86d1f9a119be31d5fe310.pdf",
		"text": "https://archive.orkl.eu/7cbe9bab8403ec2b15b86d1f9a119be31d5fe310.txt",
		"img": "https://archive.orkl.eu/7cbe9bab8403ec2b15b86d1f9a119be31d5fe310.jpg"
	}
}