{
	"id": "fca16fd9-b14f-4afc-9de1-9e398de708e9",
	"created_at": "2026-04-06T00:15:20.822106Z",
	"updated_at": "2026-04-10T03:35:14.259555Z",
	"deleted_at": null,
	"sha1_hash": "8bed87552a104856c488a9f534c9151d88c64c60",
	"title": "Russian Infrastructure Plays Crucial Role in North Korean Cybercrime Operations",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4877833,
	"plain_text": "Russian Infrastructure Plays Crucial Role in North Korean\r\nCybercrime Operations\r\nBy: Feike Hacquebord, Stephen Hilt Apr 23, 2025 Read time: 14 min (3796 words)\r\nPublished: 2025-04-23 · Archived: 2026-04-05 12:59:51 UTC\r\nSummary\r\nTrend Research has identified multiple IP address ranges in Russia that are being used for cybercrime\r\nactivities aligned with North Korea. These activities are associated with a cluster of campaigns related to\r\nthe Void Dokkaebi intrusion set, also known as Famous Chollima.\r\nThe Russian IP address ranges, which are concealed by a large anonymization network that uses\r\ncommercial VPN services, proxy servers, and numerous VPS servers with RDP, are assigned to two\r\ncompanies in Khasan and Khabarovsk. Khasan is a mile from the North Korea-Russia border, and\r\nKhabarovsk is known for its economic and cultural ties with North Korea.\r\nTrend Research assesses that North Korea deployed IT workers who connect back to their home country\r\nthrough two IP addresses in the Russian IP ranges and two IP addresses in North Korea. Trend Micro’s\r\ntelemetry strongly suggests these DPRK-aligned IT workers work from China, Russia and Pakistan, among\r\nothers.\r\nBased on Trend Research’s assessment, North Korea-aligned actors use the Russian IP ranges to connect to\r\ndozens of VPS servers over RDP, then perform tasks like interacting on job recruitment sites and accessing\r\ncryptocurrency-related services. Some servers involved in their brute-force activity to crack cryptocurrency\r\nwallet passwords fall within one of the Russian IP ranges.\r\nInstructional videos have also been found with what looks like non-native English text, detailing how to\r\nset up a Beavertail malware command-and-control server and how to crack cryptocurrency wallet\r\npasswords. 
This makes it plausible that North Korea is also working with foreign conspirators.\r\nIT professionals in Ukraine, the US, and Germany have been targeted in these campaigns by fictitious\r\ncompanies that lure them into fraudulent job interviews. Trend Research assesses that the primary focus of\r\nVoid Dokkaebi is to steal cryptocurrency from software professionals interested in cryptocurrency, Web3,\r\nand blockchain technologies.\r\nTrend Vision One™ detects and blocks the IOCs discussed in this blog. Trend Vision One customers can\r\nalso access hunting queries, threat insights, and threat intelligence reports to gain rich context and the latest\r\nupdates on Void Dokkaebi.\r\nInternet access is scarce in North Korea; their national network only has 1,024 IP addresses assigned to it,\r\nyet the country’s role in cybercrime is significant. Multiple high-profile campaigns were publicly\r\nattributed to North Korean actors by international law enforcement, one of the latest being the US$1.5 billion\r\nBybit hack. Naturally, to scale cybercrime to the levels attributed to North Korea, a lot more\r\ninternet resources are needed than the 1,024 IP addresses. One way to achieve this is to send or hire significant\r\nnumbers of IT workers abroad and let them work from there. Additionally, large-scale\r\nhttps://www.trendmicro.com/en_us/research/25/d/russian-infrastructure-north-korean-cybercrime.html\r\nPage 1 of 15\n\nanonymization networks are being used to conceal campaigns linked to North Korea; these anonymization layers\r\nhide the origin of malicious traffic and make attribution harder.\r\nIn this blog entry, we will discuss how some of the campaigns linked to North Korea originate from five Russian\r\nIP ranges. These IP ranges are hidden from plain sight by a VPN layer, a proxy layer, or an RDP layer. They have\r\nbeen assigned to two organizations in Khasan and Khabarovsk, Russia. 
We assess that campaigns linked to North\r\nKorea also make use of the internet infrastructure in other countries.  \r\nKhasan is a small town in Russia that is only one mile away from the border with North Korea and China. It is\r\nhome to a railway bridge called the Korea-Russia Friendship bridge. Khabarovsk is known for its economic and\r\ncultural ties with North Korea. Therefore, these two towns are a natural fit for the home of cybercrime operations\r\nthat are aligned with the objectives of North Korea. We found that the Russian IP ranges connect to numerous\r\nVPS servers around the world using RDP and then do tasks from there, like communicating through apps like\r\nSkype, Telegram, Discord and Slack, contacting foreign IT professionals on job recruitment sites and connecting\r\nto cryptocurrency-related websites, for example, to empty stolen cryptocurrency wallets or launder money.\r\nForeign IT professionals are contacted as part of a common social engineering tactic that involves enticing\r\nsoftware developers with fake job interviews. In this scheme, developers apply for positions advertised on\r\nplatforms like LinkedIn and other recruitment sites. The supposed recruiter requests the applicant to complete\r\nspecific tasks as part of the interview process. These tasks may involve debugging or enhancing code that the\r\napplicant must download from reputable code repositories such as GitHub, GitLab, Bitbucket, or private GitLab\r\nsites.  While these repositories often do not host malicious code directly, they may contain code that injects\r\nobfuscated, harmful scripts hosted on third-party websites. When the applicant runs the downloaded code on their\r\npersonal computer or a production system, rather than in an isolated virtual environment, the attacker gains access\r\nto the applicant's system.\r\nOnce inside, the attacker might install other malware that will automatically look for sensitive data like passwords\r\nand cryptocurrency wallets. 
They may then proceed to try to empty the cryptocurrency wallets and steal other\r\nsensitive data too. Some compromised devices get integrated into the attacker's anonymizing infrastructure by\r\ninstalling legitimate proxy software like CCProxy.\r\nIn another scheme, North Korean IT workers secure IT-related jobs at Western companies and utilize laptop farms\r\noperated by co-conspirators residing in the West. By using these laptop farms, North Korean IT workers can\r\nconceal from their victim companies the fact that they are working remotely for a foreign country.\r\nTrend Research assesses that this scheme is closely related to Beavertail malware campaigns.\r\nThis blog entry also explores clusters of Beavertail malware campaigns attributed to Void Dokkaebi (also known\r\nas Famous Chollima). We focused on a fictitious company called BlockNovas, which has a website and a presence\r\non several job recruitment platforms, including LinkedIn and Upwork. Hundreds of applicants have responded to\r\nBlockNovas' job postings, with several of them getting infected with malware during the interview process.\r\nBlockNovas posted job openings targeting Web3 and blockchain experts in Ukraine, the US, Germany and other\r\ncountries. BlockNovas has utilized Beavertail and Invisible Ferret malware, as well as employed tactics where\r\napplicants are enticed to download and execute malware to solve a fictitious problem with their laptop camera\r\nduring an automated job interviewing process.\r\nWhile investigating BlockNovas, we discovered that lower levels of the anonymization layers are IP ranges in\r\nRussia, which we mentioned earlier in this introduction. 
Another cluster of Beavertail command-and-control\r\n(C\u0026C) servers has been administered through VPN, proxies and RDP sessions from the same Russian IP ranges as\r\nwell.\r\nThis leads us to an intriguing hypothesis: Key North Korean offensive cyber activities are conducted from or\r\nthrough internet infrastructure located in the Russian towns of Khasan and Khabarovsk; such infrastructure has\r\nbeen set up since 2017 and increased in size since 2023.\r\nBlockNovas\r\nOne of the fictitious companies used to lure victims into these fraudulent interviews is BlockNovas[.]com, which\r\npresents itself with a modern-looking website and claims to be active in blockchain technologies (Figure 1). It\r\nmaintains a presence on social media platforms such as Facebook, X (formerly known as Twitter), LinkedIn, and\r\nvarious job recruitment websites. This online presence is designed to enhance its credibility and attract\r\nunsuspecting software developers into applying for non-existent positions.\r\nBlockNovas is likely using artificial intelligence (AI) to help them create online personas and conduct the\r\ninterview process. A lot of legitimate job interviews in the technology space are held online, and this may have\r\nresulted in more job applicants letting their guard down. We observed BlockNovas for some time on LinkedIn and\r\nother recruitment sites, and found that fictitious new BlockNovas employees at key positions – like a chief\r\ntechnology officer (CTO) – popped up from seemingly nowhere. However, these profiles often had some history\r\non the social media network and usually hundreds of followers. Occasionally, compromised accounts were also\r\nused to amplify new job postings. With what seems like a credible online presence at first sight, BlockNovas has\r\nprobably reached hundreds of job applicants. 
\r\nIn December 2024, BlockNovas advertised an open position for a senior software engineer on LinkedIn,\r\nspecifically targeting Ukrainian IT professionals (Figure 2). Additionally, it posted job openings aimed at IT\r\nworkers in the United States, Germany, Ecuador and other regions. As of Spring 2025, BlockNovas kept on\r\nposting new job openings on LinkedIn and Freelancer.\r\nFigure 2. BlockNovas recruiting a senior software engineer in Ukraine in December 2024\r\nWe can relate BlockNovas to Beavertail C\u0026C servers directly through technical indicators and have found that a\r\nBlockNovas automated job interview website (Figure 4) tried to lure applicants into installing Beavertail-related\r\nmalware.\r\nWe assess that the primary objective remains the theft of cryptocurrency from IT professionals who are interested\r\nin crypto, Web3, blockchain technologies, and programming. However, there is also the possibility that when\r\ninitial access is established by the threat actor, access gets handed over to another team that is more interested in\r\nstealing information. For example, we have found that companies in the energy industry were also targeted. When\r\ninitial access is established for those industries and the threat actor does not find cryptocurrency to steal, handing\r\nover that initial access to teams more interested in espionage is a logical step for the threat actor to do.\r\nIn March, we went through BlockNovas[.]com's automated interview process, during which we received a\r\nmessage that our camera needed a software update (Figure 3). 
That software update is malware known as\r\nFrostyFerret on Mac and GolangGhost on Windows, although the C\u0026C server involved is used\r\nby both Beavertail and FrostyFerret.\r\nFigure 3. Message prompting a camera software update\r\nFigure 4. Application website for BlockNovas created in early March 2025\r\nBlockNovas[.]com was created on July 16, 2024, so this is a fairly new domain. The South Carolina address stated\r\non its website leads to an empty lot. We also found that there is no such company as BlockNovas listed in the\r\nstate’s Business Entities Online system.\r\nBlockNovas had a status page that showed the online status of websites, among which are the BlockNovas GitLab\r\nand a known Beavertail malware C\u0026C domain (Figure 5). BlockNovas’ GitLab hosted known Beavertail\r\nmalware, both on their private GitLab and their real GitLab page. We also found Hashtopolis, a tool to crack\r\npasswords, on the mail[.]BlockNovas[.]com (167[.]88[.]39[.]141) website (Figure 11).\r\nFigure 5. BlockNovas status page that shows the online status of websites\r\nOn April 23, the BlockNovas domain was seized by the Federal Bureau of Investigation (FBI) as part of a law\r\nenforcement action against North Korean cyber actors.\r\nFigure 6. Current contents of BlockNovas domain\r\nAnonymization layers\r\nUpon analyzing the anonymization layers used in campaigns linked to North Korea, we found that certain\r\nRussian IP addresses were repeatedly utilized in the deeper, more concealed layers. 
Using Team Cymru’s Real-time Threat Intelligence Platform, Pure Signal Recon, we found that these Russian IP addresses\r\nalso occasionally connected to remote management portals and the C\u0026C systems associated with Beavertail-related IP addresses. These IP addresses also frequently used Astrill VPN. It is known that several campaigns\r\nlinked to North Korea heavily rely on Astrill VPN to obscure the origin of their attacks.\r\nTherefore, our assessment is that North Korea-aligned actors sometimes failed to use a VPN service or proxy and\r\nthen leaked their real IP addresses in Russia.\r\nTo obfuscate the usage of Russian IP ranges, other anonymization methods are employed as well (Figure 6). In\r\naddition to Astrill VPN, the use of RDP is notably prevalent. Dozens of RDP VPS servers are accessed from the\r\nRussian IP ranges, and these servers are then used to connect to service providers that are typically used by Void\r\nDokkaebi. These services include communication platforms like Discord, Mattermost, Microsoft Teams, Skype,\r\nSlack, and Telegram. Additionally, various cryptocurrency-related services and job recruitment websites like\r\nLinkedIn and Upwork are frequently accessed. Coding-related websites like Visual Code and GitHub are also\r\nvisited. Given the probable geographical spread of Void Dokkaebi-associated cybercriminals, it’s likely that\r\nadditional origins and anonymization techniques will be employed.\r\nFigure 7. Anonymization scheme associated with Void Dokkaebi\r\nOn one occasion, we obtained explicit proxy logs from January 2025, originating from a CCProxy installation\r\nfound on a compromised cloud instance. The proxy logs revealed activity consistent with North Korean\r\noperations. 
The proxy was accessed by IP address 188[.]43[.]33[.]251 in Russia, which we had already flagged for\r\npotential North Korean cybercrime activity. This IP address had been accessing internet services typically utilized\r\nby North Korean actors, such as:\r\nAptos @ Sui Wallet\r\nAstrill VPN\r\nDeBank\r\nDropbox\r\nExodus Wallet\r\nGitHub\r\nKeplr Wallet\r\nRabby Wallet\r\nReown\r\nSMSPool\r\nSkype\r\nSprig\r\nTelegram\r\nTerabox\r\nUpwork\r\nVisual Studio\r\nWe list the Russian IP ranges that have been used in suspected North Korea-related campaigns in Table 1.\r\nIP ranges | ASN | Network name | Created | Region\r\n80.237.84.0/24 | 20485 | KPOST-NET | September 7, 2024 | Khasan, Russia\r\n80.237.87.0/24 | 20485 | SKYFREIGHT-NET | December 11, 2024 | Khasan, Russia\r\n83.234.227.0/24 | 20485 | SKYFREIGHT-NET | June 2, 2023 | Khasan, Russia\r\n188.43.136.0/24 | 20485 | KPOST-NET2 | September 12, 2017 | Khabarovsk, Russia\r\n188.43.33.249, 188.43.33.250, 188.43.33.251, 188.43.33.252, 188.43.33.253 | 20485 | (Generic network name) | Undetermined | Undetermined\r\nTable 1. Russian IP ranges with suspected North Korean cybercrime activities. Geolocation based on RIPE whois\r\ndata.\r\nWe also assess with low confidence that two IP addresses in 188[.]43[.]136[.]0/24 are frequently used by North\r\nKorean-aligned IT workers to report back to their homeland. These two IP addresses exhibit similar patterns as\r\ntwo other IP addresses in 175[.]45[.]176[.]0/22 that are assigned to the autonomous system number (ASN) of\r\nNorth Korea. We suspect these two North Korean IP addresses are also used to connect back from foreign sites\r\nwhere North Korean workers have been deployed for offensive cyber-attacks. 
More concretely, we have evidence\r\nthat these IP addresses were connected to from China, Russia, Pakistan and other regions that also exhibited\r\nNorth Korea-aligned cyber activity. We assess that the following IP addresses are used to connect back to North\r\nKorea by North Korean-aligned actors abroad; a related assessment has been published elsewhere:\r\n175[.]45[.]176[.]21\r\n175[.]45[.]176[.]22\r\n188[.]43[.]136[.]115\r\n188[.]43[.]136[.]116\r\nThe Russian IP ranges in Table 1 belong to ASN AS20485, which belongs to TransTelecom in Russia.\r\nTransTelecom has acted as a second upstream internet provider for North Korea since 2017. It has been reported\r\nthat a fiber optic cable was laid over the Korea-Russia Friendship Bridge near Khasan in\r\n2017 (Figure 7) to form a second upstream provider for North Korea. The IP range 188[.]43[.]136[.]0/24 was\r\nregistered in RIPE just around the time that TransTelecom started as an upstream provider for North Korea.\r\nAdditionally, two more recent IP ranges are assigned to organizations in Khasan, Russia. Since 2022, increased\r\nactivity in Khasan has been observed through satellite imagery. The railway station in Khasan is believed to\r\nfacilitate the transport of people and freight over the bridge into North Korea.\r\nFigure 8. 
Korea-Russia Friendship Bridge near Khasan, Russia\r\ninetnum:        80.237.84.0 - 80.237.84.255\r\nnetname:        KPOST-NET\r\ndescr:          (MS002204) TTK-DV,\r\ndescr:          Hasan, Russia\r\ncountry:        RU\r\nadmin-c:        AMIK1-RIPE\r\ntech-c:         AMIK1-RIPE\r\nstatus:         ASSIGNED PA\r\nmnt-by:         TRANSTELECOM-MNT\r\ncreated:        2024-09-07T12:17:04Z\r\nlast-modified:  2024-09-07T12:17:04Z\r\nsource:         RIPE # Filtered\r\ninetnum:        80.237.87.0 - 80.237.87.255\r\nnetname:        SKYFREIGHT-NET\r\ndescr:          (MS009388) SKYFREIGHT,\r\ndescr:          Hasan, Russia\r\ncountry:        RU\r\nadmin-c:        AMIK1-RIPE\r\ntech-c:         AMIK1-RIPE\r\nstatus:         ASSIGNED PA\r\nmnt-by:         TRANSTELECOM-MNT\r\ncreated:        2024-12-11T11:32:17Z\r\nlast-modified:  2024-12-11T11:32:17Z\r\nsource:         RIPE\r\ninetnum:        188.43.136.0 - 188.43.136.255\r\nnetname:        KPOST-NET2\r\ndescr:          (MS003584) TTK-DV,\r\ndescr:          Khabarovsk, Russia, Russia\r\ncountry:        RU\r\nadmin-c:        AMIK1-RIPE\r\ntech-c:         AMIK1-RIPE\r\nstatus:         ASSIGNED PA\r\nmnt-by:         TRANSTELECOM-MNT\r\ncreated:        2017-09-12T08:09:54Z\r\nlast-modified:  2017-09-12T08:09:54Z\r\nsource:         RIPE # Filtered\r\ninetnum:        83.234.227.0 - 83.234.227.255\r\nnetname:        SKYFREIGHT-NET\r\ndescr:          (MS009388) Skyfreight_Limited,\r\ndescr:          Hasan, Russia\r\ncountry:        RU\r\nadmin-c:        KTTK-RIPE\r\ntech-c:         KTTK-RIPE\r\nstatus:         ASSIGNED PA\r\nmnt-by:         TRANSTELECOM-MNT\r\ncreated:        2023-06-02T15:31:08Z\r\nlast-modified:  2023-06-02T15:31:08Z\r\nsource:         RIPE # Filtered\r\nTable 2. Whois information from RIPE\r\nAnother IP range is allocated to Khabarovsk, Russia (Table 2). 
Khabarovsk is approximately 435 miles from the\r\nNorth Korean border, maintains cultural and economic ties with North Korea, and has a North Korean minority\r\nresiding there (Figure 8). This leads us to an intriguing hypothesis that some of the North Korean cybercrime\r\nactivities are conducted through internet infrastructure located in the Russian towns of Khasan and Khabarovsk.\r\nFigure 9. North Korea’s proximity to Khasan and Khabarovsk in Russia\r\nInstruction videos\r\nWe obtained seven videos with what appears to be non-native English text, which painstakingly explain how to\r\nset up components of the Beavertail C\u0026C server (Table 3). This reinforces our theory that these videos are aimed\r\nat less skilled conspirators outside the core actor group. Among other things, the videos detail how to set up\r\nDropbox accounts on those servers and change code. The videos were likely created during an RDP session to the\r\nBeavertail C\u0026C server 95[.]164[.]18[.]177 at the end of January 2025 by someone who is logged in with a\r\nBlockNovas[.]com account. In the videos, it is visible that a new free Dropbox account is created with another\r\nBlockNovas[.]com e-mail address and the confirmation e-mail from Dropbox arrives on the system instantly, as\r\ncould be seen in a new e-mail notification on screen (Figure 9). We think it likely that the creator of the video was\r\nconnected to the Beavertail C\u0026C server from the IP address 188[.]43[.]33[.]251 in Russia. We were not able to\r\ndetermine whether the person was in the same geolocation as the IP address 188[.]43[.]33[.]251, but we think this\r\nis a plausible option. 
In one of the videos, it was also explained how to crack cryptocurrency wallet passwords.\r\nOne of the servers that was set up to assist in these computationally expensive tasks was IP address\r\n188[.]43[.]33[.]250.\r\nFigure 10. Video stills from instruction videos that were recorded during an RDP session into the\r\nBeavertail C\u0026C server 95[.]164[.]18[.]177 on January 28, 2025 by someone using a BlockNovas\r\naccount\r\nFigure 11. Still about Hashtopolis from one of the videos recorded by someone with a BlockNovas\r\naccount\r\nVideo | Summary of contents\r\nVideo 1 | Instructions on how to use node.js and adapt some code. Instructions on how to sign up for Dropbox.\r\nVideo 2 | Instructions on how to install and use Dropbox. Instructions on how to set up an FTP server.\r\nVideo 3 | An explanation of the scripts on Beavertail malware C\u0026Cs. Instructions on how to decode C\u0026C scripts, replace hardcoded C\u0026Cs, and then encode the scripts again.\r\nVideo 4 | Instructions on how to access infected hosts through a websocket. Instructions on how to upload stolen information on cryptocurrency wallets to Dropbox. Instructions on how to check the balance of cryptocurrency wallets.\r\nVideo 5 | Instructions on how to use passwords stored in a browser and how to crack passwords of cryptocurrency wallets.\r\nVideo 6 | Instructions on how to install Windows Internet Information Services (IIS).\r\nVideo 7 | Detailed explanation of how to use Hashcat and Hashtopolis to crack passwords.\r\nTable 3. Contents of the seven videos\r\nOutlook and conclusions\r\nWe believe the primary motive of Void Dokkaebi remains theft of cryptocurrency from victims' wallets. 
We assess\r\nthat not all Beavertail-related campaigns employ identical infrastructure setups. This suggests the existence of\r\ndifferent cells of cybercriminals who operate with slight variations in their methods and infrastructure used. Some\r\nclusters of Void Dokkaebi-related campaigns appear to originate from IP ranges in Russia; others might originate\r\nfrom China, South America or Pakistan. Public reports have mentioned that North Korea sends IT workers abroad\r\nto commit cybercrime from there. We suspect that foreigners are recruited by North Korea to perform simple tasks,\r\ntoo. The instruction videos in English that we have found give further evidence for this. This suggests that while\r\nthe skills needed to set up Void Dokkaebi campaigns are not necessarily advanced, the campaigns are highly\r\neffective and scale well.\r\nWe anticipate that the scope of Void Dokkaebi attacks will eventually expand to include more espionage-like\r\nactivities. Given that a significant portion of the deeper layers of the North Korean actors' anonymization network\r\nis in Russia, it is plausible, with low to medium confidence, that some form of intentional cooperation or\r\ninfrastructure sharing exists between North Korea and Russian entities. A logical next step in this potential\r\ncooperation would be handing over initial access to victims’ organizations to groups that are more interested in\r\ncyber espionage.\r\nTo help mitigate threats like Void Dokkaebi, it's crucial that IT professionals ensure the code is never executed on\r\na production server or on any corporate or personal laptops when they are asked to perform a code review or\r\ncomplete a coding test as part of an interview. Instead, these tasks should be conducted within an isolated virtual\r\nenvironment. 
This setup prevents access to any private or sensitive information, safeguarding against potential\r\ndata exfiltration. Once the test is completed, the virtual environment should be securely destroyed to maintain\r\nconfidentiality.\r\nDuring the interview process, candidates should also remain vigilant for any indications of deepfakes or AI-generated responses from the interviewers. For instance, if the interviewer consistently provides vague or general\r\nanswers before addressing the question directly, it may be a sign of the interviewer using AI to formulate the\r\nanswers. Being aware of these nuances can help ensure a more secure and genuine interview.\r\nProactive security with Trend Vision One™\r\nOrganizations can protect themselves from threats like these with Trend Vision One™ – the\r\nonly AI-powered enterprise cybersecurity platform that centralizes cyber risk exposure management, security\r\noperations, and robust layered protection. This comprehensive approach helps you predict and prevent threats,\r\naccelerating proactive security outcomes across your entire digital estate. Backed by decades of cybersecurity\r\nleadership and Trend Cybertron, the industry's first proactive cybersecurity AI, it delivers proven results: a 92%\r\nreduction in ransomware risk and a 99% reduction in detection time. Security leaders can benchmark their posture\r\nand showcase continuous improvement to stakeholders. With Trend Vision One, you’re enabled to eliminate\r\nsecurity blind spots, focus on what matters most, and elevate security into a strategic partner for innovation.\r\nTrend Vision One Threat Intelligence\r\nTo stay ahead of evolving threats, Trend Vision One customers can access a range of Intelligence Reports and\r\nThreat Insights. 
Threat Insights helps customers stay ahead of cyber threats before they happen and allows them to\r\nprepare for emerging threats by offering comprehensive information on threat actors, their malicious activities,\r\nand their techniques. By leveraging this intelligence, customers can take proactive steps to protect their\r\nenvironments, mitigate risks, and effectively respond to threats.\r\nTrend Vision One Intelligence Reports App [IOC Sweeping]\r\nRussian Infrastructure Plays Crucial Role in North Korean Cybercrime Operations\r\nTrend Vision One Threat Insights App\r\nThreat Actors: Void Dokkaebi\r\nEmerging Threats: Russian Infrastructure Plays Crucial Role in North Korean Cybercrime\r\nOperations\r\nHunting Queries\r\nTrend Vision One Search App\r\nTrend Vision One customers can use the Search App to match or hunt the malicious indicators mentioned in this\r\nblog post with data in their environment.\r\nBeavertail Malware Detection Query\r\nmalName: *BEAVERTAIL* AND eventName:MALWARE_DETECTION AND LogType: detection\r\nMore hunting queries are available for Trend Vision One customers with Threat Insights Entitlement enabled.\r\nIndicators of Compromise (IOCs)\r\nThe indicators of compromise for this entry can be found here.\r\nWith additional insights from Fyodor Yarochkin\r\nSource: https://www.trendmicro.com/en_us/research/25/d/russian-infrastructure-north-korean-cybercrime.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY",
		"ETDA"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/25/d/russian-infrastructure-north-korean-cybercrime.html"
	],
	"report_names": [
		"russian-infrastructure-north-korean-cybercrime.html"
	],
	"threat_actors": [
		{
			"id": "7187a642-699d-44b2-9c69-498c80bce81f",
			"created_at": "2025-08-07T02:03:25.105688Z",
			"updated_at": "2026-04-10T02:00:03.78394Z",
			"deleted_at": null,
			"main_name": "NICKEL TAPESTRY",
			"aliases": [
				"CL-STA-0237 ",
				"CL-STA-0241 ",
				"DPRK IT Workers",
				"Famous Chollima ",
				"Jasper Sleet Microsoft",
				"Purpledelta Recorded Future",
				"Storm-0287 ",
				"UNC5267 ",
				"Wagemole "
			],
			"source_name": "Secureworks:NICKEL TAPESTRY",
			"tools": [],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "d05e8567-9517-4bd8-a952-5e8d66f68923",
			"created_at": "2024-11-13T13:15:31.114471Z",
			"updated_at": "2026-04-10T02:00:03.761535Z",
			"deleted_at": null,
			"main_name": "WageMole",
			"aliases": [
				"Void Dokkaebi",
				"WaterPlum",
				"PurpleBravo",
				"Famous Chollima",
				"UNC5267",
				"Wagemole",
				"Nickel Tapestry",
				"Storm-1877"
			],
			"source_name": "MISPGALAXY:WageMole",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434520,
	"ts_updated_at": 1775792114,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8bed87552a104856c488a9f534c9151d88c64c60.pdf",
		"text": "https://archive.orkl.eu/8bed87552a104856c488a9f534c9151d88c64c60.txt",
		"img": "https://archive.orkl.eu/8bed87552a104856c488a9f534c9151d88c64c60.jpg"
	}
}