{
	"id": "141cc6d8-083c-4ba4-a426-f04119a37b67",
	"created_at": "2026-04-06T00:11:53.650127Z",
	"updated_at": "2026-04-10T03:36:36.814906Z",
	"deleted_at": null,
	"sha1_hash": "9463c0539a98c3ee14aae08b45dda1afac5b1a49",
	"title": "OSINT Reporting Regarding DPRK and TA505 Overlap – One Night in Norfolk",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 278945,
	"plain_text": "OSINT Reporting Regarding DPRK and TA505 Overlap – One Night in Norfolk\r\nPublished: 2019-04-10 · Archived: 2026-04-05 19:59:12 UTC\r\nYesterday, at SAS2019, BAE Systems presented findings related to DPRK SWIFT heist activity that took place in 2018. As part of this research (a leaked video of the presentation is available online), BAE included two key points not previously disclosed in the public domain:\r\n– The existence of a PowerShell backdoor attributable to DPRK, which the researchers dubbed PowerBrace\r\n– A possible overlap between TA505 intrusions and DPRK intrusions, suggesting a possible hand-off between the two groups.\r\nThis blog will leave a full analysis of those two points and the supporting context to the people that found them, as it’s theirs to share; however, data that may support such conclusions has been available in open source for quite some time.\r\nIn early January, VNCert issued an alert regarding attacks targeting financial institutions, containing a mix of DPRK IOCs (including a keylogger referred to as PSLogger, previously analyzed by this blog), TA505 IOCs (previously published by 360 TIC), and a handful of PowerShell scripts that are generally identical aside from a handful of configuration changes. Furthermore, the aforementioned keylogger was first uploaded by a submitter (fabd7a52) in Pakistan in December 2018. That same submitter acted as the first uploader for one of the PowerShell samples identified below (b88d4d72fdabfc040ac7fb768bf72dcd), further corroborating a possible link.\r\nGiven the multi-sourced reporting overlaps and the additional Pakistan findings mentioned above, this blog assesses that the PowerShell scripts in question likely belong to the same family of DPRK-attributable malware reported by BAE Systems.\r\nA listing of selected IOCs is below the fold, alongside a few brief notes (and a script) for how to analyze the PowerShell malware.\r\nIOCs from VNCert\r\nTA505:\r\nThese contain infrastructure overlaps with reporting from the same month found here:\r\nhttps://ti.360.net/blog/articles/excel-4.0-macro-utilized-by-ta505-to-target-financial-institutions-recently-en/\r\nhttps://norfolkinfosec.com/osint-reporting-on-dprk-and-ta505-overlap/\r\nPage 1 of 4\r\nDPRK:\r\nHSMBalance.exe MD5: 34404a3fb9804977c6ab86cb991fb130 – Keylogger\r\nICAS.ps1 MD5: b12325a1e6379b213d35def383da2986 – Possible PowerBrace\r\nMD5: 8a41520c89dce75a345ab20ee352fef0 – Possible PowerBrace\r\nMD5: 7c651d115109fd8f35fddfc44fd24518 – Possible PowerBrace\r\nMD5: b88d4d72fdabfc040ac7fb768bf72dcd – Possible PowerBrace\r\nMD5: 3be75036010f1f2102b6ce09a9299bca – Possible PowerBrace\r\nSeveral hashes were omitted: these were EML files that belong to specific financial organizations. Others were not on VirusTotal or were not read properly by OCR.\r\nA Few Notes on the PowerShell Backdoor\r\nMD5 Used: b12325a1e6379b213d35def383da2986 (ICAS.ps1)\r\nC2: 192.95.14.128\r\nAs previously mentioned, this blog will not be publishing a full analysis of this backdoor in deference to the people who first found it; however, in the interest of helping analysts who need the data, there are a few key points to mention:\r\n– The backdoor uses a configuration file that includes two C2 servers and a series of Base64-encoded commands\r\n– Most of the malware’s function names have been replaced with MD5 hashes\r\n[Figure: A snippet of the encoded configuration and obfuscated functions.]\r\nA script is included below that performs the Base64 transformation on values where it can find them. To analyze the backdoor, this blog then recommends the following process:\r\n1) Using an easily identifiable command name (decoded by the script), locate that command’s use in a function\r\n2) Identify references between that command and other functions\r\n3) Rename those other functions\r\n4) Repeat\r\nAn example of decoded data (with variables and functions renamed manually) is below:\r\n[Figure: A portion of the partially decoded and deobfuscated PowerShell backdoor]\r\nA script to assist with this is here:\r\nimport base64\r\nimport re\r\n\r\n# Path placeholders from the original post; point them at the sample to decode\r\nc = open(\"c:\\\\users\\\\[username]\\\\desktop\\\\[filename]\").readlines()\r\nline_list = []\r\nfor line in c:\r\n    #print(line)\r\n    try:\r\n        # Base64 blob inside $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String(...)))\r\n        enc = re.search(r\"(?\u003c=\\$\\(\\[Text.Encoding\\]::Unicode.GetString\\(\\[Convert\\]::FromBase64String\\().*?(?=\\))\", line).group(0)\r\n        print(line)\r\n        print(enc)\r\n        # Unicode here means UTF-16LE, so ASCII text decodes to characters interleaved with null bytes\r\n        d = ('\"' + base64.b64decode(enc).decode(\"latin-1\") + '\"')\r\n        # Replace the whole wrapper expression with the decoded string; a callable avoids backslash processing in the replacement\r\n        e = re.sub(r\"\\$\\(\\[Text.Encoding\\]::Unicode.GetString\\(\\[Convert\\]::FromBase64String\\(.*?\\)\\)\\)\", lambda _m: d, line)\r\n        f = re.sub(\"\\0\", \"\", e)  # strip the null bytes left over from the UTF-16LE text\r\n        line_list.append(f)\r\n    except Exception:\r\n        # No encoded value on this line (or it failed to decode): keep it as-is\r\n        line_list.append(line)\r\nwith open(\"c:\\\\users\\\\[username]\\\\desktop\\\\laz_decoded.ps1\", \"wt\") as t:\r\n    for unit in line_list:\r\n        t.write(unit)\r\nSource: https://norfolkinfosec.com/osint-reporting-on-dprk-and-ta505-overlap/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://norfolkinfosec.com/osint-reporting-on-dprk-and-ta505-overlap/"
	],
	"report_names": [
		"osint-reporting-on-dprk-and-ta505-overlap"
	],
	"threat_actors": [
		{
			"id": "5e6b31a6-80e3-4e7d-8b0a-d94897ce9b59",
			"created_at": "2024-06-19T02:03:08.128175Z",
			"updated_at": "2026-04-10T02:00:03.636663Z",
			"deleted_at": null,
			"main_name": "GOLD TAHOE",
			"aliases": [
				"Cl0P Group Identity",
				"FIN11 ",
				"GRACEFUL SPIDER ",
				"SectorJ04 ",
				"Spandex Tempest ",
				"TA505 "
			],
			"source_name": "Secureworks:GOLD TAHOE",
			"tools": [
				"Clop",
				"Cobalt Strike",
				"FlawedAmmy",
				"Get2",
				"GraceWire",
				"Malichus",
				"SDBbot",
				"ServHelper",
				"TrueBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "75d4d6a9-b5d1-4087-a7a0-e4a9587c45f4",
			"created_at": "2022-10-25T15:50:23.5188Z",
			"updated_at": "2026-04-10T02:00:05.26565Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"TA505",
				"Hive0065",
				"Spandex Tempest",
				"CHIMBORAZO"
			],
			"source_name": "MITRE:TA505",
			"tools": [
				"AdFind",
				"Azorult",
				"FlawedAmmyy",
				"Mimikatz",
				"Dridex",
				"TrickBot",
				"Get2",
				"FlawedGrace",
				"Cobalt Strike",
				"ServHelper",
				"Amadey",
				"SDBbot",
				"PowerSploit"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "99cb4e5b-8071-4f9e-aa1d-45bfbb6197e3",
			"created_at": "2023-01-06T13:46:38.860754Z",
			"updated_at": "2026-04-10T02:00:03.125179Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"SectorJ04",
				"SectorJ04 Group",
				"ATK103",
				"GRACEFUL SPIDER",
				"GOLD TAHOE",
				"Dudear",
				"G0092",
				"Hive0065",
				"CHIMBORAZO",
				"Spandex Tempest"
			],
			"source_name": "MISPGALAXY:TA505",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e447d393-c259-46e2-9932-19be2ba67149",
			"created_at": "2022-10-25T16:07:24.28282Z",
			"updated_at": "2026-04-10T02:00:04.921616Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"ATK 103",
				"Chimborazo",
				"G0092",
				"Gold Evergreen",
				"Gold Tahoe",
				"Graceful Spider",
				"Hive0065",
				"Operation Tovar",
				"Operation Trident Breach",
				"SectorJ04",
				"Spandex Tempest",
				"TA505",
				"TEMP.Warlock"
			],
			"source_name": "ETDA:TA505",
			"tools": [
				"Amadey",
				"AmmyyRAT",
				"AndroMut",
				"Azer",
				"Bart",
				"Bugat v5",
				"CryptFile2",
				"CryptoLocker",
				"CryptoMix",
				"CryptoShield",
				"Dridex",
				"Dudear",
				"EmailStealer",
				"FRIENDSPEAK",
				"Fake Globe",
				"Fareit",
				"FlawedAmmyy",
				"FlawedGrace",
				"FlowerPippi",
				"GOZ",
				"GameOver Zeus",
				"GazGolder",
				"Gelup",
				"Get2",
				"GetandGo",
				"GlobeImposter",
				"Gorhax",
				"GraceWire",
				"Gussdoor",
				"Jaff",
				"Kasidet",
				"Kegotip",
				"Kneber",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Locky",
				"MINEBRIDGE",
				"MINEBRIDGE RAT",
				"MirrorBlast",
				"Neutrino Bot",
				"Neutrino Exploit Kit",
				"P2P Zeus",
				"Peer-to-Peer Zeus",
				"Philadelphia",
				"Philadephia Ransom",
				"Pony Loader",
				"Rakhni",
				"ReflectiveGnome",
				"Remote Manipulator System",
				"RockLoader",
				"RuRAT",
				"SDBbot",
				"ServHelper",
				"Shifu",
				"Siplog",
				"TeslaGun",
				"TiniMet",
				"TinyMet",
				"Trojan.Zbot",
				"Wsnpoem",
				"Zbot",
				"Zeta",
				"ZeuS",
				"Zeus"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434313,
	"ts_updated_at": 1775792196,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9463c0539a98c3ee14aae08b45dda1afac5b1a49.pdf",
		"text": "https://archive.orkl.eu/9463c0539a98c3ee14aae08b45dda1afac5b1a49.txt",
		"img": "https://archive.orkl.eu/9463c0539a98c3ee14aae08b45dda1afac5b1a49.jpg"
	}
}