{
	"id": "e35e63d5-62f2-4067-8a39-2d2461ed26a3",
	"created_at": "2026-04-06T00:16:01.405424Z",
	"updated_at": "2026-04-10T03:21:55.373756Z",
	"deleted_at": null,
	"sha1_hash": "b66786b425913ea7676f96e24e8bd5cd73deaf44",
	"title": "DPRK Malware Targeting Security Researchers – One Night in Norfolk",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1067050,
	"plain_text": "DPRK Malware Targeting Security Researchers – One Night in Norfolk\r\nPublished: 2021-01-26 · Archived: 2026-04-05 23:37:27 UTC\r\nEarlier today, Adam Weidemann from Google’s Threat Analysis Group (TAG) published research regarding a threat actor targeting security analysts through a social engineering campaign. Google attributes this activity to DPRK threat actors. This blog has no evidence to corroborate or refute this claim, but considers Google to be a reputable source of information.\r\nAccording to the published research, the threat actors would engage in a social engineering effort in which they attempted to collaborate with security analysts on a Visual Studio project, ultimately leading to them delivering a malicious DLL that the researcher would unknowingly launch.\r\nThis post examines that DLL and parts of its second-stage workflow.\r\nTechnical Analysis\r\nMD5: 56018500f73e3f6cf179d3b853c27912\r\nSHA-1: a3060a3efb9ac3da444ef8abc99143293076fe32\r\nSHA-256: 4c3499f3cc4a4fdc7e67417e055891c78540282dccc57e37a01167dfe351b244\r\nThis file is a DLL that expects to be executed under the following conditions before it initiates the malicious workflow:\r\n– The operating system must be 64-bit\r\n– The correct export must be called\r\n– Exactly two additional command line arguments must be supplied alongside this export\r\nAlthough Google provided multiple hashes, the file above was selected as a starting point because its exports matched the export shown in an image in Google’s post (CMS_dataFinal). 
The post used this image to show how the malware would execute under normal circumstances, which in turn allows us to supply two additional critical parameters to the file:\r\n– Bx9yb37GEcJNK6bt\r\n– 4901\r\nUnder the attacker’s workflow, these would have been supplied through a PowerShell command initiated from a Visual Studio Build Event, but they can also be supplied from an ordinary command line.\r\nOnce executed under the specified conditions, the malware moves an encoded set of strings into memory and decodes them.\r\nhttps://norfolkinfosec.com/dprk-malware-targeting-security-researchers/\r\nPage 1 of 6\n\nThe malware uses these strings to call the CreateDirectory API for C:\\ProgramData\\VMWare and later to specify a filename at this location for a dropped payload (vmnat-update.bin). These decoded strings also contain an export and an additional parameter for this dropped payload.\r\nAfter this, the malware enumerates running processes via NtQuerySystemInformation and checks for the presence of avp.exe (Kaspersky) and avastui.exe (Avast). If either process is found, the malware exits gracefully; if not, it continues with its workflow.\r\nNtQuerySystemInformation resolution (top) and the avp.exe and avastui.exe checks (bottom)\r\nFollowing this step, the malware decodes a second set of strings. These are used to create persistence via the CurrentVersion\\Run key under an entry named “OneDrive Update”.\r\nOnce the malware has created the persistence key, it writes a second-stage DLL to the C:\\ProgramData\\VMWare\\ directory and calls it using the previously decoded parameters.\r\nSecond Stage\r\nAnalysis of the second-stage payload is in progress, and additional details beyond what is listed below will be added when available. 
It is possible (and perhaps likely, due to time constraints) that another researcher will complete this analysis before I do, in which case those details will be corroborated and added below for completeness, along with the appropriate credit.\r\nMD5: f5475608c0126582081e29927424f338\r\nSHA-1: 8e88fd82378794a17a4211fbf2ee2506b9636b02\r\nSHA-256: a75886b016d84c3eaacaf01a3c61e04953a7a3adf38acf77a4a2e3a8f544f855\r\nThe second-stage malware performs a similar command line check to verify that it is running with two supplied parameters. The first of these parameters, lxUi5CZ0IV45j89Y, is used to create a mutex that ensures only one copy of the malware is running at a time. If the mutex already exists, the malware exits.\r\nThe malware then resolves a long list of API calls before jumping into a section of memory. While this list is extensive, the resolved names indicate potential functionality, including C2 operations (HttpOpenRequest, HttpAddRequestHeaders, etc.) and host-based operations (GetDesktopWindow, WriteFile).\r\nThe sample examined contains multiple C2 domains and URLs, each of which points to a different endpoint for communication:\r\nhxxps://codevexillium[.]org/image/download/download.asp\r\nhxxps://www.dronerc[.]it/shop_testbr/upload/upload.php\r\nhxxps://transplugin[.]io/upload/upload.asp\r\nThe malware uses the OpenSSL library and communicates with these endpoints via HTTP POST requests:\r\nHTTP request\r\nAs part of the POST request, the malware transmits the date and time of its execution to the C2 server, encoded in Base64. 
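Taken together, the first-stage behaviour above (the CMS_dataFinal export launched with Bx9yb37GEcJNK6bt and 4901, the drop directory C:\\ProgramData\\VMWare, the OneDrive Update entry under CurrentVersion\\Run) and the second-stage behaviour (the lxUi5CZ0IV45j89Y mutex and the three C2 hosts) give a hunter a small set of host and network indicators. The Python below is an added example, not code from the original post, that matches those indicators over a handful of constructed Sysmon-style events. It assumes Sysmon event IDs and field names (1 process creation with CommandLine, 3 network connection with DestinationHostname, 11 file creation with TargetFilename, 13 registry value set with TargetObject, 22 DNS query with QueryName); the post does not say which hive holds the Run key, so the match is on the key tail under any hive; and the rundll32 command line in the sample is a guess at how the export might be invoked, not the PowerShell build-event command the post describes.

```python
import ntpath

# Indicators taken from the post (added example; not the blog author's code).
DROP_DIR = 'C:\\ProgramData\\VMWare'
DROP_FILE = ntpath.join(DROP_DIR, 'vmnat-update.bin')   # second-stage DLL
RUN_VALUE = 'OneDrive Update'          # value name written under the Run key
FIRST_STAGE_EXPORT = 'CMS_dataFinal'
FIRST_STAGE_ARG = 'Bx9yb37GEcJNK6bt'   # first of the two required arguments
C2_HOSTS = ('codevexillium.org', 'dronerc.it', 'transplugin.io')


def _host_matches(hostname):
    # Exact match or a subdomain (www.dronerc.it); a lookalike such as
    # dronerc.it.example.com must not match, hence the leading-dot check.
    h = hostname.lower().rstrip('.')
    return any(h == d or h.endswith('.' + d) for d in C2_HOSTS)


def match_indicators(events):
    # Walk Sysmon-style events (assumed field names) and return
    # (index, label) pairs for every event that hits an indicator.
    hits = []
    drop_prefix = DROP_DIR.lower() + ntpath.sep
    # Hive is not stated in the post, so match the key tail under any hive.
    run_suffix = ntpath.join('currentversion', 'run', RUN_VALUE).lower()
    for i, ev in enumerate(events):
        eid = ev.get('EventID')
        if eid == 1:     # process creation: export name plus first argument
            cmd = ev.get('CommandLine', '')
            if FIRST_STAGE_EXPORT in cmd and FIRST_STAGE_ARG in cmd:
                hits.append((i, 'first_stage_launch'))
        elif eid == 11:  # file creation under the drop directory
            if ev.get('TargetFilename', '').lower().startswith(drop_prefix):
                hits.append((i, 'drop_dir_write'))
        elif eid == 13:  # registry value set: Run key persistence
            if ev.get('TargetObject', '').lower().endswith(run_suffix):
                hits.append((i, 'run_key_persistence'))
        elif eid == 22:  # DNS query for a C2 host
            if _host_matches(ev.get('QueryName', '')):
                hits.append((i, 'c2_dns_query'))
        elif eid == 3:   # outbound connection to a C2 host
            if _host_matches(ev.get('DestinationHostname', '')):
                hits.append((i, 'c2_connection'))
    return hits


# Constructed sample events: five true positives followed by three
# near-misses that a careless substring match would flag.
SAMPLE_EVENTS = [
    {'EventID': 1, 'CommandLine':
        'rundll32.exe project.dll,CMS_dataFinal Bx9yb37GEcJNK6bt 4901'},
    {'EventID': 11, 'TargetFilename': DROP_FILE},
    {'EventID': 13, 'TargetObject':
        'HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive Update',
     'Details': DROP_FILE},
    {'EventID': 22, 'QueryName': 'www.dronerc.it'},
    {'EventID': 3, 'DestinationHostname': 'codevexillium.org',
     'DestinationPort': 443},
    {'EventID': 11, 'TargetFilename': 'C:\\ProgramData\\Microsoft\\cache.bin'},
    {'EventID': 22, 'QueryName': 'dronerc.it.example.com'},
    {'EventID': 13, 'TargetObject':
        'HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive',
     'Details': 'C:\\Program Files\\OneDrive.exe'},
]


if __name__ == '__main__':
    for idx, label in match_indicators(SAMPLE_EVENTS):
        print(idx, label, SAMPLE_EVENTS[idx])
```

The post says the first stage exits quietly when avp.exe or avastui.exe is running, so on a host with Kaspersky or Avast the later indicators never appear and the launch command line is the only one left to find; the mutex is not something Sysmon records and has to be checked on the live host separately.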
The attackers may use this timestamp for additional filtering, to ensure that too much time has not passed between the malware’s execution and its first communication (a long gap could indicate an active debugging or reverse engineering effort).\r\nAt this stage, the actions available to the malware in response to this POST request remain under analysis, although the malware presumably at a minimum provides basic reconnaissance and a channel for command-line execution (either directly or through creation of another payload). These are assumptions based on common malware characteristics, however, and not observed activity.* (Updated below)\r\n*Update (1/26):\r\nOver the course of the last 24 hours, a lot of great research and analysis came to light from various parties. Most notably, I’d like to direct readers to three posts that offer additional context and demonstrate that the final action after this POST request is to download an additional payload onto the disk:\r\n360 Threat Intelligence Center provides additional operational context for these attacks, including social engineering. This may be particularly valuable for threat hunters or threat intelligence practitioners. It also offers more details regarding the POST request and next-stage DLL in similar samples.\r\nQi’anxin Threat Intelligence Center identified similar activity (and malware) from this adversary in September 2020.\r\nAnheng Threat Intelligence Center provides additional context regarding the social engineering and Visual Studio stages of this attack.\r\nSource: https://norfolkinfosec.com/dprk-malware-targeting-security-researchers/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://norfolkinfosec.com/dprk-malware-targeting-security-researchers/"
	],
	"report_names": [
		"dprk-malware-targeting-security-researchers"
	],
	"threat_actors": [],
	"ts_created_at": 1775434561,
	"ts_updated_at": 1775791315,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b66786b425913ea7676f96e24e8bd5cd73deaf44.pdf",
		"text": "https://archive.orkl.eu/b66786b425913ea7676f96e24e8bd5cd73deaf44.txt",
		"img": "https://archive.orkl.eu/b66786b425913ea7676f96e24e8bd5cd73deaf44.jpg"
	}
}