{
	"id": "06321684-dbec-4778-bbb0-c8cf9ba381d1",
	"created_at": "2026-04-06T00:18:58.495174Z",
	"updated_at": "2026-04-10T03:20:37.721524Z",
	"deleted_at": null,
	"sha1_hash": "c7d24acb48bb6fc1a0721a1f087c69ea88e166cb",
	"title": "North Korean hackers stole research data in two-month-long breach",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3493294,
	"plain_text": "North Korean hackers stole research data in two-month-long breach\r\nBy Bill Toulas\r\nPublished: 2023-02-02 · Archived: 2026-04-05 20:48:32 UTC\r\nA new cyber espionage campaign dubbed 'No Pineapple!' has been attributed to the North Korean Lazarus hacking group, allowing the threat actors to stealthily steal 100GB of data from the victim without causing any destruction.\r\nThe campaign lasted between August and November 2022, targeting organizations in medical research, healthcare, chemical engineering, energy, defense, and a leading research university.\r\nThe operation was discovered by Finnish cybersecurity firm WithSecure, whose analysts were called to investigate a potential ransomware incident on one of its customers. However, thanks to an operational mistake by Lazarus, they were able to link the campaign to the North Korean APT.\r\nhttps://www.bleepingcomputer.com/news/security/north-korean-hackers-stole-research-data-in-two-month-long-breach/\r\nPage 1 of 5\r\nWithSecure was able to attribute the activity based on multiple pieces of evidence but also noticed some new developments for Lazarus, like:\r\nthe use of new infrastructure using IP addresses without domain names,\r\na new version of the Dtrack info-stealer malware,\r\na new version of the GREASE malware used in admin account creation and protection bypass.\r\nThe campaign is named after the '\u003c No Pineapple! \u003e' error seen transmitted by a remote access malware when uploading stolen data to the threat actor's servers.\r\nQuietly stealing data\r\nThe Lazarus hackers compromised the victim's network on August 22nd, 2022, by leveraging the CVE-2022-27925 (remote code execution) and CVE-2022-37042 (authentication bypass) Zimbra vulnerabilities to drop a webshell on the target's mail server.\r\nThis RCE flaw was patched in May 2022, but the authentication bypass took Zimbra until August 12th to release a security update. By that time, it was already under active exploitation by threat actors.\r\nAfter successfully breaching the network, the hackers deployed the tunneling tools 'Plink' and '3Proxy' to create reverse tunnels back to the threat actors' infrastructure, allowing the threat actors to bypass the firewall.\r\nLess than a week later, WithSecure says the intruders began utilizing modified scripts to extract approximately 5GB of email messages from the server and save them to a locally stored CSV file, which was later uploaded to the attacker's server.\r\nOver the next two months, the threat actors spread laterally through the network, acquiring administrator credentials and stealing data from devices.\r\nWhile spreading through the network, Lazarus deployed multiple custom tools, such as Dtrack and what is believed to be a new version of the GREASE malware, used to locate Windows administrator accounts.\r\nDtrack is an information-stealing backdoor known to be used by Lazarus, while the GREASE malware is associated with Kimsuky, another North Korean state-sponsored hacking group.\r\nThe attack culminated on November 5th, 2022, with the actors lurking in the network for over two months and ultimately stealing 100GB of data from the compromised organization.\r\nWithSecure was able to analyze the work patterns of the threat actors, stating that they worked Monday through Saturday from 9 AM to 10 PM.\r\n\"Time zone attribution analysis concluded that the time zone aligns with UTC +9. Reviewing activity by time of day finds that most threat actor activity occurred between 00:00 to 15:00 UTC (09:00 and 21:00 UTC +9),\" shared WithSecure.\r\n\"Analysing activity by day of the week suggests that the threat actor was active Monday to Saturday, a common work pattern for DPRK.\"\r\nLazarus working times and days in the recent campaign (WithSecure)\r\nNew malware and tactics\r\nThe first notable change found in this Lazarus campaign is that they now rely solely on IP addresses without domain names for their infrastructure.\r\nThis change has advantages for the threat actors, including reduced need for renewal maintenance and greater IP flexibility.\r\nThe new Dtrack variant spotted in the recent Lazarus attacks is dropped by an executable named 'onedriver.exe,' and it no longer uses its own C2 server for data exfiltration.\r\nInstead, it relies on a separate backdoor to transfer the data it has gathered locally on the compromised machine, storing it in a password-protected archive.\r\n\"The staging and exfiltration host was likely carefully chosen by the threat actor to be a host where endpoint security monitoring tools were not deployed,\" explains WithSecure in the report.\r\nThe new GREASE malware used by Lazarus is executed on the host as a DLL (\"Ord.dll\") with higher privileges achieved by exploiting the 'PrintNightmare' flaw.\r\nIts main difference compared to previous versions is that it now uses RDPWrap to install an RDP service onto the host to create a privileged user account with the help of net user commands.\r\nExposed by errors\r\nEven for highly sophisticated threat actors like Lazarus, making mistakes isn't unheard of, and in this case, a mistake allowed the campaign to be attributed to the hacking group.\r\nWithSecure's investigation of retrieved network logs from the victim revealed that one of the web shells planted by the intruders was communicating with a North Korean IP address (\"175.45.176[.]27\").\r\nThis isolated incident occurred at the beginning of that day, preceded by connections from a proxy address, indicating that the threat actor likely exposed themselves by an error at the start of their workday.\r\nAdditionally, WithSecure observed that various commands executed on the breached network devices were very similar to those hardcoded inside Lazarus malware but often contained mistakes and didn't execute, indicating that the threat actors were typing them manually using the Impacket 'atexec' module.\r\nApart from the mistakes, WithSecure was able to link these operations to Lazarus based on TTP overlaps detailed in previous reports by Symantec and Cisco Talos, the employed malware strains, the profiles of the targets, infrastructure overlaps, and time-zone analysis.\r\nWithSecure's report is another indication of Lazarus' activity, with the threat group continuing its efforts to gather intelligence and exfiltrate large amounts of data from high-profile victims.\r\nSource: https://www.bleepingcomputer.com/news/security/north-korean-hackers-stole-research-data-in-two-month-long-breach/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/north-korean-hackers-stole-research-data-in-two-month-long-breach/"
	],
	"report_names": [
		"north-korean-hackers-stole-research-data-in-two-month-long-breach"
	],
	"threat_actors": [],
	"ts_created_at": 1775434738,
	"ts_updated_at": 1775791237,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c7d24acb48bb6fc1a0721a1f087c69ea88e166cb.pdf",
		"text": "https://archive.orkl.eu/c7d24acb48bb6fc1a0721a1f087c69ea88e166cb.txt",
		"img": "https://archive.orkl.eu/c7d24acb48bb6fc1a0721a1f087c69ea88e166cb.jpg"
	}
}