
Inside DPRK Operations: New Infrastructure Uncovered Across Global Campaigns

Published 18/12/2025 09:40 · Modified 21/12/2025 19:37


Essential information

Published
18/12/2025 09:40
Modified
21/12/2025 19:37
Tags
2025-12-18 badcall blindingcan dprk mailpassview quasar rat vps
Related entities
1 vulnerability (CVE), 20 observables, 1 intrusion set (APT), 20 techniques (MITRE), 6 malware, 1 other

Description

North Korean state-sponsored threat actors, including Lazarus and Kimsuky, continue to conduct widespread hacking operations for intelligence gathering, financial gain, and access. The investigation uncovered previously unconnected operational assets, revealing active tool-staging servers, credential theft environments, FRP tunneling nodes, and certificate-linked infrastructure. Key findings include a new Linux variant of the backdoor, extensive credential harvesting toolkits in open directories, and widespread deployment of Fast Reverse Proxy (FRP) instances. The analysis highlights consistent operational patterns across campaigns, such as reusing infrastructure, deploying identical FRP configurations, and leveraging shared certificates, providing defenders with actionable intelligence to proactively track activity.

External references