Astrill VPN: New IPs Publicly Released on VPN Service Heavily Used by North Korean Threat Actors
Essential information
- Published
- 01/03/2025 18:36
- Modified
- 03/03/2025 15:33
- Tags
- 2025-03-01 apt astrill vpn contagious interview famous chollima north korea
- Related entities
- 9 observables, 1 intrusion sets (apt), 7 techniques (mitre)
Description
North Korean threat actors, particularly from the Lazarus Group, continue to utilize Astrill VPN to conceal their IP addresses during attacks. Recent infrastructure and logs from the 'Contagious Interview' subgroup confirmed ongoing use of Astrill VPN in their operations. Google's Mandiant and Recorded Future's Insikt Group have also reported on DPRK threat actors' preference for this VPN service. Silent Push analysts have developed a 'Bulk Data Feed' of Astrill VPN IPs, updated in real-time, to help protect against threats. The research includes confirmation of Astrill VPN usage in recent attacks, including the $1.4 billion ByBit heist. A sample list of active Astrill VPN IP addresses is provided, with more comprehensive data available to enterprise users.