Inside DPRK Operations: New Infrastructure Uncovered Across Global Campaigns
Essential information
- Published: 18/12/2025 09:40
- Modified: 21/12/2025 19:37
- Tags: 2025-12-18 badcall blindingcan dprk mailpassview quasar rat vps
- Related entities: 1 vulnerability (CVE), 20 observables, 1 intrusion set (APT), 20 techniques (MITRE ATT&CK), 6 malware, 1 other
Description
North Korean state-sponsored threat actors, including Lazarus and Kimsuky, continue to run widespread intrusion operations for intelligence collection, financial gain, and network access. The investigation summarized here links previously unconnected operational assets: active tool-staging servers, credential-theft environments, Fast Reverse Proxy (FRP) tunneling nodes, and infrastructure tied together by shared certificates. Key findings include a new Linux variant of the Badcall backdoor, extensive credential-harvesting toolkits exposed in open directories, and widespread deployment of FRP instances. The analysis highlights operational patterns that recur across DPRK campaigns: reuse of infrastructure, deployment of identical FRP configurations, and shared certificates across hosts. Because FRP is a legitimate open-source tool, the actionable signal for defenders lies in those overlaps (identical configurations and certificates reappearing on otherwise unrelated hosts) rather than in the presence of the tool itself, and they give defenders a basis for tracking DPRK activity proactively.
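The pivoting described above (linking hosts through a shared TLS certificate or an identical FRP configuration) can be scripted over any scan or open-directory export. The following is an added example written for this page, not code from the report or from any tool it describes; every host, certificate fingerprint and frpc.ini config in it is constructed for illustration and is not an indicator from the report. It normalizes frpc.ini-style configs before hashing so that cosmetic differences between staged copies (comments, spacing, key case) do not hide reuse, then clusters hosts that share either attribute with a small union-find.

```python
"""Pivot across infrastructure observables by shared certificate fingerprint and
identical FRP client configuration. Added example; all data below is constructed."""
import hashlib
from collections import defaultdict

# Constructed frpc.ini-style configs. The [common] section carries the FRP server
# address/port and the shared auth token; proxy sections define the tunnels.
FRP_ALPHA = """[common]
server_addr = 192.0.2.10
server_port = 7000
token = example-token-1

[rdp]
type = tcp
local_ip = 127.0.0.1
local_port = 3389
remote_port = 33389
"""

# Same config as FRP_ALPHA, staged on another host with cosmetic differences only.
FRP_ALPHA_VARIANT = """# staged copy
[common]
server_addr=192.0.2.10
server_port=7000
token=example-token-1
[rdp]
type=tcp
local_ip=127.0.0.1
local_port=3389
remote_port=33389
"""

FRP_BETA = """[common]
server_addr = 198.51.100.7
server_port = 7000
token = example-token-2
[ssh]
type = tcp
local_ip = 127.0.0.1
local_port = 22
remote_port = 6022
"""

# Constructed certificate fingerprints (sha256 over placeholder bytes, not real certs).
CERT_A = hashlib.sha256(b"constructed cert A").hexdigest()
CERT_B = hashlib.sha256(b"constructed cert B").hexdigest()
CERT_C = hashlib.sha256(b"constructed cert C").hexdigest()

# Constructed observables: host, TLS cert fingerprint, and any frpc config recovered from it.
OBSERVABLES = [
    {"host": "203.0.113.5",  "cert_sha256": CERT_A, "frpc": FRP_ALPHA},
    {"host": "203.0.113.9",  "cert_sha256": CERT_B, "frpc": FRP_ALPHA_VARIANT},
    {"host": "203.0.113.17", "cert_sha256": CERT_B, "frpc": None},      # linked only via cert
    {"host": "203.0.113.42", "cert_sha256": CERT_C, "frpc": FRP_BETA},  # unrelated
]


def frpc_config_hash(text: str) -> str:
    """Hash an frpc.ini config after dropping comments/blank lines and normalizing
    whitespace and key case, so staged copies with cosmetic edits hash identically."""
    lines = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("["):
            lines.append(line.lower())
        else:
            key, _, value = line.partition("=")
            lines.append(f"{key.strip().lower()}={value.strip()}")
    return hashlib.sha256("\n".join(lines).encode()).hexdigest()


def pivot_keys(observables):
    """Map each attribute to the hosts carrying it; attributes seen on a single
    host are dropped because they give nothing to pivot on."""
    index = defaultdict(set)
    for o in observables:
        if o.get("cert_sha256"):
            index[("cert", o["cert_sha256"])].add(o["host"])
        if o.get("frpc"):
            index[("frpc", frpc_config_hash(o["frpc"]))].add(o["host"])
    return {k: v for k, v in index.items() if len(v) > 1}


def cluster_hosts(observables):
    """Union-find over hosts: any two hosts sharing a cert fingerprint or an
    identical FRP config end up in one cluster. Returns sorted clusters."""
    parent = {o["host"]: o["host"] for o in observables}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for hosts in pivot_keys(observables).values():
        ordered = sorted(hosts)
        for h in ordered[1:]:
            parent[find(h)] = find(ordered[0])
    groups = defaultdict(list)
    for h in parent:
        groups[find(h)].append(h)
    return sorted(sorted(g) for g in groups.values())


if __name__ == "__main__":
    for (kind, value), hosts in sorted(pivot_keys(OBSERVABLES).items()):
        print(f"{kind} {value[:12]}... shared by {', '.join(sorted(hosts))}")
    for cluster in cluster_hosts(OBSERVABLES):
        print("cluster:", ", ".join(cluster))
```

In the constructed data, 203.0.113.5 and 203.0.113.9 are joined by the identical FRP config and 203.0.113.9 and 203.0.113.17 by the shared certificate, so all three land in one cluster while 203.0.113.42 stays alone; the same two-hop reasoning is what turns a single known FRP node or certificate into a wider set of candidate infrastructure to monitor.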