A Deep Dive into the Digital Weapons of the North Korean Cyber Army

2017-08-24 Ashley Shen

http://gsec.hitb.org/materials/sg2017/D1%20-%20Ashley%20Shen%20and%20Moonbeom%20Park%20-%20A%20Deep%20Dive%20into%20the%20Digital%20Weapons%20of%20the%20North%20Korean%20Cyber%20Army.pdf

Attachments

A_Deep_Dive_into_the_Digital_Weapons_of_the_North_Korean_Cyber_Army.pdf (24 MB)

Ashley Shen and Moonbeom Park's HITB slide deck surveys North Korean cyber operations across Lazarus, Bluenoroff, and Andariel, framing DPRK activity around social disruption, financial theft, and intelligence collection. It highlights reused malware “lego” code and case studies including Trojan Alphanc, Rifdoor/Rifle, Phandoor, GhostRAT, DesertWolf, and VANATM. The deck describes delivery through software vulnerabilities, watering-hole compromises, spear-phishing, HWP exploit documents, and malicious Office macros, with examples tied to South Korean organizations, financial targets, ATM infrastructure, and Bitcoin companies. It includes concrete C2 and malware artifacts, such as Alphanc C2 IPs and an AsdfDoor download URL/hash, to show how shared tooling links DPRK campaigns.

Indicators of Compromise

Type Value First Seen Last Seen
IPv4 220.132.191.110 2016-07-28 2017-12-12
HASH 7caa500b60a536d7501e7a6c02408538 2017-08-24 2017-08-24
URL http://wonik.com/data/file/s10/… 2017-08-24 2017-08-24
DOMAIN wonik.com 2017-08-24 2017-08-24
IPv4 202.137.244.198 2016-07-28 2016-07-28
IPv4 190.185.124.125 2016-07-28 2016-07-28