Analysis of Attack Strategies Targeting Centralized Management Solutions
2025-01-21 • KRCERT
https://jsac.jpcert.or.jp/archive/2025/pdf/JSAC2025_1_7_dongwook-kim_seulgi-lee_en.pdf
The JSAC 2025 presentation by KrCERT analyzes attacks on centralized management solutions (software used to push updates, files and commands to many managed endpoints) by separating two bodies of evidence: activity on infrastructure the attackers leased for themselves, and activity inside victim environments. On the leased infrastructure the source describes a retained Google account, North Korean wording, access to Korean Central News Agency content from Japan, RDP brute forcing, Python-based vulnerability scanning, Shodan searches, malware development, and zero-day research carried out with stolen source code and protected virtual machine images. In victim environments the attackers abused public-facing management software: they created administrator accounts through an authentication bypass, used the product's deployment function to push malware to managed endpoints, weakened the application's SQL injection filtering, uploaded web shells, cleared logs, dumped credentials, and used RID hijacking (rewriting the relative identifier stored for a local account in the SAM so that it logs on with the Administrator account's privileges) to keep backdoor access. The evidence supports tracking this centralized-management abuse as one cluster with North Korea-linked artifacts while stopping short of a definitive Lazarus attribution.
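The RID hijacking backdoor mentioned above is detectable offline from the SAM hive, because each local account lives under a subkey named with its hex RID while the RID the account actually logs on with is stored inside that key's binary "F" value. The check below is an added example written for this page, not code from the presentation or from KrCERT. It assumes the layout documented for the public RID hijacking technique (the RID as a little-endian DWORD at offset 0x30 of the F value, the bytes that tools such as Metasploit's rid_hijack module overwrite) and takes its input as a plain dict of subkey name to F bytes, the form a forensic hive parser or an offline registry export would give you. The sample accounts are constructed, not taken from any victim.

```python
import struct

# Offset of the little-endian DWORD RID inside a SAM user key's "F" value
# (HKLM\SAM\SAM\Domains\Account\Users\<hex RID>\F). The public RID hijacking
# technique overwrites these four bytes so a low-privilege account logs on
# with the RID of Administrator (500). Assumption: offset per public write-ups.
F_RID_OFFSET = 0x30
ADMIN_RID = 500


def build_f_value(rid: int, size: int = 0x50) -> bytes:
    """Construct a minimal F value for test data: zero-filled, RID at 0x30.
    Real F values also carry logon timestamps and ACB flags, which this
    check does not need, so they are left as zeros here."""
    f = bytearray(size)
    struct.pack_into("<I", f, F_RID_OFFSET, rid)
    return bytes(f)


def parse_f_rid(f_value: bytes) -> int:
    """Return the RID stored inside an F value."""
    if len(f_value) < F_RID_OFFSET + 4:
        raise ValueError("F value too short to contain a RID")
    return struct.unpack_from("<I", f_value, F_RID_OFFSET)[0]


def find_rid_hijacks(user_keys: dict) -> list:
    """Flag user keys whose stored RID differs from the RID in the key name.

    user_keys maps each subkey name under ...\\Account\\Users (the hex RID,
    e.g. "000003E8") to that key's F value bytes. Each finding records the
    RID the key name claims, the RID the account will really log on with,
    and which key legitimately owns that RID (the impersonated account).
    """
    stored = {name: parse_f_rid(f) for name, f in user_keys.items()}
    findings = []
    for name, stored_rid in stored.items():
        key_rid = int(name, 16)
        if stored_rid == key_rid:
            continue  # consistent key: nothing rewritten
        owners = [n for n, r in stored.items()
                  if r == stored_rid and int(n, 16) == stored_rid]
        findings.append({
            "key": name,
            "key_rid": key_rid,
            "stored_rid": stored_rid,
            "impersonates": owners,
            "admin": stored_rid == ADMIN_RID,
        })
    return findings


# Constructed sample, not data from the presentation: three consistent
# accounts and one whose F value has been rewritten to RID 500.
SAMPLE_USER_KEYS = {
    "000001F4": build_f_value(0x1F4),      # Administrator (500)
    "000001F5": build_f_value(0x1F5),      # Guest (501)
    "000003E8": build_f_value(0x3E8),      # ordinary local user (1000)
    "000003E9": build_f_value(ADMIN_RID),  # hijacked: key says 1001, F says 500
}


if __name__ == "__main__":
    for finding in find_rid_hijacks(SAMPLE_USER_KEYS):
        print(f"key {finding['key']} (RID {finding['key_rid']}) logs on as RID "
              f"{finding['stored_rid']}, owned by {finding['impersonates']}"
              f"{' [ADMINISTRATOR]' if finding['admin'] else ''}")
```

The Users subkeys are readable only as SYSTEM on a live host, so the practical workflow is to acquire the SAM hive (or read it with an offline parser) and feed the F values in; a mismatch where the stored RID is 500 is the classic backdoor, but any mismatch is worth explaining, since a key and its F value never disagree on a healthy system.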