Astrill VPN: Silent Push Publicly Releases New IPs on VPN Service Heavily Used by North Korean Threat Actors

2025-02-28 Silentpush

https://www.silentpush.com/blog/astrill-vpn/


Silent Push reports that Lazarus-linked operators, including the Contagious Interview campaign (also tracked as Famous Chollima) and the DPRK fake IT worker actors, continue to use Astrill VPN to mask their true locations. Infrastructure and logs acquired from Contagious Interview operations showed Astrill references during the actors' setup testing, and Silent Push identified 27 unique Astrill VPN IP addresses tied to those records. The post also connects the pattern to prior Mandiant and Recorded Future research and to reporting on BlueNoroff, including Bybit-themed infrastructure and Astrill IPs observed around Lazarus activity. The table below carries only the indicators captured on this page (twelve IPv4 addresses, two domains and one e-mail address); the full set of 27 Astrill IPs is in the linked post.

Indicators of Compromise

Type    Value                      First Seen   Last Seen
IPv4    167.88.61.250              2025-02-28   2026-03-15
IPv4    134.195.197.175            2025-02-28   2026-01-21
IPv4    172.96.141.172             2025-02-28   2026-01-21
IPv4    103.130.145.210            2025-02-28   2026-01-21
IPv4    91.239.130.102             2025-02-25   2026-01-21
EMAIL   [email protected]          2025-02-25   2025-12-16
DOMAIN  bybit-assessment.com       2025-02-25   2025-12-10
IPv4    104.223.97.2               2024-09-23   2025-12-03
DOMAIN  astrill.com                2025-02-28   2025-02-28
IPv4    172.93.100.166             2025-02-28   2025-02-28
IPv4    104.129.22.2               2025-02-28   2025-02-28
IPv4    169.57.129.31              2025-02-28   2025-02-28
IPv4    113.20.30.139              2025-02-28   2025-02-28
IPv4    169.38.132.135             2025-02-28   2025-02-28
IPv4    185.108.128.54             2025-02-28   2025-02-28
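The practical use of a list like this is a retrospective sweep of authentication, mail and DNS logs for the listed addresses and domains. The script below is an added example written for this page, not Silent Push's tooling: it loads the IPv4 and domain indicators from the table above (the e-mail address is omitted because it is obfuscated on this page), extracts candidate IPv4 addresses and hostnames from syslog-style lines, validates each address with the standard library so regex false positives such as 256.1.1.1 are discarded, and matches domains including their subdomains (www.astrill.com against astrill.com). The log lines are constructed for the example; the hostnames, usernames and private addresses in them are assumptions.

```python
import ipaddress
import re
from typing import Iterable, List, NamedTuple, Set

# IPv4 indicators exactly as listed in the table above.
ASTRILL_IOC_IPS: Set[str] = {
    "167.88.61.250", "134.195.197.175", "172.96.141.172", "103.130.145.210",
    "91.239.130.102", "104.223.97.2", "172.93.100.166", "104.129.22.2",
    "169.57.129.31", "113.20.30.139", "169.38.132.135", "185.108.128.54",
}

# Domain indicators from the table. astrill.com is the VPN provider's own site,
# so a hit there means a host talked to Astrill, not to actor-controlled infrastructure.
IOC_DOMAINS: Set[str] = {"bybit-assessment.com", "astrill.com"}

# Loose candidate patterns; ipaddress.ip_address() does the real IPv4 validation.
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.IGNORECASE)

# Constructed sample log lines (not real data): sshd, BIND query log and postfix.
SAMPLE_LOGS = [
    "Feb 28 09:14:02 bastion sshd[2211]: Accepted publickey for deploy from 10.0.4.17 port 51022 ssh2",
    "Feb 28 09:15:40 bastion sshd[2230]: Accepted password for contractor7 from 172.96.141.172 port 40210 ssh2",
    "Feb 28 09:16:03 resolver named[77]: client 10.0.4.17#5353: query: www.astrill.com IN A +",
    "Feb 28 09:17:55 mailgw postfix/smtpd[910]: connect from unknown[104.223.97.2]",
    "Feb 28 09:18:10 resolver named[77]: client 10.0.4.22#5353: query: bybit-assessment.com IN A +",
    "Feb 28 09:19:31 bastion sshd[2251]: Failed password for root from 203.0.113.9 port 33001 ssh2",
]


class Hit(NamedTuple):
    line_no: int    # 1-based index of the matching log line
    kind: str       # "ipv4" or "domain"
    indicator: str  # the indicator from the table that matched
    line: str       # the full log line, for the analyst's context


def scan_lines(lines: Iterable[str],
               ioc_ips: Set[str] = ASTRILL_IOC_IPS,
               ioc_domains: Set[str] = IOC_DOMAINS) -> List[Hit]:
    """Return every indicator match found in the given log lines, in line order."""
    hits: List[Hit] = []
    for line_no, line in enumerate(lines, 1):
        for candidate in IPV4_RE.findall(line):
            try:
                ip = ipaddress.ip_address(candidate)
            except ValueError:
                continue  # regex matched something like 256.1.1.1; not an address
            if str(ip) in ioc_ips:
                hits.append(Hit(line_no, "ipv4", str(ip), line))
        for candidate in DOMAIN_RE.findall(line):
            name = candidate.lower().rstrip(".")
            for ioc in ioc_domains:
                # exact match or any subdomain of the listed domain
                if name == ioc or name.endswith("." + ioc):
                    hits.append(Hit(line_no, "domain", ioc, line))
                    break
    return hits


def scan_sample_logs() -> List[Hit]:
    """Run the sweep over the constructed sample lines."""
    return scan_lines(SAMPLE_LOGS)


if __name__ == "__main__":
    for hit in scan_sample_logs():
        print(f"line {hit.line_no}: {hit.kind} {hit.indicator} <- {hit.line}")
```

Treat a hit as a lead, not a verdict. Astrill is a commercial VPN with ordinary subscribers, so a login from one of these addresses establishes only that the session egressed through Astrill; it becomes interesting when the account is a remote contractor, a new hire, or a candidate in an assessment process, which is exactly the context the post describes. The First Seen and Last Seen columns bound how far back the sweep is worth running.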
