Bluenoroff (APT38) Live Infrastructure Hunting
2025-06-23 • Darkatlas
https://darkatlas.io/blog/bluenoroff-apt38-live-infrastructure-hunting
Dark Atlas frames Bluenoroff, also known as APT38, as a financially motivated North Korean subgroup of Lazarus linked to the Reconnaissance General Bureau and focused on banks, SWIFT endpoints, casinos, ATMs, and cryptocurrency platforms.

The hunt starts from 104.168.151.116 and pivots on HTTP 404 response traits, JARM fingerprints, Hostwinds Seattle hosting, and structurally similar phishing-domain resolutions to identify additional suspected infrastructure. The post lists related IPs including 192.119.116.231, 140.82.20.246, 156.154.132.200, 198.57.247.218, 192.64.119.169, and 198.54.117.242, with noted resolutions such as bellezalatam.com and amirani.chat.

A macOS sample named localfile~.x64, SHA-256 dbe48dc08216850e93082b4d27868a7ca51656d9e55366f2642fc5106e3af980, is described as Cosmic Rust malware communicating with C2 at 104.168.136.24, extending the infrastructure hunting lead into malware telemetry.
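The pivot described above (a seed IP, then candidates that share its TLS stack, its 404 error page, and its hosting provider) can be expressed as a small scoring pass over scan results. The example below is added here and is not Dark Atlas tooling; the page names the pivots but does not publish the fingerprint values, so every JARM string, 404 body, header set, and hosting label is a constructed placeholder, and the candidate addresses are RFC 5737 documentation IPs rather than the page's IOCs. Only the seed IP comes from the post.

```python
"""Pivot from a seed C2 IP on shared server fingerprints.

Added example, not the Dark Atlas tooling.  JARM values, 404 bodies,
headers and hosting labels are CONSTRUCTED placeholders; candidate IPs
are RFC 5737 documentation addresses.  Only SEED_IP is from the page.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, List

SEED_IP = "104.168.151.116"  # starting point of the hunt, from the page

# Header values that change per request and must not enter the fingerprint
VOLATILE_HEADERS = {"date", "content-length", "etag", "last-modified", "set-cookie"}


@dataclass
class ScanRecord:
    ip: str
    jarm: str                # JARM TLS fingerprint (placeholder string here)
    status_line: str         # e.g. "HTTP/1.1 404 Not Found"
    headers: Dict[str, str]  # in the order the server sent them
    body: bytes              # raw body of the 404 response
    org: str                 # hosting org from WHOIS/ASN (placeholder)


def http404_fingerprint(rec: ScanRecord) -> str:
    """Hash the traits of a 404 page that stay stable for one server
    template: status line, header names in order, non-volatile header
    values, and the body with all whitespace stripped (deployments of
    the same template often differ only in indentation)."""
    parts = [rec.status_line.strip(), "|".join(k.lower() for k in rec.headers)]
    for k, v in rec.headers.items():
        if k.lower() not in VOLATILE_HEADERS:
            parts.append(f"{k.lower()}:{v.strip()}")
    parts.append(b"".join(rec.body.split()).decode("utf-8", "replace"))
    return hashlib.sha256("\n".join(parts).encode()).hexdigest()[:16]


def score_candidate(seed: ScanRecord, cand: ScanRecord) -> dict:
    """JARM and the 404 template are server-level traits (strong);
    a shared hosting org is weak on its own and only tips the balance."""
    reasons: List[str] = []
    score = 0
    if cand.jarm == seed.jarm:
        score += 2
        reasons.append("jarm")
    if http404_fingerprint(cand) == http404_fingerprint(seed):
        score += 2
        reasons.append("http404")
    if cand.org == seed.org:
        score += 1
        reasons.append("hosting")
    return {"ip": cand.ip, "score": score, "reasons": reasons}


def pivot(seed: ScanRecord, records: List[ScanRecord], threshold: int = 3) -> List[dict]:
    """Candidates sharing enough traits with the seed, strongest first.
    With threshold 3 a single strong trait or hosting alone never qualifies."""
    hits = [score_candidate(seed, r) for r in records if r.ip != seed.ip]
    hits = [h for h in hits if h["score"] >= threshold]
    return sorted(hits, key=lambda h: (-h["score"], h["ip"]))


# Constructed scan data ------------------------------------------------------
TEMPLATE_A = b"<html><head><title>404 Not Found</title></head><body><h1>Not Found</h1></body></html>"
TEMPLATE_B = b"<html><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>"


def _hdrs(server: str, date: str, body: bytes) -> Dict[str, str]:
    return {"Server": server, "Date": date, "Content-Type": "text/html",
            "Content-Length": str(len(body))}


_BODY_A_INDENTED = TEMPLATE_A.replace(b"<body>", b"<body>\n  ")
RECORDS = [
    ScanRecord(SEED_IP, "JARM_A", "HTTP/1.1 404 Not Found",
               _hdrs("Apache", "Mon, 23 Jun 2025 10:00:00 GMT", TEMPLATE_A), TEMPLATE_A, "Hostwinds"),
    # same template with different indentation and Date: all three pivots match
    ScanRecord("192.0.2.10", "JARM_A", "HTTP/1.1 404 Not Found",
               _hdrs("Apache", "Tue, 24 Jun 2025 03:12:45 GMT", _BODY_A_INDENTED), _BODY_A_INDENTED, "Hostwinds"),
    # JARM matches, but a different 404 page on a different host: too weak alone
    ScanRecord("198.51.100.20", "JARM_A", "HTTP/1.1 404 Not Found",
               _hdrs("nginx", "Tue, 24 Jun 2025 03:13:01 GMT", TEMPLATE_B), TEMPLATE_B, "OtherHost"),
    # same 404 template and hosting, different TLS stack
    ScanRecord("198.51.100.30", "JARM_B", "HTTP/1.1 404 Not Found",
               _hdrs("Apache", "Tue, 24 Jun 2025 03:14:22 GMT", TEMPLATE_A), TEMPLATE_A, "Hostwinds"),
    # unrelated decoy
    ScanRecord("203.0.113.40", "JARM_C", "HTTP/1.1 404 Not Found",
               _hdrs("nginx", "Tue, 24 Jun 2025 03:15:09 GMT", TEMPLATE_B), TEMPLATE_B, "OtherHost"),
]


def run_hunt(threshold: int = 3) -> List[dict]:
    seed = next(r for r in RECORDS if r.ip == SEED_IP)
    return pivot(seed, RECORDS, threshold)


if __name__ == "__main__":
    for h in run_hunt():
        print(f'{h["ip"]:<16} score={h["score"]} via {",".join(h["reasons"])}')
```

Against the constructed data, 192.0.2.10 clears the threshold on all three traits and 198.51.100.30 on the 404 template plus hosting, while the JARM-only host and the decoy are dropped. The weighting is the practitioner's caveat: a JARM hash or a stock 404 page is shared by every default install of the same server software, so neither should be treated as attribution on its own, and a hosting provider match is weaker still.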
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| IPv4 | 198.54.117.242 | 2025-06-23 | 2026-04-08 |
| IPv4 | 156.154.132.200 | 2025-06-23 | 2026-03-31 |
| IPv4 | 192.119.116.231 | 2025-04-23 | 2025-12-17 |
| IPv4 | 104.168.151.116 | 2025-04-23 | 2025-12-17 |
| HASH | dbe48dc08216850e93082b4d27868a7… | 2025-06-23 | 2025-06-23 |
| DOMAIN | socialsuport.com | 2025-06-23 | 2025-06-23 |
| DOMAIN | bellezalatam.com | 2025-06-23 | 2025-06-23 |
| DOMAIN | hwsrv-587720.hostwindsdns.com | 2025-06-23 | 2025-06-23 |
| IPv4 | 140.82.20.246 | 2025-06-23 | 2025-06-23 |
| IPv4 | 192.64.119.169 | 2025-06-23 | 2025-06-23 |
| IPv4 | 104.168.136.24 | 2025-06-23 | 2025-06-23 |
| IPv4 | 198.57.247.218 | 2025-06-23 | 2025-06-23 |