Inside DPRK Operations: New Lazarus and Kimsuky Infrastructure Uncovered Across Global Campaigns
2025-12-17 • Hunt.io
https://hunt.io/blog/dprk-lazarus-kimsuky-infrastructure-uncovered
Hunt.io and Acronis mapped DPRK operational infrastructure spanning Lazarus, Kimsuky, and related North Korean activity by pivoting across IP addresses, open directories, certificates, and file hashes. The research found recurring infrastructure habits that connected clusters across campaigns: exposed staging directories, credential-theft kits, FRP (fast reverse proxy) tunneling nodes, repeated hosting choices, and certificate reuse.

One hunt tied Lazarus infrastructure to a Linux BADCALL variant hosted on 23.27.140[.]49. The sample behaves like earlier BADCALL samples but adds a logging feature that writes to /tmp/sslvpn.log, apparently for operational tracking.

Another hunt connected Lazarus DeceptiveDevelopment activity to open directories hosting credential-recovery tools such as MailPassView and WebBrowserPassView, alongside larger toolsets that included Quasar RAT components, browser credential extractors, rclone, and file-transfer utilities.
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| HASH | ff32bc1c756d560d8a9815db458f438… | 2025-09-01 | 2026-04-03 |
| IPv4 | 23.27.140.49 | 2025-10-30 | 2026-02-24 |
| HASH | a5350b1735190a9a275208193836432… | 2025-12-17 | 2025-12-17 |
| HASH | a3876a2492f3c069c0c2b2f155b4c42… | 2025-12-17 | 2025-12-17 |
| IPv4 | 182.136.123.102 | 2025-12-17 | 2025-12-17 |
| IPv4 | 104.168.198.145 | 2025-12-17 | 2025-12-17 |
| IPv4 | 192.236.176.164 | 2025-12-17 | 2025-12-17 |
| IPv4 | 149.28.139.62 | 2025-12-17 | 2025-12-17 |
| IPv4 | 192.236.233.165 | 2025-12-17 | 2025-12-17 |
| IPv4 | 182.136.120.52 | 2025-12-17 | 2025-12-17 |
| IPv4 | 207.254.22.248 | 2025-12-17 | 2025-12-17 |
| IPv4 | 154.216.177.215 | 2025-12-17 | 2025-12-17 |
| IPv4 | 192.236.236.100 | 2025-12-17 | 2025-12-17 |
| IPv4 | 118.123.54.71 | 2025-12-17 | 2025-12-17 |
| IPv4 | 125.65.88.195 | 2025-12-17 | 2025-12-17 |
| IPv4 | 119.6.56.194 | 2025-12-17 | 2025-12-17 |
| IPv4 | 61.139.89.11 | 2025-12-17 | 2025-12-17 |
| IPv4 | 23.27.177.183 | 2025-12-17 | 2025-12-17 |
| IPv4 | 119.6.121.143 | 2025-12-17 | 2025-12-17 |
| IPv4 | 125.67.171.158 | 2025-12-17 | 2025-12-17 |
| IPv4 | 23.254.164.50 | 2025-12-17 | 2025-12-17 |
| IPv4 | 192.236.233.162 | 2025-12-17 | 2025-12-17 |
| IPv4 | 23.254.128.114 | 2025-12-17 | 2025-12-17 |
| IPv4 | 192.236.146.20 | 2025-10-28 | 2025-12-17 |
| HASH | 85045d9898d28c9cdc4ed0ca5d76ece… | 2025-09-01 | 2025-12-17 |
| HASH | 36541fad68e79cdedb965b1afcdc453… | 2025-07-22 | 2025-12-17 |
| HASH | bc7bd27e94e24a301edb3d3e7fad982… | 2025-07-22 | 2025-12-17 |
| IPv4 | 192.119.116.231 | 2025-04-23 | 2025-12-17 |
| IPv4 | 104.168.151.116 | 2025-04-23 | 2025-12-17 |
| IPv4 | 192.236.146.22 | 2025-04-23 | 2025-12-17 |
| HASH | 24d5dd3006c63d0f46fb33cbc1f5763… | 2023-04-20 | 2025-12-17 |
| HASH | cc307cfb401d1ae616445e78b610ab7… | 2023-04-20 | 2025-12-17 |
| IPv4 | 23.254.211.230 | 2023-04-20 | 2025-12-17 |
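As an added example (not Hunt.io's or Acronis's code), the following Python matches indicators from the table above against constructed log lines. It refangs defanged values such as 23.27.140[.]49 so prose and log forms compare equal, treats the truncated hashes (printed with "…" on this page) as prefix-only matches that must be confirmed against the full hash, anchors IP matches on token boundaries so 123.27.140.49 does not hit 23.27.140.49, and checks file events for the /tmp/sslvpn.log path from the BADCALL description. The hosts, internal addresses, and the 64-character hash in the sample logs are constructed placeholders; only the table rows and the path come from the page.

```python
"""Match IOCs from the Hunt.io table against sample log lines (added example).

A naive grep gets two things wrong here: defanged indicators never match, and
a truncated hash silently matches nothing. Both are handled explicitly below.
"""
import re

# Constructed excerpt of the page's IOC table; values copied as printed there.
IOC_TABLE = """\
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| HASH | ff32bc1c756d560d8a9815db458f438… | 2025-09-01 | 2026-04-03 |
| IPv4 | 23.27.140.49 | 2025-10-30 | 2026-02-24 |
| IPv4 | 192.236.146.20 | 2025-10-28 | 2025-12-17 |
"""

# Host artifact named in the page's prose for the Linux BADCALL variant.
HOST_ARTIFACTS = ["/tmp/sslvpn.log"]

# Constructed log lines: hypothetical hosts and addresses, not from the report.
SAMPLE_LOGS = [
    "2025-12-18T03:14:07Z conn src=10.0.5.23 dst=23.27.140.49 dport=443",
    "2025-12-18T03:14:09Z note analyst pasted dst=23.27.140[.]49 from ticket",
    "2025-12-18T03:15:00Z conn src=10.0.5.24 dst=123.27.140.49 dport=443",
    "2025-12-18T03:20:00Z file host=build-07 sha256="
    "ff32bc1c756d560d8a9815db458f438" + "0" * 33,  # constructed 64-hex value
    "2025-12-18T03:21:00Z file host=build-07 path=/tmp/sslvpn.log action=create",
    "2025-12-18T03:22:00Z conn src=10.0.5.25 dst=8.8.8.8 dport=53",
]

# Whole dotted-quad only: no digit or dot may touch either end of the match.
IP_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")
# MD5 / SHA-1 / SHA-256 sized hex tokens, longest alternative tried last.
HASH_RE = re.compile(r"\b[0-9a-f]{32}\b|\b[0-9a-f]{40}\b|\b[0-9a-f]{64}\b")


def refang(value):
    """Undo common defanging so table values and log values compare equal."""
    return (value.replace("[.]", ".").replace("(.)", ".")
                 .replace("hxxp", "http"))


def parse_ioc_table(text):
    """Parse the markdown IOC table; mark values ending in '…' as truncated."""
    iocs = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4 or cells[0] == "Type" or cells[0].startswith("-"):
            continue
        value = cells[1]
        truncated = value.endswith("…")
        iocs.append({
            "type": cells[0],
            "value": refang(value.rstrip("…")).lower(),
            "truncated": truncated,
            "last_seen": cells[3],  # kept so stale indicators can be aged out
        })
    return iocs


def scan(log_lines, iocs, artifacts=HOST_ARTIFACTS):
    """Return (line_no, indicator, confidence) for every hit in log_lines."""
    by_type = {}
    for ioc in iocs:
        by_type.setdefault(ioc["type"], []).append(ioc)
    hits = []
    for n, raw in enumerate(log_lines, 1):
        line = refang(raw).lower()
        for ip in IP_RE.findall(line):
            for ioc in by_type.get("IPv4", []):
                if ip == ioc["value"]:
                    hits.append((n, ioc["value"], "confirmed"))
        for h in HASH_RE.findall(line):
            for ioc in by_type.get("HASH", []):
                if ioc["truncated"] and h.startswith(ioc["value"]):
                    # 31 hex chars is a strong prefix, but not proof; the page
                    # does not even say which hash algorithm the value is from.
                    hits.append((n, ioc["value"] + "…",
                                 "prefix-only; verify full hash"))
                elif not ioc["truncated"] and h == ioc["value"]:
                    hits.append((n, ioc["value"], "confirmed"))
        for art in artifacts:
            if art in raw:
                hits.append((n, art, "host artifact; confirm with sample"))
    return hits


if __name__ == "__main__":
    for line_no, indicator, confidence in scan(SAMPLE_LOGS, parse_ioc_table(IOC_TABLE)):
        print(f"line {line_no}: {indicator} ({confidence})")
```

The prefix-only label matters operationally: a 31-character prefix is enough to triage on, but escalation should wait until the full hash is pulled from the original report or the sample itself, and the table's Last Seen column is carried through so indicators past their useful life can be retired from the matcher.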