MoonPeak malware from North Korean actors unveils new details on attacker infrastructure
2024-08-21 • Cisco Talos
https://blog.talosintelligence.com/moonpeak-malware-infrastructure-north-korea/
Cisco Talos attributes MoonPeak activity to UAT-5394, a North Korea-nexus cluster it tracks separately from Kimsuky because the overlap between the two is not yet technically conclusive. The actor forked XenoRAT into the MoonPeak RAT and used staging servers, C2 servers, payload-hosting servers, and test VMs to build and validate implants. Talos observed UAT-5394 shifting from cloud storage to attacker-owned servers after AhnLab's disclosure, including 95.164.86.148 and 167.88.173.173, which served as MoonPeak C2 and as pivot points into the rest of the infrastructure. The report also notes overlap with QuasarRAT and the use of VPN access to administer the infrastructure, giving defenders concrete hosting and administration patterns to hunt for.
Indicators of Compromise