MoonPeaking Into Kimsuky Operations
2025-04-11 • Cyber Blade
https://cyberbladesecurity.com/moonpeaking-into-kimsuky-operations/
CyberBlade Security expands on Cisco Talos research into MoonPeak, a XenoRAT adaptation, by mapping infrastructure tied to Kimsuky and broader DPRK cyber activity. The excerpt describes shared hosting patterns, reused codebases, response-hash pivots, and consistent technology stacks that blur boundaries between Kimsuky, Lazarus Group, and BlueNoroff. The mapped C2 infrastructure spans strategically important IP netblocks and includes domains impersonating South Korean public services and Western corporations. The activity is linked to spearphishing against South Korean users, targeting of the Saudi Ministry of Foreign Affairs, RDP certificate use, open-directory exposure, and Apple- or Google-themed lures. The findings matter because they suggest either shared infrastructure or centralized coordination across North Korean cyber units, complicating attribution and defensive tracking.