Phishing by Appointment: Suspected North Korean Hackers Target Blockchain Community Via Telegram
2024-02-28 • Hunt.io
https://hunt.io/blog/suspected-north-korean-hackers-target-blockchain-community-via-telegram
Hunt tracked a suspected North Korean phishing campaign that targeted blockchain and angel-investing communities through Telegram. The actor posed as an investment-firm representative, built trust with entrepreneurs, arranged a meeting, then used a fake "restricted meeting" error to persuade victims to run a malicious AppleScript named IP_Request.scpt. The script fetched follow-on commands from support.internal-meeting.site, part of an infrastructure cluster that used Hostwinds servers, Let's Encrypt certificates, meeting-themed domains, and RDP certificate naming patterns. Hunt connected the activity to Lazarus-adjacent tradecraft and noted overlaps with Bluenoroff, APT38, and Black Alicanto infrastructure patterns.
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| DOMAIN | linkpc.net | 2017-12-19 | 2026-01-14 |
| DOMAIN | support.internal-meeting.site | 2024-02-28 | 2024-10-30 |
| IPv4 | 104.168.137.21 | 2023-12-06 | 2024-07-15 |
| URL | https://support.internal-meetin… | 2024-02-28 | 2024-02-28 |
| DOMAIN | udaviemayas.com | 2024-02-28 | 2024-02-28 |
| DOMAIN | dun.wndlwndmfe.xyz | 2024-02-28 | 2024-02-28 |
| DOMAIN | support.video-meet.xyz | 2024-02-28 | 2024-02-28 |
| DOMAIN | secure.paycount.webbs-informati… | 2024-02-28 | 2024-02-28 |
| IPv4 | 23.254.129.6 | 2024-02-28 | 2024-02-28 |
| IPv4 | 142.11.212.104 | 2024-02-28 | 2024-02-28 |
| IPv4 | 104.168.163.124 | 2024-02-28 | 2024-02-28 |
| IPv4 | 104.168.163.149 | 2024-02-28 | 2024-02-28 |
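One way a defender can turn the chain summarised above into a detection, as an added example that is not from Hunt's report: it pairs an osascript launch of a .scpt from a user-writable path (the IP_Request.scpt stage) with traffic, on the same host and within a short window, to a listed indicator or to a meeting-themed hostname of the kind the cluster used. The domains and IPs come from the table above; the telemetry format, field names and sample events are constructed assumptions.

```python
import re
# Domains and IPs copied from the page's IoC table.
IOC_DOMAINS = {"support.internal-meeting.site", "support.video-meet.xyz",
               "udaviemayas.com", "dun.wndlwndmfe.xyz"}
IOC_IPS = {"104.168.137.21", "23.254.129.6", "142.11.212.104",
           "104.168.163.124", "104.168.163.149"}
# Meeting-themed hostnames: the lure naming pattern the report describes.
MEETING_THEME = re.compile(r"(^|[.-])(meeting|meet|video|conference)([.-]|$)", re.I)
WINDOW_SECONDS = 300  # pairing window between the script launch and the callback

def is_suspicious_script(ev):
    """osascript running a .scpt from a user-writable path, as with IP_Request.scpt."""
    return (ev["type"] == "process" and ev["image"].endswith("/osascript")
            and ev["arg"].endswith(".scpt")
            and ev["arg"].startswith(("/Users/", "/tmp/", "/private/tmp/")))

def network_hits(ev):
    """Tags for each indicator a network event matches (empty list if none)."""
    host, ip, hits = ev.get("host", ""), ev.get("ip", ""), []
    if host in IOC_DOMAINS:
        hits.append("ioc-domain:" + host)
    elif MEETING_THEME.search(host):
        hits.append("meeting-themed-host:" + host)
    if ip in IOC_IPS:
        hits.append("ioc-ip:" + ip)
    return hits

def correlate(events):
    """Alert when a suspicious .scpt launch is followed, on the same host and within
    WINDOW_SECONDS, by traffic to an indicator or a meeting-themed host."""
    alerts = []
    for s in (e for e in events if is_suspicious_script(e)):
        for later in events:
            delta = later["ts"] - s["ts"]
            if later["host_id"] == s["host_id"] and 0 <= delta <= WINDOW_SECONDS:
                if hits := network_hits(later):
                    alerts.append({"host_id": s["host_id"], "script": s["arg"], "indicators": hits})
    return alerts

# Constructed sample telemetry (not from the report); ts is seconds from an arbitrary epoch.
SAMPLE = [
    {"ts": 0, "host_id": "mac-01", "type": "process", "image": "/usr/bin/osascript",
     "arg": "/Users/alice/Downloads/IP_Request.scpt"},
    {"ts": 20, "host_id": "mac-01", "type": "network",
     "host": "support.internal-meeting.site", "ip": "104.168.137.21"},
    {"ts": 60, "host_id": "mac-02", "type": "process", "image": "/usr/bin/osascript",
     "arg": "/Library/Scripts/nightly.scpt"},
    {"ts": 120, "host_id": "mac-02", "type": "network", "host": "updates.example.com", "ip": "203.0.113.5"},
]
```

Running `correlate(SAMPLE)` yields a single alert for mac-01; the benign host produces none because its script runs from a system path and its traffic matches no indicator or theme.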