Russian Infrastructure Plays Crucial Role in North Korean Cybercrime Operations
2025-04-23 • Trend Micro
https://www.trendmicro.com/en_us/research/25/d/russian-infrastructure-north-korean-cybercrime.html
Trend Micro links Void Dokkaebi, also tracked as Famous Chollima, to North Korea-aligned cybercrime activity routed through Russian IP ranges assigned around Khasan and Khabarovsk. The infrastructure is hidden behind VPN, proxy, VPS and RDP layers and is used to reach job platforms, collaboration tools and cryptocurrency services. Trend Micro assesses that DPRK IT workers connect through these ranges from countries including China, Russia and Pakistan, while related activity targets software professionals with fake cryptocurrency and Web3 job interviews. The reporting also ties the cluster to Beavertail command-and-control setup material and wallet password-cracking activity, showing how DPRK operations combine remote-worker fraud, malware delivery and crypto-theft infrastructure.
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| IPv4 | 188.43.33.252 | 2025-04-23 | 2026-01-21 |
| IPv4 | 188.43.33.250 | 2025-04-23 | 2025-09-17 |
| IPv4 | 175.45.176.21 | 2025-01-06 | 2025-07-16 |
| IPv4 | 188.43.136.116 | 2025-01-06 | 2025-07-16 |
| IPv4 | 175.45.176.22 | 2025-01-06 | 2025-07-16 |
| IPv4 | 188.43.136.115 | 2025-01-06 | 2025-07-16 |
| DOMAIN | blocknovas.com | 2025-04-23 | 2025-04-25 |
| IPv4 | 188.43.33.251 | 2025-04-23 | 2025-04-25 |
| DOMAIN | mail.blocknovas.com | 2025-04-23 | 2025-04-24 |
| IPv4 | 167.88.39.141 | 2025-04-23 | 2025-04-24 |
| IPv4 | 188.43.33.249 | 2025-04-23 | 2025-04-23 |
| IPv4 | 188.43.33.253 | 2025-04-23 | 2025-04-23 |
| IPv4 | 95.164.18.177 | 2025-04-23 | 2025-04-23 |
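An added example (not from the Trend Micro report) of how a defender would put the table above to work: it parses a subset of the rows in their markdown form, sweeps constructed proxy and DNS log lines for the IPs and domains (including subdomains of a listed domain), and flags hits whose event date falls outside the indicator's first/last-seen window so they can be triaged at lower confidence. The log format and the sample lines are assumptions made for the demo.

```python
# Added example: match proxy/DNS log lines against this page's IoC table.
import re
from datetime import date
# Subset of rows copied from the Indicators of Compromise table above.
IOC_TABLE = """
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| IPv4 | 188.43.33.252 | 2025-04-23 | 2026-01-21 |
| IPv4 | 175.45.176.21 | 2025-01-06 | 2025-07-16 |
| DOMAIN | blocknovas.com | 2025-04-23 | 2025-04-25 |
| DOMAIN | mail.blocknovas.com | 2025-04-23 | 2025-04-24 |
| IPv4 | 95.164.18.177 | 2025-04-23 | 2025-04-23 |
"""

# Constructed log lines (not real telemetry); each starts with an ISO-8601 timestamp.
SAMPLE_LOGS = [
    "2025-04-24T10:15:02Z proxy src=10.0.0.5 dst=188.43.33.252:3389 proto=tcp",
    "2025-04-24T10:16:40Z dns src=10.0.0.7 query=mail.blocknovas.com type=A",
    "2025-09-01T08:00:00Z proxy src=10.0.0.9 dst=95.164.18.177:443 proto=tcp",
    "2025-04-24T11:00:00Z proxy src=10.0.0.5 dst=10.1.2.3:443 proto=tcp",
]

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)

def parse_iocs(table):
    """Return {value: (type, first_seen, last_seen)} from the markdown rows."""
    iocs = {}
    for row in table.strip().splitlines():
        cells = [c.strip() for c in row.strip("|").split("|")]
        if len(cells) == 4 and cells[0] in ("IPv4", "DOMAIN"):  # skips header/separator
            typ, value, first, last = cells
            iocs[value.lower()] = (typ, date.fromisoformat(first), date.fromisoformat(last))
    return iocs

def match_line(line, iocs):
    """Return sorted [(indicator, in_window)] for one log line.
    A hostname hits a DOMAIN indicator when equal to it or a subdomain of it;
    in_window is False when the event date is outside first/last seen (treat
    as a lower-confidence hit, not a miss)."""
    seen_on = date.fromisoformat(line[:10])
    tokens = set(IP_RE.findall(line)) | {h.lower() for h in HOST_RE.findall(line)}
    hits = []
    for value, (typ, first, last) in iocs.items():
        if any(t == value or (typ == "DOMAIN" and t.endswith("." + value)) for t in tokens):
            hits.append((value, first <= seen_on <= last))
    return sorted(hits)

def scan_logs(lines, iocs):
    """Return [(line_index, indicator, in_window)] for every hit across the lines."""
    return [(i, ioc, ok) for i, ln in enumerate(lines) for ioc, ok in match_line(ln, iocs)]
```

Note that the DNS line produces two hits (the parent domain and the exact subdomain), and the September connection to 95.164.18.177 is reported with in_window=False because that address was only seen on 2025-04-23.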