The Infostealer to APT Pipeline: How Lazarus Group Hijacked a Yemen Disinformation Network
2025-12-12 • Hudson Rock
Hudson Rock links a RedLine Stealer infection on the Windows machine of a Yemeni disinformation operator to later Lazarus Group use of the same compromised news infrastructure. The infostealer log from that machine exposed WordPress and cPanel credentials for domains including alnagm-press.com, azal-press.com, and gulfnaw.com, which had been operated as part of a pro-Houthi fake media network. Citing Alyac/ESTsecurity analysis, the report says Lazarus/APT38 acquired or used those stolen credentials to hijack the aged news domains for command-and-control, malware delivery, or phishing activity against South Korean targets. The case matters because it shows how commodity infostealer logs can hand a state actor trusted, pre-aged infrastructure with an established reputation history, without registering fresh domains that domain-age and reputation filters are more likely to flag.
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| EMAIL | [email protected] | 2025-12-12 | 2025-12-12 |
| URL | https://azal-press.com/wp-login… | 2025-12-12 | 2025-12-12 |
| URL | https://alnagm-press.com/wp-adm… | 2025-12-12 | 2025-12-12 |
| URL | https://isr.gulfnaw.com/wp-logi… | 2025-12-12 | 2025-12-12 |
| DOMAIN | isr.gulfnaw.com | 2025-12-12 | 2025-12-12 |
| DOMAIN | gulfnaw.com | 2025-12-12 | 2025-12-12 |
| DOMAIN | azal-press.com | 2025-12-12 | 2025-12-12 |
| DOMAIN | alnagm-press.com | 2025-12-12 | 2025-12-12 |
| IPv4 | 175.110.9.173 | 2025-12-12 | 2025-12-12 |
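The table above is only useful if it is matched correctly against telemetry: the DOMAIN entries should catch subdomains on label boundaries (cdn.azal-press.com should hit azal-press.com, notgulfnaw.com should not hit gulfnaw.com), and the URL entries are truncated in the source, so they can only be used as prefixes. The following is an added example, not code from Hudson Rock or the report; it transcribes the DOMAIN, URL and IPv4 rows from this page (the redacted e-mail row is omitted because its value is not recoverable), assumes a simple key=value log format, and runs over constructed log lines that are not from any real environment.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlsplit

# IOC rows from this page, transcribed. The URL values are truncated in the
# source ("…"), so they are treated as prefixes rather than exact matches.
# The redacted e-mail row is omitted because its value is not recoverable.
IOC_TABLE = """\
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| URL | https://azal-press.com/wp-login… | 2025-12-12 | 2025-12-12 |
| URL | https://alnagm-press.com/wp-adm… | 2025-12-12 | 2025-12-12 |
| URL | https://isr.gulfnaw.com/wp-logi… | 2025-12-12 | 2025-12-12 |
| DOMAIN | isr.gulfnaw.com | 2025-12-12 | 2025-12-12 |
| DOMAIN | gulfnaw.com | 2025-12-12 | 2025-12-12 |
| DOMAIN | azal-press.com | 2025-12-12 | 2025-12-12 |
| DOMAIN | alnagm-press.com | 2025-12-12 | 2025-12-12 |
| IPv4 | 175.110.9.173 | 2025-12-12 | 2025-12-12 |
"""

# Constructed log lines in an assumed key=value format (not from any real
# environment). Lines 1-4 should hit; lines 5-6 are near-misses that a naive
# suffix or substring check would wrongly flag.
SAMPLE_LOG = """\
2025-12-13T09:14:02Z dns client=10.0.0.23 qname=isr.gulfnaw.com qtype=A
2025-12-13T09:14:05Z proxy client=10.0.0.23 method=POST url=https://isr.gulfnaw.com/wp-login.php status=200
2025-12-13T09:15:11Z dns client=10.0.0.41 qname=cdn.azal-press.com qtype=A
2025-12-13T09:16:40Z flow src=10.0.0.23 dst=175.110.9.173 dport=443
2025-12-13T09:17:03Z dns client=10.0.0.57 qname=notgulfnaw.com qtype=A
2025-12-13T09:18:22Z proxy client=10.0.0.57 method=GET url=https://example.com/wp-login.php status=200
"""

KV_RE = re.compile(r"(\w+)=(\S+)")
HOST_KEYS = {"qname", "host", "sni"}   # assumed field names for hostnames
IP_KEYS = {"src", "dst", "ip"}         # assumed field names for IP addresses


@dataclass
class IocSet:
    domains: set[str] = field(default_factory=set)
    url_prefixes: set[str] = field(default_factory=set)
    ipv4: set[str] = field(default_factory=set)


def parse_ioc_table(text: str) -> IocSet:
    """Parse a markdown IOC table in the page's layout into typed sets."""
    iocs = IocSet()
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) < 2 or cells[0] == "Type" or set(cells[0]) <= {"-"}:
            continue  # blank line, header row or separator row
        kind, value = cells[0].upper(), cells[1]
        if kind == "DOMAIN":
            iocs.domains.add(value.lower().rstrip("."))
        elif kind == "URL":
            # Drop the truncation marker; what remains is a known-good prefix.
            iocs.url_prefixes.add(value.rstrip("….").lower())
        elif kind == "IPV4":
            iocs.ipv4.add(value)
        # Any other indicator type (e.g. a redacted e-mail) is ignored here.
    return iocs


def host_matches(host: str, domains: set[str]) -> Optional[str]:
    """Return the most specific listed domain that host equals or sits under.

    Matching is done on label boundaries, so notgulfnaw.com does not match
    gulfnaw.com, while cdn.azal-press.com does match azal-press.com.
    """
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None


def match_log_line(line: str, iocs: IocSet) -> list[str]:
    """Return the sorted, de-duplicated IOC values that one log line hits."""
    hits: set[str] = set()
    for key, value in KV_RE.findall(line):
        if key == "url":
            url = value.lower()
            hits.update(p for p in iocs.url_prefixes if url.startswith(p))
            d = host_matches(urlsplit(url).hostname or "", iocs.domains)
            if d:
                hits.add(d)
        elif key in HOST_KEYS:
            d = host_matches(value, iocs.domains)
            if d:
                hits.add(d)
        elif key in IP_KEYS and value in iocs.ipv4:
            hits.add(value)
    return sorted(hits)


def scan_logs(lines, iocs: IocSet) -> list[tuple[str, list[str]]]:
    """Return (line, hits) for every line that matches at least one IOC."""
    out = []
    for line in lines:
        hits = match_log_line(line, iocs)
        if hits:
            out.append((line, hits))
    return out


if __name__ == "__main__":
    iocs = parse_ioc_table(IOC_TABLE)
    for line, hits in scan_logs(SAMPLE_LOG.splitlines(), iocs):
        print(hits, "<-", line)
```

Two caveats when using the table this way. Every First Seen and Last Seen value equals the report's publication date, so the dates carry no information about when the domains were actually abused and should not be used to age out matches. And because the hijacked domains had a legitimate-looking history as news sites, a hit on a DOMAIN entry is a triage lead rather than proof of Lazarus activity on its own; the URL prefixes (WordPress login and admin paths) are the sharper signal.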