T1102.001 - DPRK Threat Intelligence

#T1102.001 Dead Drop Resolver

Technique

Tactics: Command And Control
Description:
Adversaries may use an existing, legitimate external Web service to host information that points to additional command and control (C2) infrastructure. Adversaries may post content, known as a dead drop resolver, on Web services with embedded (and often obfuscated/encoded) domains or IP addresses. Once infected, victims will reach out to and be redirected by these resolvers.

Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.

Use of a dead drop resolver may also protect back-end C2 infrastructure from discovery through malware binary analysis while also enabling operational resiliency (since this infrastructure may be dynamically changed).
First Seen: Kimsuky deploys TRANSLATEXT to target South Korean academia • 2024-06-27

MITRE ATT&CK

10

Tagged Reports
6

Unique Authors
704

Active Days

Tagged Reports

2026-05-31

Socket

Famous Chollima Targets PHP Developers Through Compromised Packagist Package

#FamousChollima #ContagiousInterview #SupplyChain #T1195.002 #T1204.002 #T1059.007 #T1027 #T1102.001 #T1105

2026-03-31

OSM

TasksJacker: Latest DPRK Attack Skips the Fake Interview and Goes Straight to Compromising GitHub Users

#TasksJacker #VSCode #T1059.007 #T1070.004 #T1036 #T1041 #T1543 #T1555 #T1059.004 #T1027 #T1102.001 #T1071.001 #T1552.004 #T1195.001

2026-03-16

Break Glass Intelligence

Lazarus Group is Using the Solana Blockchain as a Dead-Drop C2 Channel -- and Nobody Noticed for 4 Months

#TraderTraitor #T1059.007 #T1082 #T1036 #T1041 #T1008 #T1027 #T1070.009 #T1622 #T1573.001 #T1571 #T1497.003 #T1102.001 #T1583.003 #T1195.001

2026-02-03

Red Asgard

Hunting Lazarus Part IV: Real Blood on the Wire

#ContagiousInterview #Lazarus #T1566.003 #T1552.001 #T1114 #T1027.002 #T1573.001 #T1098 #T1547.001 #T1530 #T1496 #T1005 #T1053.005 #T1113 #T1219 #T1560 #T1204.002 #T1102.001 #T1071.001 #T1087 #T1573.002 #T1555.003 #T1056.001 #T1497.001

2026-02-01

Red Asgard

Hunting Lazarus Part III: The Infrastructure That Was Too Perfect

#Lazarus #OtterCookie #T1027 #T1566.003 #T1027.002 #T1528 #T1573.001 #T1547.001 #T1496 #T1059.007 #T1053.005 #T1113 #T1020 #T1204.002 #T1102.001 #T1115 #T1497 #T1573.002 #T1555.003 #T1056.001 #T1497.001

2026-01-23

Red Asgard

Hunting Lazarus Part II: When the Dead Drop Moved to the Blockchain

#Lazarus #VSCode #T1059.007 #T1041 #T1555 #T1204.002 #T1566.003 #T1102.001

2026-01-13

Cyfirma

APT PROFILE – KIMSUKI

#Kimsuky #T1593 #T1055.012 #T1102.002 #T1190 #T1587 #T1059.005 #T1027 #T1583.006 #T1078.003 #T1071.002 #T1027.002 #T1562.004 #T1205 #T1550.002 #T1059.003 #T1566.001 #T1566 #T1553.002 #T1111 #T1071.003 #T1591 #T1003.001 #T1218.011 #T1585 #T1593.002 #T1620 #T1567.002 #T1585.002 #T1598 #T1583 #T1585.001 #T1588.002 #T1586.002 #T1587.001 #T1059.007 #T1588.005 #T1053.005 #T1204.001 #T1070.004 #T1583.004 #T1036.004 #T1041 #T1588.003 #T1656 #T1608.001 #T1204.002 #T1598.003 #T1589.003 #T1102.001 #T1105 #T1071.001 #T1594 #T1055 #T1059.006 #T1112 #T1218.010 #T1557 #T1219.002 #T1583.001 #T1059.001 #T1593.001 #T1218.005 #T1589.002 #T1657 #T1555.003 #T1036.005 #T1133 #T1566.002 #T1056.001 #T1584.001 #T1070.006 #T1596

2026-01-12

Red Asgard

Hunting Lazarus: Inside the Contagious Interview C2 Infrastructure

#ContagiousInterview #Lazarus #T1059.006 #T1059.007 #T1562.001 #T1053.005 #T1539 #T1555 #T1573.002 #T1048.003 #T1204.002 #T1036.005 #T1566.003 #T1573.001 #T1547.001 #T1102.001 #T1027.002 #T1496

2024-07-19

Cyfirma

APT Quarterly Highlights : Q2 2024

#Trend #Andariel #Kimsuky #MoonstoneSleet #Lazarus #T1562.001 #T1190 #T1068 #T1543.003 #T1056 #T1595.002 #T1059.003 #T1566 #T1485 #T1218.011 #T1069.002 #T1010 #T1571 #T1102.001 #T1583.001 #T1555.003 #T1033 #T1497.001 #T1203 #T1036 #T1012 #T1027 #T1583.003 #T1071 #T1562.004 #T1614 #T1027.005 #T1548 #T1552 #T1140 #T1005 #T1053.005 #T1564.001 #T1555 #T1129 #T1070.001 #T1046 #T1070 #T1095 #T1569.002 #T1562 #T1573 #T1047 #T1552.001 #T1057 #T1082 #T1518.001 #T1176 #T1090 #T1518 #T1539 #T1041 #T1564 #T1560 #T1202 #T1071.001 #T1547 #T1112 #T1497 #T1059.001 #T1124 #T1056.001 #T1222 #T1070.006 #T1059 #T1564.003 #T1222.001 #T1056.004 #T1547.001 #T1584 #T1087.002 #T1070.004 #T1505.003 #T1113 #T1608.005 #T1204.002 #T1087 #T1574.002 #T1115 #T1083 #T1490 #T1053 #T1486 #T1566.002 #T1133 #T1021.004 #T1003

2024-06-27

Zscaler

Kimsuky deploys TRANSLATEXT to target South Korean academia

#Kimsuky #TRANSLATEXT #T1176 #T1041 #T1059.001 #T1113 #T1555.003 #T1102.001 #T1071.001

« Back