Security researchers from Hunt.io and Acronis Threat Research Unit have uncovered a sophisticated network of operational infrastructure controlled by North Korean state-sponsored threat actors Lazarus and Kimsuky.
The collaborative investigation revealed previously undocumented connections between these groups’ campaigns, exposing active command-and-control servers, credential-theft environments, tunneling nodes, and certificate-linked infrastructure that had remained hidden from public analysis until now.
The research demonstrates how DPRK operators maintain persistent access through predictable infrastructure patterns, even as they evolve their malware and attack lures.
By pivoting across indicators of compromise, certificates, and open directories using Hunt.io’s threat intelligence platform, the researchers mapped interconnected clusters of malicious assets deployed across multiple VPS providers in Asia and beyond.
One of the most significant findings centers on the consistency of DPRK operational tradecraft.
The investigation identified recurring signals that remained stable across different campaigns: credential harvesting toolkits staged in exposed open directories, Fast Reverse Proxy (FRP) tunneling nodes configured identically across multiple servers, and certificates reused across clusters of hosts with remote desktop protocol (RDP) exposure.
The first significant discovery involved tracking Lazarus activity through a Linux variant of the BADCALL backdoor, hosted on server 23.27.140[.]49 with an open directory on port 8080.
![IP intelligence data for 23.27.177[.]183.](https://public-hunt-static-blog-assets.s3.us-east-1.amazonaws.com/12-2025/Inside+DPRK+Operations+New+Lazarus+and+Kimsuky+Infrastructure+Uncovered+Across+Global+Campaigns+-+figure+4.png)
This variant contained a critical operational update: the addition of a logging mechanism that writes timestamped entries to the /tmp/ directory.
This feature allows operators to monitor malware execution and confirm proper functioning throughout intrusions, representing a deliberate enhancement to their toolkit for improved operational efficiency.
Active Credential Theft Infrastructure
The research uncovered two major credential theft staging environments that remained operational.
Server 207.254.22[.]248:8800 hosted a 112 MB toolkit containing 21 files across two subdirectories, including MailPassView, WebBrowserPassView, ChromePass, and rclone binaries: a complete profile-extraction and exfiltration suite.
Hunt.io intelligence confirmed this infrastructure was running a Mythic command-and-control server on port 7443 as recently as August 2025.
A second critical node at 149.28.139[.]62:8080 exposed over 270 MB of operational data across 201 files, including a fully functional Quasar RAT infrastructure, credential harvesters, and file-transfer utilities.
![Hunt.io intelligence showing Quasar RAT activity on 149.28.139[.]62.](https://public-hunt-static-blog-assets.s3.us-east-1.amazonaws.com/12-2025/Inside+DPRK+Operations+New+Lazarus+and+Kimsuky+Infrastructure+Uncovered+Across+Global+Campaigns+-+figure+14.png)
This staging environment represented a comprehensive attack ecosystem maintained by the threat actors for rapid deployment during intrusions.
Perhaps most alarming was the discovery of server 154.216.177[.]215, which exposed nearly 2 GB of operational data across 10,731 files and 1,222 subdirectories.
This infrastructure contained sophisticated reconnaissance tools, development artifacts, Nuclei template libraries, and personal artifacts, suggesting it functioned as an active threat actor operations hub.
Tunneling and Certificate-Based Infrastructure
The research identified eight identical FRP tunnel nodes deployed across Chinese and APAC-region VPS providers, all serving the same 10 MB binary on port 9999.
This uniformity indicated scripted, automated provisioning, a hallmark of Lazarus operations designed to maintain persistent access even when traditional command-and-control channels are blocked.
Through certificate pivoting, researchers discovered twelve IP addresses all sharing the common name “hwc-hwp-7779700” with RDP exposure since January 2025.
Malware database queries confirmed ten of these IPs were directly associated with Lazarus Group malware, with remaining nodes linked to Bluenoroff operations, demonstrating where DPRK subgroup workflows intersect.
The research provides defenders with actionable intelligence for proactive threat hunting. Monitoring for recurring open directory patterns, tracking FRP deployments across specific ports and providers, and pivoting on certificate reuse can reveal new DPRK infrastructure before active campaigns launch.
These stable behavioral patterns offer more reliable detection signals than constantly evolving malware families.
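The three pivots described above (certificate reuse across RDP-exposed hosts, one identical binary served on the same port across several providers, and exposed open directories) can be automated over whatever host-scan export a hunting team already has. The script below is an added example, not Hunt.io or Acronis code; the scan records are constructed inline to mirror the patterns in the article, and every IP, ASN label, hash and field name is an assumption for illustration. Only the common name "hwc-hwp-7779700" and port 9999 are taken from the research.

```python
"""
Hunting for recurring DPRK infrastructure patterns over host-scan records.

Added example, not code from Hunt.io/Acronis. Field names (ip, port,
cert_cn, body_sha256, body_size, http_title, asn) are assumptions about
what a scan export would carry; the records below are constructed.
"""
from collections import defaultdict

# Constructed sample records: one dict per (host, port) observation.
# Documentation-range IPs and placeholder ASN labels, not real hosts.
SCANS = [
    {"ip": "203.0.113.10", "port": 3389, "cert_cn": "hwc-hwp-7779700", "asn": "AS-A"},
    {"ip": "203.0.113.11", "port": 3389, "cert_cn": "hwc-hwp-7779700", "asn": "AS-B"},
    {"ip": "203.0.113.12", "port": 3389, "cert_cn": "hwc-hwp-7779700", "asn": "AS-B"},
    {"ip": "198.51.100.5", "port": 3389, "cert_cn": "WIN-HOST01", "asn": "AS-C"},
    {"ip": "198.51.100.20", "port": 9999, "body_sha256": "aa" * 32, "body_size": 10_485_760, "asn": "AS-D"},
    {"ip": "198.51.100.21", "port": 9999, "body_sha256": "aa" * 32, "body_size": 10_485_760, "asn": "AS-E"},
    {"ip": "198.51.100.22", "port": 9999, "body_sha256": "aa" * 32, "body_size": 10_485_760, "asn": "AS-D"},
    {"ip": "198.51.100.30", "port": 9999, "body_sha256": "bb" * 32, "body_size": 1024, "asn": "AS-F"},
    {"ip": "192.0.2.8", "port": 8080, "http_title": "Index of /", "asn": "AS-G"},
    {"ip": "192.0.2.9", "port": 8080, "http_title": "Welcome", "asn": "AS-G"},
]


def pivot_on_cert_cn(scans, min_hosts=3):
    """Group hosts by TLS certificate common name.

    Returns {cn: sorted IPs} for CNs present on at least min_hosts distinct
    IPs. A self-signed CN that shows up on many unrelated IPs is the
    certificate-reuse signal the article pivots on.
    """
    by_cn = defaultdict(set)
    for s in scans:
        if s.get("cert_cn"):
            by_cn[s["cert_cn"]].add(s["ip"])
    return {cn: sorted(ips) for cn, ips in by_cn.items() if len(ips) >= min_hosts}


def find_identical_payloads(scans, port=9999, min_hosts=3):
    """Find one binary (by SHA-256) served on the same port from several
    hosts spread over more than one ASN: the scripted-provisioning pattern
    behind the identical FRP nodes. Returns {sha256: {ips, asns, size}}.
    """
    by_hash = defaultdict(list)
    for s in scans:
        if s.get("port") == port and s.get("body_sha256"):
            by_hash[s["body_sha256"]].append(s)
    hits = {}
    for digest, recs in by_hash.items():
        ips = sorted({r["ip"] for r in recs})
        asns = sorted({r["asn"] for r in recs})
        if len(ips) >= min_hosts and len(asns) > 1:
            hits[digest] = {"ips": ips, "asns": asns, "size": recs[0]["body_size"]}
    return hits


def find_open_directories(scans):
    """Flag HTTP services whose page title is a default directory listing."""
    return sorted(
        f'{s["ip"]}:{s["port"]}'
        for s in scans
        if s.get("http_title", "").startswith("Index of")
    )


if __name__ == "__main__":
    print("shared cert CNs:", pivot_on_cert_cn(SCANS))
    print("identical payloads on 9999:", find_identical_payloads(SCANS))
    print("open directories:", find_open_directories(SCANS))
```

The thresholds (three hosts, more than one ASN) are deliberately low so the constructed data triggers them; on a real export they should be tuned against a baseline, since shared CNs from hosting-provider default certificates and common CDN payloads will otherwise dominate the results.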
