Cybersecurity firm Silent Push has recently confirmed that North Korean IT workers continue to use Astrill VPN services to hide their true IP addresses when seeking employment with international companies.
This finding, originally reported by Google’s Mandiant in September 2024, shows the ongoing efforts by North Korean threat actors to circumvent detection while conducting malicious activities online.
Silent Push analysts have been tracking various North Korean hacking groups for years, with particular focus on the Lazarus Group and its subgroups such as Contagious Interview (also known as Famous Chollima).
Through extensive log analysis from both operators and victims, researchers have uncovered numerous references to Astrill VPN (astrill.com) being used as the preferred tool for IP obfuscation.
The preference for this specific VPN service appears consistent across multiple Lazarus Group operations, suggesting a standardized approach within their operational security protocols.
The investigation gained momentum following the discovery of a domain registered shortly before the $1.4 billion ByBit cryptocurrency heist.
The domain “bybitassessment.com” was registered using an email address previously linked to North Korean hacking operations, providing investigators with a valuable connection point.
This discovery enabled Silent Push researchers to acquire infrastructure components containing administrative and victim logs, which further confirmed the extensive use of Astrill VPN by these threat actors.
In their continued monitoring of these activities, Silent Push has developed a comprehensive “Bulk Data Feed” containing real-time updates of all mapped Astrill VPN IP addresses.
This resource aims to help organizations identify and protect against threats originating from these sources, whether North Korean or otherwise.
Technical Infrastructure Analysis
The technical investigation revealed 27 unique Astrill VPN IP addresses linked to test records created during the configuration of North Korean attack infrastructure.
Among these addresses, several have been repeatedly observed in connection with malicious activities, including 104.223.97.2 and 91.239.130.102.
Additional IP addresses identified in the investigation include 103.130.145.210, 104.129.22.2, 113.20.30.139, 134.195.197.175, 167.88.61.250, and several others distributed across various network ranges.
This pattern of IP address usage provides organizations with specific indicators to monitor for potential North Korean infiltration attempts.
While not all connections from Astrill VPN indicate malicious activity, security professionals are advised to implement additional verification steps when encountering traffic from these IP ranges, particularly when dealing with IT contractors or freelancers.
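The check described above, as an added example that is not part of the original article or of Silent Push's tooling: a small Python matcher that reads web-server access log lines in the common combined format (an assumption; the log lines below are constructed, not real traffic), compares the source address against the Astrill VPN indicators quoted in the article, and flags matching requests for step-up verification rather than as confirmed malicious. It goes slightly beyond the page's list by also accepting CIDR entries, so the same function can consume a feed that mixes single hosts and ranges.

```python
import ipaddress
import re

# Astrill VPN addresses quoted in the article (Silent Push's published indicators).
# The article lists single hosts only; CIDR strings such as "203.0.113.0/24"
# would also be accepted by build_networks() if a feed supplied them.
ASTRILL_INDICATORS = [
    "104.223.97.2",
    "91.239.130.102",
    "103.130.145.210",
    "104.129.22.2",
    "113.20.30.139",
    "134.195.197.175",
    "167.88.61.250",
]

# Constructed sample lines in combined log format (not real traffic).
SAMPLE_LOG = """\
104.223.97.2 - - [10/Mar/2025:09:14:02 +0000] "POST /careers/apply HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Mar/2025:09:14:10 +0000] "GET /careers HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
91.239.130.102 - - [10/Mar/2025:09:15:41 +0000] "POST /vpn/login HTTP/1.1" 302 0 "-" "curl/8.4.0"
not a log line at all
203.0.113.7 - - [10/Mar/2025:09:16:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

# Client IP, timestamp, request line and status from a combined-format entry.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)


def build_networks(indicators):
    """Parse indicator strings (single IPs or CIDRs) into network objects.

    Malformed entries are skipped so one bad line in a feed does not stop
    the whole scan.
    """
    networks = []
    for entry in indicators:
        try:
            networks.append(ipaddress.ip_network(entry.strip(), strict=False))
        except ValueError:
            continue
    return networks


def ip_matches(ip_str, networks):
    """Return the indicator network containing ip_str, or None."""
    try:
        addr = ipaddress.ip_address(ip_str)
    except ValueError:
        return None
    for net in networks:
        if addr.version == net.version and addr in net:
            return str(net)
    return None


def scan_log(log_text, indicators=ASTRILL_INDICATORS):
    """Return one record per request whose client IP is on the indicator list.

    A hit means "apply additional verification" (the article's advice),
    not "this request is malicious": Astrill VPN also has legitimate users.
    """
    networks = build_networks(indicators)
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; skip rather than guess
        matched = ip_matches(m.group("ip"), networks)
        if matched:
            hits.append({
                "ip": m.group("ip"),
                "indicator": matched,
                "timestamp": m.group("ts"),
                "request": m.group("req"),
                "action": "step-up verification",
            })
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Applied to the constructed sample, the two requests from 104.223.97.2 and 91.239.130.102 are returned and the rest are ignored. The indicator list can be replaced by the contents of a regularly refreshed feed such as the Bulk Data Feed mentioned above (its format is not described in the article, so the loader is left to the reader); the action field is deliberately "step-up verification" because, as the text notes, a VPN exit address on its own is a weak signal and is most useful when correlated with hiring-related endpoints such as the /careers/apply request in the sample.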