
A joint investigation by Hunt.io and the Acronis Threat Research Unit has exposed an extensive network of North Korean state-sponsored infrastructure, revealing fresh connections between Lazarus and Kimsuky operations across global campaigns.
The research uncovered active tool-staging servers, credential-theft environments, FRP tunneling nodes, and a certificate-linked infrastructure fabric controlled by DPRK operators.
The findings show how these operators stage tooling, maintain persistent access, and coordinate campaigns across multiple targets at the same time.
The investigation also identified a new Linux variant of the Badcall backdoor, a malware family previously seen in the 3CX supply chain attack.
This build adds a logging routine that writes timestamped entries to /tmp/sslvpn.log, each carrying a short numeric code that marks which operation the malware has reached.
The log lets the operators confirm that the implant executed correctly and follow its progress through an intrusion. Hunt.io analysts found the variant hosted on infrastructure previously linked to Lazarus campaigns, a sign that the group is still actively developing this family.
Hunt.io researchers noted that the infrastructure reveals consistent operational patterns across DPRK subgroups.
Open directories serve as quick staging points, repeatedly deploying credential theft kits and FRP tunnels on the same ports across multiple VPS hosts.
The attackers reuse certificates that link separate clusters to the same operators, creating a detectable footprint even when malware or lures change.
These patterns enable tracking through infrastructure analysis rather than relying solely on payload examination.
The research uncovered multiple active infrastructure nodes. One server at 207.254.22.248:8800 exposed a 112 MB credential-theft toolkit containing MailPassView, WebBrowserPassView, ChromePass, and rclone binaries for data exfiltration.
Another node at 149.28.139.62:8080 hosted a Quasar RAT environment with 270 MB of tooling.
The most significant discovery was 154.216.177.215:8080, which exposed nearly 2 GB of operational data, including offensive security tools, browser password stealers, privilege-escalation binaries, and development artifacts.
Hunt.io analysts identified these open directories as critical staging points for rapid deployment during intrusions.
FRP tunneling nodes
The researchers found eight FRP tunneling nodes running on port 9999 across Chinese and APAC-region VPS hosts, each serving identical 10 MB binaries.
This uniformity suggests automated provisioning rather than manual configuration. The nodes act as redirectors between compromised hosts and operator-controlled servers, providing reliable access even when traditional C2 channels are blocked.
Certificate analysis linked 12 IP addresses to the subject hwc-hwp-7779700, with 10 directly associated with Lazarus malware on port 443. This certificate reuse exposes entire infrastructure clusters before they become active in campaigns.
Execution begins with command-line argument handling: the Badcall variant checks for a process ID argument, simulates a kill command via its FakeCmd function, and then daemonizes itself before starting its primary routine.
The code snippet below shows the logging function that writes the timestamped entries (the log_file handle is opened elsewhere in the binary):
#include <stdio.h>
#include <time.h>

static FILE *log_file; /* opened elsewhere on /tmp/sslvpn.log */

/* Append one "[YYYY-MM-DD HH:MM:SS] <message>" line to the log */
void logMessage(const char *message) {
    time_t now = time(NULL);
    struct tm *t = localtime(&now);
    char timestamp[20];
    strftime(timestamp, sizeof(timestamp), "%Y-%m-%d %H:%M:%S", t);
    fprintf(log_file, "[%s] %s\n", timestamp, message);
}
[Figure: cross-reference list of the logMessage function (Source: Hunt.io)]
The cross-reference list of the logMessage function shows how Badcall now logs activity from many different malware routines.
The numeric codes in log entries vary depending on the operation, allowing attackers to monitor malware behavior throughout the intrusion.
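A host-based check for the artifact described above, written here as an added example (it is not Hunt.io's or Acronis's code): it parses lines in the "[YYYY-MM-DD HH:MM:SS] <code>" shape the logging function produces and returns a verdict for a file such as /tmp/sslvpn.log. The page does not document the actual code values, so the matcher keys on the line format, and the sample log below is constructed, not observed.

```python
import re
from datetime import datetime
from typing import NamedTuple

# Line shape produced by the logMessage routine: "[YYYY-MM-DD HH:MM:SS] <short numeric code>".
# Assumption: the code is a short run of digits; real values are not documented on the page.
LOG_LINE = re.compile(r"^\[(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\] (\d{1,4})$")


class LogEntry(NamedTuple):
    ts: datetime
    code: int


def parse_badcall_log(text: str) -> list[LogEntry]:
    """Return the entries that match the Badcall log format; other lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        entries.append(LogEntry(ts, int(m.group(2))))
    return entries


def assess(text: str, min_entries: int = 3, min_ratio: float = 0.8) -> dict:
    """Heuristic verdict: the file is suspicious when nearly every non-empty line is a
    timestamped numeric-code entry and there are enough of them to look like a session.
    The ratio guards against ordinary logs that happen to contain a similar line or two."""
    lines = [l for l in text.splitlines() if l.strip()]
    entries = parse_badcall_log(text)
    ratio = len(entries) / len(lines) if lines else 0.0
    return {
        "entries": len(entries),
        "ratio": ratio,
        "codes": sorted({e.code for e in entries}),
        "first": entries[0].ts.isoformat() if entries else None,
        "last": entries[-1].ts.isoformat() if entries else None,
        "suspicious": len(entries) >= min_entries and ratio >= min_ratio,
    }


# Constructed sample in the described format; the code values are illustrative only.
SAMPLE = """[2025-11-20 09:14:02] 1
[2025-11-20 09:14:02] 3
[2025-11-20 09:14:05] 7
[2025-11-20 09:15:41] 12
"""

# Constructed benign content, to show the heuristic does not fire on an ordinary syslog.
BENIGN = """Nov 20 09:14:02 host sshd[1234]: Accepted publickey for user
Nov 20 09:14:03 host systemd[1]: Started session.
"""

if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else "/tmp/sslvpn.log"
    try:
        with open(path, encoding="utf-8", errors="replace") as f:
            print(path, assess(f.read()))
    except FileNotFoundError:
        print(f"{path}: not present")
```

Run it with no arguments to check the default path, or point it at a file collected from a suspect host. The presence of /tmp/sslvpn.log alone is a strong indicator; the format check is there to triage copies pulled during forensics and to avoid alerting on an unrelated file that reused the name.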
Defenders can detect this activity by monitoring for exposed directories containing credential harvesting tools, FRP binaries on port 9999, certificate subjects reused across RDP-enabled hosts, and infrastructure provisioned through the same regional providers.
These signals provide advance warning of DPRK activity as it forms, not just after intrusions begin. The research demonstrates that infrastructure analysis offers more reliable tracking than payload examination alone, exposing the consistent operational habits that define North Korean cyber operations.
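The infrastructure pivot the article describes, reused certificate subjects and identical binaries served on the same port, can be automated over scan data. The following is an added example (not code from Hunt.io or Acronis) that links hosts with a union-find structure whenever two observations share a pivot key: the same TLS certificate subject, or the same file hash served on the same port. All IPs, subject names and hashes in the records are constructed placeholders, not observed values.

```python
from collections import defaultdict

# Constructed scan observations, one per (host, port). Placeholder values throughout.
RECORDS = [
    {"ip": "192.0.2.10",   "port": 443,  "cert_subject": "subj-A", "file_sha256": None},
    {"ip": "192.0.2.11",   "port": 443,  "cert_subject": "subj-A", "file_sha256": None},
    {"ip": "192.0.2.11",   "port": 9999, "cert_subject": None,     "file_sha256": "frp-1"},
    {"ip": "198.51.100.5", "port": 9999, "cert_subject": None,     "file_sha256": "frp-1"},
    {"ip": "198.51.100.9", "port": 8080, "cert_subject": None,     "file_sha256": "kit-1"},
    {"ip": "203.0.113.7",  "port": 443,  "cert_subject": "subj-B", "file_sha256": None},
]


class UnionFind:
    """Disjoint sets over host IPs; linking two hosts merges their clusters."""

    def __init__(self):
        self.parent = {}

    def add(self, x):
        self.parent.setdefault(x, x)

    def find(self, x):
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def pivot_keys(rec):
    """Attributes that tie a host to an operator: cert subject, or (port, file hash)."""
    keys = []
    if rec["cert_subject"]:
        keys.append(("cert", rec["cert_subject"]))
    if rec["file_sha256"]:
        keys.append(("file", rec["port"], rec["file_sha256"]))
    return keys


def cluster_hosts(records):
    """Return (clusters, links): clusters are sorted lists of IPs with at least two
    members; links maps each pivot key to the sorted IPs that share it."""
    uf = UnionFind()
    by_key = defaultdict(set)
    for rec in records:
        uf.add(rec["ip"])
        for key in pivot_keys(rec):
            by_key[key].add(rec["ip"])
    for ips in by_key.values():
        first = next(iter(ips))
        for ip in ips:
            uf.union(first, ip)
    groups = defaultdict(set)
    for ip in uf.parent:
        groups[uf.find(ip)].add(ip)
    clusters = sorted(sorted(g) for g in groups.values() if len(g) > 1)
    links = {k: sorted(v) for k, v in by_key.items() if len(v) > 1}
    return clusters, links


if __name__ == "__main__":
    clusters, links = cluster_hosts(RECORDS)
    for c in clusters:
        print("cluster:", ", ".join(c))
    for key, ips in links.items():
        print("linked by", key, "->", ", ".join(ips))
```

In the constructed data, the shared certificate subject ties 192.0.2.10 to 192.0.2.11, and the identical FRP binary on port 9999 ties 192.0.2.11 to 198.51.100.5, so all three land in one cluster even though no single attribute is common to all of them. That transitive linking is what lets a reused certificate expose a cluster before its other nodes have been seen serving malware.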
