A new joint investigation by Hunt.io and the Acronis Threat Research Unit has unearthed significant new infrastructure and active tools employed by North Korean state-sponsored hacking groups Lazarus and Kimsuky. The research, detailed in a recent report, reveals a sophisticated and interconnected network of servers and systems allowing these threat actors to maintain persistent access and coordinate global campaigns.
The findings provide unprecedented visibility into the operational methods of these nation-state-backed cybercriminals. The exposed infrastructure includes active tool-staging servers, environments dedicated to credential theft, Forward Reverse Proxy (FRP) tunneling nodes, and a fabric of certificate-linked systems controlled by Democratic People’s Republic of Korea (DPRK) operators. This discovery highlights the evolving tactics of these groups in carrying out their cyber operations.
New Lazarus and Kimsuky Infrastructure Uncovered with Active Tools
The investigation identified a new Linux variant of the Badcall backdoor, a malware family previously associated with the 3CX supply chain attack. This updated version features enhanced logging capabilities, enabling attackers to meticulously track malware operations through timestamped entries in a log file located at /tmp/sslvpn.log. These entries use short numeric codes to denote different malware actions, assisting the attackers in verifying execution and monitoring behavior during intrusions.
Hunt.io analysts discovered this new Badcall variant hosted on infrastructure that had previously been linked to Lazarus campaigns. This observation strongly suggests ongoing malware development and adaptation by the Lazarus group, underscoring their commitment to refining their tools and techniques. The findings indicate a continuous evolution in the sophisticated toolkits utilized by these advanced persistent threats (APTs).
The researchers noted consistent operational patterns across different DPRK subgroups through analysis of the uncovered infrastructure. Open directories are frequently utilized as rapid staging points for deploying credential theft kits and FRP tunnels on identical ports across multiple virtual private servers (VPS). This reuse of infrastructure and deployment methods allows for efficient and swift operational setup.
Furthermore, attackers are observed to reuse certificates that link separate infrastructure clusters, effectively creating a traceable footprint even when malware strains or lure documents are updated. This practice enables tracking threat actor activities through infrastructure analysis, rather than relying solely on the examination of individual malware payloads. The ability to follow these persistent infrastructure links offers a more robust method for attribution and threat intelligence gathering.
Several active infrastructure nodes were identified during the research. For example, one server located at 207.254.22.248:8800 exposed a substantial 112 MB credential-theft toolkit. This toolkit contained tools such as MailPassView, WebBrowserPassView, ChromePass, and rclone binaries, explicitly designed for the exfiltration of sensitive user credentials and data.
Another identified node, at IP address 149.28.139.62:8080, hosted a Quasar RAT environment containing approximately 270 MB of tooling, indicating a broad range of remote access and control capabilities. However, the most significant discovery was made at 154.216.177.215:8080. This server exposed nearly 2 GB of operational data, including a wide array of offensive security tools, browser password stealers, privilege-escalation binaries, and development artifacts, suggesting a comprehensive operational setup.
FRP Tunneling Nodes and Certificate Analysis
The research team located eight FRP tunneling nodes operating on port 9999, utilized across VPS hosts in China and the Asia-Pacific region. Each of these nodes was found to be serving identical 10 MB binaries, which suggests an automated provisioning process rather than manual configuration. These nodes play a crucial role as redirectors, establishing reliable communication channels between compromised hosts and operator-controlled servers, ensuring persistent access even when traditional command-and-control (C2) channels are blocked or detected.
Further analysis of certificates revealed a critical link: 12 IP addresses were associated with the subject hwc-hwp-7779700. Crucially, 10 of these IP addresses were directly linked to Lazarus malware activity on port 443. This reuse of certificates across different infrastructure components exposes entire clusters of malicious infrastructure before they are actively deployed in campaigns, providing an early warning signal for cybersecurity defenders.
The infection mechanism of the Badcall variant begins by processing command-line arguments. After checking for a process ID argument, it simulates a kill command using its integrated FakeCmd function. It then daemonizes itself so that its primary malicious operations run in the background. The malware's logging function, shown in a code snippet in the report, writes timestamped entries to the specified log file, giving the attacker detailed operational oversight.
The depicted `logMessage()` function in the Badcall variant illustrates how the malware now logs its activities across various routines. The varying numeric codes within these log entries correspond to different operations, enabling attackers to meticulously monitor the malware’s behavior throughout the entire intrusion lifecycle. This detailed logging provides attackers with immediate feedback on the success and progression of their operations.
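As an added illustration of the host-side triage this logging behaviour invites (this is not code from the report, from Hunt.io, or from the malware), the helper below parses a Badcall-style log and summarises the numeric codes and the time span they cover. The report names the path /tmp/sslvpn.log and states that entries are timestamped with short numeric codes, but does not reproduce the exact line format; the `<timestamp> <code>` layout matched by LINE_RE is therefore an assumption, and the sample log content is constructed.

```python
"""Triage helper for a Badcall-style log file on a Linux host.

The report states the variant writes timestamped entries with short numeric
codes to /tmp/sslvpn.log but does not reproduce the line format, so the
format parsed here ("<YYYY-MM-DD HH:MM:SS> <code>") is an assumption for
illustration; adjust LINE_RE once a real sample is available.
"""
import os
import re
from collections import Counter
from datetime import datetime
from typing import List, Optional, Tuple

LOG_PATH = "/tmp/sslvpn.log"  # path named in the report
# Assumed line layout: ISO-style timestamp, whitespace, one- to three-digit code.
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\d{1,3})\s*$")

# Constructed sample log content (not a real capture); one junk line is
# included to show that non-matching lines are skipped rather than fatal.
SAMPLE_LOG = """2025-01-15 09:12:01 1
2025-01-15 09:12:01 2
2025-01-15 09:12:05 7
garbage line that should be ignored
2025-01-15 09:13:40 7
2025-01-15 09:20:00 12
"""


def parse_log(text: str) -> List[Tuple[datetime, int]]:
    """Return (timestamp, code) for every line matching the assumed format, in file order."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append((datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), int(m.group(2))))
    return entries


def summarize(entries: List[Tuple[datetime, int]]) -> dict:
    """Code frequency plus first/last timestamp: a quick activity and dwell-time picture."""
    if not entries:
        return {"count": 0, "codes": {}, "first": None, "last": None, "span_seconds": 0}
    first = min(t for t, _ in entries)
    last = max(t for t, _ in entries)
    return {
        "count": len(entries),
        "codes": dict(Counter(c for _, c in entries)),
        "first": first.isoformat(),
        "last": last.isoformat(),
        "span_seconds": int((last - first).total_seconds()),
    }


def triage(path: str = LOG_PATH) -> Optional[dict]:
    """Summarise the log if it exists on this host; None means the file is absent
    (which is not a clean bill of health, only the absence of this one artifact)."""
    if not os.path.isfile(path):
        return None
    with open(path, "r", errors="replace") as fh:
        return summarize(parse_log(fh.read()))


if __name__ == "__main__":
    print(summarize(parse_log(SAMPLE_LOG)))
    print(triage())
```

The code-to-meaning mapping the report describes is not public on this page, so the summary reports raw code counts; an analyst maps them to actions once the routine-to-code table is known, and the first/last timestamps bound how long the backdoor was active on the host.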
Cybersecurity defenders can detect these ongoing activities by actively monitoring for exposed directories containing credential harvesting tools, the presence of FRP binaries on port 9999, the reuse of certificate subjects across RDP-enabled hosts, and infrastructure provisioned through common regional providers. These indicators offer advanced warning of DPRK activity as it is being established, rather than only after intrusions have commenced.
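The certificate-subject pivot and the identical-binary pivot described above (the hwc-hwp-7779700 subject across 12 IPs, and the same 10 MB FRP binary served on port 9999 from eight hosts) are the kind of clustering a defender runs over passive-scan data. The following is an added example, not code from the report or from Hunt.io, that groups constructed scan observations by shared certificate subject and by identical served-file hash. The IP addresses are from documentation ranges and the hashes are placeholders; only the subject string and the ports come from the report.

```python
"""Infrastructure pivoting over passive-scan observations.

Groups hosts by shared TLS certificate subject and by identical served
binary hash, the two reuse patterns the report describes.  Records below
are constructed for illustration (documentation IP ranges, placeholder
hashes); only the subject hwc-hwp-7779700 and the ports are from the report.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Observation:
    ip: str
    port: int
    cert_subject: Optional[str] = None   # TLS subject CN seen on this socket, if any
    served_sha256: Optional[str] = None  # hash of a file served by an open directory, if any
    has_open_dir: bool = False


# Constructed sample: a cert-linked cluster (three hosts on 443, one RDP host on 3389),
# three hosts serving an identical file on 9999, and two unrelated hosts.
SAMPLE = [
    Observation("192.0.2.10", 443, cert_subject="hwc-hwp-7779700"),
    Observation("192.0.2.11", 443, cert_subject="hwc-hwp-7779700"),
    Observation("192.0.2.12", 443, cert_subject="hwc-hwp-7779700"),
    Observation("192.0.2.13", 3389, cert_subject="hwc-hwp-7779700"),
    Observation("198.51.100.5", 9999, served_sha256="a" * 64, has_open_dir=True),
    Observation("198.51.100.6", 9999, served_sha256="a" * 64, has_open_dir=True),
    Observation("198.51.100.7", 9999, served_sha256="a" * 64, has_open_dir=True),
    Observation("203.0.113.9", 443, cert_subject="www.example.com"),
    Observation("203.0.113.10", 8080, served_sha256="b" * 64, has_open_dir=True),
]


def cluster_by_subject(obs: Iterable[Observation], min_hosts: int = 3) -> Dict[str, List[str]]:
    """Subjects seen on at least min_hosts distinct IPs, regardless of port."""
    by_subject = defaultdict(set)
    for o in obs:
        if o.cert_subject:
            by_subject[o.cert_subject].add(o.ip)
    return {s: sorted(ips) for s, ips in by_subject.items() if len(ips) >= min_hosts}


def cluster_by_binary(obs: Iterable[Observation], min_hosts: int = 2) -> Dict[Tuple[int, str], List[str]]:
    """(port, sha256) pairs where the same file is served from several hosts on the same port,
    the signature of automated provisioning rather than hand-built servers."""
    by_file = defaultdict(set)
    for o in obs:
        if o.served_sha256:
            by_file[(o.port, o.served_sha256)].add(o.ip)
    return {k: sorted(ips) for k, ips in by_file.items() if len(ips) >= min_hosts}


def flag_hosts(obs: Iterable[Observation],
               subject_clusters: Dict[str, List[str]],
               binary_clusters: Dict[Tuple[int, str], List[str]]) -> Dict[str, List[str]]:
    """Tag each IP with the reasons it belongs to a cluster; IPs with no reason are omitted."""
    reasons = defaultdict(list)
    for subj, ips in subject_clusters.items():
        for ip in ips:
            reasons[ip].append(f"cert-subject:{subj}")
    for (port, sha), ips in binary_clusters.items():
        for ip in ips:
            reasons[ip].append(f"identical-binary:{port}:{sha[:12]}")
    return dict(reasons)


if __name__ == "__main__":
    subj = cluster_by_subject(SAMPLE)
    bins = cluster_by_binary(SAMPLE)
    for ip, why in sorted(flag_hosts(SAMPLE, subj, bins).items()):
        print(ip, why)
```

The thresholds are deliberately low for the sample; in practice they are tuned against the size of the scan corpus, and a subject that appears on a large shared-hosting estate is noise rather than a cluster. The value of the pivot is the one the report stresses: a host that has not yet served any payload is still flagged the moment it presents a certificate already tied to known activity.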
This comprehensive research strongly indicates that infrastructure analysis offers a more reliable method for tracking North Korean cyber operations compared to relying solely on payload examination. The consistent operational habits, infrastructure reuse, and certificate linkages expose the defining characteristics of these sophisticated state-sponsored threat actors. The findings suggest that continued monitoring of such infrastructure patterns will be key to understanding and mitigating future campaigns by Lazarus, Kimsuky, and other DPRK-aligned groups.