Inside DPRK Operations: New Infrastructure Uncovered Across Global Campaigns
Dec. 21, 2025, 7:37 p.m.
Description
North Korean state-sponsored threat actors, including Lazarus and Kimsuky, continue to conduct widespread hacking operations for intelligence gathering, financial gain, and access. The investigation uncovered previously unconnected operational assets, revealing active tool-staging servers, credential theft environments, FRP tunneling nodes, and certificate-linked infrastructure. Key findings include a new Linux variant of the Badcall backdoor, extensive credential harvesting toolkits in open directories, and widespread deployment of Fast Reverse Proxy (FRP) instances. The analysis highlights consistent operational patterns across DPRK campaigns, such as reusing infrastructure, deploying identical FRP configurations, and leveraging shared certificates, providing defenders with actionable intelligence to proactively track DPRK activity.
Tags
Date
- Created: Dec. 18, 2025, 9:40 a.m.
- Published: Dec. 18, 2025, 9:40 a.m.
- Modified: Dec. 21, 2025, 7:37 p.m.
Indicators
Additional Information
- secondshop.store