Shared Shadows: Hunt.io Uncovers the Unified Staging Grounds of Lazarus and Kimsuky
Groups operating in the interests of the DPRK continue to aggressively expand their infrastructure for cyber espionage, financial attacks, and long-term persistence within compromised systems. This is evidenced by the findings of a joint investigation conducted by Hunt.io and the Acronis Threat Research Unit, which uncovered close links between the infrastructures of the Lazarus and Kimsuky groups and analyzed recurring techniques and toolsets.
The research is grounded in a detailed examination of artifacts left behind by the attackers. The repeated reuse of IP addresses, digital certificates, tool directories, and other infrastructure components made it possible to identify interconnected nodes and expose shared tactics even among groups that are formally considered independent. This approach enabled analysts to trace campaigns that had previously appeared fragmented and unrelated.
One of the central focal points was the analysis of two newly identified malware strains associated with Lazarus and Kimsuky. In the case of Kimsuky, researchers observed a new iteration of the HttpTroy loader, disguised as a VPN configuration file, while Lazarus deployed an enhanced version of its BLINDINGCAN remote access tool. Within the same infrastructure, a modified Linux variant of the Badcall malware was also discovered, incorporating a system-level keylogger—an indication of increasingly sophisticated control over infected hosts.
Further analysis revealed extensive directories containing credential-stealing tools such as MailPassView and WebBrowserPassView. These utilities were hosted in openly accessible HTTP directories alongside a wide range of other software, from password harvesters to remote administration tools, including Quasar RAT. Some of these repositories contained thousands of files and hundreds of subdirectories, suggesting their role as fully fledged operational arsenals.
Particular attention was paid to the Lazarus Group’s use of FRP (Fast Reverse Proxy) technology, previously observed in supply-chain attacks, including the 3CX incident. Identical FRP binaries were deployed across multiple VPS servers operating on port 9999, pointing to an automated infrastructure rollout designed to establish resilient communication channels between compromised systems and command-and-control servers.
Digital certificate tracking also played a critical role in the analysis. One certificate used by Lazarus was linked to twelve IP addresses, ten of which were actively involved in malware distribution. The remaining two addresses, according to supplementary data, may have been used in operations attributed to Bluenoroff—another DPRK-affiliated cyber unit. This finding reinforces the conclusion that different groups can share and reuse key elements of infrastructure.
The consistent reuse of the same operational patterns enables not only retrospective investigation, but also proactive threat detection. Recurrent data-theft tools, uniformly configured proxy servers, stable VPS hosting patterns, and repeated certificate usage collectively make it possible to build effective systems for identifying and mitigating such attacks at an early stage.
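The certificate and service pivots described in the two paragraphs above can be turned into a small, repeatable check. The script below is an added example for this summary, not code from Hunt.io or Acronis; every scan record, IP address (RFC 5737 documentation ranges), certificate fingerprint and the seed list of confirmed malware hosts is constructed for illustration. It indexes scan results by TLS certificate fingerprint, expands a seed set of known-bad hosts to every other host presenting the same certificate, adds a second, weaker signal for an FRP-style service on tcp/9999, and ranks the candidates.

```python
"""Infrastructure pivoting on reused TLS certificates and service patterns.

Added example; all records below are constructed (RFC 5737 documentation
addresses, placeholder fingerprints). Nothing here is taken from the report.
"""
from collections import defaultdict

# Constructed scan records: one row per (ip, port) observed by a scanner.
SCAN_RECORDS = [
    {"ip": "203.0.113.10", "port": 443,  "cert_sha256": "sha256:AAAA0001", "service": "https"},
    {"ip": "203.0.113.11", "port": 443,  "cert_sha256": "sha256:AAAA0001", "service": "https"},
    {"ip": "203.0.113.12", "port": 443,  "cert_sha256": "sha256:AAAA0001", "service": "https"},
    {"ip": "203.0.113.12", "port": 9999, "cert_sha256": None,              "service": "frp"},
    {"ip": "198.51.100.5", "port": 8443, "cert_sha256": "sha256:AAAA0001", "service": "https"},
    {"ip": "198.51.100.9", "port": 443,  "cert_sha256": "sha256:BBBB0002", "service": "https"},
    {"ip": "192.0.2.77",   "port": 9999, "cert_sha256": None,              "service": "frp"},
]

# Constructed seed list: hosts already confirmed to be distributing malware.
CONFIRMED_MALWARE_HOSTS = {"203.0.113.10", "203.0.113.11"}


def certificate_index(records):
    """Map each certificate fingerprint to the set of IPs that presented it."""
    cert_to_ips = defaultdict(set)
    for rec in records:
        if rec["cert_sha256"]:
            cert_to_ips[rec["cert_sha256"]].add(rec["ip"])
    return cert_to_ips


def pivot_from_seeds(records, seeds):
    """Return {new_ip: {fingerprints}} for hosts outside `seeds` that share a
    certificate with at least one seed host. This is the 'one certificate,
    twelve addresses' pivot from the summary, applied to constructed data."""
    found = defaultdict(set)
    for fingerprint, ips in certificate_index(records).items():
        if ips & seeds:
            for ip in ips - seeds:
                found[ip].add(fingerprint)
    return dict(found)


def frp_hosts(records, port=9999, service="frp"):
    """Hosts exposing an FRP-style service on the given port (constructed
    banner label 'frp'; a real scanner would use its own service tag)."""
    return {r["ip"] for r in records if r["port"] == port and r["service"] == service}


def score_candidates(records, seeds):
    """Combine both pivots into a ranked list of (ip, (score, reasons)).
    Certificate sharing with a confirmed host weighs more than the port
    pattern alone, because tcp/9999 is also used by benign software."""
    cert_hits = pivot_from_seeds(records, seeds)
    frp = frp_hosts(records)
    scored = {}
    for ip in set(cert_hits) | frp:
        score, reasons = 0, []
        if ip in cert_hits:
            score += 2
            reasons.append("shares certificate %s with a confirmed host"
                           % ",".join(sorted(cert_hits[ip])))
        if ip in frp:
            score += 1
            reasons.append("FRP-style service on tcp/9999")
        scored[ip] = (score, reasons)
    # Highest score first; ties broken by address for a stable listing.
    return sorted(scored.items(), key=lambda kv: (-kv[1][0], kv[0]))


if __name__ == "__main__":
    for ip, (score, reasons) in score_candidates(SCAN_RECORDS, CONFIRMED_MALWARE_HOSTS):
        print(f"{ip:14s} score={score}  " + "; ".join(reasons))
```

Running it on the constructed data lists `203.0.113.12` first (shared certificate plus tcp/9999), then `198.51.100.5` (certificate only) and `192.0.2.77` (port only); `198.51.100.9` never appears because its certificate is not tied to any seed. A certificate that many unrelated hosts present (a hosting panel default, for instance) would drag in false positives, which is why the example treats certificate sharing as a score to be reviewed rather than a verdict.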
Ultimately, the research underscores that despite the continuous evolution of malware payloads and infection vectors, infrastructure artifacts remain the most reliable indicators for tracking DPRK-linked cyber operations. Their stability and repetition allow defenders to detect malicious activity well before a full-scale attack unfolds.