{
  "Event": {
    "analysis": "1",
    "date": "2026-04-22",
    "extends_uuid": "",
    "info": "[Threat Intel] Unmasking DPRK Cyber Threat Actors: Fake IT Worker Infrastructure",
    "protected": false,
    "publish_timestamp": "1779545355",
    "published": true,
    "threat_level_id": "2",
    "timestamp": "1777607275",
    "uuid": "131917c0-a3c2-45b6-b8e8-15ed2473b4fa",
    "Orgc": {
      "name": "Rectifyq",
      "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4"
    },
    "Tag": [
      {
        "colour": "#e57031",
        "local": false,
        "name": "misp-galaxy:producer=\"Team Cymru\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"none-from-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-OTX\"",
        "relationship_type": ""
      },
      {
        "colour": "#bb2745",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Standard Encoding - T1132.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#6b5184",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"IP Addresses - T1590.005\"",
        "relationship_type": ""
      },
      {
        "colour": "#c202a1",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Spearphishing Link - T1566.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#db2044",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Spearphishing Link - T1598.003\"",
        "relationship_type": ""
      },
      {
        "colour": "#5c59c9",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Email Accounts - T1586.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#f4b62b",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Time Based Checks - T1497.003\"",
        "relationship_type": ""
      },
      {
        "colour": "#280b0e",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"External Proxy - T1090.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#91649a",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Virtual Private Server - T1583.003\"",
        "relationship_type": ""
      },
      {
        "colour": "#6fe7f4",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Tool - T1588.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Multi-hop Proxy - T1090.003\"",
        "relationship_type": ""
      },
      {
        "colour": "#e43954",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Disable or Modify Tools - T1562.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#57997c",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Bidirectional Communication - T1102.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#08b028",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Asymmetric Cryptography - T1573.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#30cc3b",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"File Deletion - T1070.004\"",
        "relationship_type": ""
      },
      {
        "colour": "#92e858",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Web Protocols - T1071.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Local Accounts - T1078.003\"",
        "relationship_type": ""
      },
      {
        "colour": "#b8ab01",
        "local": false,
        "name": "misp-galaxy:target-information=\"United States\"",
        "relationship_type": ""
      },
      {
        "colour": "#eb5a95",
        "local": false,
        "name": "misp-galaxy:target-information=\"Latvia\"",
        "relationship_type": ""
      },
      {
        "colour": "#49a260",
        "local": false,
        "name": "rectifyq:category=\"threat\"",
        "relationship_type": ""
      },
      {
        "colour": "#120046",
        "local": false,
        "name": "rectifyq:sub-category=\"infra-profile\"",
        "relationship_type": ""
      },
      {
        "colour": "#f1dfed",
        "local": false,
        "name": "rectifyq:TA-category=\"APT\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffd12e",
        "local": false,
        "name": "rectifyq:target=\"broad-based\"",
        "relationship_type": ""
      },
      {
        "colour": "#55acee",
        "local": false,
        "name": "rectifyq:MY-relevancy=\"potentially-relevant\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:country=\"north korea\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"Tria.ge\"",
        "relationship_type": ""
      },
      {
        "colour": "#3800d9",
        "local": false,
        "name": "rectifyq:action-taken=\"VT-comment\"",
        "relationship_type": ""
      },
      {
        "colour": "#3d00e9",
        "local": false,
        "name": "rectifyq:action-taken=\"telegram\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776942027",
        "to_ids": false,
        "type": "link",
        "uuid": "564b2261-dd16-47fc-87e8-f3787454986b",
        "value": "https://www.team-cymru.com/post/dprk-fake-it-worker-cyber-threat-actors-infrastructure"
      },
      {
        "category": "Other",
        "comment": "Description",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776942027",
        "to_ids": false,
        "type": "text",
        "uuid": "a55e2da3-0766-4059-af1a-27d60fb59552",
        "value": "Investigation of DPRK-linked fake IT worker infrastructure began after cryptocurrency researcher ZachXBT identified the domain luckyguys[.]site as connected to illicit payments. Analysis of 30 days of network activity associated with IP 163.245.219[.]19 revealed concentrated VPN usage patterns, with Astrill VPN (37.5%), Mullvad (32.25%), and Proton VPN (6.25%) being prominent. American and Latvian residential IPs communicated with the infrastructure, showing frequent Astrill VPN usage and connectivity to Gmail, ChatGPT, and the Workana freelance platform. A second IP, 216.158.225[.]144, was discovered through X.509 certificate analysis. Traffic dropped sharply following public exposure, consistent with the adversary behavior of abandoning attributed infrastructure. The activity suggests a distributed network of remote IT workers participating in sanctions-evasion workflows, leveraging AI tools and freelance platforms to obtain employment under false identities."
      },
      {
        "category": "Other",
        "comment": "Summary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776942027",
        "to_ids": false,
        "type": "text",
        "uuid": "7465d7fc-298d-4957-a9eb-063f0f7c545c",
        "value": "Name: Unmasking DPRK Cyber Threat Actors: Fake IT Worker Infrastructure\nAuthor: AlienVault\nAdversary: DPRK\nTags: [\"dprk\", \"astrill vpn\", \"vpn infrastructure\", \"freelance platforms\", \"fake it workers\", \"cryptocurrency fraud\", \"residential proxies\", \"sanctions evasion\"]\nTgtd countries: [\"United States of America\", \"Latvia\"]\nMlwr families: []\nAttack_ids: [\"T1132.001\", \"T1590.005\", \"T1566.002\", \"T1598.003\", \"T1586.002\", \"T1497.003\", \"T1090.002\", \"T1583.003\", \"T1588.002\", \"T1090.003\", \"T1562.001\", \"T1102.002\", \"T1573.002\", \"T1070.004\", \"T1071.001\", \"T1078.003\"]\nIndustries: [\"Finance\", \"Technology\"]"
      },
      {
        "category": "Attribution",
        "comment": "Adversary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776942027",
        "to_ids": false,
        "type": "threat-actor",
        "uuid": "d384fc76-57e8-4951-95dd-d01ee58f334f",
        "value": "DPRK"
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777321595",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "09bb1a13-228d-4f11-b90f-79791f6bbb35",
        "value": "216.158.225.144",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777321616",
        "to_ids": true,
        "type": "url",
        "uuid": "7a00b825-b549-4fff-98f9-a0c694076218",
        "value": "https://flare.io/learn/resources/north-korean-infiltrator-threat",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777321637",
        "to_ids": true,
        "type": "domain",
        "uuid": "2b97e998-4fff-42e8-a490-8b205b3e7f21",
        "value": "luckyguys.site",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777321658",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "7b0d1de0-beef-4e07-b7ae-3aa1bdae4877",
        "value": "163.245.219.19",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      }
    ]
  }
}