Cyberwarfare / Nation-State Attacks, Fraud Management & Cybercrime, Social Engineering

Void Dokkaebi Campaigns Using Russia for Cryptocurrency Theft

North Korean hackers look north toward Russia for the internet infrastructure behind the many online scams that Pyongyang has built to funnel stolen cash into the rogue nation.
Trend Micro in a Wednesday report traced cybercrime activities aligned with North Korea to IP addresses assigned to an organization in the Russian city of Khabarovsk, which has cultivated ties with North Korea since the demise of the Soviet Union. It also traced activity to Khasan, a hamlet just across the Russian border from the Hermit Kingdom that’s the site of the “Korea–Russia Friendship Bridge.” A major Russian telecommunications firm laid a fiber-optic cable across the bridge in 2017.
Researchers said hackers behind campaigns related to the Void Dokkaebi intrusion set, also known as Famous Chollima, use Russian IP address ranges cloaked by a VPN, a proxy or a remote desktop protocol session to evade detection and attribution. Five Russian IP ranges serve as the backbone of campaigns that include social engineering, malware deployment and crypto wallet cracking.
North Korean hackers, including operators behind the $1.5 billion theft of Ether cryptocurrency from Bybit earlier this year, supply the regime with funds used to directly support leaders’ luxurious lifestyles and the country’s development of weapons of mass destruction, including nuclear weapons and ballistic missiles.
Void Dokkaebi hackers participate in the North Korean scam of social engineering IT job seekers into downloading malware-laced code, putatively as part of the interview process. They also obtain remote IT worker jobs at Western firms (see: Remote IT Worker Pretend: How to Spot Surging Insider Threat).
“We found that the Russian IP ranges connect to numerous VPS servers around the world using RDP and then do tasks from there, like communicating through apps like Skype, Telegram, Discord and Slack, contacting foreign IT professionals on job recruitment sites and connecting to cryptocurrency-related websites, for example, to empty stolen cryptocurrency wallets or launder money,” Trend Micro wrote.
Void Dokkaebi uses a front company called BlockNovas, complete with a slick website and presence on platforms like LinkedIn and Upwork, to lure developers into fake job interviews. Victims are tricked into downloading malware dubbed “BeaverTail” by Palo Alto Networks, a JavaScript-based backdoor hidden inside npm (Node package manager) packages.
Trend Micro researchers linked BlockNovas to known BeaverTail infrastructure and discovered that the company advertised a senior software engineer role targeting Ukrainian professionals as recently as December 2024. Investigators found that malware-laced tasks distributed during interviews injected obfuscated scripts that compromised victims’ systems.
In one case, attackers claimed a victim’s webcam needed a software update, which turned out to be malware named FrostyFerret on macOS or GolangGhost on Windows. These infections connected to the same command-and-control infrastructure used by BeaverTail and other tools in the campaign.
The infrastructure is extensive. Astrill VPN, a known tool used in North Korean campaigns, featured prominently in masking traffic across various layers. The attackers connected to remote management portals and uploaded credential-cracking tools like Hashtopolis to internal BlockNovas domains.
BlockNovas, supposedly based in South Carolina, has no corporate registration, and its listed address is an empty lot. The FBI seized the domain on April 23 as part of an international law enforcement crackdown on North Korean cyber actors.
