lazarusholic

Everyday is lazarus.dayβ

Exposed DPRK reference malware and logs

2026-02-16, Kmsec
https://kmsec.uk/blog/dprk-opsec-2/
#FamousChollima #NPM

Contents

The LNK file mentioned in part 1 is not the only operational security (opsec) mishap by FAMOUS CHOLLIMA (hence why it's part 1 and this is part 2). In fact there are many before and after these events but I'm tackling them in the order they appear in my brain.
Below I disclose two historical accidental exposures in brief. As before, this isn't exactly actionable intelligence, but colourful detail for those who are tracking FAMOUS CHOLLIMA closely like me.
Summary
- Two exposed files reveal FAMOUS CHOLLIMA's operational procedures
- Firstly, an `ordinary.txt` JavaScript source file that was exposed from July-September 2025, likely used as a reference point before modification and obfuscation
- Secondly, a log file that reveals the OS and username of a FAMOUS CHOLLIMA operator: Windows and `dvant`, respectively
ordinary.txt
Several packages published from July to September 2025 contain the same `ordinary.txt` file:
| name | version | released | maintainer | |
|---|---|---|---|---|
| vite-postcss-nested | 0.0.2 | 2025-07-15 …

IoC
