Hunting North Korea's job adverts on Google Docs
Contents
Using my own platform to generate my own intel to publish my own reports. Itâs a closed loop!
Summary
- DPRK-nexus actor FAMOUS CHOLLIMA uses Google Docs to advertise fake jobs to steal data from developers as well as recruit facilicators for their malicious insider operations
- This post shows hunting tips on urlscan and dochunt (my collection of Google Docs), and highlights several documents I identified attributable FAMOUS CHOLLIMA.
Key takeaways
Tactical defenders will be interested in the technical steps I used to gather documents, link them together, and watch them over time to gather IOCs as FAMOUS CHOLLIMA edited them with new lures.
Those with a deeper interest in FAMOUS CHOLLIMAâs operational procedures will be interested in the longevity of the document lifetimes, suggesting long-lived and perhaps heavily used Google accounts for many parts of their playbook.
Additionally, the reuse of a specific, non-default image between a âproxy intervieweeâ advert and a Contagious Interview lure …
Summary
- DPRK-nexus actor FAMOUS CHOLLIMA uses Google Docs to advertise fake jobs to steal data from developers as well as recruit facilicators for their malicious insider operations
- This post shows hunting tips on urlscan and dochunt (my collection of Google Docs), and highlights several documents I identified attributable FAMOUS CHOLLIMA.
Key takeaways
Tactical defenders will be interested in the technical steps I used to gather documents, link them together, and watch them over time to gather IOCs as FAMOUS CHOLLIMA edited them with new lures.
Those with a deeper interest in FAMOUS CHOLLIMAâs operational procedures will be interested in the longevity of the document lifetimes, suggesting long-lived and perhaps heavily used Google accounts for many parts of their playbook.
Additionally, the reuse of a specific, non-default image between a âproxy intervieweeâ advert and a Contagious Interview lure …
IoC
http://hxxps://bitbucket.org/notion-dex/ultrax
http://hxxps://bitbucket.org/workspace1101/testing/src/dev/
http://hxxps://bitbucket.org/workspace622/testing/src/dev/
http://Web3.py
http://hxxps://bitbucket.org/workspace052/testing/src/dev/
http://hxxps://www.loom.com/share/5701c37802ee4de78ed57d6d5d526bf8
http://hxxps://bitbucket.org/dev-space0314/testing/src/dev/
http://hxxps://bitbucket.org/tech_workspace/testing/src/dev/
http://hxxps://www.landmarkworldwide.com/
http://hxxps://github.com/BetFin-ProWorkspace/Betfin-Poker
http://hxxps://drive.google.com/file/d/1ow5UOpvsXH_9ILKdpwkIekplcSVMm4F3/
http://hxxps://bitbucket.org/workspace503/real_estate-b_s/src/main/
http://hxxps://www.thelivingheart.life/
http://hxxps://bitbucket.org/workspace401/royal-city497-poc
http://hxxps://bitbucket.org/workspace814/technical-assessment436
http://hxxps://bitbucket.org/workspace403/royal-city497-poc
http://hxxps://0g.ai/
http://hxxps://bitbucket.org/royalcity-work302/royalcity-v1/src/main/
http://hxxps://bitbucket.org/web3_space/novax
http://hxxps://bitbucket.org/acebrian604/fm_dex/src/main/
http://hxxps://bitbucket.org/bestcity-work609/bestcity-v1/src/main/
http://hxxps://bitbucket.org/workspace401/technical-assessment496
http://hxxps://bitbucket.org/bg86889002000/propchain/src/master/
http://hxxps://bitbucket.org/workspace602/bestcity-v1/src/main/
http://hxxps://loom.com/
http://hxxps://bitbucket.org/workspace406/royal-city497-poc
http://hxxps://bitbucket.org/tech_workspace/testing/src
[email protected]
5701c37802ee4de78ed57d6d5d526bf8
de7f4a6cc9faa9e8cd165e77963b278f9c377978b1b4a0be58e41b4b1f4a525b
http://hxxps://bitbucket.org/workspace1101/testing/src/dev/
http://hxxps://bitbucket.org/workspace622/testing/src/dev/
http://Web3.py
http://hxxps://bitbucket.org/workspace052/testing/src/dev/
http://hxxps://www.loom.com/share/5701c37802ee4de78ed57d6d5d526bf8
http://hxxps://bitbucket.org/dev-space0314/testing/src/dev/
http://hxxps://bitbucket.org/tech_workspace/testing/src/dev/
http://hxxps://www.landmarkworldwide.com/
http://hxxps://github.com/BetFin-ProWorkspace/Betfin-Poker
http://hxxps://drive.google.com/file/d/1ow5UOpvsXH_9ILKdpwkIekplcSVMm4F3/
http://hxxps://bitbucket.org/workspace503/real_estate-b_s/src/main/
http://hxxps://www.thelivingheart.life/
http://hxxps://bitbucket.org/workspace401/royal-city497-poc
http://hxxps://bitbucket.org/workspace814/technical-assessment436
http://hxxps://bitbucket.org/workspace403/royal-city497-poc
http://hxxps://0g.ai/
http://hxxps://bitbucket.org/royalcity-work302/royalcity-v1/src/main/
http://hxxps://bitbucket.org/web3_space/novax
http://hxxps://bitbucket.org/acebrian604/fm_dex/src/main/
http://hxxps://bitbucket.org/bestcity-work609/bestcity-v1/src/main/
http://hxxps://bitbucket.org/workspace401/technical-assessment496
http://hxxps://bitbucket.org/bg86889002000/propchain/src/master/
http://hxxps://bitbucket.org/workspace602/bestcity-v1/src/main/
http://hxxps://loom.com/
http://hxxps://bitbucket.org/workspace406/royal-city497-poc
http://hxxps://bitbucket.org/tech_workspace/testing/src
[email protected]
5701c37802ee4de78ed57d6d5d526bf8
de7f4a6cc9faa9e8cd165e77963b278f9c377978b1b4a0be58e41b4b1f4a525b