lazarusholic

In-Depth Analysis of the APT Down - The North Korea Files leak

2025-09-22, ENKI
https://www.enki.co.kr/en/media-center/blog/in-depth-analysis-of-the-apt-down-the-north-korea-files-leak
#APTDown #Kimsuky

Overview
This report provides a follow-up analysis of the data from the "APT Down - The North Korea Files" leak, originally published in Phrack Magazine. The leak included the actor's VMware VM and VPS dump files, which allowed for an in-depth analysis of their activities and helped infer the threat actor behind the operations.
Notably, the leaked files contained rootkit source code that was a direct match for a rootkit identified by our firm during a 2022 incident investigation at a South Korean financial institution. The code logic and even the encryption keys were identical. Furthermore, we discovered the source code for an updated 2025 version of this rootkit.
Other findings include an exploit for an Ivanti 1-day vulnerability, what appears to be exfiltrated source code from the Ministry of Foreign Affairs website and the GPKISecureWebX solution, and evidence of phishing attacks targeting the Public Prosecutor's Office and the Defense Counterintelligence Command. These …

IoC

https://service.navers.org/emuy.php?i={user
http://45.133.194.126
https://mail.daum.net
https://mail.yonsei.ac.kr/common/json/agent.do
http://nid.navermails.com
http://203.234.192.200
http://27.255.80.170
http://45.133.194.88
http://nid-security.com
http://192.168.123.200/ok.sct
192.168.50.1
27.255.80.170
203.234.192.200
192.168.123.200
45.133.194.126
45.133.194.88
[email protected]
603deb15153a715e2b73aef3857d758b1f552c573e6158d72d9811a33914defe
efa3c987532cc0bdac533845ad8df5ea
d03deb92153a71458973aef3857d75b27e552cc63e6158a8339811873994de47