lazarusholic

Everyday is lazarus.dayβ

Inside DPRK Operations: New Lazarus and Kimsuky Infrastructure Uncovered Across Global Campaigns

2025-12-17, Hunt.io
https://hunt.io/blog/dprk-lazarus-kimsuky-infrastructure-uncovered
#Kimsuky #Lazarus #QuasarRAT

Contents

Published on Dec 17, 2025
Research Overview
Note: This report is the result of a collaborative investigation between Hunt.io and the Acronis Threat Research Unit, in which both teams worked together to map ongoing DPRK infrastructure activity, including Lazarus and Kimsuky.
Throughout the analysis, we surfaced clusters of operational assets that had not been connected publicly before, revealing active tool-staging servers, credential theft environments, FRP tunneling nodes, and certificate-linked infrastructure fabric controlled by DPRK operators.
These findings help outline how different parts of the DPRK operational infrastructure continue to intersect across campaigns and provide defenders with clearer visibility into the infrastructure habits these actors rely on.
Introduction
North Korean state-sponsored attackers run one of the most active operations globally, using hacking for intelligence, revenue, and access. Groups like Lazarus, Kimsuky, and …

IoC
