lazarusholic

Everyday is lazarus.dayβ

North Korea's abuse of Cloudflare Workers and Pages

2026-05-01, Kmsec
https://kmsec.uk/blog/dprk-pages-dev-abuse/
#FamousChollima #NPM #PylangGhost

I took a break from my DPRK tracking hobby to amass a useless collection of public Google Docs in dochunt. But play time is over! DPRK gave me something fun to come back to. Thank you NK, very cool!

Summary
- A cluster of 5 npm packages abuse Cloudflare infrastructure (Pages/Workers) to deliver PylangGhost RAT
- Novel obfuscation techniques, encryption, runtime logic gates, and device fingerprinting are used to hinder detection
- This cluster showcases the latest techniques by FAMOUS CHOLLIMA to evade detection and strengthens attribution of Contagious Trader to FAMOUS CHOLLIMA
Before we begin, I should note that this isn't the first instance of FAMOUS CHOLLIMA abusing Cloudflare Workers, but I wanted to document their progress and this felt like a nice checkpoint to showcase that.
Here is the cluster of npm packages to be discussed:
| Name | npm maintainer | First weaponised version publish | Comment | Download npm package |
|---|---|---|---|---|
es6-runtimejs | jaosne …

IoC
