Stressed Pungsan: DPRK-aligned threat actor leverages npm for initial access
Key Points and Observations
- On July 7, 2024, npm user nagasiren978 published two malicious packages to the npm registry on npmjs.org.
- These packages, "harthat-hash" and "harthat-api", contain malicious code that installs additional malicious software from a command and control (C2) server.
- This C2 server mostly served malicious batch scripts and one DLL, indicating a victim target set of Windows.
- The tactics, techniques, and procedures (TTPs) behind the malicious packages, C2 infrastructure, and targeting sets align closely with what Microsoft calls MOONSTONE SLEET, an actor aligned with the Democratic People's Republic of Korea (DPRK, also referred to as North Korea).
- We internally name this cluster Stressed Pungsan. (We align nation-state threat actor clusters with their national breeds, and the Pungsan is a dog native to North Korea.)
Background
The Datadog Security Research team continuously tracks how threat actors abuse the software supply chain ecosystem to distribute malware and gain footholds into developer and cloud environments. …
IoC
- IP address: 142.111.77.196
- SHA-256: d2a74db6b9c900ad29a81432af72eee8ed4e22bf61055e7e8f7a5f1a33778277
- URL: http://142.111.77.196/user/user.asp?id=237596
- URL: http://142.111.77.196/user/user.asp?id=G6A822B