The Infostealer to APT Pipeline: How Lazarus Group Hijacked a Yemen Disinformation Network
Hudson Rock investigations reveal how a single infected computer in Yemen served as the bridge between a 2019 disinformation campaign and North Korea’s Lazarus Group.
In the world of Threat Intelligence, we often view Advanced Persistent Threats (APTs) as omnipotent operators who build their own sophisticated infrastructure. The reality, however, is far more opportunistic.
Following our recent exposure of a compromised North Korean hacker, Hudson Rock has uncovered another striking example of the “Infostealer to APT Pipeline.”
We have identified a specific computer in Yemen, infected by infostealer malware in 2020 and again in 2023, whose stolen credentials granted administrative access to a network of news domains previously used for a massive disinformation campaign. Our analysis indicates that these same credentials were subsequently weaponized by the Lazarus Group (North Korea) to fuel its own operations.
Visualizing the Attack Chain
2019: Disinformation
Yemen-based actors establish alnagm-press.com to impersonate Arab …