VMWare artifacts left by a FAMOUS CHOLLIMA operator
I've been tracking DPRK's npm packages for almost a year now and have amassed more than 1000 of them. Some reveal something more than just the payload, which is exciting!
Summary
- In May-June 2025, a FAMOUS CHOLLIMA operator left an LNK file in several published packages
- The LNK contains metadata that reveals operational procedures of a DPRK malware operator
This is perhaps the least actionable intel from my research; however, it represents one of the reasons I started tracking these npm packages in the first place: npm doesn't archive malicious packages for malware analysts and threat intelligence numpties like myself to examine. Once npm discovers a malicious package, they yank it from the registry and call it a day. Evidence is irrevocably purged from existence unless a third party is able to retrieve it first, which in this case, I did!
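The kind of metadata a stray `.lnk` gives away is worth seeing concretely. The following is an added example, not code from the original post and not the author's lnkinfo tooling: a minimal parser for the fields of the MS-SHLLINK format that matter for attribution (header timestamps, the LinkInfo volume serial and label, the local base path, string data such as the working directory, and the TrackerDataBlock, whose MachineID and object GUID leak the NetBIOS name and, for a version-1 UUID, the MAC address of the machine the shortcut was created on). The sample shortcut it parses is constructed inline; every value in it (`WIN-EXAMPLE01`, the serial, the paths, the MAC) is made up for the demonstration and is not from the real artifact.

```python
import struct
import uuid
from datetime import datetime, timedelta, timezone

LINK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046")  # ShellLinkHeader.LinkCLSID
TRACKER_SIG = 0xA0000003          # ExtraData TrackerDataBlock signature
HAS_LINK_INFO, HAS_WORKING_DIR, IS_UNICODE = 0x02, 0x10, 0x80
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UUID_V1_EPOCH = datetime(1582, 10, 15, tzinfo=timezone.utc)


def filetime_to_iso(ft):
    """FILETIME (100ns ticks since 1601) -> ISO-8601 UTC string."""
    return (FILETIME_EPOCH + timedelta(microseconds=ft // 10)).isoformat()


def read_cstr(data, pos):
    """NUL-terminated ANSI string at pos."""
    return data[pos:data.index(b"\0", pos)].decode("cp1252", "replace")


def build_sample_lnk():
    """Constructed sample shortcut (assumed values, not the real artifact)."""
    t = int((datetime(2025, 5, 20, 10, 30, tzinfo=timezone.utc)
             - FILETIME_EPOCH).total_seconds()) * 10_000_000
    flags = HAS_LINK_INFO | HAS_WORKING_DIR | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LINK_CLSID.bytes_le, flags,
                         0x20, t, t, t, 1234, 0, 1, 0, 0, 0, 0)
    label = b"OS\0"
    volume_id = struct.pack("<IIII", 16 + len(label), 3, 0xA1B2C3D4, 16) + label
    base = b"C:\\Users\\dev\\project\\index.js\0"
    hdr = 0x1C  # LinkInfoHeaderSize without the optional unicode offsets
    link_info = struct.pack("<IIIIIII", hdr + len(volume_id) + len(base) + 1, hdr, 1,
                            hdr, hdr + len(volume_id), 0,
                            hdr + len(volume_id) + len(base)) + volume_id + base + b"\0"
    wd = "C:\\Users\\dev".encode("utf-16-le")
    string_data = struct.pack("<H", len(wd) // 2) + wd
    # Object GUID is a UUID v1: its node field is the creating host's MAC (assumed value).
    obj_guid = uuid.UUID(fields=(0x1A2B3C4D, 0x5E6F, 0x11EE, 0x80, 0x01, 0x001122334455))
    vol_guid = uuid.UUID("9f3c5d3a-2c71-4e6b-8f2a-5c3b1d9e7a10")
    droid = vol_guid.bytes_le + obj_guid.bytes_le
    tracker = struct.pack("<IIII16s32s32s", 0x60, TRACKER_SIG, 0x58, 0,
                          b"WIN-EXAMPLE01", droid, droid)
    return header + link_info + string_data + tracker + struct.pack("<I", 0)


def parse_lnk(data):
    """Extract attribution-relevant fields from a .lnk blob into a dict."""
    h = struct.unpack_from("<I16sIIQQQIIIHHII", data, 0)
    if h[0] != 0x4C or uuid.UUID(bytes_le=h[1]) != LINK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = h[2]
    out = {"creation_time": filetime_to_iso(h[4]), "write_time": filetime_to_iso(h[6]),
           "file_size": h[7]}
    pos = 0x4C
    if flags & 0x01:                                   # HasLinkTargetIDList: skip it
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:
        li_size, _, li_flags, vol_off, base_off = struct.unpack_from("<IIIII", data, pos)
        if li_flags & 1:                               # VolumeIDAndLocalBasePath
            v = pos + vol_off
            _, drive_type, serial, label_off = struct.unpack_from("<IIII", data, v)
            out["drive_type"] = drive_type
            out["volume_serial"] = f"{serial >> 16:04X}-{serial & 0xFFFF:04X}"
            out["volume_label"] = read_cstr(data, v + label_off)
            out["local_base_path"] = read_cstr(data, pos + base_off)
        pos += li_size
    for bit, key in ((0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                     (0x20, "arguments"), (0x40, "icon_location")):
        if flags & bit:                                # StringData, in flag order
            n = struct.unpack_from("<H", data, pos)[0]
            pos += 2
            width = 2 if flags & IS_UNICODE else 1
            raw = data[pos:pos + n * width]
            out[key] = raw.decode("utf-16-le" if width == 2 else "cp1252", "replace")
            pos += n * width
    while pos + 8 <= len(data):                        # ExtraData blocks until terminal
        size, sig = struct.unpack_from("<II", data, pos)
        if size < 4:
            break
        if sig == TRACKER_SIG:
            out["machine_id"] = data[pos + 16:pos + 32].split(b"\0")[0].decode("ascii", "replace")
            obj = uuid.UUID(bytes_le=data[pos + 48:pos + 64])   # second GUID of Droid
            if obj.version == 1:
                node = obj.node
                out["mac_address"] = ":".join(f"{(node >> (8 * i)) & 0xFF:02x}"
                                              for i in reversed(range(6)))
                out["tracker_object_time"] = (
                    UUID_V1_EPOCH + timedelta(microseconds=obj.time // 10)).isoformat()
        pos += size
    return out


if __name__ == "__main__":
    for k, v in parse_lnk(build_sample_lnk()).items():
        print(f"{k:22} {v}")
```

Pointed at a real shortcut (`parse_lnk(open(path, "rb").read())`), the MachineID, volume serial and MAC are the fields to pivot on across samples: the same operator workstation reused across packages shows up as identical values even when the payload changes.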
logs-buffer - Shortcut.lnk
In May 2025 (yes, I have been very slow …
IoC
https://kmsec.uk/samples/dprk/8456fc178a8ea190fc15a140c39a9bc67a5508575cf81fd089003f9de6cfd51c.lnkinfo.txt
https://dprk-research.kmsec.uk/api/tarfiles/react-babel-purify/1.0.7
http://log-server-lovat.vercel.app
https://kmsec.uk/samples/dprk/8456fc178a8ea190fc15a140c39a9bc67a5508575cf81fd089003f9de6cfd51c.lnk
https://dprk-research.kmsec.uk/api/tarfiles/{package_name
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
f290db50ffe64d4fb5fe409d3d1c8eca6f6711e4bbd85a13c9dce055508cc1b3
8456fc178a8ea190fc15a140c39a9bc67a5508575cf81fd089003f9de6cfd51c