
North Korea runs one of the world’s most aggressive cyber operations. From billion-dollar cryptocurrency theft to high-profile supply chain compromises, its state-backed operators hammer security teams with a potent blend of espionage, financial crime and destructive campaigns.
The likes of Lazarus and Kimsuky sit at the center of the DPRK ecosystem. And they show no mercy — targeting anyone from startups to government organizations and critical IT infrastructure — in pursuit of revenue, intelligence, and strategic leverage.
Chief Information Security Officer at Acronis.
The constant pressure these groups apply has shaped how organizations defend themselves. To date, the playbook has been largely reactive and malware-centric.
Blue teams focus efforts on dissecting payloads, reverse engineering samples and racing to detect the next variant. But new research into DPRK activity suggests defenders may be tracking the wrong signal.
In fact, one of the most reliable ways to track these actors is through the infrastructure they leave behind.
The blind spot in modern defense
Many organizations are investing heavily in endpoint protection and malware detection, which is essential for fending off imminent threats. However, far less attention is paid to infrastructure level telemetry.
It’s this deep analysis, which can highlight consistent operational behaviours, that many security teams are missing out on.
A joint investigation by the Acronis Threat Research Unit and Hunt.io set out to map ongoing DPRK infrastructure. It uncovered persistent infrastructure reuse linking campaigns over time: shared certificates spanning twelve IP addresses, identical Fast Reverse Proxy (FRP) tunnelling nodes deployed across multiple hosts, and exposed staging servers hosting gigabytes of operational tooling.
Why does this matter?
Payloads are engineered to mutate and evade signature-based detection. Infrastructure, by contrast, reflects habits — repeatable configurations, templated deployments and reused communication channels that persist across campaigns.
Even mature internet security programs often center response strategies around payload analysis and alert triage, which can leave preparation activity invisible until an intrusion is underway. This may explain why DPRK operators continue to reuse infrastructure for years, even after major supply chain incidents.
Open directories expose operational staging
Take exposed HTTP directories, for example. While investigating, researchers repeatedly found servers hosting structured toolkits that included credential harvesting utilities, remote access tools, exfiltration binaries and tunnelling components.
In one case, the exposed environment contained thousands of files and nearly two gigabytes of operational tooling. It resembled a live operator workspace rather than a simple malware drop location. In practical terms, it felt less like discovering a single malicious file and more like stumbling into an active DPRK toolkit mid-operation.
This discovery shows how DPRK operators optimize for speed. Open directories reduce friction and allow attackers to retrieve tools quickly during an intrusion without maintaining complex delivery infrastructure.
It also shows operational maturity. If attackers are comfortable staging tooling at this scale, it points to a focus on efficiency and repeatability — and that they do not expect defenders to be monitoring these environments consistently.
Tunnelling infrastructure shows how campaigns scale
Tunnelling infrastructure provides one of the clearest examples of infrastructure reuse in practice.
In the joint investigation, researchers identified eight identical Fast Reverse Proxy (FRP) nodes running on the same port across different hosts. FRP is commonly used to create reverse tunnels that allow operators to maintain access to compromised systems, even when inbound connections are restricted. Finding the same configuration replicated across multiple servers points to templated deployment rather than ad-hoc setup.
The good news is that when tunnelling nodes are provisioned in the same way across campaigns, they create predictable artefacts that defenders can track. Even if domains rotate and malware families evolve, the underlying access layer may remain consistent.
In the case of DPRK infrastructure, repeatability points to operational efficiency — but it also offers defenders a more durable hunting signal than any single malicious binary.
Infrastructure is the connective tissue
Across four separate hunts, the same patterns kept resurfacing. Exposed staging directories packed with credential theft tooling. Fast Reverse Proxy tunnels configured identically across different VPS hosts. Reused certificates linking twelve IP addresses back to the same operational clusters.
These were not isolated discoveries. They were recurring elements of a structured ecosystem.
And that’s why it’s so important to look deeper. Once the pivot moves from payloads to infrastructure, the separation between DPRK subgroups becomes less distinct and shared operational habits start to surface. Campaigns that appear unrelated at the malware level begin to reveal common certificates, showing how activity often treated as separate is in fact closely linked.
Operational security among DPRK cyber operators has evolved unevenly over the past decade, revealing a trade-off between stealth and operational efficiency. Early Lazarus campaigns in the mid-2010s were marked by comparatively noisy infrastructure and bespoke malware, making attribution possible but often slow and reliant on payload analysis and victim-side forensics.
As global scrutiny increased following high-profile incidents, DPRK actors adapted by hardening malware, adopting layered obfuscation and increasingly abusing legitimate platforms and open source tooling to blend into normal traffic. At the same time, repeated investigations point to a persistent weakness in infrastructure OPSEC: long-lived staging servers, reused certificates, identical Fast Reverse Proxy tunnelling nodes and exposed directories that reappear across campaigns and even across subgroups such as Lazarus and Kimsuky.
Incidents like the Kimsuky “Kim” leak highlight this imbalance, where sophisticated social engineering and credential theft operations were undermined by recoverable operator artefacts and poorly compartmentalized infrastructure.
Taken together, the record of the past decade suggests DPRK actors have become more disciplined at the payload and intrusion layer, but remain consistently exposed at the infrastructure layer, giving defenders a durable, campaign-spanning advantage.
Malware will continue to evolve. Lures will change. Domains will rotate. Infrastructure, however, leaves consistent patterns. In the case of Lazarus and Kimsuky, and beyond, these patterns make it possible to connect activity, surface related clusters and identify supporting infrastructure before it is fully weaponized.
That is why infrastructure hunting is no longer a supporting discipline. It is the vantage point that allows defenders to see how operations are built, sustained and scaled.