
North Korean hackers impersonated recruiters to steal credentials from over 1,500 developer systems

by biztrendz

The attackers built a layered infrastructure

Based on data SecurityScorecard obtained by analyzing the attackers’ command-and-control infrastructure, the campaign ran in three waves. In November, attackers targeted 181 developers, primarily from European technology sectors. In December, the campaign expanded globally, targeting hundreds of developers, with certain hotspots such as India (284 victims). In January, a new wave added 233 more victims, including 110 systems in India’s technology sector alone.

“The attackers exfiltrated critical data, including development credentials, authentication tokens, browser-stored passwords, and system information,” the researchers said. “Once collected by the C2 servers, the data was transferred to Dropbox, where it was organized and stored. Persistent connections to Dropbox highlighted the attackers’ systematic approach, with some servers maintaining active sessions for over five hours.”
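The long-lived sessions to Dropbox that the researchers describe are a pattern a defender can hunt for in egress logs. The script below is an added example, not code from the article or from SecurityScorecard; the log format, hostnames and the five-hour threshold are constructed for illustration, and a real deployment would read proxy or NetFlow records instead of the embedded sample.

```python
# Added example (not from the article): flag outbound sessions from developer
# hosts to a watched file-sharing domain that stay open longer than a threshold,
# the "persistent Dropbox connections over five hours" pattern described above.
from datetime import datetime, timedelta

# Constructed log lines: timestamp, source host, destination domain, event.
SAMPLE_LOG = """\
2025-01-14T08:02:11Z dev-ws-17 dropbox.com SESSION_START
2025-01-14T08:05:40Z dev-ws-17 github.com SESSION_START
2025-01-14T08:06:02Z dev-ws-17 github.com SESSION_END
2025-01-14T13:31:09Z dev-ws-17 dropbox.com SESSION_END
2025-01-14T09:00:00Z dev-ws-22 dropbox.com SESSION_START
2025-01-14T09:12:30Z dev-ws-22 dropbox.com SESSION_END
"""

WATCHED_DOMAINS = {"dropbox.com"}   # assumed watch-list for this example
THRESHOLD = timedelta(hours=5)      # matches the article's "over five hours"

def parse_log(text):
    """Yield (timestamp, host, domain, event) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        yield ts, parts[1], parts[2], parts[3]

def long_sessions(text, threshold=THRESHOLD, watched=WATCHED_DOMAINS):
    """Return {(host, domain): duration} for watched-domain sessions longer than
    threshold. Events are ordered by time and matched START->END per (host, domain);
    an END with no matching START is ignored."""
    open_sessions, flagged = {}, {}
    for ts, host, domain, event in sorted(parse_log(text), key=lambda e: e[0]):
        if domain not in watched:
            continue
        key = (host, domain)
        if event == "SESSION_START":
            open_sessions[key] = ts
        elif event == "SESSION_END" and key in open_sessions:
            duration = ts - open_sessions.pop(key)
            if duration > threshold:
                flagged[key] = max(duration, flagged.get(key, timedelta(0)))
    return flagged

if __name__ == "__main__":
    for (host, domain), dur in long_sessions(SAMPLE_LOG).items():
        print(f"ALERT {host} -> {domain} session open for {dur}")
```

Only dev-ws-17 is flagged in the sample (about 5.5 hours to dropbox.com); the short dev-ws-22 session and the github.com traffic are not.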

Despite the attackers’ use of several VPN tunnels for obfuscation, their activity was traced back to several IP addresses in North Korea. The attackers connected through Astrill VPN endpoints, then through Oculus Proxy network IPs in Russia, and finally to the C&C servers hosted by a company called Stark Industries.
