Shared Lazarus Kimsuky Attack Infrastructure

Hunt.io and Acronis mapped a broad DPRK operational infrastructure linking Lazarus, Kimsuky, and related subgroups through reused open directories, credential-harvest toolkits, FRP tunneling nodes, and certificate-linked clusters. The investigation exposed a new Linux Badcall variant, widespread MailPassView/WebBrowserPassView staging, identical FRP deployments on port 9999, and certificate pivots that reveal larger Lazarus ecosystems. #Lazarus #Badcall

Keypoints

  • Hunt.io and Acronis collaborated to pivot on infrastructure (IPs, open directories, certificates, hashes) and link activity across DPRK-linked groups including Lazarus and Kimsuky.
  • Recurring operational patterns identified: exposed open directories used for tool staging, repeated credential-harvest toolkits, FRP tunneling nodes on identical ports, and certificate reuse tying clusters together.
  • Analysis revealed a new Linux variant of the Badcall backdoor that daemonizes and writes timestamped entries to /tmp/sslvpn.log, improving operator monitoring of the implant.
  • Open directories hosted large credential-exfiltration suites and RAT tooling (MailPassView, WebBrowserPassView, Quasar, rclone, etc.) on multiple IPs (e.g., 207.254.22[.]248:8800, 149.28.139[.]62:8080, 154.216.177[.]215:8080).
  • Fast Reverse Proxy (FRP) binaries were identically deployed across eight VPS hosts on port 9999, indicating scripted/automated provisioning for robust C2 tunneling.
  • Defender guidance: monitor for exposed HTTP directories with repeated tool layouts, identical FRP binaries on port 9999, certificate subject reuse across RDP/TLS hosts, and recurring hosting-provider patterns.
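The defender guidance above describes pivots rather than code. As an added illustration that is not from the Hunt.io/Acronis report, the following Python clusters constructed host observations on the same artifacts the report pivoted on: repeated credential-toolkit layouts in open directories, identical binaries on FRP port 9999, and TLS subject reuse. IPs on the page are used as-is; the 203.0.113.x / 198.51.100.x hosts, the hash strings and the second certificate CN are placeholders.

```python
from collections import defaultdict

# Tool names the report saw staged repeatedly in DPRK-linked open directories.
CRED_HARVEST_TOOLS = {"MailPassView.exe", "WebBrowserPassView.exe", "Quasar.exe"}
FRP_PORT = 9999  # FRP was deployed identically on this port across eight VPS hosts

# Constructed observations: first two hosts are from the report; the rest are
# RFC 5737 placeholder addresses, and the port-9999 binary hashes are placeholders.
OBSERVATIONS = [
    {"host": "207.254.22.248:8800", "opendir": ["MailPassView.exe", "WebBrowserPassView.exe", "rclone.exe"],
     "ports": {}, "cert_cn": None},
    {"host": "149.28.139.62:8080", "opendir": ["MailPassView.exe", "Quasar.exe"],
     "ports": {}, "cert_cn": None},
    {"host": "203.0.113.10", "opendir": [], "ports": {9999: "FRP_HASH_PLACEHOLDER_A"},
     "cert_cn": "hwc-hwp-7779700"},
    {"host": "203.0.113.11", "opendir": [], "ports": {9999: "FRP_HASH_PLACEHOLDER_A"},
     "cert_cn": "hwc-hwp-7779700"},
    {"host": "198.51.100.5", "opendir": ["index.html"], "ports": {443: "WEB_HASH_PLACEHOLDER"},
     "cert_cn": "placeholder-benign-cn"},
]


def host_flags(obs):
    """Return the report's per-host indicators triggered by one observation."""
    flags = []
    # Two or more of the known credential-harvest tools side by side is the
    # "repeated tool layout" pattern; a single stray binary is not enough.
    if len(CRED_HARVEST_TOOLS & set(obs["opendir"])) >= 2:
        flags.append("repeated-credential-toolkit-layout")
    if FRP_PORT in obs["ports"]:
        flags.append("frp-on-9999")
    return flags


def suspicious_hosts(observations):
    """Map each host that triggered at least one indicator to its flags."""
    return {o["host"]: host_flags(o) for o in observations if host_flags(o)}


def pivot_clusters(observations):
    """Group hosts sharing a pivotable artifact: the same binary hash on port 9999
    or the same TLS subject CN. A pivot only counts when it ties 2+ hosts together."""
    clusters = defaultdict(set)
    for obs in observations:
        frp_hash = obs["ports"].get(FRP_PORT)
        if frp_hash:
            clusters[("frp_hash", frp_hash)].add(obs["host"])
        if obs["cert_cn"]:
            clusters[("cert_cn", obs["cert_cn"])].add(obs["host"])
    return {key: sorted(hosts) for key, hosts in clusters.items() if len(hosts) > 1}
```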

MITRE Techniques

  • [T1583] Acquire Infrastructure – DPRK operators provisioned VPS hosts, staging servers, FRP nodes, and certificates to build and reuse operational infrastructure (‘operational assets that had not been connected publicly before, revealing active tool-staging servers, credential theft environments, FRP tunneling nodes, and certificate-linked infrastructure fabric controlled by DPRK operators’).
  • [T1078] Valid Accounts – Exposed RDP and operator login access was used for hands-on management of nodes and staging systems (‘The consistent exposure of RDP across these hosts suggests they are not passive servers but systems intended for operator access or staging’).
  • [T1572] Protocol Tunneling – FRP was used to tunnel traffic and maintain covert C2 connectivity across restrictive networks (‘FRP usually sits between the compromised host and the operator, giving Lazarus a dependable way to maintain access even when outbound traffic is filtered or restricted’).
  • [T1056] Input Capture / Credential Harvesting – DPRK actors deployed credential-recovery utilities and browser password-stealers to harvest credentials (‘credential-recovery utilities, “MailPassView” and “WebBrowserPassView” both used by the Lazarus group for credential harvesting’).
  • [T1553] Subvert Trust Controls – Reused TLS/certificate artifacts and certificate pivots were used to link clusters and enable long-term access while evading simple attribution (‘certificate reuse that links separate clusters back to the same operators’ and ‘certificate pivots reflect the infrastructure choices DPRK groups use for Defense Evasion and long-term access’).

Indicators of Compromise

  • [File Hash] notable malware/tool hashes – a3876a2492f3c069c0c2b2f155b4c420d8722aa7781040b17ca27fdd4f2ce6a9 (New Linux Badcall), bc7bd27e94e24a301edb3d3e7fad982225ac59430fc476bda4e1459faa1c1647 (MailPassView), and 7 more hashes.
  • [IP Address:Port] hosted backdoors, open directories, and FRP nodes – 23.27.140[.]49:8080 (Badcall host with ELF open directory), 207.254.22[.]248:8800 (exposed credential-theft toolkit opendir), and other IP:port entries across the report (dozens more IPs).
  • [Domain] pivot domain linked to Lazarus – secondshop[.]store used as an entry/pivot domain to certificate-linked infrastructure.
  • [File Name] staged tooling and operator binaries – MailPassView.exe, WebBrowserPassView.exe, Quasar.exe (Quasar RAT tooling), and many additional credential/exfiltration utilities staged in open directories.
  • [Certificate Subject] TLS/certificate pivot – subject.common_name == “hwc-hwp-7779700” used to pivot and surface 12 IPs tied to RDP/TLS exposure and Lazarus-linked infrastructure.


Read more: https://hunt.io/blog/dprk-lazarus-kimsuky-infrastructure-uncovered