The investigation links the domain luckyguys[.]site and associated IPs to payments and infrastructure used by DPRK-linked fake IT workers, with concentrated VPN usage and residential IPs observed communicating with the hosts. Activity dropped sharply after public exposure, indicating rapid adversary abandonment and operational sensitivity. #DPRK #Workana
Keypoints
- Domain luckyguys[.]site was identified as linked to payments associated with DPRK-linked fake IT workers and resolved to 163.245.219[.]19 during analysis.
- VPN usage to the infrastructure was highly concentrated: Astrill 37.5%, Mullvad 32.25%, Proton VPN 6.25%.
- Network traffic to the identified IPs declined sharply after public reporting on April 8, consistent with rapid infrastructure abandonment following attribution.
- American and Latvian residential IP addresses communicated with the infrastructure; netflow showed frequent Astrill VPN use and connections to cloud services including Gmail, ChatGPT, and Workana.
- Additional infrastructure tied to the same X.509 name (luckyguys[.]site) was found at 216.158.225[.]144 and similarly showed a drop in traffic after disclosure.
- Telemetry supports an assessment of a distributed network of remote IT workers or facilitators, likely using home-based “laptop farms,” with operational overlap with known DPRK fake IT worker tradecraft.
- Recommended actions include monitoring behavioral patterns and connections to 163.245.219[.]19 and 216.158.225[.]144, treating residential IPs and VPN overlaps as risk signals, and scrutinizing freelance hiring pipelines.
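The monitoring recommendation above turns into a small amount of detection logic: match destination addresses against the two IOC IPs, match DNS query names against the domain, and treat a VPN-provider or residential source as an extra risk signal rather than a verdict on its own. The following is an added example written for this summary, not code from Team Cymru's write-up; it assumes (not from the page) that flow records have already been enriched with an organisation label and a residential flag for the source address, and the sample flows are constructed to exercise the logic, not real telemetry.

```python
# Added example, not Team Cymru's code: match constructed netflow-style
# records against the IOCs in this summary and compute the VPN-provider
# share of sources talking to them.
# Assumptions not taken from the page: each record is already enriched
# with an organisation label (`org`) and a `residential` flag for the
# source address; VPN providers are recognised by that label.
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 1.2.3[.]4 back into a usable one."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


# IOCs as listed in the write-up, kept in their defanged form.
IOC_IPS = {ip_address(refang(s)) for s in ("163.245.219[.]19", "216.158.225[.]144")}
IOC_DOMAINS = {refang("luckyguys[.]site")}
VPN_PROVIDERS = {"Astrill", "Mullvad", "Proton VPN"}


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    dst_port: int
    org: str           # enrichment label for src_ip (assumed present)
    residential: bool  # enrichment flag for src_ip (assumed present)


def domain_hit(qname: str) -> bool:
    """True if a DNS query name is an IOC domain or a subdomain of one."""
    q = qname.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in IOC_DOMAINS)


def flow_signals(flow: Flow) -> list[str]:
    """Risk signals raised by one flow; empty unless the destination is an IOC."""
    signals = []
    if ip_address(flow.dst_ip) in IOC_IPS:
        signals.append("ioc_ip")
        if flow.org in VPN_PROVIDERS:
            signals.append("vpn_source")
        if flow.residential:
            signals.append("residential_source")
    return signals


def signal_counts(flows) -> Counter:
    """How often each signal fired across a batch of flows."""
    return Counter(s for f in flows for s in flow_signals(f))


def vpn_breakdown(flows) -> dict[str, float]:
    """Percentage of IOC-bound flows per VPN provider, rounded to 2 places."""
    hits = [f for f in flows if "ioc_ip" in flow_signals(f)]
    if not hits:
        return {}
    by_org = Counter(f.org for f in hits if f.org in VPN_PROVIDERS)
    return {org: round(100.0 * n / len(hits), 2) for org, n in by_org.items()}


def _batch(n, org, residential=False, dst="163.245.219.19", base=10):
    """Constructed flows from TEST-NET-2 sources; not real telemetry."""
    return [Flow(f"198.51.100.{base + i}", dst, 443, org, residential) for i in range(n)]


# Constructed sample: 16 flows reach the IOC IPs, one does not.
SAMPLE_FLOWS = (
    _batch(6, "Astrill")
    + _batch(5, "Mullvad", dst="216.158.225.144", base=20)
    + _batch(1, "Proton VPN", base=30)
    + [Flow("203.0.113.7", "163.245.219.19", 443, "US residential ISP", True),
       Flow("203.0.113.8", "216.158.225.144", 443, "LV residential ISP", True)]
    + _batch(2, "Generic hosting", base=40)
    + [Flow("203.0.113.9", "8.8.8.8", 53, "Generic hosting", False)]
)

if __name__ == "__main__":
    print(signal_counts(SAMPLE_FLOWS))
    print(vpn_breakdown(SAMPLE_FLOWS))
    print(domain_hit("www.luckyguys.site"), domain_hit("notluckyguys.site"))
```

The IOC match is the only hard hit; the VPN and residential labels are layered on as context because, as the write-up itself notes, residential addresses and VPN exits are signals to weigh, not proof of a fake worker. In production the `org` and `residential` fields would come from an ASN or IP-reputation enrichment step, and `vpn_breakdown` over a day of flows gives the same kind of provider share the report cites.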
MITRE Techniques
- [T1583] Acquire Infrastructure – Use of a domain and dedicated IPs to support operations (‘the domain resolved to 163.245.219[.]19’).
- [T1090] Proxy – Use of VPNs and residential IPs to obfuscate origin and route traffic (‘Astrill VPN: 37.5%; Mullvad: 32.25%; Proton VPN: 6.25%’).
- [T1078] Valid Accounts – Use of freelancer profiles and remote employment under false identities to obtain access and cover (‘maintaining freelancer profiles on platforms like Workana to obtain remote employment under false identities’).
- [T1071] Application Layer Protocol – Use of cloud and web services for communication and development support (‘Connectivity to cloud services associated with: Gmail, ChatGPT, Workana’).
Indicators of Compromise
- [Domain] payment-linked infrastructure – luckyguys[.]site
- [IPv4 address] identified infrastructure IPs – 163.245.219[.]19, 216.158.225[.]144
- [X.509 certificate] certificate name shared across the infrastructure – luckyguys[.]site (used to pivot from the first IP to the second)
- [Residential IPs] hosts observed communicating with the infrastructure – one American residential IP, one Latvian residential IP (specific addresses not published)
- [VPN providers] privacy/proxy services frequently used to reach the infrastructure – Astrill (37.5%), Mullvad (32.25%), Proton VPN (6.25%)
Read more: https://www.team-cymru.com/post/dprk-fake-it-worker-cyber-threat-actors-infrastructure