Inside DPRK Operations: New Lazarus and Kimsuky Infrastructure Uncovered Across Global Campaigns

    Date: 12/26/2025

    Severity: High

    Summary

    North Korean state-sponsored threat actors, including Lazarus and Kimsuky, continue to operate at a global scale, conducting espionage, financial crime, and access-driven attacks. While their malware, lures, and objectives evolve, these groups consistently reuse infrastructure such as IP addresses, certificates, open directories, and shared tooling. By pivoting across infrastructure indicators, multiple seemingly separate incidents were linked, exposing a broader, interconnected DPRK activity network. This infrastructure-centric analysis highlights persistent operational patterns that make DPRK campaigns trackable despite ongoing changes in tactics and malware.

    Indicators of Compromise (IOC) List

    URLs/Domains

    secondshop.store

    IP Addresses


    Hashes (SHA-256)


    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    domainname like "secondshop.store" or siteurl like "secondshop.store" or url like "secondshop.store"

    Detection Query 2:

    dstipaddress IN ("182.136.123.102","154.216.177.215","192.119.116.231","142.11.209.109","125.65.88.195","182.136.120.52","23.254.164.50","192.236.146.20","104.168.151.116","119.6.121.143","125.67.171.158","23.254.211.230","23.254.128.114","23.27.140.49","119.6.56.194","192.236.233.162","23.27.177.183","192.236.233.165","192.236.146.22","207.254.22.248","149.28.139.62","118.123.54.71","61.139.89.11","104.168.198.145","192.236.176.164","192.236.236.100") or srcipaddress IN ("182.136.123.102","154.216.177.215","192.119.116.231","142.11.209.109","125.65.88.195","182.136.120.52","23.254.164.50","192.236.146.20","104.168.151.116","119.6.121.143","125.67.171.158","23.254.211.230","23.254.128.114","23.27.140.49","119.6.56.194","192.236.233.162","23.27.177.183","192.236.233.165","192.236.146.22","207.254.22.248","149.28.139.62","118.123.54.71","61.139.89.11","104.168.198.145","192.236.176.164","192.236.236.100")

    Detection Query 3:

    sha256hash IN ("cc307cfb401d1ae616445e78b610ab72e1c7fb49b298ea003dd26ea80372089a","a5350b1735190a9a275208193836432ed99c54c12c75ba6d7d4cb9838d2e2106","a3876a2492f3c069c0c2b2f155b4c420d8722aa7781040b17ca27fdd4f2ce6a9","ff32bc1c756d560d8a9815db458f438d63b1dcb7e9930ef5b8639a55fa7762c9","85045d9898d28c9cdc4ed0ca5d76eceb457d741c5ca84bb753dde1bea980b516","24d5dd3006c63d0f46fb33cbc1f576325d4e7e03e3201ff4a3c1ffa604f1b74a","bc7bd27e94e24a301edb3d3e7fad982225ac59430fc476bda4e1459faa1c1647","36541fad68e79cdedb965b1afcdc45385646611aa72903ddbe9d4d064d7bffb9")
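The three detection queries above, as an added example that is not the advisory's or Gurucul's own code: a matcher in Python run over constructed log records, using a subset of the advisory's indicators. It keys on the same field names the queries use, matches domains by hostname (so a lookalike such as notsecondshop.store does not fire, while a subdomain does) and compares hashes case-insensitively, since SHA-256 values arrive in mixed case from different sources.

```python
import ipaddress
from urllib.parse import urlsplit

# Indicators copied from the advisory's IOC list (a subset, for illustration).
IOC_DOMAINS = {"secondshop.store"}
IOC_IPS = {ipaddress.ip_address(ip) for ip in (
    "23.27.140.49", "207.254.22.248", "192.236.146.20",
)}
IOC_SHA256 = {
    "a3876a2492f3c069c0c2b2f155b4c420d8722aa7781040b17ca27fdd4f2ce6a9",
    "cc307cfb401d1ae616445e78b610ab72e1c7fb49b298ea003dd26ea80372089a",
}

def host_of(value):
    """Return the lowercase hostname of a bare domain or a full URL."""
    if not value:
        return None
    host = urlsplit(value if "://" in value else "//" + value).hostname
    return host.lower().rstrip(".") if host else None

def domain_matches(value):
    # Exact host or any subdomain; a plain substring test would also hit lookalikes.
    host = host_of(value)
    return bool(host) and any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)

def ip_matches(value):
    if not value:
        return False
    try:
        return ipaddress.ip_address(value) in IOC_IPS
    except ValueError:  # field present but not an IP literal
        return False

def hash_matches(value):
    return bool(value) and value.strip().lower() in IOC_SHA256

def match_record(rec):
    """Return the query classes a record triggers: 'domain', 'ip', 'hash'."""
    hits = set()
    if any(domain_matches(rec.get(k)) for k in ("domainname", "siteurl", "url")):
        hits.add("domain")
    if any(ip_matches(rec.get(k)) for k in ("srcipaddress", "dstipaddress")):
        hits.add("ip")
    if hash_matches(rec.get("sha256hash")):
        hits.add("hash")
    return hits

# Constructed sample records (not from the advisory); the third is a lookalike host.
SAMPLE_LOGS = [
    {"srcipaddress": "10.0.0.5", "dstipaddress": "23.27.140.49", "url": "http://secondshop.store/update"},
    {"srcipaddress": "10.0.0.7", "dstipaddress": "8.8.8.8",
     "sha256hash": "A3876A2492F3C069C0C2B2F155B4C420D8722AA7781040B17CA27FDD4F2CE6A9"},
    {"srcipaddress": "10.0.0.9", "dstipaddress": "1.1.1.1", "domainname": "notsecondshop.store"},
]

def scan(records):
    """Index and sorted hit classes for every record that matches at least one query."""
    return [(i, sorted(h)) for i, r in enumerate(records) if (h := match_record(r))]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_LOGS):
        print(idx, hits)
```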

    Reference:

    https://hunt.io/blog/dprk-lazarus-kimsuky-infrastructure-uncovered#Indicators_of_Compromise_IOCs


    Tags

    Threat Actor, DPRK, APT, Lazarus Group, Kimsuky, North Korean, Cyber Espionage
