Russian Infrastructure Plays Crucial Role in North Korean Cybercrime Operations

    Date: 04/24/2025

    Severity: High

    Summary

    Multiple Russian IP address ranges—masked through VPNs, proxy servers, and VPS infrastructure—are being used in cybercrime operations aligned with North Korea's Void Dokkaebi group (also known as Famous Chollima). These IPs are linked to companies near the North Korea-Russia border and support IT workers operating from countries like China, Russia, and Pakistan. The infrastructure facilitates activities such as job scams, cryptocurrency theft, and brute-force attacks. Instructional materials and non-native English content suggest potential collaboration with foreign conspirators. Targets include IT professionals in Ukraine, the U.S., and Germany, particularly those involved in crypto, Web3, and blockchain.

    Indicators of Compromise (IOC) List

    URL/Domain

    lianxinxiao.com

    blocknovas.com

    gitlab.blocknovas.com

    bookings.blocknovas.com

    softglide.co

    worldenterprise-beta.com

    apply-blocknovas.site

    easydriver.cloud

    IP Address


    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1

    domainname like "lianxinxiao.com" or siteurl like "lianxinxiao.com" or url like "lianxinxiao.com"
    or domainname like "softglide.co" or siteurl like "softglide.co" or url like "softglide.co"
    or domainname like "blocknovas.com" or siteurl like "blocknovas.com" or url like "blocknovas.com"
    or domainname like "gitlab.blocknovas.com" or siteurl like "gitlab.blocknovas.com" or url like "gitlab.blocknovas.com"
    or domainname like "bookings.blocknovas.com" or siteurl like "bookings.blocknovas.com" or url like "bookings.blocknovas.com"
    or domainname like "worldenterprise-beta.com" or siteurl like "worldenterprise-beta.com" or url like "worldenterprise-beta.com"
    or domainname like "apply-blocknovas.site" or siteurl like "apply-blocknovas.site" or url like "apply-blocknovas.site"
    or domainname like "easydriver.cloud" or siteurl like "easydriver.cloud" or url like "easydriver.cloud"

    Detection Query 2

    dstipaddress IN ("74.119.192.244","45.61.151.174","172.86.80.145","193.178.210.229","94.232.247.192","45.61.150.31","5.253.43.122","74.119.194.244")
    or ipaddress IN ("74.119.192.244","45.61.151.174","172.86.80.145","193.178.210.229","94.232.247.192","45.61.150.31","5.253.43.122","74.119.194.244","185.153.182.241","185.235.241.208","37.221.126.117","45.12.141.170","88.119.169.226","95.164.18.177","95.164.33.66","95.217.124.253","171.22.127.221","175.45.176.21","175.45.176.22","188.43.33.250","188.43.136.115","188.43.136.116","5.180.24.82","5.253.41.207","37.221.125.200","45.8.146.117","45.8.146.226","45.83.140.51","45.142.213.118","94.131.96.32","94.131.101.119","103.35.188.149","103.35.191.100","103.47.67.26","103.231.72.236","166.88.61.53","171.22.120.200")
    or srcipaddress IN ("74.119.192.244","45.61.151.174","172.86.80.145","193.178.210.229","94.232.247.192","45.61.150.31","5.253.43.122","74.119.194.244","185.153.182.241","185.235.241.208","37.221.126.117","45.12.141.170","88.119.169.226","95.164.18.177","95.164.33.66","95.217.124.253","171.22.127.221","175.45.176.21","175.45.176.22","188.43.33.250","188.43.136.115","188.43.136.116","5.180.24.82","5.253.41.207","37.221.125.200","45.8.146.117","45.8.146.226","45.83.140.51","45.142.213.118","94.131.96.32","94.131.101.119","103.35.188.149","103.35.191.100","103.47.67.26","103.231.72.236","166.88.61.53","171.22.120.200")
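    The same matching logic as the two queries above, written here as an added Python example (not Gurucul's code or its query language) and run over constructed JSON log lines: URL-type fields are matched against the domain indicators as exact hosts or subdomains rather than bare substrings, and address-type fields against the IP indicators. The field names mirror the queries, the IPs are a subset of the advisory's list, and the sample events are made up.

```python
import ipaddress
import json
from urllib.parse import urlsplit
# Indicators copied from the advisory above (IPs are a subset of its list).
IOC_DOMAINS = {
    "lianxinxiao.com", "blocknovas.com", "gitlab.blocknovas.com",
    "bookings.blocknovas.com", "softglide.co", "worldenterprise-beta.com",
    "apply-blocknovas.site", "easydriver.cloud"}
IOC_IPS = {ipaddress.ip_address(ip) for ip in (
    "5.253.43.122", "45.61.150.31", "45.61.151.174", "94.232.247.192",
    "172.86.80.145", "193.178.210.229", "74.119.192.244", "74.119.194.244")}
DOMAIN_FIELDS = ("domainname", "siteurl", "url")          # fields from query 1
IP_FIELDS = ("dstipaddress", "ipaddress", "srcipaddress")  # fields from query 2

def host_from(value):
    """Lowercase hostname from a bare domain or a full URL."""
    if "://" in value:
        value = urlsplit(value).hostname or ""
    return value.strip().rstrip(".").lower()

def domain_matches(host):
    """Exact IOC domain or a subdomain of one; a bare substring test would
    also flag look-alikes such as 'notblocknovas.com', so it is avoided."""
    return host in IOC_DOMAINS or any(host.endswith("." + d) for d in IOC_DOMAINS)

def ip_matches(value):
    """True when the field holds one of the IOC addresses; bad input is no hit."""
    try:
        return ipaddress.ip_address(value.strip()) in IOC_IPS
    except ValueError:
        return False

def scan_event(event):
    """Return the names of the fields in one event that hit an indicator."""
    hits = [f for f in DOMAIN_FIELDS if f in event and domain_matches(host_from(event[f]))]
    hits += [f for f in IP_FIELDS if f in event and ip_matches(event[f])]
    return hits

def scan_log(lines):
    """Scan JSON-per-line events; return [(line_no, hit_fields)] for matches."""
    return [(n, h) for n, line in enumerate(lines, 1) if (h := scan_event(json.loads(line)))]

# Constructed sample events for demonstration; not taken from the advisory.
SAMPLE_LOG = [
    '{"srcipaddress": "10.0.0.5", "dstipaddress": "45.61.151.174", "url": "https://example.org/"}',
    '{"srcipaddress": "10.0.0.7", "url": "https://apply-blocknovas.site/careers/apply?id=1"}',
    '{"domainname": "notblocknovas.com", "ipaddress": "198.51.100.9"}',
    '{"domainname": "cdn.softglide.co", "srcipaddress": "not-an-ip"}',
]
```

    Running `scan_log(SAMPLE_LOG)` flags lines 1, 2 and 4; line 3 stays clean because the look-alike domain is not a subdomain of any indicator.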

    Reference:

    https://www.trendmicro.com/en_us/research/25/d/russian-infrastructure-north-korean-cybercrime.html


    Tags

    Threat Actor, Dokkaebi, Chollima, Russia, North Korea, China, Pakistan, Information Technology, Ukraine, Germany, United States, cryptocurrency
