🇰🇵 KP7 malware familiesExploits CVEs in the wild

DPRK

Also known asDemocratic People’s Republic of Korea (DPRK or North Korea)Democratic People’s Republic of Korea (DPRK)Democratic People’s Republic of Korea (DPRK) threat actorsdemocratic_people's_republic_of_korea_(dprk)dprkDPRK (Democratic People's Republic of Korea)DPRK (North Korean) actorsDPRK APTDPRK cyber threat actorsDPRK hacker groupDPRK intelligence agentsdprk_actorsdprk_affiliated_actorsdprk_affiliated_campaigndprk_operativesDPRK-aligned actorsDPRK-linked attackersDPRK-linked hackersNorth Korean State-Sponsored Threat Actorsnorth_korea

DPRK refers to North Korean state-sponsored cyber threat actors and DPRK-affiliated operators. Aliases in the provided content include Democratic People’s Republic of Korea (DPRK), North Korea, DPRK actors, DPRK-affiliated actors, DPRK-aligned actors, DPRK APT, DPRK cyber threat actors, DPRK operatives, and North Korean state-sponsored threat actors. The content describes DPRK as a nation-state threat, particularly prominent in financially motivated cyber operations and cryptocurrency theft, with reporting that North Korean hackers stole at least $2.02 billion in cryptocurrency in 2025, including the $1.5 billion Bybit theft, and that DPRK-linked thefts represented a major share of overall crypto losses. The content also states DPRK actors target defense, diplomatic, financial, and cryptocurrency-related entities, including expanded targeting in Europe to steal cryptocurrency and evade sanctions. The provided material also describes a sophisticated DPRK remote worker and insider infiltration program. According to the content, DPRK operatives use stolen or borrowed identities, deepfake-enabled video interviews, proxy chains, residential IPs, laptop farms, and fraudulent IT worker schemes to obtain remote employment at Western enterprises and technology companies, generate revenue for the regime, and in some cases establish persistent access, espionage opportunities, or sabotage capability. The content cites incidents and reporting involving fake job candidates, KnowBe4’s accidental hiring of a North Korean operative, Amazon’s detection of a North Korean imposter sysadmin, and law-enforcement action against facilitators supporting DPRK IT worker schemes. The content further attributes multiple software supply-chain and malware activities to DPRK or suspected DPRK-linked actors. These include a suspected DPRK-linked compromise of Axios npm packages via a malicious dependency and postinstall malware, a North Korean campaign involving 338 malicious npm packages, use of EtherHiding to conceal malware on blockchains, and React2Shell attacks involving EtherRAT. The material also states DPRK actors misuse AI to improve cyber operations, including phishing, reconnaissance, data extraction, and deepfake-enabled social engineering. Overall, the content portrays DPRK as a persistent nation-state cyber threat combining financially motivated theft, sanctions evasion, insider infiltration, software supply-chain compromise, malware deployment, and AI-enabled deception.

Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial

OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Who they target

Sectors the actor has been observed targeting.

Software & Services

Where they're from

Attributed origin per open-source reporting.

MITRE ATT&CK

Tradecraft

56 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

13 of 15 tactics74 techniques×N= number of intelligence reports citing this technique

MITRE ATT&CK

TA0043

Reconnaissance

3 techniques

T1589×2

Gather Victim Identity Information

T1590

Gather Victim Network Information

T1598×3

Phishing for Information

T1598.003

Spearphishing Link

TA0042

Resource Development

2 techniques

T1585×2

Establish Accounts

T1585.001

Social Media Accounts

T1586

Compromise Accounts

TA0001

Initial Access

7 techniques

T1078×7

Valid Accounts

T1133×2

External Remote Services

T1190

Exploit Public-Facing Application

T1195

Supply Chain Compromise

T1199×3

Trusted Relationship

T1200

Hardware Additions

T1566

Phishing

T1566.001

Spearphishing Attachment

T1566.002

Spearphishing Link

TA0002

Execution

4 techniques

T1053

Scheduled Task/Job

T1053.005

Scheduled Task

T1059×2

Command and Scripting Interpreter

T1059.001

PowerShell

T1059.005

Visual Basic

T1059.007

JavaScript

T1203×2

Exploitation for Client Execution

T1204

User Execution

T1204.002

Malicious File

TA0003

Persistence

3 techniques

T1053

Scheduled Task/Job

T1053.005

Scheduled Task

T1078×7

Valid Accounts

T1133×2

External Remote Services

TA0004

Privilege Escalation

3 techniques

T1053

Scheduled Task/Job

T1053.005

Scheduled Task

T1055

Process Injection

T1078×7

Valid Accounts

TA0005

Stealth

8 techniques

T1006

Direct Volume Access

T1027

Obfuscated Files or Information

T1027.007

Dynamic API Resolution

T1036×7

Masquerading

T1036.005

Match Legitimate Resource Name or Location

T1055

Process Injection

T1070

Indicator Removal

T1070.004×2

File Deletion

T1078×7

Valid Accounts

T1497

Virtualization/Sandbox Evasion

T1497.001×2

System Checks

T1497.003

Time Based Checks

T1622

Debugger Evasion

TA0006

Credential Access

1 technique

T1649×2

Steal or Forge Authentication Certificates

TA0007

Discovery

7 techniques

T1046×2

Network Service Discovery

T1057×2

Process Discovery

T1082

System Information Discovery

T1083

File and Directory Discovery

T1497

Virtualization/Sandbox Evasion

T1497.001×2

System Checks

T1497.003

Time Based Checks

T1580

Cloud Infrastructure Discovery

T1622

Debugger Evasion

TA0008

Lateral Movement

2 techniques

T1021×2

Remote Services

T1210

Exploitation of Remote Services

TA0011

Command and Control

5 techniques

T1071

Application Layer Protocol

T1071.001

Web Protocols

T1090×3

Proxy

T1090.002

External Proxy

T1105×2

Ingress Tool Transfer

T1219

Remote Access Tools

T1572×2

Protocol Tunneling

TA0010

Exfiltration

3 techniques

T1020

Automated Exfiltration

T1041

Exfiltration Over C2 Channel

T1537×3

Transfer Data to Cloud Account

TA0040

Impact

5 techniques

T1485×5

Data Destruction

T1486×5

Data Encrypted for Impact

T1491

Defacement

T1491.001

Internal Defacement

T1496

Resource Hijacking

T1657×3

Financial Theft

ARSENAL

Associated malware families

7 malware families attributed to this actor across reporting.

FamilyContextEvidenceLast seen

BeaverTail"Tech Note - BeaverTail variant distributed via malicious repositories and ClickFix lure... DPRK’s BeaverTail malware"3Mar 18, 2026

BlueNoroffHuntress wrote in a recent blog post describing the BlueNoroff targeted attack where threat actors tied to the Democratic People's Republic of Korea (DPRK) compromised a victim organization with malicious Zoom extensions and deepfakes.1Mar 18, 2026

CoreKitAgentThe researchers detail how NimDoor deploys two key binaries: a loader with the misspelled name GoogIe LLC (using an uppercase ‘i’ rather than lowercase ‘L’) and a trojan called CoreKitAgent.1Mar 18, 2026

EtherRAT“this payload, dubbed EtherRAT… is a persistent access implant… EtherRAT leverages Ethereum smart contracts for command-and-control (C2) resolution…”1Mar 8, 2026

HONESTCUEThe report identified attempts to coerce disclosure of internal reasoning, AI-assisted reconnaissance by DPRK, PRC, Iranian, and Russian actors, and AI-integrated malware such as HONESTCUE leveraging Gemini’s API for second-stage payload generation.1Mar 8, 2026

2 additional families tracked in Mallory.

WEAPONIZED

Associated vulnerabilities

1 CVE this actor has used in observed campaigns. 1 of them exploited in the wild.

CVE-2025-55182React2ShellIn the wildEvidence1

...began with an Application exploit a la React2Shell, found AWS credentials, pivoted to AWS, and ultimately stole source code.

IOCS

Observables

346 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting. View more in app.

346 IOCsView more in app

ip.v4

107 total

••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••+99

Domains

98 total

••••••.com•••••••.ru••••••••.com•••••••••.net••••••••••.com•••••••••••.ru••••••••••••.com••••••.ru+90

uri

92 total

••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••+84

hash.sha256

34 total

••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••+26

hash.md5

10 total

••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••+2

hash.sha1

5 total

••••••••••••••••••••••••••••••••••••••••••••••••••

IOC values are gated. View more in Mallory for domains, IPs, hashes, and other artifacts, or pipe them straight into your SIEM.

ACTIVITY FEED

Recent activity

19 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

19 SOURCESView more in app

cyberthroneNews

May 31, 2026

The Synthetic Threat: Voice on the call is Not Human - TheCyberThrone

Using deepfake job candidates and synthetic identities to infiltrate enterprise technology teams and gain insider access to production systems.

elastic security labsNews

Apr 2, 2026

How we caught the Axios supply chain attack - Elastic Security Labs

Suspected state-linked actor attributed in the content to the Axios npm supply chain compromise, involving takeover of a maintainer account and publication of malicious package versions that deployed cross-platform malware via a phantom dependency.

dark readingNews

Mar 5, 2026

Software Development Practices Help Enterprises Tackle Real-Life Risks

Referenced as an insider-threat example: a North Korean operator allegedly obtained employment as a software engineer (via apparently legitimate background checks), highlighting risks from fraudulent hiring/onboarding and potential access abuse.

the hacker newsNews

Feb 20, 2026

Ukrainian National Sentenced to 5 Years in North Korea IT Worker Fraud Case

Fraudulent remote IT worker operation using stolen/borrowed U.S. identities to obtain jobs at U.S. companies and freelance platforms, operate U.S.-based laptop farms to appear domestic, and launder wages through money transmitters to foreign accounts to fund DPRK weapons/munitions programs; evolving tradecraft includes using real LinkedIn accounts of impersonated individuals to increase application legitimacy.

+14 more in the timeline

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.

Start free trial

Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping56

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal7

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs1

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables346

Domains, IPs, and hashes tied to this actor, refreshed continuously.