🇰🇵 KP7 malware familiesExploits CVEs in the wild

DPRK

Also known asDemocratic People’s Republic of Korea (DPRK or North Korea)Democratic People’s Republic of Korea (DPRK)Democratic People’s Republic of Korea (DPRK) threat actorsdemocratic_people's_republic_of_korea_(dprk)dprkDPRK (Democratic People's Republic of Korea)DPRK (North Korean) actorsDPRK APTDPRK cyber threat actorsDPRK hacker groupDPRK intelligence agentsdprk_actorsdprk_affiliated_actorsdprk_affiliated_campaigndprk_operativesDPRK-aligned actorsDPRK-linked attackersDPRK-linked hackersNorth Korean State-Sponsored Threat Actorsnorth_korea

North Korea, also referred to as the Democratic People’s Republic of Korea (DPRK), is a nation-state cyber threat actor ecosystem encompassing DPRK state-sponsored, affiliated, aligned, and linked actors. The content describes DPRK as a major cyber threat with activity spanning cryptocurrency theft, software supply-chain compromise, malware operations, social engineering, and fraudulent remote-worker infiltration. Known aliases in the provided content include Democratic People’s Republic of Korea (DPRK), DPRK actors, DPRK-affiliated actors, DPRK-aligned actors, DPRK cyber threat actors, DPRK-linked hackers, North Korea, and North Korean state-sponsored threat actors. The reporting attributes large-scale cryptocurrency theft to DPRK-connected hackers, including more than $2 billion stolen in 2025 and the $1.5 billion Bybit heist. The content states DPRK continues to pose the most significant nation-state threat to cryptocurrency security and uses stolen cryptocurrency to circumvent sanctions and fund state priorities. Reported laundering behavior includes use of Chinese-language money laundering services, bridge services, mixing protocols, smaller transfer tranches, and an approximately 45-day laundering cycle. The content also describes a sophisticated DPRK remote-worker program in which operatives use stolen identities, deepfake-enhanced interviews, proxy chains, residential IPs, and laptop farms to obtain remote jobs at Western and U.S. companies. These operations are described as generating revenue for the regime and, in some cases, enabling espionage, sabotage, insider access, and persistent access to production systems. Related activity includes fake job interview coding tests and fake front companies that lure candidates into running malicious code from attacker-controlled repositories. Additional DPRK-linked activity in the content includes suspected involvement in major software supply-chain compromises such as malicious npm package campaigns, including a campaign involving 338 malicious npm packages and reporting that the Axios npm compromise was attributed to a suspected DPRK-linked actor. The content also references DPRK use of EtherHiding and an Ethereum-based implant called EtherRAT in React2Shell attacks. Quantstamp assessed malware used in the Humanity Protocol compromise as characteristic of DPRK intrusions, and the project’s later AML-related response cited linkage to DPRK-affiliated actors. The content further notes that North Korean state-sponsored actors have misused AI to improve cyber operations, including phishing lure creation, reconnaissance, and data extraction, and that DPRK operatives have used deepfake job candidates to infiltrate enterprise technology teams.

Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial

OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Where they're from

Attributed origin per open-source reporting.

MITRE ATT&CK

Tradecraft

56 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

14 of 15 tactics74 techniques×N= number of intelligence reports citing this technique

MITRE ATT&CK

TA0043

Reconnaissance

3 techniques

T1589×2

Gather Victim Identity Information

T1590

Gather Victim Network Information

T1598×3

Phishing for Information

T1598.003

Spearphishing Link

TA0042

Resource Development

2 techniques

T1585

Establish Accounts

T1585.001

Social Media Accounts

T1586

Compromise Accounts

TA0001

Initial Access

7 techniques

T1078×8

Valid Accounts

T1133×2

External Remote Services

T1190

Exploit Public-Facing Application

T1195×2

Supply Chain Compromise

T1199

Trusted Relationship

T1200

Hardware Additions

T1566

Phishing

T1566.001

Spearphishing Attachment

T1566.002×2

Spearphishing Link

TA0002

Execution

4 techniques

T1053

Scheduled Task/Job

T1053.005

Scheduled Task

T1059×2

Command and Scripting Interpreter

T1059.001

PowerShell

T1059.005

Visual Basic

T1059.007

JavaScript

T1203×2

Exploitation for Client Execution

T1204

User Execution

T1204.002

Malicious File

TA0003

Persistence

3 techniques

T1053

Scheduled Task/Job

T1053.005

Scheduled Task

T1078×8

Valid Accounts

T1133×2

External Remote Services

TA0004

Privilege Escalation

3 techniques

T1053

Scheduled Task/Job

T1053.005

Scheduled Task

T1055

Process Injection

T1078×8

Valid Accounts

TA0005

Stealth

8 techniques

T1006

Direct Volume Access

T1027

Obfuscated Files or Information

T1027.007

Dynamic API Resolution

T1036×6

Masquerading

T1036.005

Match Legitimate Resource Name or Location

T1055

Process Injection

T1070

Indicator Removal

T1070.004×2

File Deletion

T1078×8

Valid Accounts

T1497

Virtualization/Sandbox Evasion

T1497.001×2

System Checks

T1497.003

Time Based Checks

T1622

Debugger Evasion

TA0006

Credential Access

1 technique

T1649×2

Steal or Forge Authentication Certificates

TA0007

Discovery

7 techniques

T1046×2

Network Service Discovery

T1057×2

Process Discovery

T1082

System Information Discovery

T1083

File and Directory Discovery

T1497

Virtualization/Sandbox Evasion

T1497.001×2

System Checks

T1497.003

Time Based Checks

T1580

Cloud Infrastructure Discovery

T1622

Debugger Evasion

TA0008

Lateral Movement

2 techniques

T1021×2

Remote Services

T1210

Exploitation of Remote Services

TA0009

Collection

1 technique

T1213

Data from Information Repositories

TA0011

Command and Control

5 techniques

T1071

Application Layer Protocol

T1071.001

Web Protocols

T1090×3

Proxy

T1105×2

Ingress Tool Transfer

T1219

Remote Access Tools

T1572×2

Protocol Tunneling

TA0010

Exfiltration

3 techniques

T1020

Automated Exfiltration

T1041×2

Exfiltration Over C2 Channel

T1537×2

Transfer Data to Cloud Account

TA0040

Impact

5 techniques

T1485×5

Data Destruction

T1486×5

Data Encrypted for Impact

T1491

Defacement

T1491.001

Internal Defacement

T1496

Resource Hijacking

T1657×4

Financial Theft

ARSENAL

Associated malware families

7 malware families attributed to this actor across reporting.

FamilyContextEvidenceLast seen

BeaverTail"Tech Note - BeaverTail variant distributed via malicious repositories and ClickFix lure... DPRK’s BeaverTail malware"3Mar 18, 2026

BlueNoroffHuntress wrote in a recent blog post describing the BlueNoroff targeted attack where threat actors tied to the Democratic People's Republic of Korea (DPRK) compromised a victim organization with malicious Zoom extensions and deepfakes.1Mar 18, 2026

CoreKitAgentThe researchers detail how NimDoor deploys two key binaries: a loader with the misspelled name GoogIe LLC (using an uppercase ‘i’ rather than lowercase ‘L’) and a trojan called CoreKitAgent.1Mar 18, 2026

EtherRAT“this payload, dubbed EtherRAT… is a persistent access implant… EtherRAT leverages Ethereum smart contracts for command-and-control (C2) resolution…”1Mar 8, 2026

HONESTCUEThe report identified attempts to coerce disclosure of internal reasoning, AI-assisted reconnaissance by DPRK, PRC, Iranian, and Russian actors, and AI-integrated malware such as HONESTCUE leveraging Gemini’s API for second-stage payload generation.1Mar 8, 2026

2 additional families tracked in Mallory.

WEAPONIZED

Associated vulnerabilities

1 CVE this actor has used in observed campaigns. 1 of them exploited in the wild.

CVE-2025-55182React2Shell RCE in React Server Components Flight ProtocolIn the wildEvidence1

...began with an Application exploit a la React2Shell, found AWS credentials, pivoted to AWS, and ultimately stole source code.

IOCS

Observables

468 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting. View more in app.

468 IOCsView more in app

ip.v4

127 total

••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••+119

Domains

126 total

••••••.com•••••••.ru••••••••.com•••••••••.net••••••••••.com•••••••••••.ru••••••••••••.com••••••.ru+118

uri

98 total

••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••+90

hash.sha1

56 total

••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••+48

hash.sha256

45 total

••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••+37

hash.md5

10 total

••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••+2

IOC values are gated. View more in Mallory for domains, IPs, hashes, and other artifacts, or pipe them straight into your SIEM.

ACTIVITY FEED

Recent activity

20 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

20 SOURCESView more in app

cyber security newsNews

Jun 26, 2026

Amazon Q Vulnerability Let Attackers Execute Code and Access Sensitive Cloud Environments

Uses fake job interview coding tests to trick targets into cloning and running attacker-controlled repositories.

rekt newsNews

Jun 9, 2026

Rekt - Humanity Protocol - Rekt

Linked to the spear-phishing compromise of a Humanity Protocol director's laptop, leading to theft of private keys, malicious contract upgrades, bridge draining, and unauthorized token minting.

cyberthroneNews

May 31, 2026

The Synthetic Threat: Voice on the call is Not Human - TheCyberThrone

Using deepfake job candidates and synthetic identities to infiltrate enterprise technology teams and gain insider access to production systems.

elastic security labsNews

Apr 2, 2026

How we caught the Axios supply chain attack - Elastic Security Labs

Suspected state-linked actor attributed in the content to the Axios npm supply chain compromise, involving takeover of a maintainer account and publication of malicious package versions that deployed cross-platform malware via a phantom dependency.

+16 more in the timeline

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.

Start free trial

Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping56

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal7

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs1

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables468

Domains, IPs, and hashes tied to this actor, refreshed continuously.