by Jonathan Greig
North Korean hackers are spoofing financial institutions and venture capital firms in the United States, Vietnam, and Japan, according to new research.
According to Recorded Future’s Insikt Group, the campaign was linked to APT38, a North Korean state-sponsored group known for high-profile attacks on cryptocurrency firms.
The researchers discovered 74 domains resolving to five IP addresses, as well as six malicious files in the most recent cluster between September 2022 and March 2023. A previous Insikt Group report about overlapping activity attributed to TAG-71 highlighted the group’s spoofing of popular cloud services, as well as domains belonging to financial firms in Japan, Taiwan, and the United States.
Recorded Future’s The Record is an editorially independent unit.
The report notes that North Korean hacking groups have a long history of attacking cryptocurrency exchanges, commercial banks, and e-commerce sites for financial gain.
These campaigns raise money for a regime that remains under significant international sanctions, and the researchers expect them to continue.
Insikt Group researcher Mitch Haszard noted that the recent campaign focused most on spoofing venture capital firms. He added that APT38 has previously targeted SWIFT and cryptocurrency exchanges.
“Both have a clear goal of stealing money, but spoofing venture capital firms is something new and slightly different,” he said.
According to the researchers, North Korean hackers used 18 malicious servers to deliver malware in March 2022, tricking potential victims into opening malicious content or entering their login credentials on pages that closely spoofed popular cloud services, cryptocurrency exchanges, and private investment firms.
According to the report, successful intrusions at investment banks and venture capital firms could expose “sensitive or confidential information of these entities or their customers, resulting in legal or regulatory action, jeopardizing pending business negotiations or agreements, or revealing information detrimental to companies’ strategic investment portfolios.”
The Insikt Group found three more IP addresses associated with the group during a campaign from January 2023 to March 2023.
Several of these addresses hosted domains whose names mimic document-sharing software, such as “doc-share” and “autoprotect,” while others purported to belong to financial institutions in Japan, Vietnam, and the United States.
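As an added illustration (this is not code from the Insikt Group report or from The Record), the script below shows the kind of passive-DNS pivot that produces findings like the ones described above: a set of domain-to-IP resolutions is clustered by hosting IP, and a cluster is flagged when its domains carry document-sharing keywords or are close typosquats of a watch-listed brand. Every domain, IP address, watch term and brand name in it is constructed for the example and is not an indicator from the report.

```python
"""Infrastructure pivot over constructed passive-DNS records (added example).

Clusters domains by the IP they resolve to, then flags clusters whose names
mimic document-sharing tools or watch-listed financial/VC brands: the
"many domains on a handful of IPs" pattern the article describes.
"""
from collections import defaultdict

# Constructed sample resolutions (domain, resolved IP). None are real indicators;
# the IPs are from documentation ranges (RFC 5737).
PDNS_RECORDS = [
    ("doc-share-viewer.example", "203.0.113.10"),
    ("autoprotect-login.example", "203.0.113.10"),
    ("capitalventures-partners.example", "203.0.113.10"),
    ("secure-docshare.example", "203.0.113.11"),
    ("acmeventuers.example", "203.0.113.11"),      # constructed typosquat
    ("updates.legit-cdn.example", "198.51.100.5"),  # benign pair sharing an IP
    ("www.legit-cdn.example", "198.51.100.5"),
]

# Substrings a defender might watch for in newly registered domains (constructed list).
WATCH_TERMS = ("doc-share", "docshare", "autoprotect", "ventures", "capital")

# Brand labels we want to protect against lookalikes (constructed list).
PROTECTED_BRANDS = ("legitcdn", "acmeventures")


def cluster_by_ip(records):
    """Group domains by the IP they resolve to: {ip: [domain, ...]}."""
    clusters = defaultdict(list)
    for domain, ip in records:
        clusters[ip].append(domain)
    return dict(clusters)


def suspicious_terms(domain):
    """Return the watch terms that appear anywhere in the domain name."""
    return [term for term in WATCH_TERMS if term in domain]


def edit_distance(a, b):
    """Levenshtein distance (insert/delete/substitute), used for typosquat checks."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain, brands=PROTECTED_BRANDS, max_distance=2):
    """Return the protected brand this domain's registrable label is a near-miss of.

    Assumes a single-label public suffix (e.g. ".example", ".com"), so the
    registrable label is the second-to-last label; hyphens are dropped before
    comparing. An exact brand match is the brand itself, not a lookalike.
    """
    labels = domain.split(".")
    label = (labels[-2] if len(labels) >= 2 else labels[0]).replace("-", "")
    for brand in brands:
        if label != brand and edit_distance(label, brand) <= max_distance:
            return brand
    return None


def flag_clusters(records, min_domains=2):
    """Flag IP clusters of at least min_domains domains with at least one suspicious name.

    Returns {ip: {"domains": [...], "reasons": {domain: [reason, ...]}}}.
    """
    flagged = {}
    for ip, domains in cluster_by_ip(records).items():
        if len(domains) < min_domains:
            continue
        reasons = {}
        for domain in domains:
            hits = suspicious_terms(domain)
            brand = lookalike_of(domain)
            if brand:
                hits.append(f"lookalike:{brand}")
            if hits:
                reasons[domain] = hits
        if reasons:
            flagged[ip] = {"domains": sorted(domains), "reasons": reasons}
    return flagged


if __name__ == "__main__":
    for ip, info in flag_clusters(PDNS_RECORDS).items():
        print(f"{ip}: {len(info['domains'])} domains")
        for domain, why in info["reasons"].items():
            print(f"  {domain}: {', '.join(why)}")
```

On real data the resolutions would come from a passive-DNS provider rather than an inline list, and the brand list would be the organisation's own names and those of its portfolio companies; the clustering and naming checks stay the same. The edit-distance threshold is deliberately small so that a benign shared host (the two `legit-cdn` names above) is not flagged merely for sharing an IP.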
Kaspersky researchers linked several of the IP addresses to another financially motivated hacking group.
The researchers expect North Korea’s hackers to keep launching financially motivated attacks while the country remains under crippling financial sanctions.