New Lazarus and Kimsuky Infrastructure Discovered with Active Tools and Tunneling Nodes
Security researchers from Hunt.io and Acronis Threat Research Unit have made a groundbreaking discovery, uncovering a complex network of operational infrastructure controlled by North Korean state-sponsored threat actors, specifically the notorious Lazarus and Kimsuky groups.
Through a collaborative investigation, the researchers have revealed previously unknown connections between these groups’ campaigns, exposing active command-and-control servers, credential-theft environments, tunneling nodes, and certificate-linked infrastructure that had remained hidden from public analysis until now.
The research demonstrates how DPRK operators maintain persistent access to their targets through predictable infrastructure patterns, despite continuously evolving their malware and attack lures.
By utilizing Hunt.io’s threat intelligence platform, the researchers were able to pivot across indicators of compromise, certificates, and open directories, mapping interconnected clusters of malicious assets deployed across multiple VPS providers in Asia and beyond.

One of the most significant findings of the investigation centers on the consistency of DPRK operational tradecraft, with recurring signals that remain stable across different campaigns, including credential harvesting toolkits, Fast Reverse Proxy (FRP) tunneling nodes, and certificate reuse.
The investigation identified these consistent patterns, which provide valuable insights into the tactics, techniques, and procedures (TTPs) of the Lazarus and Kimsuky groups.
The researchers tracked Lazarus activity through a Linux variant of the BADCALL backdoor, hosted on server 23.27.140[.]49, which had an open directory on port 8080.
![IP intelligence data for 23.27.177[.]183.](https://public-hunt-static-blog-assets.s3.us-east-1.amazonaws.com/12-2025/Inside+DPRK+Operations+New+Lazarus+and+Kimsuky+Infrastructure+Uncovered+Across+Global+Campaigns+-+figure+4.png)
This variant contained a critical operational update – the addition of a logging mechanism that records timestamped entries in the /tmp/ directory, allowing operators to monitor malware execution and confirm proper functioning throughout intrusions.
This deliberate enhancement to their toolkit represents a significant improvement in operational efficiency for the threat actors.
Active Credential Theft Infrastructure
The research uncovered two major credential theft staging environments that remained operational, including a 112 MB toolkit containing 21 files across two subdirectories, and a second critical node exposing over 270 MB of operational data across 201 files.
Server 207.254.22[.]248:8800 hosted a complete profile extraction and exfiltration suite, including MailPassView, WebBrowserPassView, ChromePass, and rclone binaries.
Hunt.io intelligence confirmed that this infrastructure was running a Mythic command-and-control server on port 7443 as recently as August 2025.
A second critical node at 149.28.139[.]62:8080 exposed a fully functional Quasar RAT infrastructure, credential harvesters, and file-transfer utilities.
![Hunt.io intelligence showing Quasar RAT activity on 149.28.139[.]62.](https://public-hunt-static-blog-assets.s3.us-east-1.amazonaws.com/12-2025/Inside+DPRK+Operations+New+Lazarus+and+Kimsuky+Infrastructure+Uncovered+Across+Global+Campaigns+-+figure+14.png)
Perhaps most alarming was the discovery of server 154.216.177[.]215, which exposed nearly 2 GB of operational data across 10,731 files and 1,222 subdirectories, suggesting it functioned as an active threat actor operations hub.
Tunneling and Certificate-Based Infrastructure
The research identified eight identical FRP tunnel nodes deployed across Chinese and APAC-region VPS providers, all serving the same 10 MB binary on port 9999, indicating scripted, automated provisioning.
Through certificate pivoting, researchers discovered twelve IP addresses all sharing the common name “hwc-hwp-7779700” with RDP exposure since January 2025, with ten of these IPs directly associated with Lazarus Group malware.
The research provides defenders with actionable intelligence for proactive threat hunting, including monitoring for recurring open directory patterns, tracking FRP deployments, and pivoting on certificate reuse to reveal new DPRK infrastructure before active campaigns launch.
These stable behavioral patterns offer more reliable detection signals than constantly evolving malware families, enabling defenders to stay one step ahead of the threat actors.