The attackers built a layered infrastructure
Based on data SecurityScorecard gathered by analyzing the attackers’ command-and-control infrastructure, the campaign ran in three waves. In November, the attackers targeted 181 developers, primarily in European technology sectors. In December, the campaign expanded globally, targeting hundreds of developers, with hotspots such as India (284 victims). In January, a new wave added 233 more victims, including 110 systems in India’s technology sector alone.
“The attackers exfiltrated critical data, including development credentials, authentication tokens, browser-stored passwords, and system information,” the researchers said. “Once collected by the C2 servers, the data was transferred to Dropbox, where it was organized and stored. Persistent connections to Dropbox highlighted the attackers’ systematic approach, with some servers maintaining active sessions for over five hours.”
Despite the use of several VPN tunnels for obfuscation, the attacker activity was traced back to several IP addresses in North Korea. The attackers connected through Astrill VPN endpoints, then through Oculus Proxy network IPs in Russia, and finally to the command-and-control servers hosted by a company called Stark Industries.