
Posts by Nick Roy

npm Malware, Fake Devs, and Deepfake Videos: These Are A Few of My Favorite DPRK Things

What started as what I thought was going to be a quick look into a suspicious GitHub organization turned into a much deeper rabbit hole with an active npm backdoor, more than a dozen fake developer personas, and recruitment posts looking for overseas facilitators. Individually there are a lot of interesting pieces here, but together they map closely to documented DPRK tradecraft.

Tracking brand new DPRK front companies and personas

2 weeks ago
Made for Export: North Korea’s Software Catalog

An email discovered last year that was sent from North Korea’s internet infrastructure offers a rare look at how DPRK software developers market their work abroad. While most recent reporting has focused on North Korean IT workers fraudulently obtaining jobs at Western companies, the documents attached to this message appear to represent something different: a catalog of domestically developed software being pitched to commercial partners overseas.

My favorite DPRK IT workers are the ones just straight up trying to export surveillance software

1 month ago
Hunting For North Korean Fiber Optic Cables

Before we go any further, one thing that I want to make clear is that the word assume is going to be doing some heavy lifting throughout this post. This was a rabbit hole that I recently went down and I probably have more questions than answers, but I still wanted to document what I had found so far. If you have additional information or findings you want to share, as always feel free to reach out: …

4 months ago

you can hang out in my garage. plenty of PBR and soup stocked up in case this ever happened

8 months ago

just wait for the screenshots in part 3...

9 months ago
Hangro: Investigating North Korean VPN Infrastructure Part 2

If you haven’t seen part 1, it provides an overview of the service as well as the domains and IPs supporting the infrastructure. Continuing my analysis of the Hangro VPN IPs and service, I started querying the IPs directly as well as taking some first steps towards reversing an older sample of the Hangro VPN client. Using OpenSSL as well as a few other tools provided some additional details on how the VPN functions.

part 2 of digging into north koreas vpn

9 months ago
North Korea Offline With Invalid Routes for AS131279

On March 18, 2025, at around 9:38 AM UTC, connectivity to AS131279 dropped. Shortly after, at 9:50 AM UTC, a change in the Start of Authority (SOA) record and an update to the Route Origin Authorization (ROA) were detected. The update introduced a new ROA for 175.45.176.0/22, authorizing AS131279 as the origin but setting a maximum prefix length of /22. Previously, AS131279 had been announcing four /24s (175.45.176.0/24, 175.45.177.0/24, etc.), which had not been marked as invalid.

1 year ago
North Korea whois records hijacked?

1 year ago

Someone having a bad day in North Korea. Whois records just changed

1 year ago
Hangro: Investigating North Korean VPN Infrastructure Part 1

In a post from a now-deleted user on the webdev subreddit, someone asked about how to acquire a .kp TLD. While there were a few decent responses, the original poster shared an update: they successfully obtained a domain but noted that a VPN is required to access the website. This raised intriguing questions about VPN usage in North Korea. While several VPN providers claim to operate from North Korea, most merely offer false IP geolocation.

1 year ago