Russian VPS Servers With RDP and Proxy Servers Enable North Korean Cybercrime Operations
Trend Research has uncovered a sophisticated network of cybercrime operations linked to North Korea, heavily utilizing Russian internet infrastructure.
Specifically, IP address ranges in the towns of Khasan and Khabarovsk, Russia, assigned to organizations under TransTelecom (ASN AS20485), are pivotal in these activities.
Khasan, just a mile from the North Korea-Russia border and connected via the Korea-Russia Friendship Bridge, and Khabarovsk, with its deep economic and cultural ties to North Korea, serve as strategic hubs.
These IP ranges, including 80.237.84.0/24 and 188.43.136.0/24, are obscured by an extensive anonymization network comprising commercial VPN services like Astrill VPN, proxy servers, and numerous Virtual Private Servers (VPS) accessed via Remote Desktop Protocol (RDP).
This setup masks malicious traffic origins, enabling North Korean-aligned actors, associated with the Void Dokkaebi intrusion set (also known as Famous Chollima), to conduct their operations undetected.
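
A defender can check remote-logon records against the two ranges named above. The following is an added example, not code from Trend Research or the original article: the log format, field names and sample records are constructed for illustration. Because the article describes these ranges as hidden behind VPN, proxy and VPS layers, a match means the connection reached the logging host without passing through those layers.

```python
import ipaddress
import re
from collections import defaultdict

# Ranges named in the article (TransTelecom, AS20485).
WATCHED = [ipaddress.ip_network(c) for c in ("80.237.84.0/24", "188.43.136.0/24")]

# Constructed sample records; the line format is an assumption, not a real product's log.
SAMPLE_LOG = """\
2025-01-10T08:14:02Z rdp-logon src=80.237.84.17 user=dev01 result=success
2025-01-10T08:15:40Z rdp-logon src=198.51.100.23 user=admin result=failure
2025-01-10T09:02:11Z rdp-logon src=188.43.136.200 user=dev02 result=success
2025-01-10T09:30:00Z rdp-logon src=80.237.85.17 user=dev03 result=success
2025-01-10T10:00:00Z rdp-logon src=not-an-ip user=dev04 result=failure
2025-01-10T10:05:00Z rdp-logon src=80.237.84.17 user=dev05 result=success
"""
LINE_RE = re.compile(r"^(\S+) \S+ src=(\S+) user=(\S+) result=(\S+)$")

def match_range(addr):
    """Return the watched network containing addr, or None (also for unparsable input)."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return None
    return next((net for net in WATCHED if ip in net), None)

def find_hits(log_text):
    """Parse each record and keep those whose source falls in a watched range."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not follow the assumed format
        ts, src, user, result = m.groups()
        net = match_range(src)
        if net is not None:
            hits.append({"time": ts, "src": src, "user": user, "result": result, "range": str(net)})
    return hits

def accounts_by_source(hits):
    """Group accounts per source address so one address used by several accounts stands out."""
    grouped = defaultdict(list)
    for h in hits:
        grouped[h["src"]].append(h["user"])
    return dict(grouped)

if __name__ == "__main__":
    for hit in find_hits(SAMPLE_LOG):
        print(hit)
    print(accounts_by_source(find_hits(SAMPLE_LOG)))
```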

Trend Research’s ...
Copyright of this story solely belongs to gbhackers.