Advertising Disclosure

vpnMentor was established in 2014 to review VPN services and cover privacy-related stories. Today, our team of hundreds of cybersecurity researchers, writers, and editors continues to help readers fight for their online freedom in partnership with Kape Technologies PLC, which also owns the following products: ExpressVPN, CyberGhost, and Private Internet Access which may be ranked and reviewed on this website. The reviews published on vpnMentor are believed to be accurate as of the date of each article, and written according to our strict reviewing standards that prioritize professional and honest examination of the reviewer, taking into account the technical capabilities and qualities of the product together with its commercial value for users. The rankings and reviews we publish may also take into consideration the common ownership mentioned above, and affiliate commissions we earn for purchases through links on our website. We do not review all VPN providers and information is believed to be accurate as of the date of each article.

North Korean Hackers Spread Malware via VPN Update Flaw

Anka Markovic Borak, Cybersecurity Researcher. Published on 13th August 2024.

The North Korean state-sponsored hacking groups Kimsuky (APT43) and Andariel (APT45) exploited a flaw in the update mechanism of a South Korean VPN product to install malware and steal trade secrets from construction and machinery companies.

The attackers are believed to be operating in support of North Korea's nationwide project to modernize its industrial factories. The two groups, Kimsuky (APT43) and Andariel (APT45), are linked to the Lazarus Group, a threat actor that, in March 2024, leveraged an undisclosed Windows vulnerability to conduct cyberattacks.

According to ASEC's report, Kimsuky compromised the website of a South Korean construction trade organization in January 2024 and used it to distribute trojanized versions of the security-software installers "NX_PRNMAN" and "TrustPKI." The trojanized installers were signed with a valid code-signing certificate belonging to the Korean defense company "D2Innovation," so they passed antivirus checks: the signature was genuine, it just did not belong to the software's real publisher.

Upon installation, the malware captured screenshots, stole browser data, and extracted sensitive information, including GPKI certificates and SSH keys. This attack affected construction companies, public institutions, and local governments.

In April 2024, Andariel exploited a vulnerability in the update communication protocol of a South Korean VPN product to push the DoraRAT malware to clients disguised as a legitimate software update. The malware targeted construction and machinery companies and was built to exfiltrate large files, such as design documents.

South Korea's National Cyber Security Center (NCSC) advises website operators at risk of state-sponsored hacking to request security inspections from the Korea Internet & Security Agency (KISA). For software vendors, it recommends strict approval policies governing software distribution and mandatory administrator authentication at the final distribution step, so that a single compromised build server or update channel cannot push code to customers on its own.
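The client-side counterpart to those recommendations, as an added example that is not the affected product's code or anything published by NCSC, KISA or ASEC: a small update verifier written for this article in Go. It contrasts a weak check that accepts any validly signed bundle (the property that let an installer signed with another company's certificate through, and that a fake update over a poorly authenticated channel relies on) with a strict check that pins the publisher's Ed25519 key into the client, binds the payload to the signed manifest by SHA-256, and refuses downgrades. The manifest format, the product name "ExampleVPN", the version numbers and the payload bytes are all constructed for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest is what a vendor's build pipeline publishes alongside an update.
// The format is constructed for this example, not the affected product's.
type Manifest struct {
	Product  string `json:"product"`
	Version  int    `json:"version"`
	Filename string `json:"filename"`
	SHA256   string `json:"sha256"`
}

// SignedUpdate is the bundle an update server returns to a client.
type SignedUpdate struct {
	ManifestJSON []byte
	Signature    []byte
	SignerKey    ed25519.PublicKey // key the server *claims* produced Signature
	Payload      []byte
}

// weakVerify reproduces the class of flaw described in the article: the client
// only checks that the bundle carries a valid signature, taking the verification
// key from the bundle itself. Any signing key at all (an unrelated or stolen
// code-signing certificate, for instance) passes this check.
func weakVerify(u SignedUpdate) error {
	if !ed25519.Verify(u.SignerKey, u.ManifestJSON, u.Signature) {
		return errors.New("bad signature")
	}
	return nil
}

// strictVerify pins the publisher's key into the client, binds the payload to
// the signed manifest by hash, and rejects downgrades. The key shipped inside
// the bundle is ignored entirely.
func strictVerify(u SignedUpdate, pinned ed25519.PublicKey, product string, installed int) (*Manifest, error) {
	if !ed25519.Verify(pinned, u.ManifestJSON, u.Signature) {
		return nil, errors.New("manifest not signed by the pinned publisher key")
	}
	var m Manifest
	if err := json.Unmarshal(u.ManifestJSON, &m); err != nil {
		return nil, fmt.Errorf("malformed manifest: %w", err)
	}
	if m.Product != product {
		return nil, fmt.Errorf("manifest is for %q, expected %q", m.Product, product)
	}
	if m.Version <= installed {
		return nil, fmt.Errorf("version %d is not newer than installed %d", m.Version, installed)
	}
	sum := sha256.Sum256(u.Payload)
	if hex.EncodeToString(sum[:]) != m.SHA256 {
		return nil, errors.New("payload hash does not match signed manifest")
	}
	return &m, nil
}

// buildUpdate signs a manifest for payload with priv. It stands in for both the
// vendor's release pipeline and an attacker assembling a fake update.
func buildUpdate(priv ed25519.PrivateKey, product string, version int, name string, payload []byte) SignedUpdate {
	sum := sha256.Sum256(payload)
	mj, _ := json.Marshal(Manifest{Product: product, Version: version, Filename: name, SHA256: hex.EncodeToString(sum[:])})
	return SignedUpdate{
		ManifestJSON: mj,
		Signature:    ed25519.Sign(priv, mj),
		SignerKey:    priv.Public().(ed25519.PublicKey),
		Payload:      payload,
	}
}

// Outcome records which constructed bundles each verifier accepted.
type Outcome struct {
	WeakAcceptsFake, StrictAcceptsFake, StrictAcceptsGenuine, StrictAcceptsTampered, StrictAcceptsRollback bool
}

// Demo runs four constructed bundles through both verifiers. Keys are generated
// fresh; product name, versions and payload bytes are invented for the demo.
func Demo() Outcome {
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader) // attacker's own, perfectly valid key
	const product, installed = "ExampleVPN", 3

	genuine := buildUpdate(vendorPriv, product, 4, "ExampleVPN-4.exe", []byte("genuine build"))
	fake := buildUpdate(attackerPriv, product, 4, "ExampleVPN-4.exe", []byte("trojanized build"))
	tampered := genuine // vendor-signed manifest intact, payload swapped in transit
	tampered.Payload = []byte("trojanized build")
	rollback := buildUpdate(vendorPriv, product, 2, "ExampleVPN-2.exe", []byte("old vulnerable build"))

	ok := func(_ *Manifest, err error) bool { return err == nil }
	return Outcome{
		WeakAcceptsFake:       weakVerify(fake) == nil,
		StrictAcceptsFake:     ok(strictVerify(fake, vendorPub, product, installed)),
		StrictAcceptsGenuine:  ok(strictVerify(genuine, vendorPub, product, installed)),
		StrictAcceptsTampered: ok(strictVerify(tampered, vendorPub, product, installed)),
		StrictAcceptsRollback: ok(strictVerify(rollback, vendorPub, product, installed)),
	}
}

func main() {
	fmt.Printf("%+v\n", Demo())
}
```

The weak verifier accepts the attacker's bundle because the attacker controls both the signature and the key it is checked against; the strict verifier rejects it, along with a payload swapped under a genuine manifest and a signed-but-older release. The pinned key is the piece that the "administrator authentication at the final distribution step" recommendation protects on the server side: if the release signing key is only usable after a human approves the build, a compromised build host cannot produce a bundle the strict client will accept.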

Additionally, keeping software and operating systems updated, providing ongoing employee security training, and monitoring government cybersecurity advisories are crucial for preventing such attacks.

North Korean hackers are linked to numerous incidents. In June 2023, such hackers targeted JumpCloud, a US-based company that provides user/device management and authentication services.

About the Author

Anka is a tech writer with a keen interest in cybersecurity and online privacy. She thinks it's really important to educate people on how to avoid misuse of their data.
