Taking a break from fake DPRK companies for a while, there was some interesting activity that I recently noticed on 175.45.176.97. Between May 14th and May 17th, a request to the root of 175.45.176.97 returned a 302 redirecting to recoshield.com, which appears to be a South Korean company that manufactures paint and windshield protectors.
The host also identifies itself as Rocky Linux, which I don't think has shown up in the DPRK IP range before. That alone might be interesting enough, but searching additional directories revealed a few other findings. Poking around the server revealed what appears to be some sort of captive portal framework that was accidentally left exposed to the internet.
/1/ – The Redirect
Viewing http://175.45.176.97/1/ showed a brief snippet of text before the page immediately loaded the Google homepage. After a couple of tries at stopping the page load, it showed the following text
Translates to: Checking network status. Please wait a moment…
While the text is displayed, a couple of things happen behind the scenes. Looking at the source, the first block of code attempts to load the Google favicon to check whether the visitor has internet access.
If the favicon loads, the user is redirected to google.com; if the request fails or takes longer than 4 seconds to return, the user is routed to check.php?b19fefb66cf87da9a792c55b9020a52a instead.
Unfortunately I was not able to get the check.php endpoint to load, so its exact behaviour is unclear, but the hash-like parameter (32 hex characters, the length of an MD5 digest) looks like a campaign identifier for logging incoming victims.
The comments in the code are also worth mentioning, translations are included and were not in the original source:
// 1. 타임아웃 설정 (모바일은 네트워크 전환이 빈번하므로 3~5초 권장)
// ("Timeout — 3-5 seconds recommended for mobile due to frequent network switching")
// 2. 이미지 객체를 이용한 우회 체크 (CORS 이슈 없음)
// ("Image object bypass check — no CORS issues")
The first comment shows that this was built with mobile networks in mind, which points to mobile device users as the intended targets. The second comment shows that the developer was worried about cross-origin restrictions blocking a fetch() call, and deliberately loaded the favicon through an Image object instead, since image loads are not subject to CORS and still tell the page whether the request succeeded.
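The following is an added reconstruction of the connectivity-check pattern described above, not the script recovered from /1/. It shows why the Image trick works and where the 4-second timer fits: the image load and the timer race, the first signal wins, and only an unambiguous load goes to Google. The Image constructor and the timers are injectable so the flow can be exercised outside a browser; the favicon URL, the function names and the test doubles are assumptions, while the check.php token is the one seen in the redirect.

```javascript
// Added example, not the code from 175.45.176.97. Reconstructs the
// Image-based connectivity probe with an injectable Image class and timers.
const CAMPAIGN_TOKEN = 'b19fefb66cf87da9a792c55b9020a52a'; // seen on /1/
const ONLINE_URL = 'https://www.google.com/';
const PROBE_URL = 'https://www.google.com/favicon.ico';   // assumed probe target
const TIMEOUT_MS = 4000;                                  // the 4 s described

// Where the visitor is sent for each verdict. Only a confirmed load goes to
// Google; a failed load and a timeout both land on the logging endpoint.
function destinationFor(verdict, token = CAMPAIGN_TOKEN) {
  return verdict === 'online' ? ONLINE_URL : 'check.php?' + token;
}

// An <img> is used instead of fetch() because image loads are not subject to
// CORS: the browser fires onload if a decodable image came back and onerror
// otherwise. A captive portal that intercepts the request and answers with
// its own HTML page therefore also produces onerror, which is exactly the
// "no internet" signal this flow wants.
function startProbe(opts, onResult) {
  const {
    probeUrl = PROBE_URL,
    timeoutMs = TIMEOUT_MS,
    ImageCtor = globalThis.Image,
    setTimer = setTimeout,
    clearTimer = clearTimeout,
  } = opts;
  let settled = false;
  let timer = null;
  const settle = (verdict) => {
    if (settled) return;          // first signal wins; late onload/onerror ignored
    settled = true;
    clearTimer(timer);
    onResult(verdict, destinationFor(verdict));
  };
  timer = setTimer(() => settle('timeout'), timeoutMs);
  const img = new ImageCtor();
  img.onload = () => settle('online');
  img.onerror = () => settle('offline');
  // Cache-buster: a favicon served from the browser cache would report
  // "online" without ever touching the network.
  img.src = probeUrl + '?_=' + Date.now();
  return img;
}

// --- Test doubles so the flow runs without a browser or network (constructed)
// FakeImage fires the configured event synchronously when src is assigned;
// behaviour 'hang' never fires, simulating a network that swallows the request.
function makeFakeImage(behaviour) {
  return class FakeImage {
    set src(value) {
      this.requested = value;
      if (behaviour === 'load' && this.onload) this.onload();
      if (behaviour === 'error' && this.onerror) this.onerror();
    }
  };
}

// FakeTimers records the timeout callback so it can be fired on demand.
function makeFakeTimers() {
  const pending = [];
  return {
    setTimer: (fn, ms) => { pending.push({ fn, ms }); return pending.length - 1; },
    clearTimer: (id) => { if (pending[id]) pending[id].fn = null; },
    fire: () => pending.forEach((p) => { if (p.fn) { const f = p.fn; p.fn = null; f(); } }),
  };
}

// Returns { verdict, destination } for a given network behaviour, firing the
// 4 s timer if the probe never answered.
function simulate(behaviour) {
  const timers = makeFakeTimers();
  let result = null;
  startProbe(
    { ImageCtor: makeFakeImage(behaviour), setTimer: timers.setTimer, clearTimer: timers.clearTimer },
    (verdict, destination) => { result = { verdict, destination }; },
  );
  if (result === null) timers.fire();   // nothing came back: the timeout wins
  return result;
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const b of ['load', 'error', 'hang']) console.log(b, simulate(b));
}
```

Note the asymmetry the original flow relies on: anything other than a clean favicon load, including an intercepting portal or a slow mobile handover, counts as "no internet" and sends the victim deeper into the lure rather than away from it.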
/test/ – The Lure
This is the page that the victim actually sees, and at first it caught me off guard. Originally I thought that there was a WiFi access point in North Korea that was accidentally exposed. However, digging into the page further shows that it is a fully designed mobile portal with a Huawei logo and a WiFi error graphic informing the user:
“Slow Connection — Maybe your internet connection is unstable. There seems to be an issue with your wifi slowing down the internet. It’s recommended to test your phone using google wifi app.”
A button labeled "Go Google" is the only interaction. When clicked, two things happen: a POST request carrying a sectoken fires, and the page then redirects to the Play Store to install WiFi Analyzer Pro.
Admittedly I should have tested this more to see whether the token changed between visits or was static.
WiFi Analyzer Pro isn't malicious: it has over 10 million installs, a 4.6-star rating, and has been on the Play Store since 2018. So why would a DPRK captive portal redirect to a legitimate Android app? There are two plausible explanations.
Option 1: It's not about the app, it's about the redirect.
The sectoken in the POST request that fires before the redirect is the actual information collection. By the time the Play Store page loads, information about the device and a timestamp has already been sent to the server, and the app is there to make the flow look like part of a troubleshooting workflow.
Option 2: The app is a placeholder
There’s some additional commented out code on the page that loads:
This suggests that the Android package could be just a placeholder. Netflix, YouTube, and Instagram are clearly test values, and abdelrahman.wifianalyzerpro may simply be whatever the developer grabbed to confirm the Play Store redirect flow worked end to end. The real payload, whether a trojanized app, a credential harvester, or something else entirely, may not have been swapped in yet while this was exposed to the internet.
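When triaging a page like /test/, the commented-out targets matter as much as the live one, since they show what the developer tested against. Below is an added triage helper, not code from the exposed server, that pulls Play Store package ids and sectoken-style values out of page source and reports separately which ones sit inside HTML or JavaScript comments. The SAMPLE_HTML is constructed to mirror what the post describes (one live redirect to abdelrahman.wifianalyzerpro plus commented-out placeholders); the placeholder package ids, the hidden-input layout and the /check.php form action are assumptions.

```javascript
// Added triage helper; not the page's own script. SAMPLE_HTML is constructed
// for the example: only abdelrahman.wifianalyzerpro comes from the post,
// the other package ids and the form layout are assumptions.
const SAMPLE_HTML = `
<!-- <a href="market://details?id=com.netflix.mediaclient">old test</a> -->
<form id="sec" method="POST" action="/check.php">
  <input type="hidden" name="sectoken" value="0123456789abcdef0123456789abcdef">
</form>
<button onclick="goGoogle()">Go Google</button>
<script>
function goGoogle() {
  document.getElementById('sec').submit();
  // location.href = "market://details?id=com.google.android.youtube";
  // location.href = "market://details?id=com.instagram.android";
  location.href = "https://play.google.com/store/apps/details?id=abdelrahman.wifianalyzerpro";
}
</script>
`;

// Android package ids are reverse-DNS labels; the same id appears behind both
// the https://play.google.com/... form and the market:// scheme.
const PACKAGE_RE = /(?:play\.google\.com\/store\/apps\/details\?id=|market:\/\/details\?id=)([A-Za-z]\w*(?:\.[A-Za-z]\w*)+)/g;

// 32-hex-character values bound to a field called sectoken, whether as a
// hidden input or as a JS literal. 32 hex characters is the length of an MD5
// digest, the same shape as the check.php parameter seen on /1/.
const TOKEN_RE = /sectoken['"]?\s*(?:value=|[:=])\s*['"]([0-9a-fA-F]{32})['"]/g;

// Byte ranges covered by <!-- -->, /* */ and // comments. The // case is a
// heuristic: a "//" preceded by ':' or a word character is treated as part of
// a URL, not a comment, so https:// inside live code is not swallowed.
function commentSpans(src) {
  const spans = [];
  const re = /<!--[\s\S]*?-->|\/\*[\s\S]*?\*\/|(?<![:\w"'])\/\/[^\n]*/g;
  let m;
  while ((m = re.exec(src)) !== null) spans.push([m.index, m.index + m[0].length]);
  return spans;
}

function inSpan(spans, idx) {
  return spans.some(([a, b]) => idx >= a && idx < b);
}

// Commented-out code is still plain text in the response, so it is searched
// as well; it is just reported in its own bucket.
function triage(html) {
  const spans = commentSpans(html);
  const result = { live: [], commented: [], tokens: [] };
  let m;
  PACKAGE_RE.lastIndex = 0;
  while ((m = PACKAGE_RE.exec(html)) !== null) {
    (inSpan(spans, m.index) ? result.commented : result.live).push(m[1]);
  }
  TOKEN_RE.lastIndex = 0;
  while ((m = TOKEN_RE.exec(html)) !== null) result.tokens.push(m[1]);
  return result;
}

console.log(JSON.stringify(triage(SAMPLE_HTML), null, 2));
```

Run against the real files, the live bucket is the current redirect target and the commented bucket is the developer's test history; a token that is identical across two fetches of the page is static, which is the check the post says was skipped.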
/js/ – An Open Directory
One more thing that was left open, not particularly interesting but worth including, was an open directory at /js/. Nothing out of place was discovered and all of the files appeared to be legitimate. The only item of interest was that every file carries the same timestamp, April 24th, 2026 at 00:51, which is consistent with the whole set being dropped on the server in a single deployment.
What’s Actually Going On Here?
At first I thought this was just a strange redirect to a South Korean company, but digging in a little more revealed something more interesting. While it's hard to be completely certain when examining the purpose of the page, it does appear to be part of some infrastructure for a rogue access point attack that was being tested and was accidentally exposed to the internet.
Based on the information collected, the intended workflow appears to be something like the following
An operator in the field broadcasts a fake WiFi SSID, something like "Hotel Wifi" or "HuaweiAP_5G", chosen to attract attention based on the location and where targets are likely to connect.
A victim connects expecting to get a standard captive portal before getting access to the internet.
They get served /1/ which performs the connectivity check in the background. Assuming they do not have internet access they get routed through to check.php
They land on /test/ the slow connection page
They click Go Google, the sectoken POST logs the click, and they are redirected to install the app.
Without being able to examine all of the files, some of the steps could be in a slightly different order, or the site could branch depending on how the earlier checks respond.
The Huawei branding is an interesting choice as well. Huawei home and carrier networking gear can be found all across Southeast Asia and East Africa, which are regions where DPRK IT workers are known to operate under freelance developer cover. A Huawei branded portal is probably not going to look out of place in Laos, Cambodia, Vietnam, or parts of East Africa. Chollima Group has done phenomenal writeups on this, tracking IT worker cells operating out of Laos and documenting workers across multiple African countries as recently as 2025.
If you want to take a look at the html files send cat pictures to contact [at] nkinternet.com