Malware News North Korean–linked actor tied to Polyfill.io supply‑chain attack, Gate.us compromise, and Japanese espionage

Wrecker4923

Apr 11, 2024
An entertaining read.

Executive Summary: Key Findings

  • The Infiltrator-in-Chief (Gate.us): The operative successfully infiltrated the American crypto exchange Gate.us. In a staggering display of irony, this sanctioned North Korean actor sat in on Google Meets with Western compliance vendors (Sumsub) to actively define the very AML/KYC logic designed to catch him, mapping their blind spots using real FBI fugitives.
  • The Polyfill.io Mastermind: Definitive forensic evidence links the catastrophic Polyfill.io supply chain attack (which compromised 100,000+ websites) directly to a North Korean state-sponsored actor embedded within a Chinese syndicate.
  • Japanese Scientific Espionage: Transcending simple IT wage theft, the actor exfiltrated sensitive, air-gapped network blueprints from the National Institute for Materials Science (NIMS), demonstrating a pivot from illicit revenue generation to strategic state espionage targeting critical infrastructure.
  • Automated Crypto Laundering: The actor built an automated Telegram-based cryptocurrency gateway to lease out poisoned CDN nodes and wash USDT without manual intervention.
  • A Cybercriminal PIP: Despite orchestrating massive cyber warfare campaigns, the North Korean operative was put on a “Performance Improvement Plan” and given a salary cut to $3,000/month by his Chinese handlers for needing “too much guidance.”

Possible Lessons:

  • Consumers should choose their crypto exchange carefully; you never know who’s in it.
  • It sucks to be stuck at a job you can’t leave, because your employer can say whatever regardless of your performance.
It really is an absorbing read, but I would treat claims at that level with some caution until they are independently corroborated.

What stands out

  • If the reporting is accurate, the most important point is not the irony, but the operational lesson: insider access plus weak vendor verification can undermine even well-designed compliance and security controls.
  • The Polyfill.io angle is especially notable because that incident already demonstrated how dangerous third-party script trust can be. A supply-chain compromise at that scale is a reminder that convenience dependencies can become systemic risk.
  • The alleged shift from financially motivated activity into broader espionage is also consistent with a pattern often discussed in threat intelligence: the same access, tooling, or personnel can serve multiple state objectives.

Practical lessons

  • For users, choosing a crypto platform should involve more than fees and features. Security transparency, incident response history, regulatory posture, and independent scrutiny matter more.
  • For companies, KYC/AML processes are only as strong as identity proofing, internal access controls, and vendor oversight.
  • For website operators, the Polyfill episode remains a strong argument for reducing third-party JavaScript dependencies and self-hosting critical assets where possible.
  • For defenders, “low-level” infostealer infections can expose much larger ecosystems than people expect. Small compromises sometimes uncover major operational networks.

On the “possible lessons” you listed

Your first point is fair in a broad sense, although I would phrase it more as: users should evaluate exchanges as high-risk custodians, not just convenient apps.

Your second point is darkly funny, but it also highlights something real: criminal and state-linked ecosystems can be structured like ordinary workplaces in all the worst ways, including quotas, pressure, arbitrary discipline, and internal politics.

Bottom line

As a story, it is entertaining. As security material, the real value is in the recurring lesson that trust chains fail in very human ways: bad hiring, weak verification, overtrusted vendors, and excessive access.

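The self-hosting and third-party-script lesson in the reply above, and the Polyfill.io findings in the summary, come down to one control: pin what the browser is allowed to run. The following is an added example, not code from the thread, from the InfoStealers report, or from Polyfill.io. It computes a Subresource Integrity (SRI) `integrity` token for a reviewed script, emits the pinned tag, and re-checks a served copy the way a browser does. The CDN URL and the script bodies are constructed for the demo.

```python
"""Pinning a third-party or self-hosted script with Subresource Integrity (SRI).

Added example; not code from the forum thread, the InfoStealers report, or
Polyfill.io. Script bodies and the CDN hostname below are constructed samples.
"""
import base64
import hashlib
import hmac

# Only these algorithms are valid in SRI; a browser uses the strongest one listed.
SRI_ALGOS = ("sha256", "sha384", "sha512")


def sri_digest(body: bytes, algo: str = "sha384") -> str:
    """Return an SRI token ('sha384-<base64 digest>') for the given bytes."""
    if algo not in SRI_ALGOS:
        raise ValueError(f"SRI permits only {SRI_ALGOS}, not {algo!r}")
    digest = hashlib.new(algo, body).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(src: str, body: bytes, algo: str = "sha384") -> str:
    """Emit a <script> tag pinned to `body`. crossorigin="anonymous" is required
    for SRI to be enforced when `src` lives on another origin such as a CDN."""
    return (f'<script src="{src}" integrity="{sri_digest(body, algo)}" '
            'crossorigin="anonymous"></script>')


def verify_sri(body: bytes, integrity: str) -> bool:
    """Re-check a fetched body the way a browser does: keep only the tokens that
    use the strongest listed algorithm, then accept if any one of them matches."""
    tokens = [t for t in integrity.split() if t.partition("-")[0] in SRI_ALGOS]
    if not tokens:
        # No usable token: a browser would load the file unchecked; we fail closed.
        return False
    strongest = max(tokens, key=lambda t: SRI_ALGOS.index(t.partition("-")[0]))
    algo = strongest.partition("-")[0]
    candidates = [t for t in tokens if t.startswith(algo + "-")]
    actual = sri_digest(body, algo)
    return any(hmac.compare_digest(actual, t) for t in candidates)


# Constructed sample: the reviewed polyfill and a tampered copy as a poisoned CDN might serve it.
REVIEWED = (b"(function(){if(!Array.prototype.at){Array.prototype.at="
            b"function(i){return this[i<0?this.length+i:i];};}})();")
TAMPERED = REVIEWED + b"\nlocation.href='https://example.invalid/';"  # injected redirect

if __name__ == "__main__":
    token = sri_digest(REVIEWED)
    print(script_tag("https://cdn.example.invalid/polyfill.min.js", REVIEWED))
    print("reviewed copy passes:", verify_sri(REVIEWED, token))
    print("tampered copy passes:", verify_sri(TAMPERED, token))
```

The caveat that matters for Polyfill.io specifically: that service generated a different bundle per User-Agent, so there was never a single digest to pin, and SRI could not have been applied to it. That is exactly why the practical advice is to take a fixed build, self-host it, and pin that; SRI protects against drift of a fetched resource, not against a compromise of the host you serve from.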
Executive Summary

Confirmed Facts

Telemetry from a compromised Windows 10 Enterprise machine (DESKTOP-OG1CFR5) confirms that a DPRK operative managing the Polyfill.io supply chain attack and infiltrating Gate.us was infected by the LummaC2 infostealer. The infection vector was a password-protected ZIP archive hosted on MediaFire, which exfiltrated vast quantities of credentials, browser history, and Google Translate logs.

Assessment
The incident demonstrates a catastrophic OPSEC failure by an advanced persistent threat (APT). While the operative utilized sophisticated corporate infiltration techniques (e.g., bypassing KYC using synthetic personas like "Ariel Cruz"), their foundational security posture was flawed due to credential recycling and the execution of unverified third-party software.

Technical Analysis & Remediations

MITRE ATT&CK Mapping

  • T1204.002 (User Execution: Malicious File): The operative actively downloaded and executed the malicious archive.
  • T1552.001 (Credentials from Password Stores: Credentials In Files): LummaC2 extracted plain-text credentials stored in browser profile databases.
  • T1078.004 (Valid Accounts: Cloud Accounts): The operative maintained stolen access to Cloudflare tenants polyfill2[@]protonmail[.]com, AWS (l-one-user), and Sumsub compliance dashboards.

CVE Profile

  • NVD Score: N/A - Social Engineering
  • CISA KEV Status: Inactive/Not Applicable

Telemetry

  • IP Address: 192.161.60[.]132
  • Hostname: DESKTOP-OG1CFR5
  • Delivery Vector: hxxps://www[.]mediafire[.]com/file/gflsp6ovigjnvms/@#Full_Istaller_Pc_Setup_2024_PaSSW%E1%B9%8FrD^$[.]zip/file
  • Compromised Identities: koalaworld20210104[@]gmail[.]com, brian[@]funnull[.]com, ariel.cruz[@]gate[.]us

Note: The structure of the downloaded file suggests a trojanized software installer, but exact hash metrics remain unknown.

Remediation - THE ENTERPRISE TRACK (NIST SP 800-61r3 / CSF 2.0)

The following commands are tailored for organizations auditing their environments against DPRK IT Worker infiltration methodologies.

GOVERN (GV) – Crisis Management & Oversight

  • Enact strict identity verification policies for remote contractors, requiring hardware-bound MFA (FIDO2) and prohibiting the use of VOIP/SMS numbers (e.g., Twilio, Hushed) for authentication.

DETECT (DE) – Monitoring & Analysis

  • Deploy SIEM rules to detect high-frequency automated translation queries (e.g., sl=en&tl=ko) originating from corporate endpoints, particularly when correlated with "Make a copy" events (copy-filename-input) on sensitive intellectual property.
  • Audit VPN and remote access logs for consistent >200ms latency or clock-skew anomalies indicative of asynchronous, timezone-masked workflows.

RESPOND (RS) – Mitigation & Containment

  • Isolate any host demonstrating execution of LummaC2 payloads or suspicious connections to known bulletproof C2 infrastructure (e.g., stark-industries.solutions).

RECOVER (RC) – Restoration & Trust

  • In the event of a suspected insider threat/infostealer compromise, initiate a global password reset for all associated SSO, Cloudflare, AWS, and Git repositories.

IDENTIFY & PROTECT (ID/PR) – The Feedback Loop

  • Restrict local administrative rights to prevent employees or contractors from executing unauthorized .zip or .exe payloads from unverified file-sharing domains like MediaFire.

Remediation - THE HOME USER TRACK (Safety Focus)

While this specific telemetry reflects an enterprise/APT scenario, home users encountering LummaC2 via fake software setups must take immediate action.

Priority 1: Safety

  • Disconnect from the internet immediately if you suspect you have executed a trojanized software installer or cracked software.
  • Do not log into banking/email until verified clean.

Priority 2: Identity

  • Reset all critical passwords, session tokens, and cryptocurrency exchange credentials using a known clean device (e.g., a mobile phone on a cellular network).

Priority 3: Persistence

  • Run a comprehensive offline antivirus scan. If the infection is confirmed, perform a clean installation of the operating system, as infostealers like LummaC2 often drop secondary payloads.

Hardening & References

  • Baseline: CIS Controls v8 (Control 2: Software Asset Management; Control 6: Access Control Management).
  • Framework: NIST CSF 2.0 (PR.PS-01: Authentication and identity management, DE.CM-09: User behavior monitoring).
  • Advisory: Refer to joint CISA/FBI advisories regarding DPRK IT Worker schemes and the usage of synthetic identities for fraudulent employment.

Source: InfoStealers
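The DETECT rule in the report above (bursts of automated translation queries into Korean, correlated with "Make a copy" events on sensitive documents) is easy to state and less easy to get right in a SIEM, because it needs a sliding window plus a cross-source join. The following is an added worked example, not code from the thread or from the InfoStealers report, that runs that logic over a small constructed log stream. The line format, host names, user names, document names, thresholds and windows are all assumptions made for the demo; tl=ko and copy-filename-input are the identifiers the report itself names, and the rule is generalized so any target language in TARGET_LANGS counts.

```python
"""Correlating bursts of machine-translation queries with "Make a copy" events.

Added example; not code from the thread or the InfoStealers report. The line
format, hosts, users, document names, WINDOW, BURST_THRESHOLD and CORRELATE
are assumptions for the demo; tl=ko and copy-filename-input come from the report.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlparse

WINDOW = timedelta(minutes=10)       # sliding window for counting translation queries
BURST_THRESHOLD = 5                  # queries inside WINDOW that make a burst (assumed tuning)
CORRELATE = timedelta(minutes=15)    # max gap between a burst and a copy event (assumed)
TARGET_LANGS = {"ko"}                # tl= values of interest; extend for other languages
TRANSLATE_HOSTS = ("translate.google.com", "translate.googleapis.com")

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line: str) -> dict:
    """Parse 'ts key=value key="quoted value" ...' into a dict; 'ts' becomes a datetime."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable line: {line!r}")
    rec = {k: (q if q else b) for k, q, b in KV_RE.findall(m["kv"])}
    rec["ts"] = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
    return rec


def is_translation_query(rec: dict) -> bool:
    """True for a proxy record whose URL is a Google Translate request into a target language."""
    url = rec.get("url")
    if not url:
        return False
    u = urlparse(url)
    if not u.hostname or not u.hostname.endswith(TRANSLATE_HOSTS):
        return False
    return any(t in TARGET_LANGS for t in parse_qs(u.query).get("tl", []))


def find_bursts(events: list) -> list:
    """Sliding window over one host's translation events; returns merged (start, end)
    spans in which at least BURST_THRESHOLD queries fell inside WINDOW."""
    times = sorted(e["ts"] for e in events)
    bursts, left = [], 0
    for right, t in enumerate(times):
        while t - times[left] > WINDOW:
            left += 1
        if right - left + 1 >= BURST_THRESHOLD:
            start, end = times[left], t
            if bursts and start <= bursts[-1][1]:
                bursts[-1] = (bursts[-1][0], end)  # overlapping: extend the last span
            else:
                bursts.append((start, end))
    return bursts


def detect(lines) -> list:
    """One alert per translation burst; 'high' when a copy-filename-input event on
    the same host falls within CORRELATE of the burst, otherwise 'medium'."""
    translations, copies = defaultdict(list), defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        if is_translation_query(rec):
            translations[rec["host"]].append(rec)
        elif rec.get("event") == "copy-filename-input":
            copies[rec["host"]].append(rec)
    alerts = []
    for host, evs in translations.items():
        for start, end in find_bursts(evs):
            linked = [c for c in copies.get(host, [])
                      if start - CORRELATE <= c["ts"] <= end + CORRELATE]
            alerts.append({
                "host": host,
                "severity": "high" if linked else "medium",
                "queries": sum(1 for e in evs if start <= e["ts"] <= end),
                "window": (start.isoformat(), end.isoformat()),
                "copied_docs": sorted(c.get("doc", "?") for c in linked),
            })
    return alerts


# Constructed sample: web-proxy and Drive-audit lines merged into one stream.
SAMPLE_LOGS = """\
2024-04-10T09:01:00Z host=WS-0412 user=acruz url="https://translate.google.com/?sl=en&tl=ko&text=network+segmentation+policy"
2024-04-10T09:02:00Z host=WS-0412 user=acruz url="https://translate.google.com/?sl=en&tl=ko&text=air+gap+bridge+procedure"
2024-04-10T09:03:30Z host=WS-0412 user=acruz url="https://translate.googleapis.com/translate_a/single?client=gtx&sl=en&tl=ko&q=VLAN+allocation"
2024-04-10T09:04:00Z host=WS-0412 user=acruz url="https://translate.google.com/?sl=en&tl=fr&text=lunch+menu"
2024-04-10T09:05:00Z host=WS-0412 user=acruz url="https://translate.google.com/?sl=en&tl=ko&text=firewall+ruleset"
2024-04-10T09:06:10Z host=WS-0412 user=acruz url="https://translate.google.com/?sl=en&tl=ko&text=badge+reader+wiring"
2024-04-10T09:08:00Z host=WS-0412 user=acruz url="https://translate.google.com/?sl=en&tl=ko&text=jump+host+credentials"
2024-04-10T09:13:00Z host=WS-0412 user=acruz event=copy-filename-input doc="NIMS isolated-network topology.vsdx"
2024-04-10T10:00:00Z host=WS-0099 user=jdoe url="https://translate.google.com/?sl=en&tl=ko&text=thank+you"
2024-04-10T14:00:00Z host=WS-0412 user=acruz event=copy-filename-input doc="Team lunch poll"
"""

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOGS.splitlines()):
        print(alert)
```

Run as-is it produces a single high-severity alert for WS-0412: six Korean-target queries in seven minutes followed five minutes later by a copy of the topology document, while the lone query from WS-0099, the French-target query, and the afternoon copy of an unrelated document generate nothing. Two tuning points a practitioner should expect: the burst threshold and windows have to be set against a baseline of legitimate translation use on the estate (a multilingual workforce will drive false positives), and the correlation only works if proxy logs and SaaS audit logs share a trustworthy clock, which is also why the report's clock-skew audit sits in the same DETECT section.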
 