1、O C T O B E R 1,2 0 2 5A NORTH KOREAN CYBER OPERATION:Exposing ARP-based Covert C2s,WebSocket Malware,and Video Conference Software AbuseSecTor 2025WHO ARE WE?A N O R T H K O R E A N C Y B E R O P E R A T I O NAvi SambiraDirector,N.AMERICA,CA2AGENDAA N O R T H K O R E A N C Y B E R O P E R A T I O N
2、3BackgroundTool BreakdownDemonstrationRecommendationsLast ThoughtsBACKGROUNDREAL-WORLD IMPACTA N O R T H K O R E A N C Y B E R O P E R A T I O NKey Milestones in North Korean Cyber Operations(May 2022February 2025)January 2025North Korean IT workers begin extorting former employersFebruary 2025$1.5
3、billion stolen in singlecryptocurrency attackMay 2022North Korean IT workers identified as major infection vectorAt least seven organizations in sixcountries targetedSeptember 2024 February 202521 command and control servers linked to operationsAugust 2024 February 20255jnMARCHFEBRUARYJANUARYDECEMBE
4、RNOVEMBERTIMELINE OF EVENTSA N O R T H K O R E A N C Y B E R O P E R A T I O N7December 2024North Korean IT worker hired as senior DevOps engineerEarly January 2025Discovery of tooling on seized laptopFebruary 2025Laptop returned to client and analyzed by SygniaJanuary to February 2025Threat hunt pe
5、rformed in client environmentNO MALWARE NEEDED:JUST PYTHON,ARP,AND ZOOMA N O R T H K O R E A N C Y B E R O P E R A T I O NCovert DeviceControl8Scripts enablecontrol withoutmalware installation.ScriptsARP packetsrebroadcastcommands locally.ARP PacketsZoom Automationsimulates remotedesktop control.Zoo
6、m AutomationWebSocketfacilitates remotecommand andcontrol.WebSocketEvasion operatesbelow traditionallogging thresholds.EvasionTOOL BREAKDOWN10COVERT CONTROL SYSTEM:NO EXPLOITS REQUIREDA N O R T H K O R E A N C Y B E R O P E R A T I O NNetwork ListenerModuleVideo ConferencingAutomation ModuleInput Si