← Dispatches

TLP:CLEAR · 2026-02-25

Anatomy of a Trojanized Toolkit: Reversing a Live DPRK-Linked C2 Channel

We pulled a trojanized CUDA installer from an active campaign delivering a multi-stage Python RAT with a live command-and-control server. We reversed the protocol, impersonated a compromised host, mapped the full operational playbook in real time, and identified significant overlaps with known DPRK/Lazarus Group tradecraft.

We identified and acquired a trojanized NVIDIA CUDA toolkit installer circulating in an active campaign. Initial triage confirmed a multi-component payload: a remote access trojan, an infostealer, and a cryptocurrency clipboard hijacker bundled into a single deployment chain. The installer appeared legitimate. The execution chain did not. We reversed the binary, broke the C2 (command-and-control) protocol, impersonated a compromised host, and mapped the entire operational playbook. What we found carries the fingerprints of Pyongyang.

Delivery and Payload

The campaign distributed a PowerShell dropper disguised as cuda_toolkit_sim_v12.4.ps1. On execution it downloaded a 19MB ZIP archive from camdriver[.]pro, extracted it to a temporary directory, and silently launched a VBScript bootstrap. The download URL referenced Realtek drivers rather than NVIDIA (hxxps://camdriver[.]pro/realtekwin.update?r=ffa752c6-84e9-4bb9-b3c8-a3ab09cbcbe6), suggesting the same infrastructure serves multiple lure variants targeting different developer audiences.

The payload archive, driver.zip, contained a complete attack toolkit: 14 Python modules, two RSA-2048 public keys, a bundled Python 3.12 runtime packed into Module.zip at 16.5MB, and a renamed copy of pythonw.exe masquerading as svchost.exe. The VBScript launcher extracted the Python runtime and executed the RAT entry point (updatedriver.py) via the disguised interpreter, keeping the entire chain windowless and invisible to the user.

Persistence

The dropper established four independent persistence mechanisms to survive across privilege levels. With admin access: a scheduled task named svchost running at logon with HIGHEST privilege, plus a second task disguised as OneDrive Update Task-S-16-5-25-262930093-1106209884-352468633-100 executing from %TEMP% as SYSTEM. Without admin access: a startup folder shortcut at %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk, and a registry Run key at HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svchost. The malware also entered a UAC elevation loop, repeatedly calling ShellExecuteW with "runas" until the user clicked Yes.

Anti-Analysis and Evasion

The evasion module patched seven ETW functions in memory: EtwEventWrite, EtwEventWriteEx, EtwEventWriteFull, EtwEventWriteString, EtwEventWriteTransfer, EtwWrite, and EtwWriteEx. Each was overwritten with xor eax, eax; ret (0x48 0xC7 0xC0 0x00 0x00 0x00 0x00 0xC3 on x64), blinding Event Tracing for Windows entirely. AMSI was neutralized by patching AmsiScanBuffer to return E_INVALIDARG (0x80070057). NTDLL was unhooked by loading a fresh copy from System32, bypassing any EDR inline hooks.

VMware detection checked MAC address prefixes (00:0C:29, 00:50:56, 00:05:69), registry keys, WMI queries, and process names. Every Python module opened with base64-encoded guard code checking for UTC timezone, sandbox path keywords (virus, sample, sandbox, malware, InsideTm), active debuggers via sys.gettrace(), and memory tracers via tracemalloc.is_tracing(). Patching seven ETW functions instead of just EtwEventWrite is unusual for commodity malware and reflects operational maturity.

C2 Protocol Reversal

We fully reversed the layered encryption scheme used for C2 communication. The transport layer generated a random AES-256-GCM session key per request, encrypted the message payload, then wrapped the session key with the server RSA-2048-OAEP public key using SHA-256. The wire format was [RSA_ENCRYPTED_KEY | NONCE | TAG | CIPHERTEXT], sent as an HTTP POST to 144[.]172[.]115[.]189:8080 with Content-Type: application/octet-stream. The server responded using the same session key as [NONCE | TAG | CIPHERTEXT].

A second encryption layer operated at the message level: individual data fields within commands were encrypted using AES-CBC with a hardcoded 32-byte key (f7Jk9vB2xQpL6zT1wR8sY3uN0eH5cD4a) and 16-byte IV (pL9vB2xQpL6zT1wR) extracted directly from constants.py. Exfiltrated files received a third layer of encryption using a separate RSA-2048 operator public key, ensuring only the holder of the corresponding private key could decrypt stolen data. This dual-key architecture, separating transport encryption from data encryption, suggests organizational separation between infrastructure operators and intelligence consumers.

Impersonating a Compromised Host

With the protocol broken, we built a fake agent. It registered with fabricated system information: a plausible hostname, a Windows 10 build string, daemon version 1.0.3, and a generated machine fingerprint matching the format stored at %APPDATA%\.system_id\.host. The agent responded to every C2 command with plausible synthetic data. Credential theft requests received fake Chrome Login Data entries. Cookie extraction received fabricated session cookies. Extension enumeration received dummy wallet data. At no point did the agent execute any received command. It was a listener, not a participant.

The Automated Attack Playbook

The C2 responded within seconds. It issued seven automated data theft commands in rapid sequence, each identified by an obfuscated command prefix:

CommandTarget
r4ys/gi%#Chrome cookies
r4ys/89ioFull Chrome profile
r4ys/kyciChrome Login Data (passwords via DPAPI)
r4ys/tgthTelegram tdata session directories
r4ys/dcgdDiscord tokens (stable, PTB, canary, dev)
r4ys/stsfSteam SSFN authentication files
r4ys/cookChrome cookies (second pass)

Browser credentials and session tokens were collected first, indicating immediate interest in account takeover. Cryptocurrency wallet extensions were specifically targeted through a hardcoded list of 85+ browser extension IDs, including MetaMask, TronLink, Binance Wallet, Phantom, and Rabby. The clipboard hijacker module (utils_block.py) monitored for cryptocurrency addresses across eight blockchains (BTC, ETH, LTC, DOGE, ADA, TRX, SOL, SUI), replacing them with 40 attacker-controlled wallets embedded in the binary.

After the initial theft cycle, the C2 entered a WAIT/SLEEP loop issuing 300-second polling intervals. We capped the sleep to 5 seconds and maintained persistent contact. Over thousands of exchanges across the first hours of monitoring, the server issued no manual operator commands. No shell access. No file uploads. No lateral movement. The infrastructure appeared to operate on full autopilot, executing its credential harvesting playbook without any human in the loop.

The Operator Wakes Up

That changed 24 hours later. At 21:15:00 UTC on February 26, after over 6,300 silent polling exchanges, the C2 issued its first non-automated command: dghh, the EXIT (self-destruct) instruction. Our watcher logged the 128-byte encrypted payload, sent a fake acknowledgment, re-registered with a fresh agent ID, and resumed monitoring.

The operator responded immediately. Within 19 seconds, a second EXIT command arrived. Our agent re-registered again. Nine seconds later, a third EXIT. Ten seconds after that, a fourth. Between 21:15:00 and 21:15:38, the operator sent four rapid-fire self-destruct commands, each time watching our agent complete the full 7-command theft cycle before issuing another kill signal. They were actively watching the C2 panel in real time.

After the fourth attempt, the EXIT commands stopped. The C2 returned to its WAIT/SLEEP loop and has remained silent since. The operator either gave up or concluded the agent was compromised and moved on. What they could not do was actually kill our watcher, the fake agent logged every EXIT command but never executed any of them, and the re-registration with a fresh ID kept the session alive.

This sequence confirms three things. First, there is a human operator staffing this infrastructure, not just automated collection. Second, that operator is actively reviewing incoming victim sessions, which means the exfiltrated data from real victims is being processed and acted on. Third, the operator recognized our fake data as synthetic, the fabricated Chrome cookies, dummy Telegram tdata, and placeholder Discord tokens we fed back during the theft cycle were apparently unconvincing enough to trigger a manual review and cleanup attempt. The operation is not just running. Someone is watching.

Linked Phishing Infrastructure

Concurrent with the malware analysis, we identified a separate phishing operation sharing infrastructure. A fake Ripple careers site at ripplecareer[.]com collected victim PII through a fabricated "Brand Design Intern, Brand Studio (Summer 2026)" application form. Data was exfiltrated via HTTPS POST to camdriver[.]pro/letsgoassessment using RSA-2048-OAEP encryption in the browser.

The "company" field was transmitted in cleartext, an operational security failure that exposed full device fingerprints (OS, browser version, screen resolution, timezone), phone numbers, and the social engineering lure verbatim. The User-Agent was spoofed with Safari/7046A194A on Mac OS X 10.9.3 while sec-ch-ua headers reported Chrome 145 on Windows.

ripplecareer[.]com resolved to 95.169.180.146 and camdriver[.]pro to 95.169.180.198, both within the same /24 block. camdriver[.]pro served dual purposes: hosting the malware payload archive and receiving exfiltrated phishing data. Shared infrastructure across a malware pipeline and a credential phishing operation indicates unified operational management. The RSA public key from the phishing site did not match either key from the malware binary (server key dated rsa-key-20260210, operator key dated rsa-key-20260211), confirming separate key material per campaign but a common operator.

DPRK / Lazarus Attribution

The pattern of trojanizing legitimate developer tools to deliver Python-based credential stealers with heavy cryptocurrency focus maps directly to documented DPRK threat activity. The overlaps are not circumstantial. They are structural.

Architectural Match to BeaverTail / InvisibleFerret

Palo Alto Unit 42 tracks an ongoing DPRK campaign designated CL-STA-0240 "Contagious Interview." Their BeaverTail malware downloads a complete Python runtime and deploys InvisibleFerret, a Python backdoor that steals browser credentials, cryptocurrency wallet extensions, and messaging platform tokens. Our sample bundles a 16.5MB Python 3.12 runtime (Module.zip) to execute a Python RAT via a renamed pythonw.exe. The delivery architecture is functionally equivalent.

Exact Extension ID Overlap

BeaverTail targets MetaMask (nkbihfbeogaeaoehlefnkodbefgpgknn), MetaMask Edge (ejbalbakoplchlghecdalmeeeajnimhm), Binance Wallet (fhbohimaelbohpjbbldcngcnapndodjp), TronLink (ibnejdfjmmkpcnlpebklmnkoeoihofec), Phantom (bfnaelmomeimhlpmgjnjophhpkkoljpa), and Rabby (acmacodkjbdgmoleebolmdjonilkdbch). Our sample targets every one of these same extension IDs, plus 70 more. The list in constants.py is a superset of the known DPRK target list. Both tools also target the same messaging platforms: Telegram tdata, Discord tokens across four client variants, and Steam SSFN files. This is a specific collection priority list that matches DPRK operational requirements.

Operation DreamJob Recruitment Lure

ESET Research documented Lazarus Group Operation DreamJob, in which actors impersonate recruiters from companies like Meta and Amazon to deliver trojanized coding challenges. The fake Ripple internship site at ripplecareer[.]com follows this exact playbook: a fabricated job opportunity at a prominent cryptocurrency company used as a social engineering lure. The choice of Ripple aligns with DPRK documented strategic interest in cryptocurrency industry infiltration. UN Security Council reports have repeatedly documented North Korean actors targeting cryptocurrency exchanges, DeFi platforms, and blockchain companies to fund the regime weapons programs.

Multi-Stage Delivery Complexity

The delivery chain (PowerShell dropper to VBScript launcher to Python RAT via renamed interpreter) mirrors Lazarus tooling complexity. ESET analysis of LightlessCan, a Lazarus RAT delivered through Operation DreamJob, documented similar multi-stage chains with encrypted payloads, environment-dependent decryption keys, and execution guardrails. Our sample employs comparable anti-analysis guardrails terminating execution in sandboxes, debuggers, or VMs.

Financial Architecture

Clipboard hijacking across eight blockchains with 40 pre-staged wallet addresses represents infrastructure investment. Each address is an operational asset requiring management, gas funding, and monitoring. According to Chainalysis and UN Panel of Experts reports, North Korean threat actors stole over $1.7 billion in cryptocurrency in 2023 alone. Crypto clipboard hijacking is a known DPRK revenue generation technique that operates passively once deployed, exactly the autonomous model we observed.

Tradecraft Consistency

The comprehensive ETW patching of seven functions goes beyond what commodity malware implements. The dual-key RSA architecture suggests organizational separation between operators and consumers. The fully automated C2 with no human operator suggests a scaled collection model rather than targeted intrusion. IP clustering of phishing and malware infrastructure within the same /24 at 95.169.180.0/24 is consistent with DPRK bulk-provisioning practices. We also found a backup C2 address commented out in the source (23[.]227[.]203[.]99:8080), indicating contingency planning for primary C2 loss.

Assessment

We assess with moderate confidence that this operation is linked to DPRK-affiliated threat activity, specifically the cluster tracked as Contagious Interview / CL-STA-0240 and the broader Lazarus Group umbrella. This assessment is based on seven converging factors: (1) architectural equivalence to BeaverTail/InvisibleFerret; (2) exact overlap in targeted cryptocurrency wallet extension IDs; (3) identical targeting of Telegram, Discord, and Steam session data; (4) fake cryptocurrency company recruitment site consistent with Operation DreamJob; (5) shared infrastructure between malware delivery and phishing at camdriver[.]pro; (6) cryptocurrency clipboard hijacking across multiple blockchains as a revenue mechanism; and (7) fully automated C2 infrastructure designed for scale.

The C2 at 144[.]172[.]115[.]189 remains live as of this writing. It continues to accept connections and execute its automated collection playbook against any agent that presents valid protocol formatting. A human operator connected during our extended monitoring window and attempted to terminate our fake agent four times via EXIT commands before giving up. The infrastructure is not just running on autopilot, it is actively staffed and monitored. The operation is burned. Pyongyang knows.

Indicators of Compromise

Network Indicators

TypeIndicatorContext
C2 Server144[.]172[.]115[.]189:8080Primary C2 (confirmed live)
C2 Server23[.]227[.]203[.]99:8080Backup C2 (dormant, in source comments)
Domaincamdriver[.]proPayload hosting and phishing exfil
Domainripplecareer[.]comPhishing lure site (95.169.180.146)
URLhxxps://camdriver[.]pro/realtekwin.update?r=ffa752c6-...Stage 2 payload download
URLhxxp://144[.]172[.]115[.]189:8080C2 HTTP endpoint
URLhxxps://camdriver[.]pro/letsgoassessmentPhishing data exfil endpoint

File Hashes (SHA256)

HashFile
63797c555d995fac8d167c184d016534a1da0f338521a8af244ad4e78ae79946driver.zip (payload archive)
204337c13fe22c6b1c22c91b87f8bb5e3be1316d96405549a92a4f0daab6d4d1updatedriver.py (RAT entry point)
7d733fcee66f0d93f5d38e773c5f8ce1747b8a4244e031a45050708e5cf446a2core.py (C2 command loop)
d89a4e1880f762aacfd63467072dcc53c45d82a8fdbfdb9878f3897d215d72cbtransport.py (encrypted transport)
678042861a29ade86989c7952371ba4bb9b083f78e8f42cae0c5c438261e20d4constants.py (config/wallets/extensions)
1c6b8ed92d08ff2eacf441e5d9bac079bd01588f719374675a978610b0bd743aauto.py (Chrome credential theft)
b2776c9383d45bec871e426304c47681628d82bb9d29a4fc543cf58a042d5935auto_gather.py (Telegram/Discord/Steam)
f7f69ae26afd0d3011a583f9994fae1382d746f5f97115a48adc98029f10b63bevasion.py (ETW/AMSI/NTDLL bypass)
ffb76093fa92e1a6731582707023da6d1fdbcd806d00974a95c008504bfe96bedec.py (Chrome DPAPI decryption)
fd5c46d73d29ba21b04c844bbaf9096066136526911230645a2a040d23fb612bsvchost.exe (renamed pythonw.exe)

Host Indicators

TypeIndicator
RegistryHKCU\Software\Microsoft\Windows\CurrentVersion\Run\svchost
Sched Tasksvchost (ONLOGON, HIGHEST, current user)
Sched TaskOneDrive Update Task-S-16-5-25-262930093-1106209884-352468633-100 (SYSTEM)
File Path%TEMP%\OneDriveUpdate.exe
File Path%APPDATA%\.system_id\.host
File Path%TEMP%\.store
Startup%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk

Cryptographic Material

TypeValue
AES-CBC Keyf7Jk9vB2xQpL6zT1wR8sY3uN0eH5cD4a
AES-CBC IVpL9vB2xQpL6zT1wR
Daemon Version1.0.3

Detection Strings

StringContext
StarMainLoopC2 command loop function name
REPLACEMENT_ADDRESSESClipper wallet configuration variable
OneDriveUpdate.exePersistence binary in %TEMP%
realtekwin.updatePayload URL path component
camdriver.proPayload and phishing domain

Intercept Cell Research is a Cipher Cortex research program. Hooked Scams is a scam investigation series from Intercept Cell Research.