Trend Micro researchers have identified that a threat actor tracked as Void Dokkaebi (also known as Famous Chollima) has been running extensive social engineering campaigns through fictitious companies such as BlockNovas, which presented itself as a blockchain technology firm with a polished online presence. According to the findings, five Russian IP ranges, located primarily in the border town of Khasan and in Khabarovsk, are being used to stage attacks that target cryptocurrency wallets and sensitive information belonging to technology professionals worldwide. This infrastructure lets North Korean operators conceal their origin while connecting to job recruitment platforms, cryptocurrency services, and communication applications including Skype, Telegram, Discord, and Slack.

North Korea's cybercrime operations have expanded well beyond the 1,024 IP addresses assigned to the country's national network through this arrangement with Russian infrastructure. Analysis of the group's infrastructure revealed connections to Beavertail malware command-and-control servers and to password-cracking tools such as Hashtopolis, underlining the operation's focus on cryptocurrency theft. Investigators also found instructional videos containing non-native English text that walk through Beavertail C&C server setup and cryptocurrency wallet password cracking, which suggests collaboration with foreign conspirators beyond the core North Korean team.

The BlockNovas operation illustrates the social engineering tactics these actors employ. Created in July 2024, BlockNovas maintained an extensive online presence, including profiles on LinkedIn, Upwork, Facebook, and X (formerly Twitter). The group used artificial intelligence to build convincing personas, including a fictitious Chief Technology Officer whose profile appeared legitimate and had hundreds of followers. BlockNovas targeted IT professionals in Ukraine, the United States, and Germany with fraudulent job interviews, and in December 2024 it specifically pursued Ukrainian IT professionals with cryptocurrency expertise. Victims were prompted to download and execute malware disguised as software required for the interview process. The command they were instructed to run downloads and executes malware known as FrostyFerret on macOS or GolangGhost on Windows, which then connects to command-and-control servers that also support Beavertail. On April 23, 2025, the FBI seized the BlockNovas domain as part of a law enforcement action against North Korean cyber actors.

The infrastructure behind these operations traces back to specific Russian IP ranges assigned to two organizations in Khasan and Khabarovsk. Khasan sits roughly one mile from the North Korea-Russia border and is connected to it by the Korea-Russia Friendship Bridge, making it a strategic location for these operations. On top of these ranges the operators have built a multi-layered anonymization network of commercial VPN services, proxy servers, and numerous Virtual Private Servers (VPS) reached over Remote Desktop Protocol (RDP). The ranges include 80.237.84.0/24 (created September 2024), 80.237.87.0/24 (created December 2024), 188.43.136.0/24 (created September 2017), and several others registered under network names such as KPOST-NET and SKYFREIGHT-NET.
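One practical use of the published ranges is a quick sweep of authentication and remote-access logs for source addresses inside them. The following is an added example written for this page; it is not code from the article or from Trend Micro. The log format, the usernames, and every IP in the sample log are constructed for illustration. Only the three /24 ranges the article names explicitly are included; the "several others" it mentions without listing are not, so extend REPORTED_RANGES from the original report before relying on it.

```python
import ipaddress
import re

# The three /24 ranges the article names. The additional ranges it refers
# to are not listed on the page and are therefore not included here.
REPORTED_RANGES = [
    ipaddress.ip_network("80.237.84.0/24"),
    ipaddress.ip_network("80.237.87.0/24"),
    ipaddress.ip_network("188.43.136.0/24"),
]

# Constructed sample log (not real telemetry): key=value auth events with a
# src= field. Line 4 is deliberately in 80.237.85.0/24, an adjacent block
# that is NOT on the list, to show that matching is exact to the /24.
SAMPLE_LOG = """\
2025-04-20T10:01:02Z event=rdp_logon user=dev01 src=80.237.84.17 result=success
2025-04-20T10:02:11Z event=rdp_logon user=dev02 src=203.0.113.45 result=success
2025-04-20T10:05:40Z event=vpn_connect user=ci-bot src=188.43.136.200 result=success
2025-04-20T10:07:09Z event=rdp_logon user=dev01 src=80.237.85.9 result=failure
2025-04-20T10:09:33Z event=slack_oauth user=hr src=80.237.87.250 result=success
"""

# Assumed field name "src="; adjust the pattern to your own log schema.
IP_RE = re.compile(r"\bsrc=(\d{1,3}(?:\.\d{1,3}){3})\b")


def match_range(ip_str):
    """Return the reported network that contains ip_str, or None.

    Malformed addresses return None rather than raising, so a single bad
    log line does not abort a sweep.
    """
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return None
    for net in REPORTED_RANGES:
        if ip in net:
            return net
    return None


def find_hits(log_text):
    """Scan log text line by line.

    Returns a list of (line_number, ip, network) tuples, one per line whose
    src= address falls inside a reported range. Lines without a src= field
    are skipped.
    """
    hits = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        m = IP_RE.search(line)
        if not m:
            continue
        net = match_range(m.group(1))
        if net is not None:
            hits.append((line_no, m.group(1), str(net)))
    return hits


if __name__ == "__main__":
    for line_no, ip, net in find_hits(SAMPLE_LOG):
        print(f"line {line_no}: {ip} is inside reported range {net}")
```

A hit here is a lead, not a verdict: the article describes the operators layering commercial VPNs, proxies and rented VPS hosts on top of these ranges, so much of their traffic will not arrive from the listed addresses, and ordinary customers of the same Russian providers will. Treat a match as a trigger for looking at what the account did next (new RDP sessions, wallet or exchange logins, unexpected downloads during an "interview"), not as a block rule on its own.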
This Cyber News was published on cybersecuritynews.com. Publication date: Fri, 25 Apr 2025 09:10:05 +0000