DPRK-aligned threat operations: tradecraft, tooling, and detection patterns

Thursday 15 October 14:30 - 15:00, Red room   

Wonkyeom Kim 

DPRK-aligned threat actors have refined their operations against high-value targets over multiple years, evolving their tactics, infrastructure, and operational tradecraft. Public reporting captures parts of this picture (individual samples, isolated indicators, point-in-time observations), but sustained analysis across observed activity reveals consistent patterns at the campaign level. How operators stage initial access. How they reuse infrastructure across years rather than months. How their tooling evolves across sub-operations. And how their increasingly fileless implants leave traces that can still be hunted with the right approach.

This talk presents a campaign-level view of a cluster of DPRK-aligned activity, drawn from extended hands-on analysis. The work builds on publicly characterized families and patterns observed in operational research contexts. Rather than focusing on a single incident or a single sample, the talk synthesizes patterns across the cluster, offering a cross-case view that complements existing public reporting and adds depth where individual reports stop.

The talk is organized around four lenses:

• Tactics. Recurring initial-access patterns observed across the cluster, including watering-hole staging, supply-chain compromise via shared upstream service infrastructure, and sideloading chains that abuse trusted security software. Cases are abstracted to focus on tactical reuse rather than any specific incident.
• Infrastructure. Operator footprint patterns spanning multi-year reuse, where the same infrastructure pool is observed feeding what public reporting treats as separate operations. The talk situates this cluster-level observation alongside infrastructure-side signals already documented in related public reporting and discusses how these connect when viewed together.
• Tooling. Selected malware examples, building on publicly characterized families such as ImprudentCook, anchor the analysis. The discussion follows the cluster's progression toward increasingly fileless implants that abuse legitimate Windows components and load entirely in memory. Attention is given to code reuse, crypto-key reuse, and string-level overlaps as attribution signals across variants.
• Detection patterns. A pragmatic live-forensics hunting workflow for the kind of fileless and sideloaded implants this cluster favours, built on widely available host-level utilities such as the NirSoft toolset rather than EDR telemetry. The lens is set by a real constraint that shapes early-response work in many environments: engagement windows are tight, the affected organization needs to keep operating, and every additional hour of disruption matters. Speed and minimal footprint are not preferences here, they are hard requirements. The session walks through how live artifacts such as alternate data streams, registry persistence, prefetch entries, service registrations, and runtime process behaviour can be combined to surface implants that leave little to no on-disk evidence, and how to do so quickly enough to complete the engagement without disrupting operations. The workflow is designed for environments where specialized telemetry isn't available.

Back to VB2026 Programme page

Back to VB2026 conference page

Register your interest for VB2026

Other VB2026 papers