DPRK APTs Steal Crypto Keys In Coordinated Cloud Attack

A recent investigation by Ctrl-Alt-Intel has uncovered a sophisticated cyberattack targeting cryptocurrency organizations.

The attackers, suspected to be aligned with DPRK (North Korean) threat groups, have exploited various vulnerabilities across the crypto supply chain, from staking platforms to exchange software providers, to steal sensitive data, including private keys and proprietary software.

The campaign leverages a combination of web application vulnerabilities and cloud-based exploitation techniques to infiltrate crypto networks and exfiltrate valuable data.

Initial Access and Exploitation

The attackers began their operation by targeting crypto staking platforms using the React2Shell vulnerability (CVE-2025-55182).

This vulnerability enabled them to gain initial access to web applications, after which they used mass-scanning techniques to identify exposed systems.

In addition, the attackers leveraged previously obtained AWS credentials, likely harvested through earlier breaches or exploitation of cloud environments, to gain access to other crypto exchange tenants.

After compromising cloud credentials, the threat actors moved laterally within the environment. They exploited AWS IAM roles to escalate privileges, enabling them to pivot between AWS services.

Web-app exploitation (Source: ctrlaltintel)

Using this access, the attackers gained control over Kubernetes environments by updating kubeconfig files, thereby authenticating and interacting with Kubernetes clusters.

Additionally, the attackers utilized S3 bucket enumeration to locate sensitive data, including Terraform state files and environment variables containing private keys and secrets.

These files were essential to the attackers, as they enabled access to internal systems and allowed them to conduct further reconnaissance and exfiltration.

Source found within open-directory (Source: ctrlaltintel)

Data Exfiltration and Malware Deployment

The attackers focused their efforts on exfiltrating high-value data, including proprietary exchange software and Docker images containing sensitive code and secrets.

They extracted five Docker images from the Elastic Container Registry (ECR) and saved them as tar archives for later use. These images contained important configurations and application secrets that could be exploited for future attacks.

In addition to exfiltrating data, the threat actors deployed malicious payloads within compromised systems. They used VShell and FRP reverse proxies to maintain persistent remote access to the compromised networks, allowing them to execute commands and exfiltrate data over time.

AWS kill-chain (Source: ctrlaltintel)

The C2 infrastructure used by the attackers included VShell (a Chinese-developed post-exploitation tool) and FRP reverse proxies.

These tools facilitated remote control and data exfiltration by maintaining persistent connections over non-standard ports, such as port 53 (DNS), to evade detection.

The threat actors' use of South Korean VPN nodes to obscure their origin and their IPv6/IPv4 addresses suggests an effort to evade detection and hinder attribution.

Furthermore, the domain itemnania.com, registered in South Korea, was identified as a key piece of the infrastructure, supporting the attackers’ operations.

By following these recommendations, organizations can strengthen their defenses against this evolving threat and protect critical assets from future attacks.

The post DPRK APTs Steal Crypto Keys In Coordinated Cloud Attack appeared first on Cyber Security News.
