Larva-24005

Also known as: Larva-24005

Larva-24005 is a threat actor that breaches servers in Korea to establish a web server and PHP environment for phishing attacks, primarily targeting individuals involved with North Korea and university professors researching the regime. They exploit the BlueKeep vulnerability for initial access and utilize RDPWrap and a custom keylogger post-compromise. Phishing emails are crafted to appear as legitimate communications, often containing malicious URLs or compressed files. The actor has been observed storing phishing pages in the IIS_USER account and XAMPP home folder, although traces of these pages were later deleted.

🌍 Country North Korea

Introduction

Larva-24005 is a threat actor that breaches servers in Korea to establish a web server and PHP environment for phishing attacks, primarily targeting individuals involved with North Korea and university professors researching the regime. They exploit the BlueKeep vulnerability for initial access and utilize RDPWrap and a custom keylogger post-compromise. Phishing emails are crafted to appear as legitimate communications, often containing malicious URLs or compressed files. The actor has been observed storing phishing pages in the IIS_USER account and XAMPP home folder, although traces of these pages were later deleted.

Activities and Tactics

Country of Origin: 🇰🇵 North Korea

Notable Campaigns

Information pending cataloguing.

Tactics, Techniques, and Procedures (TTPs)

Information pending cataloguing.

Notable Indicators of Compromise (IOCs)

No curated IOCs are currently published for this actor. This section will be updated when stable, attributable indicators are available.

Malware and Tools

  • Xploit

Attribution and Evidence

Country of Origin: North Korea Additional attribution information pending cataloguing.

References

References pending cataloguing.