  • SANS Digital Forensics and Incident Response
  • 2025-08-15
  • 437
A North Korean Cyber Operation
Tags: digital forensics, incident response, threat hunting, cyber threat intelligence, dfir training, dfir, learn digital forensics, learn computer forensics, forensic data, forensics artifacts, free digital forensics, free computer forensics
Video description: A North Korean Cyber Operation

A North Korean Cyber Operation: Exposing ARP-Based Covert C2s, WebSocket Malware, and Video Conference Software Abuse

🎙️ Luis Garcia, Incident Response Expert, Sygnia
🎙️ Matthew Mosley, Manager of Incident Response, Sygnia
📍 Presented at SANS DFIR Summit 2025

This research uncovers a real-world covert remote-control system designed by a North Korean IT worker, who was caught operating within an unsuspecting organization.

The forensic investigation that followed pieced together a highly sophisticated malware ecosystem, leveraging ARP-based payload execution, WebSockets for stealthy command & control, and Zoom for covert persistence and remote access.

Through deep technical analysis and live attack demonstration, this session will break down how the attacker:
  • Built an advanced C2 infrastructure using WebSockets to control infected machines.
  • Used ARP packets as a payload transport mechanism, embedding commands inside network traffic to execute commands without traditional TCP/IP communication.
  • Weaponized Zoom as a Remote Access Trojan (RAT), launching meetings without user interaction and auto-approving remote-control access via HID injection techniques.
  • Covertly executed commands through a Python script, allowing keystroke and mouse movement emulation, bypassing endpoint logging.
  • Enabled remote execution through a command client, which persistently reconnected to the C2 when the user was active.

By reverse-engineering the threat actor’s toolkit, we uncovered previously undocumented techniques used for network protocol abuse and application-layer persistence. The investigation highlights not only how these tactics were implemented by the North Korean IT worker, but also how defensive teams can detect and mitigate such stealthy attacks before they escalate into full-scale data exfiltration or espionage.

This research not only provides insight into offensive security tactics but also delivers actionable detection and mitigation strategies for network defenders, threat hunters, and digital forensic investigators.

Key Takeaways for Attendees:
  • Understand how attackers can bypass security controls using ARP packet injection as a C2 transport layer.
  • See how WebSockets are leveraged for persistent malware communication.
  • Witness a live demonstration of a covert ARP-based malware executing system commands without TCP/IP.
  • Gain insight into how Zoom was used as a stealthy RAT, and how attackers manipulated the application for long-term persistence and remote control.

View upcoming Summits: https://www.sans.org/u/DuS
