Adversary Village at
DEF CON 33

Seongsu Park

Zscaler, APT Research team, Staff Threat Researcher

Seongsu Park (@unpacker) is a passionate researcher in malware analysis, threat intelligence, and incident response with over a decade of experience in cybersecurity. He has extensive experience in malware research, research into evolving attack vectors, and threat intelligence, with a heavy focus on responding to highly skilled North Korean threat actors.

Now he is working in the Zscaler APT Research team as a Staff Threat Researcher and focuses on analyzing and tracking security threats in the APAC region.

Talk: Blurred Lines of Cyber Threat Attribution: The Evolving Tactics of North Korean Cyber Threat Actors

Saturday | Aug 9th, 2025
DEF CON Creator Stage 3 (Room 231) | Las Vegas Convention Center

Threat Actors

Introduction

Attributing cyber threats to a specific nation-state remains one of the most complex challenges in cybersecurity. Cyber attribution relies on analyzing digital artifacts, infrastructure patterns, and adversary tactics, none of which provide definitive proof on their own. Threat actors continuously evolve, adopting new methodologies and obfuscation techniques that make attribution increasingly difficult. Over the past decade, North Korea’s cyber operations have transformed from rudimentary attacks into highly sophisticated campaigns that rival the capabilities of established cyber powers. Initially, DPRK’s cyber program consisted of loosely organized groups with limited technical capacity, but today, these actors operate under a structured, state-controlled framework with clear strategic objectives. This research presents an in-depth analysis of how DPRK threat actors have adapted, restructured, and collaborated, shedding light on the complexities of nation-state attribution.

1. The Rise of Umbrella Groups: A Structured Expansion

As cyber warfare becomes a fundamental aspect of statecraft, threat actor groups are evolving into larger, more structured entities. North Korea, heavily sanctioned and financially isolated, has systematically expanded its cyber operations to sustain its economy and circumvent restrictions. Once perceived as a singular entity responsible for high-profile attacks such as the 2014 Sony Pictures breach and the 2017 WannaCry ransomware outbreak, Lazarus Group has since fragmented into multiple operationally distinct yet interconnected subgroups. Each of these units plays a specialized role within North Korea’s broader cyber strategy, focusing on espionage, financial crime, or intelligence gathering.

This shift from a centralized hacking collective to a decentralized, state-controlled cyber network has significantly strengthened North Korea’s cyber resilience. By diversifying its teams and attack methodologies, the DPRK has established an adaptable framework that enhances both operational efficiency and deniability. Today, Lazarus-affiliated subgroups exhibit at least four distinct clusters, each employing unique attack methodologies—clear evidence of their expanding capabilities.

2. Inter-Group Collaboration: The Blurring of Attribution

Traditionally, distinct DPRK cyber groups operated with minimal overlap, each pursuing its own objectives. However, recent incidents indicate increased collaboration between these units, making attribution more challenging. In a 2023 attack on a South Korea-based cryptocurrency exchange, incident analysis revealed a two-phase intrusion sequence. The initial breach was executed using malware historically linked to the Andariel group, suggesting their involvement in establishing foothold access. However, deeper investigation exposed post-exploitation activities tied to the Kimsuky group, indicating that control had either been transferred or shared between the two groups. This case highlights a strategic shift: North Korean threat actors no longer operate in isolation but leverage cross-group expertise to maximize operational success. By combining initial-access capabilities with intelligence-collection tactics, these groups create hybrid attack strategies that defy conventional attribution models.

3. Reshuffling Tools and Personnel: Attribution Pitfalls

Just as organizations restructure their teams and reassign personnel, cyber threat groups also reallocate resources, tools, and expertise across different units. This reshuffling introduces significant challenges for long-term tracking and attribution. A prime example is Pebbledash, a backdoor historically associated with Lazarus Group. Initially deployed in espionage campaigns, the malware later surfaced in Kimsuky-led operations with distinct modifications, including a revamped delivery mechanism and an entirely new command-and-control infrastructure. This transition suggests either an internal reassignment of malware developers or a cross-pollination of attack tools between DPRK cyber units. Such cases demonstrate that malware attribution, once a reliable indicator of adversary identity, is becoming increasingly unreliable. As groups within a single nation-state share or modify tools, cybersecurity defenders must adapt their attribution methodologies beyond traditional malware signatures.

4. Emergence of New Actors: The Unpredictable Variable

While most cyber threat actors evolve from pre-existing groups, there are rare cases where entirely new entities emerge with no clear lineage. One such incident occurred in December 2025, when a previously unknown DPRK-affiliated group surfaced during a period of political unrest in South Korea. Unlike its predecessors, this group utilized an entirely new malware arsenal, including modified versions of Talaus stealer, Donut loader, and Quasar RAT. No infrastructure or tactical overlaps were found with known DPRK actors, suggesting either the formation of a new cyber warfare unit or a significant restructuring of existing teams. The emergence of new groups presents a critical challenge for cyber attribution. Without historical attack patterns or infrastructure links, defenders must rely on behavioral analytics and geopolitical context to determine an adversary’s identity.

Conclusion: The Fluid Nature of Nation-State Cyber Operations

The evolution of North Korean cyber threat actors underscores the fluid nature of state-sponsored cyber operations. DPRK has refined its strategy, transitioning from a singular hacking entity to a complex, multi-group network. Attribution now requires understanding the shifting structures, motivations, and methodologies of state-backed cyber operations. By refining investigative techniques, defenders can build more effective attribution models to predict and mitigate future cyber operations.

Detailed talk outline

  1. Opening: The Attribution Crisis

    Duration: 3 minutes (0:00-3:00)

    • Hook: Traditional DPRK attribution assumptions are fundamentally broken
    • Overview of presentation scope and key findings
  2. Background: The Attribution Challenge

    Duration: 4 minutes (3:00-7:00)

    1. Traditional Attribution Pillars
      • Digital artifacts, infrastructure patterns, and tactical consistency
      • Why none provide definitive proof individually
    2. North Korea's Cyber Evolution
      • Transformation from 2014 Sony breach to current sophisticated operations
      • Strategic shift from isolated attacks to systematic cyber warfare
  3. The Umbrella Group Phenomenon

    Duration: 6 minutes (7:00-13:00)

    1. Lazarus Group Fragmentation
      • Historical monolithic structure vs. current 4+ operational clusters
      • Specialization in espionage, financial crime, and intelligence gathering
    2. Decentralized Network Benefits
      • Enhanced operational efficiency and plausible deniability
      • Technical evidence of distinct coding styles and infrastructure segregation
  4. Inter-Group Collaboration

    Duration: 8 minutes (13:00-21:00)

    1. Case Study: 2023 Cryptocurrency Exchange Breach
      • Phase 1: Andariel Group initial compromise signatures
      • Phase 2: Kimsuky Group intelligence collection activities
      • Evidence of coordinated operational handoff between groups
    2. Hybrid Attack Strategies
      • How collaborative operations break traditional attribution models
      • Implications for incident response and threat hunting
  5. Tool and Personnel Migration

    Duration: 5 minutes (21:00-26:00)

    1. The Pebbledash Migration
      • Historical Lazarus Group exclusive tool appearing in Kimsuky operations
      • Surgical modifications: delivery mechanisms, C2 infrastructure, persistence methods
    2. Attribution Reliability Crisis
      • Pattern analysis showing systematic tool sharing across DPRK units
      • Why malware family attribution is becoming unreliable
  6. Emergence of New Actors

    Duration: 2 minutes (26:00-28:00)

    • December 2025 mystery group with zero historical lineage
    • Modified Talaus stealer, Donut loader, and Quasar RAT variants
    • Challenge of attributing actors without historical patterns
  7. Conclusion and Implications

    Duration: 2 minutes (28:00-30:00)

    • DPRK's systematic assault on attribution principles
    • Need for new correlation techniques and behavioral analytics
