Please note: this limited intelligence is now over a year old and was first collected and published in early 2025. Be sure to check for up-to-date threat intelligence from reputable sources that monitor this issue closely, such as DTEX Systems or Google Threat Intelligence Group/Mandiant. The indicators and insights gained from this research have already been integrated into those companies' recommendations.
These are the IP addresses the North Koreans used to connect to US-based devices via remote desktop software; we collected this data in the summer/early fall of 2025 (June-September). We also gathered new intelligence showing how North Koreans evade detection by using trusted platforms like Webex, Microsoft Teams, etc. to take control of a device without setting off EDR systems. They do this using the "take control" features or plugins built into these tools. These pseudo-remote-desktop control apps need to be stripped of their remote control features in corporate environments, as their use cannot be easily detected by EDR systems.
IoCs:
155.94.255.2 – Rustdesk logs
104.223.97.2 – Rustdesk logs
83.234.227.35 – Rustdesk logs
83.234.227.37 – Rustdesk logs
83.234.227.38 – Rustdesk logs
104.223.98.2 – Rustdesk logs
83.234.227.33 – Rustdesk logs
83.234.227.34 – Rustdesk logs
173.205.94.156 – Rustdesk logs
83.234.227.36 – Rustdesk logs
38.170.181.10 – Rustdesk logs
209.127.228.186 – Rustdesk logs
51.195.140.214 – Rustdesk logs
207.126.86.121 – Rustdesk logs
51.161.196.51 – Rustdesk logs
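The following Python script is an added example, not code from the original research or from DTEX, Google, or Spur. It shows one way to operationalize the indicators above as the mitigation recommendations describe: inbound remote-desktop session entries are matched against the IoC set and against an Astrill VPN IP/CIDR list, and any match that occurs during business hours is tagged so repeated work-hours sessions stand out. The log line format, the business-hours window, and the VPN list entries are constructed assumptions (RustDesk's real log layout differs, and the real Spur list is the URL given in the recommendations; it is not fetched here).

```python
"""Match remote-desktop session logs against the advisory's IoC IPs and a VPN list.

Added example. The log format is a constructed, generic
"YYYY-MM-DD HH:MM:SS peer=<ip> event=<name>" layout, NOT RustDesk's real log
format; adapt LOG_RE to whatever your EDR or RustDesk server emits.
"""
import ipaddress
import re
from datetime import datetime, time

# IoC IP addresses from the advisory (observed in RustDesk logs).
IOC_IPS = {
    "155.94.255.2", "104.223.97.2", "83.234.227.35", "83.234.227.37",
    "83.234.227.38", "104.223.98.2", "83.234.227.33", "83.234.227.34",
    "173.205.94.156", "83.234.227.36", "38.170.181.10", "209.127.228.186",
    "51.195.140.214", "207.126.86.121", "51.161.196.51",
}

# Constructed stand-in for the Spur Astrill VPN list (one IP or CIDR per line).
# In production, load https://storage.googleapis.com/spur-astrill-vpn/ips.txt instead.
VPN_LIST_TEXT = """\
# constructed placeholder entries, not real Astrill ranges
198.51.100.0/24
203.0.113.77
"""

# Assumed local business-hours window for the "connects during work hours" rule.
WORK_START, WORK_END = time(8, 0), time(18, 0)

LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+peer=(?P<ip>[0-9.]+)\s+event=(?P<event>\S+)"
)


def load_network_list(text):
    """Parse an IP/CIDR list into ip_network objects, skipping comments and blanks."""
    nets = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def classify(ip_str, ioc_ips, vpn_nets):
    """Return the reasons an IP is suspicious (empty list if none)."""
    reasons = []
    if ip_str in ioc_ips:
        reasons.append("ioc-match")
    ip = ipaddress.ip_address(ip_str)
    if any(ip in net for net in vpn_nets):
        reasons.append("astrill-vpn")
    return reasons


def parse_line(line):
    """Return (timestamp, ip, event) or None for lines that do not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
    return ts, m.group("ip"), m.group("event")


def scan(log_lines, ioc_ips=IOC_IPS, vpn_text=VPN_LIST_TEXT):
    """Return alerts as (timestamp, ip, reasons) for session starts from a listed source.

    A match during the business-hours window gets an extra "during-work-hours" tag,
    which is the pattern the advisory says to look for.
    """
    vpn_nets = load_network_list(vpn_text)
    alerts = []
    for line in log_lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip, event = parsed
        if event != "session_start":
            continue
        reasons = classify(ip, ioc_ips, vpn_nets)
        if reasons and WORK_START <= ts.time() <= WORK_END:
            reasons.append("during-work-hours")
        if reasons:
            alerts.append((ts, ip, reasons))
    return alerts


# Constructed sample log: one IoC hit in work hours, one VPN hit after hours,
# one VPN hit in work hours, one benign peer, and one unparseable line.
SAMPLE_LOG = [
    "2025-07-14 09:12:03 peer=83.234.227.35 event=session_start",
    "2025-07-14 09:12:05 peer=83.234.227.35 event=file_transfer",
    "2025-07-14 22:40:10 peer=198.51.100.23 event=session_start",
    "2025-07-15 10:02:44 peer=192.0.2.10 event=session_start",
    "2025-07-15 10:05:00 peer=203.0.113.77 event=session_start",
    "garbage line that should be ignored",
]

if __name__ == "__main__":
    for ts, ip, reasons in scan(SAMPLE_LOG):
        print(f"{ts:%Y-%m-%d %H:%M:%S} {ip:<16} {', '.join(reasons)}")
```

Feed the script your own exported session logs in place of SAMPLE_LOG and the real Spur list in place of VPN_LIST_TEXT; geolocation of the source IP (the Russia/China check in the recommendations) is deliberately left out because it needs an external database.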
Mitigation Recommendations:
Hand out company laptops instead of allowing employees to bring their own device.
Secure company devices and endpoints with EDR software and instruct your security team to add filters to detect usage of the above IPs as well as the other known Astrill VPN IPs from Spur: https://storage.googleapis.com/spur-astrill-vpn/ips.txt
Add filters to your EDR software to detect incoming connections to endpoints from IP addresses in Russia, China, etc. that consistently connect to devices during work hours.
Operationalize the freely available detailed indicators of compromise/insider risk indicators into rules/policies for your company's EDR, HR/payroll, UEBA, UAM, and any other viable software your company can harden for insider risk protection and detection.
Reconfigure your company's enterprise policies for online meeting software like Google Meet, Microsoft Teams, Zoom, Webex, etc. to disable take control/remote desktop control features, and disable the ability for users to install third-party extensions/add-ons that add this functionality.
Perform online video interviews that allow you to see the participant as they respond.
Instruct applicants to show you the space they are conducting the interview in before you start. Look for things like: multiple laptops in one room, video calls or online meeting software visible on screens other than the one the meeting is taking place on, multiple sets of keyboards or mice, multiple headsets, multiple cameras, etc. These should be seen as red flags, but not as a definite/strong indicator that the person is an insider risk or North Korean ITW.
Instruct applicants to share their entire screen during interviews and, if possible, keep their hands visible during the interview.
During video interviews, pay attention to the candidate's eyes; look for them going back and forth as if they are reading from something. If they are, simply drill down on answers that seemed prepared from something they read. Try to catch them by asking specific or technical questions in that area/subject that they might not have answers prepared for ahead of time, or that might be difficult to answer promptly if they are lying, making something up, etc.
Currently the most effective manual way to detect face swapping/deepfakes in an online interview is to ask the person to put their hand fully in front of their entire face and then press multiple fingers into their face simultaneously.
There are plenty of commercial and open-source/free solutions you can deploy to detect deepfakes/AI automatically during online calls.
Perform in-person interviews whenever possible.
Require employees to document the environment that they work in from home, such as regularly taking a picture of the space they keep their laptop in and work from.
Require employees to attend regular meetings on video, especially during the mornings, when other jobs could conflict.
Ensure employees participate during regular meetings and thoroughly understand the work that they have submitted to you recently.
Instruct managers to look for inconsistencies in their employees, such as their voices sounding different between meetings, their English suddenly being very broken, or them not being able to explain or talk about the work they performed very well, as if they were not the ones who performed it.
Require employees to submit to in-person tests/processes such as physicals, drug tests, notarized documents, or fingerprinting services; even if you don't care about the results of the tests, it adds a layer of difficulty for the North Koreans. This is especially important for highly sensitive positions with access to critical data or systems.
Require employees to attend in-person company events, retreats, meetings, conferences, etc. at least once a year.