THREAT INTELLIGENCE: UNVEILING SUSPECTED APT38 ATTACK INFRASTRUCTURE USING A FAVICON HASH
APT38 — also known as NICKEL GLADSTONE, BeagleBoyz, Bluenoroff, Stardust Chollima, Sapphire Sleet, and COPERNICIUM — has been linked to fraudulent job platforms, meeting services, and cryptocurrency-related websites.
Researchers discovered a favicon hash (1132615497) repeated across multiple suspicious domains, tying them to this North Korean-linked threat group.
Actor Profile
APT38 (also known as NICKEL GLADSTONE, BeagleBoyz, Bluenoroff, Stardust Chollima, Sapphire Sleet, and COPERNICIUM) is highly active in financially driven cyber operations. Researchers recently uncovered multiple suspicious domains that share a single favicon hash (1132615497), connecting them to this North Korean-linked threat actor.
Key Findings
Analysis shows that these domains, typically presented as job portals, meeting platforms, and cryptocurrency services, likely serve as lures for phishing and malware delivery. The repeated favicon hash points to coordinated infrastructure and reinforces the suspicion that APT38 reuses certain web elements across its malicious ecosystem.
Recommended Actions
Organizations should search for the favicon hash (1132615497) in their network logs and enforce strict monitoring for newly registered or low-reputation domains related to hiring, conferencing, and cryptocurrency. Because a favicon hash identifies an icon file rather than an actor, any site serving the identical icon produces the same value, so a match is a pivot that warrants investigation rather than attribution on its own. Training employees to recognize fake recruitment offers and suspicious cryptocurrency sites is critical. Incident response teams should add checks for this favicon hash to their playbooks and use network segmentation to limit the damage if a breach occurs.
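As an added example (not from the original article), the following Python computes a favicon hash in the convention used by Shodan and most favicon-pivot scripts, MurmurHash3 (x86_32) over the base64 text of the icon file with its line breaks, so an icon retrieved from a proxy cache or a suspect site can be compared against the reported value. The MurmurHash3 implementation, the sample icon bytes and the helper names are my own, and it is assumed that the article's value follows this convention.

```python
import base64

def murmur3_32(data: bytes, seed: int = 0) -> int:
    """MurmurHash3 x86_32 (the algorithm behind the mmh3 package), returned as a signed 32-bit int."""
    c1, c2, mask = 0xCC9E2D51, 0x1B873593, 0xFFFFFFFF
    h, n = seed & mask, len(data)
    for i in range(0, n - n % 4, 4):          # 4-byte blocks, little-endian
        k = int.from_bytes(data[i:i + 4], "little")
        k = (k * c1) & mask
        k = ((k << 15) | (k >> 17)) & mask    # rotl32(k, 15)
        k = (k * c2) & mask
        h ^= k
        h = ((h << 13) | (h >> 19)) & mask    # rotl32(h, 13)
        h = (h * 5 + 0xE6546B64) & mask
    tail = data[n - n % 4:]                   # 0..3 trailing bytes
    if tail:
        k = int.from_bytes(tail, "little")
        k = (k * c1) & mask
        k = ((k << 15) | (k >> 17)) & mask
        k = (k * c2) & mask
        h ^= k
    h ^= n                                    # finalisation mix
    h ^= h >> 16
    h = (h * 0x85EBCA6B) & mask
    h ^= h >> 13
    h = (h * 0xC2B2AE35) & mask
    h ^= h >> 16
    return h - (1 << 32) if h & 0x80000000 else h  # murmur3_32(b"hello") == 613153351, as mmh3.hash("hello")

def favicon_hash(icon: bytes) -> int:
    """Favicon hash as used by Shodan and common favicon-pivot scripts: MurmurHash3 over the
    base64 text of the file, including the line breaks that base64.encodebytes inserts."""
    return murmur3_32(base64.encodebytes(icon))

APT38_FAVICON_HASH = 1132615497  # value reported in the article

def matches_watchlist(icon: bytes, watchlist=frozenset({APT38_FAVICON_HASH})) -> bool:
    """True when the icon's hash is on the watchlist; a hit is a pivot for investigation, not attribution."""
    return favicon_hash(icon) in watchlist

# Constructed stand-in for a favicon.ico pulled from a proxy cache (not a real icon, not an IoC).
SAMPLE_ICON = bytes.fromhex("00000100010010100000010020006804000016000000") + bytes(range(256)) * 4

if __name__ == "__main__":
    print("sample favicon hash:", favicon_hash(SAMPLE_ICON))
    print("on APT38 watchlist:", matches_watchlist(SAMPLE_ICON))
```

Point `favicon_hash` at the bytes of a real favicon.ico to compare it with the reported value; the hash is of the icon file, so a hit should start an investigation of the serving domain rather than stand as attribution by itself.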
IoC Reference
A comprehensive list of indicators tied to this campaign can be found at IoCs_list. Any matches should trigger immediate investigation and remediation actions.
Regular intelligence updates are crucial since APT38 and similar threat groups frequently adapt their tactics. By keeping a close watch on shared infrastructure components like favicons, security teams can spot and disrupt these campaigns before they achieve their objectives.