#DPRK

DPRK-aligned threat activity (Lazarus, Kimsuky and adjacent clusters) attributed to North Korean state operations


IOCs by window

Window  IOCs tagged #DPRK
Today   0
Week    92
Month   92
Year    92

Counts as of 2026-04-29. Regenerated daily.

About #DPRK

  • Scope: umbrella tag for DPRK-aligned threat clusters: Lazarus (financial), Kimsuky (intelligence), Andariel (financial + cyber espionage), BlueNoroff (Lazarus subcluster, crypto-focused), and other tracked clusters (Konni, ScarCruft / APT37) that some attribution schemes treat as distinct DPRK groups and others fold into the above.
  • Common objectives: cryptocurrency theft for sanctions evasion, intelligence collection on South Korea and adjacent geopolitical adversaries, supply-chain compromise of npm / PyPI / browser-extension ecosystems, defence-contractor reconnaissance.
  • Tactics: spearphishing with LinkedIn / Instagram lures, weaponised HWP / PDF documents, custom backdoors, DPRK-specific implants such as AppleJeus (trojanised trading apps, Windows and macOS), LightlessCan, Manuscrypt, BabyShark, GoldDragon.
  • References: G0032 Lazarus · G0094 Kimsuky · CISA North Korea.

Recent IOCs tagged #DPRK

Latest 10 IOCs from the past 30 days. Live JSON: api.tweetfeed.live/v1/month/dprk.

Date Type Value Source
Apr 28, 18:33 domain inlinepol1s.roxa.org @skocherhan
Apr 28, 18:33 url http://inlinepol1s.roxa.org @skocherhan
Apr 28, 18:33 domain docinfo.inlinepol1s.roxa.org @skocherhan
Apr 28, 18:33 url http://docinfo.inlinepol1s.roxa.org @skocherhan
Apr 28, 18:33 domain inlinepol19s.roxa.org @skocherhan
Apr 28, 18:33 url http://inlinepol19s.roxa.org @skocherhan
Apr 28, 18:33 domain inlinepol17s.roxa.org @skocherhan
Apr 28, 18:33 url http://inlinepol17s.roxa.org @skocherhan
Apr 28, 18:33 domain edoc.inlinepol14s.roxa.org @skocherhan
Apr 28, 18:33 url http://edoc.inlinepol14s.roxa.org @skocherhan

Related tags

Tags that frequently co-occur with #DPRK.

See all tags on the Dashboard or browse the full IOC feed.

Frequently asked questions

What does the #DPRK tag cover?

The #DPRK tag is an umbrella for any IOC researchers attribute to North Korean state-aligned activity, regardless of specific cluster. Sub-tags exist for the most active clusters - #Kimsuky and #Lazarus - so a researcher can either filter broadly with #DPRK or narrow to one cluster. An IOC frequently carries both #DPRK and a cluster-specific tag.
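As an added example (not TweetFeed's own code), the following Python script shows how a consumer of the live JSON feed would apply this tag model: keep only #DPRK-tagged records, optionally narrow to a cluster sub-tag such as #Kimsuky, collapse each domain and its paired http:// URL (as in the table above) into a single hostname, and suffix-match the result against DNS query logs. The record fields (date, user, type, value, tags) are assumed to mirror the v1 JSON schema rather than copied from it; the feed records and the BIND-style log lines are constructed for illustration.

```python
"""Filter TweetFeed-style IOC records by tag and match them against DNS logs.

Added example, not TweetFeed's own code. The record layout (date, user,
type, value, tags) is assumed to mirror the v1 JSON feed; the records
and the DNS log lines below are constructed for illustration.
"""
from __future__ import annotations
import json
import re
from dataclasses import dataclass

# Constructed sample of what api.tweetfeed.live/v1/month/dprk might return
# (field names assumed; values modelled on the table above).
SAMPLE_FEED = json.dumps([
    {"date": "2026-04-28 18:33:00", "user": "skocherhan", "type": "domain",
     "value": "inlinepol1s.roxa.org", "tags": ["#DPRK", "#Kimsuky", "#phishing"]},
    {"date": "2026-04-28 18:33:00", "user": "skocherhan", "type": "url",
     "value": "http://inlinepol1s.roxa.org", "tags": ["#DPRK", "#Kimsuky", "#phishing"]},
    {"date": "2026-04-28 18:33:00", "user": "skocherhan", "type": "domain",
     "value": "docinfo.inlinepol1s.roxa.org", "tags": ["#DPRK", "#Kimsuky", "#phishing"]},
    {"date": "2026-04-28 18:33:00", "user": "skocherhan", "type": "url",
     "value": "http://docinfo.inlinepol1s.roxa.org", "tags": ["#DPRK", "#Kimsuky", "#phishing"]},
    {"date": "2026-04-27 09:10:00", "user": "someresearcher", "type": "domain",
     "value": "update-checker.example", "tags": ["#DPRK", "#Lazarus", "#malware"]},
    {"date": "2026-04-27 09:10:00", "user": "someresearcher", "type": "ip",
     "value": "203.0.113.7", "tags": ["#DPRK", "#Lazarus", "#malware"]},
    {"date": "2026-04-26 11:00:00", "user": "other", "type": "domain",
     "value": "login-portal.example", "tags": ["#phishing"]},   # not DPRK-tagged
])

@dataclass(frozen=True)
class Ioc:
    ioc_type: str
    value: str
    tags: frozenset

def load_feed(raw: str) -> list[Ioc]:
    """Parse the feed JSON; tags are lower-cased so matching is case-insensitive."""
    return [Ioc(r["type"], r["value"], frozenset(t.lower() for t in r["tags"]))
            for r in json.loads(raw)]

def select(iocs, require: set[str], narrow: set[str] | None = None):
    """Keep IOCs carrying every tag in `require` (the umbrella tag); if `narrow`
    is given, additionally require at least one of those cluster sub-tags."""
    req = {t.lower() for t in require}
    nar = {t.lower() for t in narrow} if narrow else None
    out = []
    for i in iocs:
        if not req <= i.tags:
            continue
        if nar is not None and not (nar & i.tags):
            continue
        out.append(i)
    return out

_HOST_RE = re.compile(r"^[a-z]+://([^/:?#]+)", re.I)

def domain_set(iocs) -> set[str]:
    """Collapse domain IOCs and the hostnames of URL IOCs into one set,
    lower-cased, so a domain and its http:// URL count once."""
    hosts = set()
    for i in iocs:
        if i.ioc_type == "domain":
            hosts.add(i.value.lower().rstrip("."))
        elif i.ioc_type == "url":
            m = _HOST_RE.match(i.value)
            if m:
                hosts.add(m.group(1).lower().rstrip("."))
    return hosts

def matches(qname: str, hosts: set[str]) -> str | None:
    """Return the matching indicator if qname equals or is a subdomain of
    any listed host (suffix match on label boundaries, not substring)."""
    labels = qname.lower().rstrip(".").split(".")
    for k in range(len(labels)):
        cand = ".".join(labels[k:])
        if cand in hosts:
            return cand
    return None

# Constructed DNS query log lines (BIND-style query log format).
SAMPLE_DNS_LOG = """\
28-Apr-2026 19:02:11.100 client 10.0.0.5#51234: query: edoc.inlinepol1s.roxa.org IN A + (10.0.0.1)
28-Apr-2026 19:02:12.300 client 10.0.0.6#51235: query: www.example.com IN A + (10.0.0.1)
28-Apr-2026 19:03:40.000 client 10.0.0.7#51236: query: update-checker.example IN A + (10.0.0.1)
28-Apr-2026 19:04:01.000 client 10.0.0.8#51237: query: login-portal.example IN A + (10.0.0.1)
"""

_QUERY_RE = re.compile(r"client (\S+?)#\d+: query: (\S+) IN")

def scan_dns_log(log: str, hosts: set[str]) -> list[tuple[str, str, str]]:
    """Return (client, qname, matched_indicator) for each query that hits."""
    hits = []
    for line in log.splitlines():
        m = _QUERY_RE.search(line)
        if not m:
            continue
        client, qname = m.groups()
        hit = matches(qname, hosts)
        if hit:
            hits.append((client, qname, hit))
    return hits

def run(raw_feed=SAMPLE_FEED, log=SAMPLE_DNS_LOG, narrow=None):
    """Filter to #DPRK (optionally one cluster) and scan the log."""
    iocs = select(load_feed(raw_feed), {"#DPRK"}, narrow)
    return scan_dns_log(log, domain_set(iocs))

if __name__ == "__main__":
    for client, qname, hit in run():
        print(f"{client} queried {qname} (matches #DPRK indicator {hit})")
    print("Kimsuky only:", run(narrow={"#Kimsuky"}))
```

Note that the unrelated #phishing-only record never reaches the blocklist, and that a sibling subdomain not present in the feed (edoc.inlinepol1s.roxa.org) is still caught because the match is on the registered host, not on the exact string; IP indicators are deliberately ignored here since they belong in a different matching path.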

Which DPRK clusters are most active in this feed?

Kimsuky dominates volume (intelligence-collection campaigns generate large numbers of phishing domains and credential-harvesting URLs). Lazarus contributes fewer IOCs but with higher per-IOC operational impact (cryptocurrency theft infrastructure, custom backdoors). BlueNoroff and Andariel appear more sporadically, often piggybacking on Lazarus operations.

How is this list updated?

The feed is refreshed every 15 minutes: the TweetFeed pipeline scrapes RSS feeds from public Twitter/X security researcher accounts and lists, extracts IOCs, tags them with the relevant malware family or threat actor, and republishes the result in CSV, JSON and RSS. DPRK-tagged IOCs appear in the live JSON (api.tweetfeed.live/v1/month/dprk) on the next 15-minute tick. This page itself, including its counts and the table above, is regenerated once a day by a GitHub Action, so it can lag the live feed by up to a day; use the JSON endpoint when freshness matters.

What is the license? Can I use this commercially?

All TweetFeed IOC data, including this DPRK subset, is released under CC0 1.0 Universal (Public Domain Dedication). No attribution required, no warranty. Commercial use is allowed. The TweetFeed website code and branding are not covered by CC0.

License

DPRK IOC data: CC0 1.0 Public Domain. No attribution required, no warranty. Source code for the pipeline: github.com/0xDanielLopez/TweetFeed (MIT).