Investigating Suspected DPRK-Linked Crypto Intrusions
ID: 58258cf5-bbee-555d-89f8-082eb8c6521e
STIX ID: report--58258cf5-bbee-555d-89f8-082eb8c6521e
Feed Name: Ctrl-Alt-Int3l
This report documents a multi-stage campaign targeting the cryptocurrency supply chain: mass exploitation of React2Shell (CVE-2025-55182), abuse of pre-obtained AWS access tokens to enumerate S3, RDS, EKS, ECR and Secrets Manager, lateral movement from AWS into Kubernetes, and exfiltration of backend source code, Docker images and plaintext secrets. Observed C2 tooling includes VShell and FRP. The report provides IOCs (IPv4/IPv6/domain) and MITRE ATT&CK mappings, and the authors assess with moderate confidence that DPRK-affiliated actors are involved.