The analysis links a North Korean threat actor to the Polyfill.io supply chain attack of 2024 through multiple pieces of evidence, including compromised credentials and internal communications. The DPRK operator used personas such as "Brian" to manage Funnull's backend infrastructure and had direct control over the weaponized Cloudflare tenant for Polyfill.io, confirming their role in executing the malware injection that redirected users to malicious sites. Google Translate telemetry captured discussions between Chinese handlers and the North Korean coder about modifying DNS routing and hiding the payload within GoEdge CDN builds, further implicating the DPRK in the technical execution of the attack.
Read the full article at Malware Analysis, News and Indicators - Latest topics