Astrill VPN: Silent Push Publicly Releases New IPs on VPN Service Heavily Used by North Korean Threat Actors


KEY FINDINGS

  • Multiple threat actors from North Korea’s Lazarus Group continue to use Astrill VPN to hide their IP address during attacks, as of February 24, 2025.
  • Recent infrastructure and logs acquired from the North Korean threat group “Contagious Interview,” also known as “Famous Chollima,” confirmed ongoing use of the Astrill VPN during infrastructure testing processes.
  • Silent Push analysts recently confirmed details originally released by Google’s Mandiant in September 2024, indicating the DPRK Fake IT worker threats also continue to use Astrill VPN to hide their IPs from prospective employers.
  • Silent Push analysts have developed a “Bulk Data Feed” of all the Astrill VPN IPs our team has mapped—updated in real time—that our customers can utilize to protect against any threats, whether North Korean or otherwise, when using our service.

Background

Silent Push analysts have been tracking North Korean hacking groups for years. We share private feeds and reports with clients, doing our best to make details public whenever it won’t compromise ongoing tracking efforts.

Our most recent research focused on the Lazarus subgroup Contagious Interview, also known as Famous Chollima. In that post, we explained how we acquired some of their infrastructure, including log details from both the malicious operators and their victims.

Within these logs, we saw numerous references to a virtual private network (VPN) called “Astrill VPN” (astrill[.]com) that we have been tracking for some time.

We soon heard from several research sharing partners, who separately confirmed both Contagious Interview’s usage of Astrill VPN and the DPRK Fake IT workers’ continued use of this provider.

For months, it’s been public that attackers from Lazarus Group—from several of their subgroups—prefer to use the Astrill VPN to obfuscate their location during attacks.

Google’s Mandiant released details on September 23, 2024 about the DPRK fake IT worker threats and noted, “Connections to these remote management solutions primarily originated from IP addresses associated with Astrill VPN, likely originating from China or North Korea.”

And more recently, in February 2025, Recorded Future’s Insikt Group released additional details on DPRK IT worker scams, writing, “Insikt Group tracks PurpleBravo (formerly Threat Activity Group 120 [TAG-120]), a North Korean-linked cluster that overlaps with the “Contagious Interview” campaign, which primarily targets software developers in the cryptocurrency industry. …Insikt Group found evidence that PurpleBravo uses Astrill VPN to manage its command-and-control (C2) servers.”


Test Logs Confirm Lazarus Subgroup “Contagious Interview” Still Using Astrill VPN IPs

Silent Push Threat Analysts found a domain registered hours before the $1.4 billion ByBit heist, “bybit-assessment[.]com”, whose WHOIS records showed that the email address “trevorgreer9312@gmail[.]com” had been used to register it. That email address had already been found and documented in Tayvano’s GitHub repo “BlueNoroff Research”; BlueNoroff is the public name of another Lazarus APT subgroup.

Details from Tayvano’s “BlueNoroff Research” folder also include two Astrill VPN IP addresses that were apparently used in the attack: “104.223.97[.]2 (an Astrill VPN IP), and 91.239.130[.]102 (also Astrill).”

After our team found this new domain that aligned with previous Lazarus research, we were able to make additional pivots (previously described in our public post) to acquire some of their infrastructure, which included admin and victim logs.

Within those logs, our team discovered and then shared 27 unique Astrill VPN IP addresses linked to test records created while configuring their setup, further confirming they heavily favor this VPN.


Astrill VPN IP Bulk Data Feed

In this post, Silent Push is sharing a sample list of some active IP addresses in our Bulk Data Feed that are used by Astrill VPN, to support ongoing efforts within the community to track VPN tools utilized by North Korean APT groups. Our enterprise users have access to a feed containing many times this number, with more being added in real time as our investigation continues.

Here is the sample list of IP addresses:

  • 103.130.145.210
  • 104.129.22.2
  • 113.20.30.139
  • 134.195.197.175
  • 167.88.61.250
  • 169.38.132.135
  • 169.57.129.31
  • 172.93.100.166
  • 172.96.141.172
  • 185.108.128.54


Continuing to Track Astrill VPN

Our team continues to track Astrill VPN and will report our findings to the security community as we identify new developments around North Korean and other threat actors utilizing them as a resource.

We will also continue to share our research on threats we discover with law enforcement. If you have any tips about threat actors engaging in criminal activities, our team would love to hear from you.

Mitigation

While not all domains associated with Astrill VPN are malicious, Silent Push believes all domains associated with North Korean threat actors using VPNs – the Lazarus Group in particular – represent some level of risk.

Our analysts have constructed a series of Silent Push IOFA Feeds that provide a growing list of Indicators of Future Attack focused on scams supported by this technique as well as on North Korean APT groups, which are all available to our enterprise customers.

Silent Push Indicators of Future Attacks (IOFA) Feeds are available as part of an Enterprise subscription. Enterprise users can ingest IOFA Feed data into their security stack to inform their detection protocols or use it to pivot across attacker infrastructure using the Silent Push Console and Feed Analytics screen.
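As an added illustration of how the sample IP list above can be put to work in a detection pipeline, the following Python script (written for this page, not Silent Push code and not the Console or Feed Analytics API) loads a feed of VPN exit addresses and flags any authentication or remote-management log line whose source address appears in it. The ten addresses are the ones published above; the log lines are constructed for the example, as are the user names and log format. The loader also accepts defanged entries (`[.]`) and CIDR prefixes, which goes beyond the plain single IPs the post publishes, and skips malformed entries rather than aborting.

```python
import ipaddress
import re
from collections import Counter

# Sample Astrill VPN IPs exactly as published in the post above.
ASTRILL_SAMPLE_IPS = [
    "103.130.145.210", "104.129.22.2", "113.20.30.139", "134.195.197.175",
    "167.88.61.250", "169.38.132.135", "169.57.129.31", "172.93.100.166",
    "172.96.141.172", "185.108.128.54",
]

def load_feed(entries):
    """Parse feed entries into a set of single hosts and a list of networks.

    Accepts plain IPs and CIDR prefixes (CIDR support is an assumption for
    this example; the post publishes single IPs). Defanged "[.]" notation is
    normalised and malformed entries are skipped instead of failing the load.
    """
    hosts, nets = set(), []
    for raw in entries:
        entry = raw.strip().replace("[.]", ".")
        if not entry or entry.startswith("#"):
            continue
        try:
            if "/" in entry:
                nets.append(ipaddress.ip_network(entry, strict=False))
            else:
                hosts.add(ipaddress.ip_address(entry))
        except ValueError:
            continue  # unparsable entry: ignore, keep the rest of the feed
    return hosts, nets

def ip_in_feed(ip_str, hosts, nets):
    """True if ip_str is a feed host or falls inside any feed network."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return False
    return ip in hosts or any(ip in net for net in nets)

# Dotted-quad matcher; good enough to pull candidate IPv4 addresses out of free-form log text.
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def scan_logs(lines, hosts, nets):
    """Return (line_number, matched_ip, line) for each log line containing a feed IP."""
    hits = []
    for number, line in enumerate(lines, 1):
        for candidate in IPV4_RE.findall(line):
            if ip_in_feed(candidate, hosts, nets):
                hits.append((number, candidate, line))
                break  # one hit per line is enough for triage
    return hits

def summarize(hits):
    """Count hits per feed IP so an analyst sees which VPN exits recur."""
    return Counter(ip for _, ip, _ in hits)

# Constructed sample log lines (not from the post): an SSO login followed by a
# remote-management session from one feed IP, two benign entries, and a failed
# login from a second feed IP.
SAMPLE_LOGS = [
    "2025-02-24T10:01:02Z sso login user=contractor42 src=172.96.141.172 result=success",
    "2025-02-24T10:03:10Z remote-mgmt session user=contractor42 src=172.96.141.172 tool=anydesk",
    "2025-02-24T10:05:33Z sso login user=alice src=198.51.100.7 result=success",
    "2025-02-24T10:07:00Z ssh accepted user=deploy src=10.0.4.12",
    "2025-02-24T10:09:45Z sso login user=bob src=169.57.129.31 result=failure",
]

if __name__ == "__main__":
    feed_hosts, feed_nets = load_feed(ASTRILL_SAMPLE_IPS)
    for number, ip, line in scan_logs(SAMPLE_LOGS, feed_hosts, feed_nets):
        print(f"line {number}: feed IP {ip} -> {line}")
    print(summarize(scan_logs(SAMPLE_LOGS, feed_hosts, feed_nets)))
```

A match on its own is a signal, not a verdict: as the post notes, not every Astrill VPN user is malicious, so a practical rule would combine the feed hit with context such as a new or contractor account, a remote-management tool, or a login outside the account's usual geography, and treat a single source address recurring across login and remote-session events (as `summarize` surfaces) as the stronger lead.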

Register for Community Edition

Silent Push Community Edition is a free threat-hunting and cyber defense platform that offers advanced offensive and defensive lookups, web content queries, and enriched data types.

Click here to sign up for a free account.