Anatomy of a Trojanized Toolkit: Reversing a Live DPRK-Linked C2 Channel | Intercept Cell
We pulled a trojanized CUDA installer from an active campaign delivering a multi-stage Python RAT with a live command-and-control server. We reversed the protocol, impersonated a compromised host, mapped the full operational playbook in real time, and identified significant overlaps with known DPRK/Lazarus Group tradecraft.
We identified and acquired a trojanized NVIDIA CUDA toolkit installer circulating in an active campaign. Initial triage confirmed a multi-component payload: a remote access trojan, an infostealer, and a cryptocurrency clipboard hijacker bundled into a single deployment chain. The installer appeared legitimate. The execution chain did not. We reversed the binary, broke the C2 (command-and-control) protocol, impersonated a compromised host, and mapped the entire operational playbook. What we found carries the fingerprints of Pyongyang.

The campaign distributed a PowerShell dropper disguised as cuda_toolkit_sim_v12.4.ps1. On execution it downloaded a 19MB ZIP archive from camdriver[.]pro, extracted it to a temporary directory, and silently launched a VBScript bootstrap. The download URL referenced Realtek drivers rather than NVIDIA (hxxps://camdriver[.]pro/realtekwin.update?r=ffa752c6-84e9-4bb9-b3c8-a3ab09cbcbe6), suggesting the same infrastructure serves multiple lure variants targeting different developer audiences.

The payload archive, driver.zip, contained a complete attack toolkit: 14 Python modules, two RSA-2048 public keys, a bundled Python 3.12 runtime packed into Module.zip at 16.5MB, and a renamed copy of pythonw.exe masquerading as svchost.exe. The VBScript launcher extracted the Python runtime and executed the RAT entry point (updatedriver.py) via the disguised interpreter, keeping the entire chain windowless and invisible to the user.

The dropper established four independent persistence mechanisms to survive across privilege levels. With admin access: a scheduled task named svchost running at logon with HIGHEST privilege, plus a second task disguised as OneDrive Update Task-S-16-5-25-262930093-1106209884-352468633-100 executing from %TEMP% as SYSTEM. Without admin access: a startup folder shortcut at %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk, and a registry Run key at HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
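The four persistence mechanisms above share two traits a defender can key on: an executable called svchost.exe that does not live in the Windows system directories (the renamed pythonw.exe), and task or Run-key entries whose names imitate system components while their actions resolve to user-writable temp or profile paths. The following triage script is an added example, not code from the original article or from the malware; it runs over a host inventory that an EDR or collection script has already gathered (scheduled tasks, HKCU Run values, Startup-folder shortcuts). The record layout, the sample inventory, the assumed user profile path, and the Run value name "svchost" are all constructed for illustration, since the article's Run key entry is truncated.

```python
"""Triage of the persistence patterns described in the writeup (added example)."""
import re

# Directories where a genuine svchost.exe lives; anything else is a masquerade.
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
# User-writable scratch locations a SYSTEM-level task has no business running from.
TEMP_MARKERS = (r"\appdata\local\temp", r"\windows\temp")
# Lure name shape from the report: "OneDrive Update Task-S-<digits and dashes>".
ONEDRIVE_LURE = re.compile(r"^OneDrive Update Task-S-[\d-]+$", re.IGNORECASE)
SVCHOST_EXE = re.compile(r"(^|\\)svchost\.exe$", re.IGNORECASE)


def expand_env(path: str) -> str:
    """Resolve the two environment variables that appear in the report's paths.

    The profile directory is an assumption for this offline example; on a live
    host use os.path.expandvars instead.
    """
    return (path.replace("%TEMP%", r"C:\Users\dev\AppData\Local\Temp")
                .replace("%APPDATA%", r"C:\Users\dev\AppData\Roaming"))


def masquerading_svchost(exe_path: str) -> bool:
    """True if the action runs an svchost.exe from outside System32/SysWOW64."""
    exe = expand_env(exe_path).strip('"').lower()
    return bool(SVCHOST_EXE.search(exe)) and not exe.startswith(SYSTEM_DIRS)


def in_temp(exe_path: str) -> bool:
    """True if the expanded action path sits in a temp directory."""
    exe = expand_env(exe_path).lower()
    return any(marker in exe for marker in TEMP_MARKERS)


def triage(inventory):
    """Return (kind, name, reasons) for every record matching a reported pattern."""
    findings = []
    for rec in inventory:
        name, exe, reasons = rec["name"], rec["exe"], []
        if masquerading_svchost(exe):
            reasons.append("svchost.exe outside the Windows system directories")
        if rec["kind"] == "task":
            if name.lower() == "svchost":
                reasons.append("scheduled task named after a system process")
            if ONEDRIVE_LURE.match(name) and in_temp(exe):
                reasons.append("OneDrive-style task name with its action in a temp directory")
            if rec.get("run_as", "").upper() == "SYSTEM" and in_temp(exe):
                reasons.append("SYSTEM task executing from a user-writable temp directory")
        elif rec["kind"] == "startup_lnk" and name.lower() == "svchost.lnk":
            reasons.append("Startup-folder shortcut named svchost.lnk")
        if reasons:
            findings.append((rec["kind"], name, reasons))
    return findings


# Constructed sample inventory: four entries modelled on the report's artifacts
# plus two benign decoys (a genuine OneDrive updater task and an Edge update task).
SAMPLE_INVENTORY = [
    {"kind": "task", "name": "svchost", "run_as": "dev", "run_level": "highest",
     "exe": r"C:\Users\dev\AppData\Local\Temp\driver\svchost.exe"},
    {"kind": "task", "name": "OneDrive Update Task-S-16-5-25-262930093-1106209884-352468633-100",
     "run_as": "SYSTEM", "exe": r"%TEMP%\driver\svchost.exe"},
    {"kind": "task", "name": "OneDrive Standalone Update Task-S-1-5-21-1111-2222-3333-1001",
     "run_as": "dev", "exe": r"C:\Users\dev\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe"},
    {"kind": "startup_lnk", "name": "svchost.lnk",
     "exe": r"%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk"},
    # Hypothetical value name; the report's Run key entry is truncated.
    {"kind": "run_key", "name": "svchost", "hive": "HKCU",
     "exe": r"C:\Users\dev\AppData\Local\Temp\driver\svchost.exe"},
    {"kind": "task", "name": "MicrosoftEdgeUpdateTaskMachineCore", "run_as": "SYSTEM",
     "exe": r"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"},
]

if __name__ == "__main__":
    for kind, name, reasons in triage(SAMPLE_INVENTORY):
        print(f"[{kind}] {name}")
        for reason in reasons:
            print(f"    - {reason}")
```

The name-based rules alone are brittle (a task name is trivially changed), so each is paired with a path check; the masquerading check, which needs no knowledge of this campaign, is the one worth keeping as a standing hunt across any task, Run value, or service binary path.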