Lazarus APT, the North Korean state-sponsored cyberattack group, is known to buy access to servers that other threat groups have already compromised. Lately, connections have been uncovered between the North Korean group and threat actors native to Russia. TA505, TrickBot, and Dridex are cyber threat groups connected to Russian-speaking attackers that sell access to breached systems on the dark web to other attackers.
The North Korean group has been known to use TrickBot’s code in some of its attacks. The malicious code is run as Malware-as-a-Service (MaaS) that can then be accessed by the highest-tier malicious actors. CISA has issued alerts regarding hackers based in North Korea that may be working with or contracting criminal groups like TA505 for initial access.