June 16, 2026

Beyond Credentials: Identifying North Korean Website Visitors Through Cookie Analysis

By Threat Intelligence Unit

Overview

This report analyzes users who accessed North Korean (NK)-related websites using infostealer data collected through ARTHUR.

Most NK-related websites do not provide user authentication functionality, making traditional credential-based analysis ineffective for identifying visitors. ARTHUR addresses this limitation by analyzing browser cookies, browsing history, autofill records, screenshots, installed software, and geolocation information collected from infostealer infections.

Using these artifacts, ARTHUR identified and analyzed users who accessed NK-related websites regardless of whether they logged into a service.


Executive Summary

  • ARTHUR analyzed infostealer data to identify users who accessed North Korean (NK)-related websites
  • Browser cookie artifacts enabled the identification of website visitors, even when the websites did not provide authentication or login functionality
  • Analysis of visitors to the Naenara, KF Trade, and Air Koryo websites revealed additional information through autofill records, screenshots, and OSINT research
  • Identified artifacts included email addresses, phone numbers, travel information, and company information

Infostealer Malware

Infostealers are malware designed to steal sensitive information from infected systems. While historically focused on financial information and account credentials, modern infostealers routinely collect:

  • Browser passwords
  • Cookies
  • Session tokens
  • Browser history
  • Autofill data
  • Cryptocurrency wallet information
  • Screenshots
  • Installed software inventories
  • Geolocation data

The stolen information is frequently used for account compromise, initial access operations, and ransomware attacks.

Prominent infostealer families observed between 2024 and 2026 include Lumma Stealer, RedLine Stealer, Raccoon Stealer, Vidar, RisePro and Stealc.

Recently, Telegram has increasingly been used as a "Stealer Log Market" where operators distribute credentials, cookies, browser session data, and complete infection archives collected from compromised systems.


Analysis of NK-Related Website Access Through Multi-Artifact Infostealer Data

Most of the identified NK-related websites are static promotional websites that do not provide user login functionality. As a result, conventional credential-based analysis has limited effectiveness because credentials may not be available even when infostealer data has been collected from infected users.

ARTHUR automatically collects and analyzes infostealer information distributed through Telegram channels. While most security companies focus on infected users' IDs and passwords, ARTHUR provides visibility into a broader range of artifacts, including:

  • Credentials
  • Cookies
  • Browsing history
  • Autofill data
  • Installed software
  • Screenshots
  • Credit card information
  • Geolocation data

By leveraging these data sources, ARTHUR identifies and analyzes users who accessed NK-related websites beyond traditional credential-based approaches.


Domain Search and User Analysis via Cookie Artifacts (1)

Naenara (North Korea external promotion domain)

Analysis of browser cookie artifacts revealed records associated with www.naenara.com.kp, indicating user visits to the website.

The findings demonstrate that browser artifacts can be used to identify and attribute website visits to specific users, even when the website does not require authentication or provide login functionality.
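To make the cookie-based visit evidence concrete, here is an added Python example (not ARTHUR's code or any vendor tooling) that triages cookie rows from a stealer archive against the report's watched .kp domains. It assumes the cookie dump is in the Netscape cookies.txt layout (seven tab-separated fields), which stealer archives commonly use; the archive ids, browser labels and cookie rows are constructed.

```python
"""Triage browser-cookie rows from an infostealer archive for visits to watched domains.

Added example, not ARTHUR's code. Assumes the Netscape cookies.txt layout
(domain, flag, path, secure, expiry, name, value; tab-separated). All rows
below are constructed and do not come from any real infection.
"""
from collections import defaultdict

# Domains named in the report. A cookie for one of these, or a subdomain
# of one, is evidence the browser visited the site, login or not.
WATCHLIST = {"naenara.com.kp", "kftrade.com.kp", "airkoryo.com.kp", "friend.com.kp"}

# Constructed sample: (archive id, browser, raw cookies.txt line).
SAMPLE_ROWS = [
    ("log-0001", "Chrome",  ".www.naenara.com.kp\tTRUE\t/\tFALSE\t1800000000\tPHPSESSID\tabc123"),
    ("log-0001", "Chrome",  "accounts.google.com\tFALSE\t/\tTRUE\t1800000000\tSID\txyz"),
    ("log-0002", "Firefox", "# Netscape HTTP Cookie File"),
    ("log-0002", "Firefox", "kftrade.com.kp\tFALSE\t/\tFALSE\t0\t_ga\tGA1.2.1"),
    ("log-0003", "Edge",    "notkftrade.com.kp\tFALSE\t/\tFALSE\t0\tx\ty"),  # must NOT match
    ("log-0003", "Edge",    "malformed line without tabs"),
    ("log-0004", "Chrome",  "www.airkoryo.com.kp\tFALSE\t/\tFALSE\t1900000000\tlang\ten"),
]


def parse_cookie_line(line):
    """Return (domain, name, expiry) for a Netscape cookie line; None for comments or garbage."""
    if not line or line.startswith("#"):
        return None
    parts = line.split("\t")
    if len(parts) != 7:
        return None
    domain, _flag, _path, _secure, expiry, name, _value = parts
    # A leading dot marks a domain-wide cookie; strip it so matching is uniform.
    domain = domain.lstrip(".").lower()
    try:
        expiry = int(expiry)
    except ValueError:
        expiry = 0  # session cookie or unparsable field
    return domain, name, expiry


def matches_watchlist(domain, watchlist=WATCHLIST):
    """True if domain is a watched domain or a subdomain of one (label-boundary safe)."""
    return any(domain == w or domain.endswith("." + w) for w in watchlist)


def find_visits(rows, watchlist=WATCHLIST):
    """Map archive id -> list of (browser, domain, cookie name) for watched-domain hits."""
    hits = defaultdict(list)
    for archive_id, browser, line in rows:
        parsed = parse_cookie_line(line)
        if parsed is None:
            continue
        domain, name, _expiry = parsed
        if matches_watchlist(domain, watchlist):
            hits[archive_id].append((browser, domain, name))
    return dict(hits)


if __name__ == "__main__":
    for archive_id, visits in sorted(find_visits(SAMPLE_ROWS).items()):
        for browser, domain, name in visits:
            print(f"{archive_id}: {browser} holds cookie '{name}' for {domain}")
```

The match is done on label boundaries rather than with a plain substring test, so a lookalike such as notkftrade.com.kp in the sample is not reported. A matching cookie shows that the browser received a Set-Cookie from the site, which is evidence of a visit, not of a login; the credential and autofill artifacts the report discusses are what turn a visit into an identity.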

Figure 1. Search for www.naenara.com.kp in the Cookies tab

Selecting a specific record and clicking the Details button reveals a wide range of artifacts collected from a single browser, including:

  • Exfiltrated credentials
  • Email addresses
  • Passwords
  • Autofill data
  • Cookies
  • Installed software

The following email addresses were identified:

  • darkb761216@gmail.com
  • marketing.rep@universalinsuranceplc.com
  • star710928@gmail.com

Figure 2. Email addresses identified under More Credentials tab

These email addresses matched information disclosed on a website concerning North Korean workers operating abroad, including personnel located in Nigeria, Guinea, and Oman.

Reference: https://chollima-group.io/posts/reframing-insights-our-research-msmt

Figure 3. Chollima Group’s geographic mapping of North Korean workers globally

Figure 4. Leaked credentials associated with worker "Kim Yong Jin" in Nigeria

Figure 5. Branding and operational details of Samhae Insurance Company

Additional information identified within the Auto Fills tab included:

  • Samhae Insurance Company
  • Jang Yong Jin

These values were also found to be consistent with publicly disclosed information.

Figure 6. Autofill data showing Samhae Insurance Company connection

Figure 7. Identified Autofill credentials

Further review of the Auto Fills tab identified:

  • Kim Nam Jin
  • Nigeria, Lagos
  • Flight itinerary information

Figure 8. Additional credentials found under Auto Fills tab

Two values believed to be mobile phone numbers were also identified:

  • +234 [REDACTED] [REDACTED] 9976
  • +234 [REDACTED] [REDACTED] 6568

Figure 9. Identified mobile phone number credentials

Within the Cookies tab, the domain www.naenara.com.kp was identified among websites visited through Chrome.

Figure 10. www.naenara.com.kp domain identified under Cookies tab

Additional email addresses identified included:

  • shojokur@gmail.com
  • yz.demix@gmail.com

OSINT analysis revealed:

  • darkb761216@gmail.com: most recent activity observed on May 6, 2026
  • star710928@gmail.com: most recent activity observed on July 17, 2020; associated with Kim Uiryong; uses accounts on LinkedIn, GitHub, Chess, and other platforms
  • shojokur@gmail.com: most recent activity observed on January 9, 2026
  • yz.demix@gmail.com: unable to verify

Figure 11. LinkedIn account associated with star710928@gmail.com


Domain Search and User Analysis via Cookie Artifacts (2)

KF Trade (North Korea foreign trade-related website)

A search for kftrade.com.kp revealed multiple records indicating previous access to the North Korean foreign trade website.

Figure 12. Search for kftrade.com.kp in the Cookies tab

Evidence of access to the website was confirmed within the associated cookie data.

Figure 13. Evidence of access to kftrade.com.kp

The infection data associated with the user contained screenshots.

Analysis of the screenshots revealed:

  • Astrill VPN
  • 사모님 자료 (Madam's Documents)
  • 령사관 (Consulate)
  • 순회비행탄 (Cruise Missile)

Astrill VPN has been reported as software frequently utilized by North Korean users.

Figure 14. Exfiltrated infostealer screenshot of the victim's desktop

The value "shenyang sanjia chemical technology" identified within the Auto Fills tab is believed to be a company name.

A search for the company indicated that it is a chemical-related company located in Shenyang, China.

Figure 15. "shenyang sanjia chemical technology" identified within the Auto Fills tab

Figure 16. Google search result for "shenyang sanjia chemical technology"

Figure 17. Official company profile and logistics footprint for the Shenyang-based chemical facility

Additional values identified within the Auto Fills tab included:

  • Flight Missile
  • Mobile phone numbers
  • Myonghuan
  • Myongjin
  • Namho

Figure 18. Additional values identified within the Auto Fills tab (1)

Figure 19. Additional values identified within the Auto Fills tab (2)

Figure 20. Additional values identified within the Auto Fills tab (3)

A total of 23 email addresses associated with login activity on Upwork were also identified.

Figure 21. Numerous email addresses associated with login activity

Among them, 3279546799@qq.com was associated through OSINT analysis with an individual employed by a company located in Shenyang, China.

The remaining 22 email addresses are listed below:

  • DavidKim0815@outlook.com
  • doctor041093@outlook.com
  • HarryLee702@outlook.com
  • jameslee615@outlook.com
  • JamesPak55@outlook.com
  • JamesPak55@outlook.kr
  • lifengyanlgz1216@163.com
  • liguangzhe716@gmail.com
  • morningsun51593@outlook.com
  • RobertLee0308@outlook.com
  • RobertLee102@outlook.com
  • RobertZheng105@outlook.com
  • RobertZheng2690@outlook.com
  • Robertzheng402@outlook.com
  • thomaslee115@outlook.com
  • ThomasPak48@outlook.com
  • WilliamZheng125@outlook.com
  • yangtailong0730@outlook.com
  • yongjiepiao555@yeah.net
  • Yongjiepiao92182@yeah.net
  • zhengminghuan0507@163.com
  • zhengminghuan0507@gmail.com

No additional attribution or identifying information could be obtained through OSINT analysis for these addresses.


Domain Search and User Analysis via Cookie Artifacts (3)

Air Koryo (Air Koryo official website)

A search for airkoryo.com.kp identified records indicating access to the official Air Koryo website.

Figure 22. Search for airkoryo.com.kp in the Cookies tab

Email addresses, names, and phone numbers believed to belong to South Korean individuals were identified.

Examples included:

  • 0526[REDACTED]@naver.com
  • park[REDACTED]@gmail.com

Because access to this website is blocked from within South Korea, it is inferred that the site was accessed through software such as a VPN.

Figure 23. Leaked credentials confirming South Korean individual


User Analysis via Email Credentials and Passwords

Users who accessed NK-related websites identified through the Accounts tab

A search for airkoryo.com.kp within the Accounts tab of ARTHUR revealed the email address neig[REDACTED]@gmail.com. This finding provides a significant lead for visitor identification and attribution.

OSINT analysis revealed that the email account neig[REDACTED]@gmail.com remained active until May 12, 2025. Furthermore, the account was associated with an individual currently residing in Australia.

Figure 24. Credentials used to access NK-related website

In a separate analysis, a search for friend.com.kp within the Accounts tab of ARTHUR identified the password g7P5DTjZg4dJdU8. This password was subsequently used as the basis for visitor attribution analysis.

Figure 25. Passwords identified from Accounts tab

Using ARTHUR, additional websites accessed with the same password were identified. Analysis of these records revealed that the email address sinh[REDACTED]@gmail.com was associated with the password g7P5DTjZg4dJdU8, providing an additional attribution point linking activity across multiple websites.

OSINT analysis revealed that the email account sinh[REDACTED]@gmail.com remained active until May 23, 2026, and was associated with an individual located in Brazil.
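The password pivot described above, as an added Python example that is not ARTHUR's code: it starts from the passwords stored for a seed domain and follows them to every other credential record that uses the same password. The archive ids, URLs, usernames and passwords are constructed placeholders. The example also builds in a caveat the report does not spell out: a password that appears across many unrelated infection archives is most likely a common password rather than one person's, so it is dropped, and by default only records from the same archive as the seed are linked.

```python
"""Pivot from a credential stored for a seed domain to linked identities via password reuse.

Added example, not ARTHUR's code. Records are (archive id, url, username, password),
standing in for the Accounts-tab data the report describes. All values are constructed.
"""
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample credential records from several (fictional) infection archives.
SAMPLE_CREDS = [
    ("log-0007", "http://friend.com.kp/",       "",                         "PLACEHOLDER-pw-1"),
    ("log-0007", "https://mail.example.com/",   "sinh-example@example.com", "PLACEHOLDER-pw-1"),
    ("log-0007", "https://shop.example.net/",   "sinh-example@example.com", "OtherPw!9"),
    ("log-0008", "https://forum.example.org/",  "someone@example.org",      "PLACEHOLDER-pw-1"),
    ("log-0009", "https://unrelated.example/",  "other@example.com",        "Zzz"),
    # A common password stored for the seed domain in one archive and in three others:
    ("log-0010", "http://friend.com.kp/",       "",                         "Password123"),
    ("log-0011", "https://a.example/",          "a@example.com",            "Password123"),
    ("log-0012", "https://b.example/",          "b@example.com",            "Password123"),
    ("log-0013", "https://c.example/",          "c@example.com",            "Password123"),
]


def host_matches(url, domain):
    """True if the URL's host is domain or a subdomain of it (label-boundary safe)."""
    host = (urlsplit(url).hostname or "").lower()
    return host == domain or host.endswith("." + domain)


def pivot_by_password(records, seed_domain, same_archive_only=True, max_prevalence=3):
    """Follow each password stored for seed_domain to the other records that reuse it.

    Returns {password: {"urls": [...], "usernames": [...], "archives": [...]}}.
    Passwords seen in more than max_prevalence archives are dropped: reuse that
    wide points to a common password, not to one user, and has no attribution value.
    """
    seed_archives = defaultdict(set)  # password -> archives where it was stored for the seed
    for archive, url, _user, pw in records:
        if pw and host_matches(url, seed_domain):
            seed_archives[pw].add(archive)

    result = {}
    for pw, archives_with_seed in seed_archives.items():
        linked = [(a, url, user) for a, url, user, p in records if p == pw]
        if len({a for a, _, _ in linked}) > max_prevalence:
            continue  # too widespread to attribute to one person
        if same_archive_only:
            linked = [t for t in linked if t[0] in archives_with_seed]
        result[pw] = {
            "urls": sorted({url for _, url, _ in linked}),
            "usernames": sorted({user for _, _, user in linked if user}),
            "archives": sorted({a for a, _, _ in linked}),
        }
    return result


if __name__ == "__main__":
    for pw, info in pivot_by_password(SAMPLE_CREDS, "friend.com.kp").items():
        print(f"password {pw!r} links archives {info['archives']} "
              f"to usernames {info['usernames']} on {info['urls']}")
```

Run against the sample, the seed password PLACEHOLDER-pw-1 yields the one username stored beside it in the same archive; passing same_archive_only=False widens the link to the second archive, which is the weaker, cross-victim inference. Password123 is discarded because it turns up in four archives.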

Figure 26. Gmail account identified through password-based search


Conclusion

This report analyzed users who accessed North Korean-related websites using infostealer data collected and processed through ARTHUR.

Unlike traditional credential-based approaches, ARTHUR enables analysis using browser cookies, autofill records, browsing history, installed software information, screenshots, and other browser artifacts.

Through this approach, users who accessed websites without authentication functionality were identified and analyzed.

The investigation identified access to multiple North Korean-related websites, including Naenara, KF Trade, and Air Koryo. Additional information identified from browser artifacts and account credentials included email addresses, screenshots, mobile phone numbers, travel-related information, and other user-generated data.

These findings demonstrate that browser artifacts collected through infostealer infections can be leveraged to identify website visitors, reconstruct user activity, and attribute associated information, even in cases where websites do not provide authentication or login functionality.