Beyond Credentials: Identifying North Korean Website Visitors Through Cookie Analysis
By Threat Intelligence Unit
Overview
This report analyzes users who accessed North Korean (NK)-related websites using infostealer data collected through ARTHUR.
Most NK-related websites do not provide user authentication functionality, making traditional credential-based analysis ineffective for identifying visitors. ARTHUR addresses this limitation by analyzing browser cookies, browsing history, autofill records, screenshots, installed software, and geolocation information collected from infostealer infections.
Using these artifacts, ARTHUR identified and analyzed users who accessed NK-related websites regardless of whether they logged into a service.
Executive Summary
- ARTHUR analyzed infostealer data to identify users who accessed North Korean (NK)-related websites
- Browser cookie artifacts enabled the identification of website visitors, even when the websites did not provide authentication or login functionality
- Analysis of visitors to the Naenara, KF Trade, and Air Koryo websites revealed additional information through autofill records, screenshots, and OSINT research
- Identified artifacts included email addresses, phone numbers, travel information, and company information
Infostealer Malware
Infostealers are malware designed to steal sensitive information from infected systems. While historically focused on financial information and account credentials, modern infostealers routinely collect:
- Browser passwords
- Cookies
- Session tokens
- Browser history
- Autofill data
- Cryptocurrency wallet information
- Screenshots
- Installed software inventories
- Geolocation data
The stolen information is frequently used for account compromise, initial access operations, and ransomware attacks.
Prominent infostealer families observed between 2024 and 2026 include Lumma Stealer, RedLine Stealer, Raccoon Stealer, Vidar, RisePro and Stealc.
Recently, Telegram has increasingly been used as a "Stealer Log Market" where operators distribute credentials, cookies, browser session data, and complete infection archives collected from compromised systems.
Analysis of NK-Related Website Access Through Multi-Artifact Infostealer Data
Most of the identified NK-related websites are static promotional websites that do not provide user login functionality. As a result, conventional credential-based analysis has limited effectiveness because credentials may not be available even when infostealer data has been collected from infected users.
ARTHUR automatically collects and analyzes infostealer information distributed through Telegram channels. While most security companies focus on infected users' IDs and passwords, ARTHUR provides visibility into a broader range of artifacts, including:
- Credentials
- Cookies
- Browsing history
- Autofill data
- Installed software
- Screenshots
- Credit card information
- Geolocation data
By leveraging these data sources, ARTHUR identifies and analyzes users who accessed NK-related websites beyond traditional credential-based approaches.
Domain Search and User Analysis via Cookie Artifacts (1)
Naenara (North Korea external promotion domain)
Analysis of browser cookie artifacts revealed records associated with www.naenara.com.kp, indicating user visits to the website.
The findings demonstrate that browser artifacts can be used to identify and attribute website visits to specific users, even when the website does not require authentication or provide login functionality.
Figure 1. Search for www.naenara.com.kp in the Cookies tab
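The cookie-based search described above is straightforward to reproduce on raw stealer-log bundles. The following Python is an added example, not ARTHUR's code or anything from the original report: it parses the Netscape-format cookies.txt that most stealer families dump, matches each cookie host against a watchlist of the .kp domains named in this report (exact host or subdomain, so www.naenara.com.kp hits naenara.com.kp but a look-alike such as evilnaenara.com.kp does not), and then pivots into the autofill artifacts of the same infection bundle. The log bundles, infection ids and the "field: value" autofill layout are constructed for the example; real dumps vary by family.

```python
from collections import defaultdict

# Watchlist of the North Korean (.kp) domains named in the report.
NK_DOMAINS = {"naenara.com.kp", "kftrade.com.kp", "airkoryo.com.kp", "friend.com.kp"}

# Constructed sample stealer-log bundles keyed by a hypothetical infection id.
# cookies.txt uses the Netscape layout (7 tab-separated fields:
# domain, include_subdomains, path, secure, expiry, name, value).
# autofill.txt uses a simple "field: value" layout assumed for the example.
SAMPLE_LOGS = {
    "LOG-0001": {
        "cookies.txt": (
            "# Netscape HTTP Cookie File\n"
            "www.naenara.com.kp\tFALSE\t/\tFALSE\t1800000000\tPHPSESSID\tabc123\n"
            ".google.com\tTRUE\t/\tTRUE\t1800000000\tNID\txyz\n"
            "malformed line without tabs\n"
        ),
        "autofill.txt": "email: user1@example.com\nphone: +234 000 000 0000\nname: Example Person\n",
    },
    "LOG-0002": {
        "cookies.txt": ".example.com\tTRUE\t/\tTRUE\t1800000000\tsid\tq\n",
        "autofill.txt": "email: other@example.com\n",
    },
    "LOG-0003": {
        "cookies.txt": "airkoryo.com.kp\tFALSE\t/\tFALSE\t1800000000\tlang\ten\n",
        "autofill.txt": "",
    },
}


def parse_netscape_cookies(text):
    """Parse Netscape cookies.txt; skip comments, blanks and malformed rows."""
    cookies = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) != 7:
            continue  # tolerate junk rows instead of aborting the whole bundle
        domain, _sub, _path, _secure, _expiry, name, value = fields
        # leading "." marks a domain cookie; normalise it away for matching
        cookies.append({"domain": domain.lstrip(".").lower(), "name": name, "value": value})
    return cookies


def matches_watchlist(host, watchlist):
    """Return the watchlist entry host belongs to (exact or subdomain), else None."""
    for wl in watchlist:
        if host == wl or host.endswith("." + wl):
            return wl
    return None


def find_watchlist_visits(logs, watchlist):
    """Map infection id -> set of watchlist domains present in its cookie jar."""
    hits = defaultdict(set)
    for log_id, files in logs.items():
        for c in parse_netscape_cookies(files.get("cookies.txt", "")):
            wl = matches_watchlist(c["domain"], watchlist)
            if wl:
                hits[log_id].add(wl)
    return dict(hits)


def parse_autofill(text):
    """Parse 'field: value' lines into field -> list of values."""
    out = defaultdict(list)
    for line in text.splitlines():
        if ":" not in line:
            continue
        field, _, value = line.partition(":")
        out[field.strip().lower()].append(value.strip())
    return dict(out)


def pivot_to_artifacts(logs, watchlist):
    """For every infection that touched a watchlist domain, pull the other
    artifacts from the same bundle so the visit can be attributed."""
    report = {}
    for log_id, domains in find_watchlist_visits(logs, watchlist).items():
        report[log_id] = {
            "domains": sorted(domains),
            "autofill": parse_autofill(logs[log_id].get("autofill.txt", "")),
        }
    return report


if __name__ == "__main__":
    for log_id, info in pivot_to_artifacts(SAMPLE_LOGS, NK_DOMAINS).items():
        print(log_id, info)
```

The suffix check in `matches_watchlist` is the part worth getting right: matching on a substring would also flag unrelated hosts that merely contain the string, while exact-or-subdomain matching only flags hosts that actually belong to the watched domain.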
Selecting a specific record and clicking the Details button reveals a wide range of artifacts collected from a single browser, including:
- Exfiltrated credentials
- Email addresses
- Passwords
- Autofill data
- Cookies
- Installed software
The following email addresses were identified:
- darkb761216@gmail.com
- marketing.rep@universalinsuranceplc.com
- star710928@gmail.com
Figure 2. Email addresses identified under More Credential tab
These email addresses matched information disclosed on a website concerning North Korean workers operating abroad, including personnel located in Nigeria, Guinea, and Oman.
Reference: https://chollima-group.io/posts/reframing-insights-our-research-msmt
Figure 3. Chollima Group’s geographic mapping of North Korean workers globally
Figure 4. Leaked credentials associated with worker "Kim Yong Jin" in Nigeria
Figure 5. Branding and operational details of Samhae Insurance Company
Additional information identified within the Auto Fills tab included:
- Samhae Insurance Company
- Jang Yong Jin
These values were also found to be consistent with publicly disclosed information.
Figure 6. Autofill data showing Samhae Insurance Company connection
Figure 7. Identified Autofill credentials
Further review of the Auto Fills tab identified:
- Kim Nam Jin
- Nigeria, Lagos
- Flight itinerary information
Figure 8. Additional credentials found under Auto Fills tab
Two values believed to be mobile phone numbers were also identified:
- +234 [REDACTED] [REDACTED] 9976
- +234 [REDACTED] [REDACTED] 6568
Figure 9. Identified mobile phone number credentials
Within the Cookies tab, the domain www.naenara.com.kp was identified among websites visited through Chrome.
Figure 10. www.naenara.com.kp domain identified under Cookies tab
Additional email addresses identified included:
- shojokur@gmail.com
- yz.demix@gmail.com
OSINT analysis revealed:
| Email Address | Observation |
|---|---|
| darkb761216@gmail.com | Most recent activity observed on May 6, 2026 |
| star710928@gmail.com | Associated LinkedIn account identified (see Figure 11) |
| shojokur@gmail.com | Most recent activity observed on January 9, 2026 |
| yz.demix@gmail.com | Unable to verify |
Figure 11. Linkedin account associated with star710928@gmail.com
Domain Search and User Analysis via Cookie Artifacts (2)
KF Trade (North Korea foreign trade-related website)
A search for kftrade.com.kp revealed multiple records indicating previous access to the North Korean foreign trade website.
Figure 12. Search for kftrade.com.kp in the Cookies tab
Evidence of access to the website was confirmed within the associated cookie data.
Figure 13. Evidence of access to kftrade.com.kp
The infection data associated with the user contained screenshots.
Analysis of the screenshots revealed:
- Astrill VPN
- 사모님 자료 (Madam's Documents)
- 령사관 (Consulate)
- 순회비행탄 (Cruise Missile)
Astrill VPN has been reported as software frequently utilized by North Korean users.
Figure 14. Exfiltrated infostealer screenshot of the victim's desktop
The value "shenyang sanjia chemical technology" identified within the Auto Fills tab is believed to be a company name.
A search for the company indicated that it is a chemical-related company located in Shenyang, China.
Figure 15. "shenyang sanjia chemical technology" identified within the Auto Fills tab
Figure 16. Google search result for "shenyang sanjia chemical technology"
Figure 17. Official company profile and logistics footprint for the Shenyang-based chemical facility
Additional values identified within the Auto Fills tab included:
- Flight Missile
- Mobile phone numbers
- Myonghuan
- Myongjin
- Namho
Figure 18. Additional values identified within the Auto Fills tab (1)
Figure 19. Additional values identified within the Auto Fills tab (2)
Figure 20. Additional values identified within the Auto Fills tab (3)
A total of 23 email addresses associated with login activity on Upwork were also identified.
Figure 21. Numerous email addresses associated with login activity
Among them, 3279546799@qq.com was associated through OSINT analysis with an individual employed by a company located in Shenyang, China.
The remaining email addresses are listed below:
| Email Address | Email Address |
|---|---|
DavidKim0815@outlook.com | RobertZheng105@outlook.com |
doctor041093@outlook.com | RobertZheng2690@outlook.com |
HarryLee702@outlook.com | Robertzheng402@outlook.com |
jameslee615@outlook.com | thomaslee115@outlook.com |
JamesPak55@outlook.com | ThomasPak48@outlook.com |
JamesPak55@outlook.kr | WilliamZheng125@outlook.com |
lifengyanlgz1216@163.com | yangtailong0730@outlook.com |
liguangzhe716@gmail.com | yongjiepiao555@yeah.net |
morningsun51593@outlook.com | Yongjiepiao92182@yeah.net |
RobertLee0308@outlook.com | zhengminghuan0507@163.com |
RobertLee102@outlook.com | zhengminghuan0507@gmail.com |
No additional attribution or identifying information could be obtained through OSINT analysis for these addresses.
Domain Search and User Analysis via Cookie Artifacts (3)
Air Koryo (Air Koryo official website)
A search for airkoryo.com.kp identified records indicating access to the official Air Koryo website.
Figure 22. Search for airkoryo.com.kp in the Cookies tab
Email addresses, names, and phone numbers believed to belong to South Korean individuals were identified.
Examples included:
- 0526[REDACTED]@naver.com
- park[REDACTED]@gmail.com
Although access to this website is blocked from within South Korea, the presence of these records indicates that the site was most likely reached through a VPN or similar circumvention software.
Figure 23. Leaked credentials confirming South Korean individual
User Analysis via Email Credentials and Passwords
Users who accessed NK-related websites identified through the Accounts tab
A search for airkoryo.com.kp within the Accounts tab of ARTHUR revealed the email address neig[REDACTED]@gmail.com. This finding provides a significant lead for visitor identification and attribution.
OSINT analysis revealed that the email account neig[REDACTED]@gmail.com remained active until May 12, 2025. Furthermore, the account was associated with an individual currently residing in Australia.
Figure 24. Credentials used to access NK-related website
In a separate analysis, a search for friend.com.kp within the Accounts tab of ARTHUR identified the password g7P5DTjZg4dJdU8. This password was subsequently used as the basis for visitor attribution analysis.
Figure 25. Passwords identified from Accounts tab
Using ARTHUR, additional websites accessed with the same password were identified. Analysis of these records revealed that the email address sinh[REDACTED]@gmail.com was associated with the password g7P5DTjZg4dJdU8, providing an additional attribution point linking activity across multiple websites.
OSINT analysis revealed that the email account sinh[REDACTED]@gmail.com remained active until May 23, 2026, and was associated with an individual located in Brazil.
Figure 26. Gmail account identified through password-based search
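The password pivot used above (take a password saved for friend.com.kp, find every other record sharing it, and read off the e-mail addresses) is easy to automate, but it only works when the password is distinctive. The following Python is an added example, not ARTHUR's code: it indexes credential records by password, refuses to pivot on passwords that are short, on a common-password list, or seen across more than one infection (a generic password such as 123456 links unrelated victims), and returns the e-mail-style usernames linked to the seed domain. The records, infection ids and password values are constructed placeholders, not values from the report.

```python
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample credential records as stealer logs present them
# (url, username, password), tagged with a hypothetical infection id.
# Passwords are placeholders chosen for the example.
SAMPLE_ACCOUNTS = [
    {"log": "LOG-0101", "url": "http://friend.com.kp/", "user": "", "password": "Q4vX9mLtR2pZ7s"},
    {"log": "LOG-0101", "url": "http://friend.com.kp/", "user": "", "password": "123456"},
    {"log": "LOG-0101", "url": "https://accounts.google.com/", "user": "sinh.example@gmail.com", "password": "Q4vX9mLtR2pZ7s"},
    {"log": "LOG-0101", "url": "https://example-forum.test/login", "user": "sinh_example", "password": "Q4vX9mLtR2pZ7s"},
    {"log": "LOG-0101", "url": "https://shop.test/", "user": "sinh.example@gmail.com", "password": "123456"},
    {"log": "LOG-0202", "url": "https://other.test/", "user": "someone@example.net", "password": "123456"},
    {"log": "LOG-0303", "url": "https://third.test/", "user": "third@example.org", "password": "123456"},
]

# Small stand-in for a real common-password list (assumed for the example).
COMMON_PASSWORDS = {"123456", "password", "qwerty"}


def index_by_password(accounts):
    """Group credential records by their password value."""
    idx = defaultdict(list)
    for a in accounts:
        idx[a["password"]].append(a)
    return idx


def password_is_pivotable(password, idx, min_len=10, max_logs=1):
    """A password is a usable link only if it is long enough to be non-generic,
    not on the common list, and seen in no more than max_logs infections."""
    if len(password) < min_len or password.lower() in COMMON_PASSWORDS:
        return False
    logs = {a["log"] for a in idx[password]}
    return len(logs) <= max_logs


def host_belongs_to(url, domain):
    """True if the URL's host is domain or a subdomain of it."""
    host = (urlparse(url).hostname or "").lower()
    return host == domain or host.endswith("." + domain)


def pivot_from_domain(accounts, seed_domain):
    """Start from records saved for seed_domain, take their passwords, and
    return every other record that shares a pivotable password."""
    idx = index_by_password(accounts)
    linked = []
    for seed in accounts:
        if not host_belongs_to(seed["url"], seed_domain):
            continue
        pw = seed["password"]
        if not password_is_pivotable(pw, idx):
            continue  # weak or widely reused password: no attribution value
        for a in idx[pw]:
            if a is not seed and a not in linked:
                linked.append(a)
    return linked


def linked_identities(accounts, seed_domain):
    """E-mail-style usernames among the records reached by the pivot."""
    return sorted({a["user"] for a in pivot_from_domain(accounts, seed_domain) if "@" in a["user"]})


if __name__ == "__main__":
    print(linked_identities(SAMPLE_ACCOUNTS, "friend.com.kp"))
```

In the sample the friend.com.kp bundle holds two saved passwords; the distinctive one links to the Gmail address, while 123456 is rejected because it is short, on the common list, and shared by three unrelated infections. Tune `min_len` and `max_logs` to the corpus: the larger the log set, the more often even a moderately strong password will show up in unrelated bundles.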
Conclusion
This report analyzed users who accessed North Korean-related websites using infostealer data collected and processed through ARTHUR.
Unlike traditional credential-based approaches, ARTHUR enables analysis using browser cookies, autofill records, browsing history, installed software information, screenshots, and other browser artifacts.
Through this approach, users who accessed websites without authentication functionality were identified and analyzed.
The investigation identified access to multiple North Korean-related websites, including Naenara, KF Trade, and Air Koryo. Additional information identified from browser artifacts and account credentials included email addresses, screenshots, mobile phone numbers, travel-related information, and other user-generated data.
These findings demonstrate that browser artifacts collected through infostealer infections can be leveraged to identify website visitors, reconstruct user activity, and attribute associated information, even in cases where websites do not provide authentication or login functionality.