The Infostealer to APT Pipeline: How Lazarus Group Hijacked a Yemen Disinformation Network
Hudson Rock investigations reveal how a single infected computer in Yemen served as the bridge between a 2019 disinformation campaign and North Korea’s Lazarus Group.
In the world of Threat Intelligence, we often view Advanced Persistent Threats (APTs) as omnipotent operators who build their own sophisticated infrastructure. The reality, however, is far more opportunistic.
Following our recent exposure of a compromised North Korean hacker, Hudson Rock has uncovered another striking example of the “Infostealer to APT Pipeline.”
We have identified a specific computer in Yemen, infected by an Infostealer in 2020 and 2023, which granted administrative access to a network of news domains previously used for a massive disinformation campaign. Our analysis indicates that these same credentials were subsequently weaponized by the Lazarus Group (North Korea) to fuel their own operations.
Visualizing the Attack Chain
2019: Disinformation
Yemen-based actors establish alnagm-press.com to impersonate Arab media and spread fake news.
2020 (or earlier): The Infection
The campaign operator gets infected by RedLine Stealer. Admin credentials are exfiltrated to the Dark Web.
The Handover
Lazarus Group (APT38) acquires the logs, hijacking the trusted domains for C2 and malicious operations.
1. The Origin: A Yemen Disinformation Campaign
In 2019, security researchers at ClearSky exposed a large-scale influence operation based in Yemen. The operators created dozens of fake media outlets designed to mimic legitimate news sources from the Gulf and the Arabian Peninsula.
The goal was simple: spread pro-Houthi narratives and fake news stories—including false reports about the deaths of Israeli celebrities—to sow confusion. Domains like alnagm-press.com, azal-press.com, and gulfnaw.com were central to this network.
2. Patient Zero: De-anonymizing the Operator
Using Hudson Rock’s database, we analyzed the machine responsible for managing these domains. The forensic data from the infection (dated 2020) provides an unprecedented look into the operator behind the disinformation network.
Victim Profile
- IP Address:
175.110.9.173 - Location: At Turbah, Ta’izz, Yemen
- Computer Name:
dell - OS: Windows 10 Enterprise x64
- Infection Type: RedLine Stealer
Installed Tools
- SEO SpyGlass: For aggressive search engine manipulation.
- MS Office (Arabic): Content creation.
The passwords.txt file recovered from this machine is a “keys to the kingdom” event. It contains administrative logins for the entire disinformation ring:
Username: mohammed_slah81@gmail.com
Password: ******** (censored)
===============
URL: https://azal-press.com/wp-login.php
Username: adminnews
Password: ******** (censored)
===============
URL: https://isr.gulfnaw.com/wp-login.php
Username: adminisr
Password: ******** (censored)
3. The Pivot: Lazarus Group enters the Chat
This is where the story shifts from “disinformation” to “Advanced Persistent Threat.” Hudson Rock intelligence suggests that the credentials stolen from this Yemeni operator were acquired by Lazarus Group.
Lazarus, a North Korean state-sponsored actor, is notorious for its adaptability. Rather than building new infrastructure that might be flagged by security vendors, they often hijack existing, aged domains.
According to a technical analysis by the South Korean cybersecurity team at Alyac (ESTsecurity), North Korean threat actors have been observed specifically utilizing alnagm-press.com as part of their command and control infrastructure. The Alyac report identifies this domain being used to distribute malware or host phishing pages targeting South Korean entities.
Why did Lazarus want this machine?
The alnagm-press.com network was a perfect target for an APT:
- Domain Authority: The sites had been active since 2016/2019, making them less likely to be blocked by security filters than brand-new domains.
- Trusted Category: Categorized as “News/Media” by web filters.
- Command & Control (C2): Compromised WordPress sites are frequently used by Lazarus to hide C2 traffic.
The Alyac report further corroborates this pattern, noting that North Korean groups frequently exploit poorly secured WordPress sites to serve malicious scripts and exfiltrate data, effectively turning a disinformation tool into a cyber-weapon.
By using the credentials found in the Passwords.txt file—specifically the WP-Admin and Cpanel access—Lazarus effectively took over the disinformation infrastructure to launch their own campaigns, targeting financial institutions or conducting espionage, masking their traffic behind the noise of a “Yemeni news site.”
Conclusion
This investigation highlights the dangerous reality of the Infostealer to APT Pipeline. A single infection on a computer in Ta’izz, Yemen, did not just expose a disinformation campaign; it provided a top-tier nation-state actor with free, stealthy infrastructure.
For deeper insights into how Infostealers are fueling the world’s most dangerous cyberattacks, read our related investigation into a compromised North Korean hacker or explore similar cases at InfoStealers.com.
