HOMETHREATSLarva-24005
APT / THREAT GROUP

Larva-24005

🇰🇵North Korea-attributed
1
campaigns
1
aliases
Last seen:Mar 17, 2026

Intelligence Profile

Larva-24005 is a threat actor that breaches servers in Korea to establish a web server and PHP environment for phishing attacks, primarily targeting individuals involved with North Korea and university professors researching the regime. They exploit the BlueKeep vulnerability for initial access and utilize RDPWrap and a custom keylogger post-compromise. Phishing emails are crafted to appear as legitimate communications, often containing malicious URLs or compressed files. The actor has been observed storing phishing pages in the IIS_USER account and XAMPP home folder, although traces of these pages were later deleted.

Threat Analysis

Larva-24005 is a known-sophistication threat actor attributed to North Korea, engaged in cyber operations with a primary motivation of unknown activity patterns.

Known Campaigns

Larva-24005 — Active Operations March 2026

Larva-24005 is a unknown-motivation threat actor attributed to North Korea. Larva-24005 is a threat actor that breaches servers in Korea to establish a web server and PHP environment for phishing attacks, primarily targeting individuals involved with North Korea and university professors researching the regime. They exploit the BlueKeep vulnerability for...

ACTIVEMEDIUM2026

External References

Quick Facts

TypeAPT / Threat Group
Origin🇰🇵 North Korea
Aliases1
SourceMalpedia

Also Known As

Larva-24005

Research Links

Data sourced from Malpedia, Ransomware.live, RansomLook, and CTIWATCH OSINT collection. Actor attribution is based on available intelligence and may be incomplete.
Larva-24005 — APT / Threat Group | Threat Intelligence | CTIWATCH.COM