| SYMBOL | COMMON_NAME | aka. SYNONYMS |
The Larva-24010 threat actor is distributing malware through the website of a Korean VPN service provider. As a result, when a user downloads and runs the installer from the VPN website, malware can be installed on the system. Since at least 2023, the Larva-24010 threat actor has been targeting Korean VPN users to spread malware, ultimately installing various backdoors such as MeshAgent, gs-netcat, and NKNShell. Through this, the attacker can control infected systems where the VPN is installed and steal sensitive information stored on those systems.
There are currently no families associated with this actor.
| 2025-11-17
⋅
AhnLab
⋅
NKNShell Malware Distributed via VPN Website Larva-24010 |