Published on 1 April 2026, DomainTools’ DPRK Malware Modularity study describes North Korea’s cyber programme as a deliberately fragmented ecosystem built for mission-specific resilience and attribution resistance. It argues that what looks like fragmentation from the outside is actually a mature portfolio model with parallel malware pipelines aligned to discrete objectives, enabling espionage, revenue generation, and disruption to run concurrently without cross-contamination.
The analysis stresses a burn-and-replace approach, in which toolchains and infrastructure are treated as disposable and swapped out to maintain operational viability under sustained defensive pressure. It notes that this compartmentalisation, combined with the reuse of widely available cloud and developer tooling that blends in with legitimate activity, complicates attribution and slows defenders’ decisions, and that social engineering remains the primary initial access vector across all three tracks.
The espionage track is most commonly linked to Kimsuky, the financial track to Lazarus Group, and the disruptive track to Andariel; the report frames these associations as claims supported by multiple sources rather than as its own findings. Overall, the piece positions DPRK operations as a deliberately industrialised model, not a disorderly collection of campaigns, designed to endure exposure and sustain multi-domain engagement.