DEVIL MARLBORO offers for sale an alleged intelligence package linked to Kimsuky and Lazarus Group

Executive Summary

DEVIL MARLBORO, also identified as MARLBORO Group, released a commercial offer claiming to possess approximately 419 GB of information linked to North Korea and two relevant actors within its cyber ecosystem: Kimsuky and Lazarus Group.

The publication presents the material as the result of a prolonged collection effort involving contact with informants and access to restricted devices. The alleged contents include offensive tools, vulnerabilities, digital certificates, information about operators, cryptocurrency wallets and data linked to sensitive North Korean facilities.

The actor offers the collection as a complete package or through separate modules. To date, iQBlack has not identified independent public evidence capable of confirming the authenticity, freshness or provenance of the advertised material.

Key Judgments

  • The publication introduces an intelligence offer allegedly linked to North Korean cyber actors associated with strategic objectives, espionage operations and illicit financial activity.
  • The extraordinarily broad nature of the advertised collection requires caution. The package may combine authentic information, recycled data, previously exposed material or content presented under an exaggerated commercial framing.
  • The discrepancy between the alleged strategic value of the package and the requested price constitutes a relevant element when assessing the credibility of the offer.
  • Even if the material proves partial, outdated or overstated, the publication remains relevant as an indicator of the possible commercial circulation of information related to actors linked to state structures.

What Happened

DEVIL MARLBORO published a Russian-language message announcing the alleged acquisition of 419 GB of information related to North Korea.

The actor claims that the material includes source code for offensive tools, vulnerabilities allegedly used by North Korean actors, backdoor and rootkit components, digital certificates, identifying information on operators and records associated with cryptocurrency wallets.

The publication also claims to possess information on military and nuclear facilities, research centers and locations connected to North Korea’s strategic capabilities.

The complete package is offered for USD 2,350 during an initial seven-day period. The publication also allows specific modules to be purchased separately.

The available evidence confirms the existence of the commercial offer and the scope declared by the seller. It does not confirm that the full content exists, that it was obtained recently or that it derives from direct compromises of North Korean infrastructure.

Analyst Note

The actor’s official account includes the phrase “FSO & FSB employee data leak” in its description. Over the past few days, it has also adopted as its avatar a modified image visually associated with the mascot used by NoName057(16), a widely known pro-Russian collective within the hacktivist ecosystem.

Taken together, these two elements present a notable contradiction. The use of this visual resource could reflect symbolic appropriation, provocation, a search for visibility or an attempt to build reputation. It could also suggest that NoName057(16) may be closely linked to Russian state structures.

Operational Assessment

The relevance of the publication lies in the type of material offered and the actors mentioned. Kimsuky and Lazarus Group form part of a North Korean cyber ecosystem associated with intelligence operations, information theft, illicit fundraising and support for the regime’s strategic objectives.

The collection advertised by DEVIL MARLBORO exceeds the usual pattern of access or credential sales. The actor seeks to position it as an operational intelligence package capable of exposing tools, identities, financial infrastructure and assets linked to sensitive structures.

However, the breadth of the announcement also requires consideration of alternative hypotheses. The package may bring together information obtained from open sources, previous leaks, partially authentic material or recycled data presented under a new commercial framing.

An authentic, recent and exclusive collection containing operational vulnerabilities, offensive tools, operator identities and strategic information would likely command a substantially higher value within clandestine markets or restricted intelligence channels. For this reason, the requested price reinforces the need for caution.

The discrepancy does not automatically invalidate the offer, but it may indicate a strategy designed to attract buyers, build reputation or rapidly monetize a collection whose quality has not yet been demonstrated.

Intelligence Significance

The announcement warrants monitoring because it raises the possibility of commercial circulation of information associated with cyber actors linked to North Korea.

If a substantial portion of the package is authentic and recent, the exposure could affect operational capabilities, support investigations into infrastructure used by the actors mentioned or provide elements for tracing financial flows associated with illicit activity.

If the material proves outdated, incomplete or partially assembled from recycled information, the offer would remain relevant as an indicator of the commercial use of intelligence allegedly linked to state actors to strengthen a seller’s reputational position within the clandestine ecosystem.

Analytical Closing

The offer released by DEVIL MARLBORO constitutes a preliminary indicator of possible commercial circulation of information linked to Kimsuky and Lazarus Group. Pending verifiable technical evidence, iQBlack maintains a cautious assessment regarding the authenticity and provenance of the advertised package.

iQBlack | Threat Intelligence & Threat Research. © Copyright 2026. All Rights Reserved