By looking at the logs for ‘Victor’, we found an entry that stands out: the IP address and location do not match the previously observed Touch VPN exit nodes, but rather a residential China Mobile IP address (223.104.144.97) located in Jiaxing, China. We believe that this was an operational security mistake, which ended up leaking the attacker’s original IP address.

Quote

Sources

Beyond the Pond Phish: Unraveling Lazarus Group’s Evolving Tactics