North Korea’s favorite anti-virus software is just an old, ripped off Trend Micro product

Check Point researchers found that the North Korean software was constructed using a 10-year-old file scanning engine, which Trend Micro first created.
North Korea
(Flickr / CC0)

An anti-virus program that’s implemented throughout North Korea, software known as “SiliVaccine,” was built using old, ripped-off code belonging to global cybersecurity giant Trend Micro, according to new research.

The findings by Israeli firm Check Point show how North Korean software makers were able to leverage an illegally copied and repackaged code library to engineer a bootstrapped security platform. This suspicious anti-virus product is still reportedly used in North Korea to stop hackers from targeting the small group of dignitaries allowed to access the internet.

Traditionally, Pyongyang has restricted internet usage to a small select segment of  the country’s population. Prior research by cybersecurity firm RecordedFuture detailed how North Korean elites would use the internet to check popular social media sites and play online games.

The SiliVaccine program acquired by Check Point was originally turned over by a South Korean journalist who received a phishing email, which contained other North Korean malware. The malicious email had a version of SiliVaccine embedded in the malware.


Check Point researchers found that the North Korean software was constructed using a 10-year-old file scanning engine, known as VSAPI, which Trend Micro first created.

It’s not clear how Trend Micro’s code was acquired by the North Koreans. But the stolen library in question remains part of various Trend Micro and even third-party security products, which follow valid partner license agreements.

A Trend Micro spokesperson told Forbes that the stolen computer code could have come from a product sold by an original equipment manufacturer (OEM).

“It appears that a compiled code library was illegally copied, repacked and then wrapped with additional application code not originating from Trend Micro to build a normal AV scanning application called SiliVaccine,” the spokesperson told Forbes.

Researchers with Recorded Future’s internal “Insikt” intelligence collection unit told CyberScoop that the discovery and nature of SiliVaccine is unsurprising based on the company’s own analysis of North Korean internet activity.


“We assess due to the majority of the North Korean population not being connected to the wider internet, having an AV product that is built around 10 year old code is something that may be sufficient for the country’s domestic internet,” a Recorded Future spokesperson said. “It is effectively a quarantined environment, except of course, for any malicious code introduced through the proliferation of smuggled USBs of South Korean TV drama’s.”

They continued, “Plagiarism of software and technology is core to the North Korea R&D cycle, as can be demonstrated by their development of the native Red Star operating system which was built on a Linux platform with a visual similarity to MacOS.”

It’s not uncommon for hackers to test their homegrown malware against anti-virus engines to check if it gets detected. As a result, it’s possible that an operational security mistake allowed for the discovery of SiliVaccine’s code by Check Point.

Chris Bing

Written by Chris Bing

Christopher J. Bing is a cybersecurity reporter for CyberScoop. He has written about security, technology and policy for the American City Business Journals, DC Inno, International Policy Digest and The Daily Caller. Chris became interested in journalism as a result of growing up in Venezuela and watching the country shift from a democracy to a dictatorship between 1991 and 2009. Chris is an alumnus of St. Marys College of Maryland, a small liberal arts school based in Southern Maryland. He's a fan of Premier League football, authentic Laotian food and his dog, Sam.

Latest Podcasts