Image: Micha Brändli

North Korean hackers target security researchers with new zero-day

State-backed North Korean hackers are reportedly targeting security researchers using at least one zero-day vulnerability, Google warned in a report released Thursday.

For the past two-and-a-half years, the researchers have been tracking campaigns by the threat actors they believe are behind the recent attacks.

The analysis of the attacks is still in progress, but Google decided to give an early warning and alerted the affected vendor, who is now working on fixing the issue.

“We hope this will remind security researchers that they could be targets of government-backed attackers and to stay vigilant of security practices,” the company said.

As in previous campaigns documented by researchers, North Korean hackers used social media platforms like X (formerly Twitter) and Mastodon to make contact with their targets — security specialists involved in vulnerability research and development. These social media platforms are popular among the infosec community.

In one case, the hackers engaged in a months-long conversation with a security researcher to collaborate on shared interests. Hackers started this conversation on X and later moved to encrypted messaging apps like Signal, WhatsApp, or Wire.

After establishing a relationship with the targeted researcher, the hackers sent a malicious file containing at least one zero-day exploit for popular software.

In addition to targeting researchers with zero-day exploits, the hackers behind this campaign also created a separate Windows tool meant to download debugging information from Microsoft, Google, Mozilla, and Citrix servers for reverse engineers, according to Google.

Debugging information refers to data on how a computer program operates internally, including the code structure, variable names, function calls, and other relevant data that can help software developers and reverse engineers understand the program.

The tool's source code was initially shared on GitHub back in 2022. It can be helpful for researchers when fixing software problems or researching vulnerabilities. But it also has the ability to download and execute malicious code from an attacker-controlled domain.

For those who have downloaded the tool, Google suggests taking precautions, which may include reinstalling the operating system.

Google said that it will continue to provide updates to the security community regarding the attacks, including information about the zero-day vulnerability that was exploited, the name of the vulnerable software, and the goal of these attacks.

Get more insights with the
Recorded Future
Intelligence Cloud.
Learn more.
No previous article
No new articles
Daryna Antoniuk

Daryna Antoniuk

is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.