{
	"id": "3a6cc198-f485-4847-a34e-c63026fec491",
	"created_at": "2026-04-06T00:21:00.852557Z",
	"updated_at": "2026-04-10T13:12:28.334204Z",
	"deleted_at": null,
	"sha1_hash": "75fe84b6f322ced1dd5710fcf24bf6d2a716a2f4",
	"title": "Countering threats from North Korea",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 57427,
	"plain_text": "Countering threats from North Korea\r\nBy Adam Weidemann\r\nPublished: 2022-03-24 · Archived: 2026-04-05 16:41:55 UTC\r\nOn February 10, Threat Analysis Group discovered two distinct North Korean government-backed attacker groups exploiting a remote code execution vulnerability in Chrome, CVE-2022-0609. These groups' activity has been publicly tracked as Operation Dream Job and Operation AppleJeus.\r\nWe observed the campaigns targeting U.S.-based organizations spanning the news media, IT, cryptocurrency and fintech industries. However, other organizations and countries may have been targeted. One of the campaigns has direct infrastructure overlap with a campaign targeting security researchers which we reported on last year. The vulnerability was patched on February 14, 2022. The earliest evidence we have of this exploit kit being actively deployed is January 4, 2022.\r\nWe suspect that these groups work for the same entity with a shared supply chain, hence the use of the same exploit kit, but each operates with a different mission set and deploys different techniques. It is possible that other North Korean government-backed attackers have access to the same exploit kit.\r\nIn this blog, we will walk through the observed tactics, techniques and procedures, share relevant IOCs and analyze the exploit kit used by the attackers. In line with our current disclosure policy, we are providing these details 30 days after the patch release.\r\nCampaign targeting news media and IT companies\r\nThe campaign, consistent with Operation Dream Job, targeted over 250 individuals working for 10 different news media, domain registrars, web hosting providers and software vendors. The targets received emails claiming to come from recruiters at Disney, Google and Oracle with fake potential job opportunities. 
The emails contained links spoofing legitimate job hunting websites like Indeed and ZipRecruiter.\r\n[Image: Example of spoofed job hunting websites]\r\nVictims who clicked on the links would be served a hidden iframe that would trigger the exploit kit.\r\nAttacker-Owned Fake Job Domains:\r\ndisneycareers[.]net\r\nfind-dreamjob[.]com\r\nindeedus[.]org\r\nvarietyjob[.]com\r\nziprecruiters[.]org\r\nExploitation URLs:\r\nhttps[:]//colasprint[.]com/about/about.asp (legitimate but compromised website)\r\nhttps[:]//varietyjob[.]com/sitemap/sitemap.asp\r\nCampaign targeting cryptocurrency and fintech organizations\r\nAnother North Korean group, whose activity has been publicly tracked as Operation AppleJeus, targeted over 85 users in the cryptocurrency and fintech industries leveraging the same exploit kit. This included compromising at least two legitimate fintech company websites and hosting hidden iframes to serve the exploit kit to visitors. In other cases, we observed fake websites — already set up to distribute trojanized cryptocurrency applications — hosting iframes and pointing their visitors to the exploit kit.\r\nAttacker-Owned Websites:\r\nblockchainnews[.]vip\r\nchainnews-star[.]com\r\nfinancialtimes365[.]com\r\nfireblocks[.]vip\r\ngatexpiring[.]com\r\ngbclabs[.]com\r\ngiantblock[.]org\r\nhumingbot[.]io\r\nonlynova[.]org\r\nteenbeanjs[.]com\r\nCompromised Websites (Feb 7 - Feb 9):\r\nwww.options-it[.]com\r\nwww.tradingtechnologies[.]com\r\nExploitation URLs:\r\nhttps[:]//financialtimes365[.]com/user/finance.asp\r\nhttps[:]//gatexpiring[.]com/gate/index.asp\r\nhttps[:]//humingbot[.]io/cdn/js.asp\r\nhttps[:]//teenbeanjs[.]com/cloud/javascript.asp\r\nExploit kit overview\r\nThe attackers made use of an exploit kit that contained multiple stages and components in order to exploit targeted users. 
The attackers placed links to the exploit kit within hidden iframes, which they embedded on both websites they owned as well as some websites they compromised.\r\nThe kit initially served some heavily obfuscated JavaScript used to fingerprint the target system. This script collected all available client information, such as the user agent and screen resolution, and sent it back to the exploitation server. If a set of requirements we were unable to determine was met, the client would be served a Chrome RCE exploit and some additional JavaScript. If the RCE was successful, the JavaScript would request the next stage, referenced within the script as “SBX”, a common acronym for Sandbox Escape. We unfortunately were unable to recover any of the stages that followed the initial RCE.\r\nCareful to protect their exploits, the attackers deployed multiple safeguards to make it difficult for security teams to recover any of the stages. These safeguards included:\r\nOnly serving the iframe at specific times, presumably when they knew an intended target would be visiting the site.\r\nIn some email campaigns the targets received links with unique IDs. This was potentially used to enforce a one-time-click policy for each link and allow the exploit kit to be served only once.\r\nAES-encrypting each stage, including the clients’ responses, with a session-specific key.\r\nNot serving additional stages if the previous stage failed.\r\nAlthough we recovered a Chrome RCE, we also found evidence that the attackers specifically checked for visitors using Safari on macOS or Firefox (on any OS), and directed them to specific links on known exploitation servers. 
We did not recover any responses from those URLs.\r\nExample exploit kit (SHA-256):\r\n03a41d29e3c9763093aca13f1cc8bcc41b201a6839c381aaaccf891204335685\r\nThe attackers made multiple attempts to use the exploit days after the vulnerability was patched on February 14, which stresses the importance of applying security updates as they become available.\r\nProtecting Our Users\r\nAs part of our efforts to combat serious threat actors, we use the results of our research to improve the safety and security of our products. Upon discovery, all identified websites and domains were added to Safe Browsing to protect users from further exploitation. We also sent all targeted Gmail and Workspace users government-backed attacker alerts notifying them of the activity. We encourage any potential targets to enable Enhanced Safe Browsing for Chrome and ensure that all devices are updated.\r\nTAG is committed to sharing our findings as a way of raising awareness with the security community, and with companies and individuals that might have been targeted or suffered from these activities. We hope that improved understanding of the tactics and techniques will enhance threat hunting capability and lead to stronger user protections across industry.\r\nSource: https://blog.google/threat-analysis-group/countering-threats-north-korea/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.google/threat-analysis-group/countering-threats-north-korea/"
	],
	"report_names": [
		"countering-threats-north-korea"
	],
	"threat_actors": [
		{
			"id": "544ecd2c-82c9-417c-9d98-d1ae395df964",
			"created_at": "2025-10-29T02:00:52.035025Z",
			"updated_at": "2026-04-10T02:00:05.408558Z",
			"deleted_at": null,
			"main_name": "AppleJeus",
			"aliases": [
				"AppleJeus",
				"Gleaming Pisces",
				"Citrine Sleet",
				"UNC1720",
				"UNC4736"
			],
			"source_name": "MITRE:AppleJeus",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434860,
	"ts_updated_at": 1775826748,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/75fe84b6f322ced1dd5710fcf24bf6d2a716a2f4.pdf",
		"text": "https://archive.orkl.eu/75fe84b6f322ced1dd5710fcf24bf6d2a716a2f4.txt",
		"img": "https://archive.orkl.eu/75fe84b6f322ced1dd5710fcf24bf6d2a716a2f4.jpg"
	}
}