{ "id": "cf588676-9593-431a-9f0a-36d737aa413a", "created_at": "2026-04-06T00:14:43.287839Z", "updated_at": "2026-04-10T13:12:43.934666Z", "deleted_at": null, "sha1_hash": "7e39bf3cd6897f7be0279c322db0c7b446850573", "title": "Google: North Korean hackers have targeted security researchers via social media", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 1860999, "plain_text": "Google: North Korean hackers have targeted security researchers\r\nvia social media\r\nBy Catalin Cimpanu\r\nPublished: 2021-01-26 · Archived: 2026-04-05 21:33:08 UTC\r\nGroup of hooded hackers shining through a digital north korean flag cybersecurity concept\r\nMichael Borgers, Getty Images/iStockphoto\r\nGoogle said today that a North Korean government hacking group has targeted members of the cyber-security\r\ncommunity engaging in vulnerability research.\r\nThe attacks have been spotted by the Google Threat Analysis Group (TAG), a Google security team specialized in\r\nhunting advanced persistent threat (APT) groups.\r\nIn a report published earlier today, Google said North Korean hackers used multiple profiles on various social\r\nnetworks, such as Twitter, LinkedIn, Telegram, Discord, and Keybase, to reach out to security researchers using\r\nfake personas.\r\nEmail was also used in some instances, Google said.\r\n\"After establishing initial communications, the actors would ask the targeted researcher if they wanted to\r\ncollaborate on vulnerability research together, and then provide the researcher with a Visual Studio Project,\" said\r\nhttps://www.zdnet.com/article/google-north-korean-hackers-have-targeted-security-researchers-via-social-media/\r\nPage 1 of 3\n\nAdam Weidemann, a security researcher with Google TAG.\r\nThe Visual Studio project contained malicious code that installed malware on the targeted researcher's operating\r\nsystem. The malware acted as a backdoor, contacting a remote command and control server and waiting for\r\ncommands.\r\nThis malware was later linked to the Lazarus Group, a well-known North Korean state-sponsored operation.\r\nKTAE code similarity analysis for the malware used to target security researchers\r\ninvolved in 0day analysis and development. \"Manuscrypt\" (also known as FALLCHILL)\r\nis typically used by the Lazarus APT. 👉 pic.twitter.com/hXxuJIj9Lc\r\n— Costin Raiu (@craiu) January 26, 2021\r\nNew mysterious browser attack also discovered\r\nBut Wiedemann said that the attackers didn't always distribute malicious files to their targets. In some other cases,\r\nthey asked security researchers to visit a blog they had hosted at blog[.]br0vvnn[.]io (do not access).\r\nGoogle said the blog hosted malicious code that infected the security researcher's computer after accessing the\r\nsite.\r\n\"A malicious service was installed on the researcher's system and an in-memory backdoor would begin beaconing\r\nto an actor-owned command and control server,\" Weidemann said.\r\nBut Google TAG also added that many victims who accessed the site were also running \"fully patched and up-to-date Windows 10 and Chrome browser versions\" and still got infected.\r\nDetails about the browser-based attacks are still scant, but some security researchers believe the North Korean\r\ngroup most likely used a combination of Chrome and Windows 10 zero-day vulnerabilities to deploy their\r\nmalicious code.\r\nAs a result, the Google TAG team is currently asking the cyber-security community to share more details about\r\nthe attacks, if any security researchers believe they were infected.\r\nThe Google TAG report includes a list of links for the fake social media profiles that the North Korean actor used\r\nto lure and trick members of the infosec community.\r\nSecurity researchers are advised to review their browsing histories and see if they interacted with any of these\r\nprofiles or if they accessed the malicious blog.br0vvnn.io domain.\r\nnk-apt-twitter-profiles.png\r\nImage: Google\r\nIn case they did, they are most likely to have been infected, and certain steps need to be taken to investigate their\r\nown systems.\r\nhttps://www.zdnet.com/article/google-north-korean-hackers-have-targeted-security-researchers-via-social-media/\r\nPage 2 of 3\n\nThe reason for targeting security researchers is pretty obvious as it could allow the North Korean group to steal\r\nexploits for vulnerabilities discovered by the infected researchers, vulnerabilities that the threat group could\r\ndeploy in its own attacks with little to no development costs.\r\nIn the meantime, several security researchers have already disclosed on social media that they received messages\r\nfrom the attackers' accounts, although, none have admitted to having systems compromised.\r\nWARNING! I can confirm this is true and I got hit by @z0x55g who sent me a Windows\r\nkernel PoC trigger. The vulnerability was real and complex to trigger. Fortunately I only\r\nran it in VM.. in the end the VMDK I was using was actually corrupted and non-bootable,\r\nso it self-imploded https://t.co/dvdCWsZyne\r\n— Richard Johnson (@richinseattle) January 26, 2021\r\nSource: https://www.zdnet.com/article/google-north-korean-hackers-have-targeted-security-researchers-via-social-media/\r\nhttps://www.zdnet.com/article/google-north-korean-hackers-have-targeted-security-researchers-via-social-media/\r\nPage 3 of 3", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "origins": [ "web" ], "references": [ "https://www.zdnet.com/article/google-north-korean-hackers-have-targeted-security-researchers-via-social-media/" ], "report_names": [ "google-north-korean-hackers-have-targeted-security-researchers-via-social-media" ], "threat_actors": [ { "id": "34eea331-d052-4096-ae03-a22f1d090bd4", "created_at": "2025-08-07T02:03:25.073494Z", "updated_at": "2026-04-10T02:00:03.709243Z", "deleted_at": null, "main_name": "NICKEL ACADEMY", "aliases": [ "ATK3 ", "Black Artemis ", "COVELLITE ", "CTG-2460 ", "Citrine Sleet ", "Diamond Sleet ", "Guardians of Peace", "HIDDEN COBRA ", "High Anonymous", "Labyrinth Chollima ", "Lazarus Group ", "NNPT Group", "New Romanic Cyber Army Team", "Temp.Hermit ", "UNC577 ", "Who Am I?", "Whois Team", "ZINC " ], "source_name": "Secureworks:NICKEL ACADEMY", "tools": [ "Destover", "KorHigh", "Volgmer" ], "source_id": "Secureworks", "reports": null }, { "id": "732597b1-40a8-474c-88cc-eb8a421c29f1", "created_at": "2025-08-07T02:03:25.087732Z", "updated_at": "2026-04-10T02:00:03.776007Z", "deleted_at": null, "main_name": "NICKEL GLADSTONE", "aliases": [ "APT38 ", "ATK 117 ", "Alluring Pisces ", "Black Alicanto ", "Bluenoroff ", "CTG-6459 ", "Citrine Sleet ", "HIDDEN COBRA ", "Lazarus Group", "Sapphire Sleet ", "Selective Pisces ", "Stardust Chollima ", "T-APT-15 ", "TA444 ", "TAG-71 " ], "source_name": "Secureworks:NICKEL GLADSTONE", "tools": [ "AlphaNC", "Bankshot", "CCGC_Proxy", "Ratankba", "RustBucket", "SUGARLOADER", "SwiftLoader", "Wcry" ], "source_id": "Secureworks", "reports": null }, { "id": "a2b92056-9378-4749-926b-7e10c4500dac", "created_at": "2023-01-06T13:46:38.430595Z", "updated_at": "2026-04-10T02:00:02.971571Z", "deleted_at": null, "main_name": "Lazarus Group", "aliases": [ "Operation DarkSeoul", "Bureau 121", "Group 77", "APT38", "NICKEL GLADSTONE", "G0082", "COPERNICIUM", "Moonstone Sleet", "Operation GhostSecret", "APT 38", "Appleworm", "Unit 121", "ATK3", "G0032", "ATK117", "NewRomanic Cyber Army Team", "Nickel Academy", "Sapphire Sleet", "Lazarus group", "Hastati Group", "Subgroup: Bluenoroff", "Operation Troy", "Black Artemis", "Dark Seoul", "Andariel", "Labyrinth Chollima", "Operation AppleJeus", "COVELLITE", "Citrine Sleet", "DEV-0139", "DEV-1222", "Hidden Cobra", "Bluenoroff", "Stardust Chollima", "Whois Hacking Team", "Diamond Sleet", "TA404", "BeagleBoyz", "APT-C-26" ], "source_name": "MISPGALAXY:Lazarus Group", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "32a223a8-3c79-4146-87c5-8557d38662ae", "created_at": "2022-10-25T15:50:23.703698Z", "updated_at": "2026-04-10T02:00:05.261989Z", "deleted_at": null, "main_name": "Lazarus Group", "aliases": [ "Lazarus Group", "Labyrinth Chollima", "HIDDEN COBRA", "Guardians of Peace", "NICKEL ACADEMY", "Diamond Sleet" ], "source_name": "MITRE:Lazarus Group", "tools": [ "RawDisk", "Proxysvc", "BADCALL", "FALLCHILL", "WannaCry", "MagicRAT", "HOPLIGHT", "TYPEFRAME", "Dtrack", "HotCroissant", "HARDRAIN", "Dacls", "KEYMARBLE", "TAINTEDSCRIBE", "AuditCred", "netsh", "ECCENTRICBANDWAGON", "AppleJeus", "BLINDINGCAN", "ThreatNeedle", "Volgmer", "Cryptoistic", "RATANKBA", "Bankshot" ], "source_id": "MITRE", "reports": null }, { "id": "f32df445-9fb4-4234-99e0-3561f6498e4e", "created_at": "2022-10-25T16:07:23.756373Z", "updated_at": "2026-04-10T02:00:04.739611Z", "deleted_at": null, "main_name": "Lazarus Group", "aliases": [ "APT-C-26", "ATK 3", "Appleworm", "Citrine Sleet", "DEV-0139", "Diamond Sleet", "G0032", "Gleaming Pisces", "Gods Apostles", "Gods Disciples", "Group 77", "Guardians of Peace", "Hastati Group", "Hidden Cobra", "ITG03", "Jade Sleet", "Labyrinth Chollima", "Lazarus Group", "NewRomanic Cyber Army Team", "Operation 99", "Operation AppleJeus", "Operation AppleJeus sequel", "Operation Blockbuster: Breach of Sony Pictures Entertainment", "Operation CryptoCore", "Operation Dream Job", "Operation Dream Magic", "Operation Flame", "Operation GhostSecret", "Operation In(ter)caption", "Operation LolZarus", "Operation Marstech Mayhem", "Operation No Pineapple!", "Operation North Star", "Operation Phantom Circuit", "Operation Sharpshooter", "Operation SyncHole", "Operation Ten Days of Rain / DarkSeoul", "Operation Troy", "SectorA01", "Slow Pisces", "TA404", "TraderTraitor", "UNC2970", "UNC4034", "UNC4736", "UNC4899", "UNC577", "Whois Hacking Team" ], "source_name": "ETDA:Lazarus Group", "tools": [ "3CX Backdoor", "3Rat Client", "3proxy", "AIRDRY", "ARTFULPIE", "ATMDtrack", "AlphaNC", "Alreay", "Andaratm", "AngryRebel", "AppleJeus", "Aryan", "AuditCred", "BADCALL", "BISTROMATH", "BLINDINGCAN", "BTC Changer", "BUFFETLINE", "BanSwift", "Bankshot", "Bitrep", "Bitsran", "BlindToad", "Bookcode", "BootWreck", "BottomLoader", "Brambul", "BravoNC", "Breut", "COLDCAT", "COPPERHEDGE", "CROWDEDFLOUNDER", "Castov", "CheeseTray", "CleanToad", "ClientTraficForwarder", "CollectionRAT", "Concealment Troy", "Contopee", "CookieTime", "Cyruslish", "DAVESHELL", "DBLL Dropper", "DLRAT", "DRATzarus", "DRATzarus RAT", "Dacls", "Dacls RAT", "DarkComet", "DarkKomet", "DeltaCharlie", "DeltaNC", "Dembr", "Destover", "DoublePulsar", "Dozer", "Dtrack", "Duuzer", "DyePack", "ECCENTRICBANDWAGON", "ELECTRICFISH", "Escad", "EternalBlue", "FALLCHILL", "FYNLOS", "FallChill RAT", "Farfli", "Fimlis", "FoggyBrass", "FudModule", "Fynloski", "Gh0st RAT", "Ghost RAT", "Gopuram", "HARDRAIN", "HIDDEN COBRA RAT/Worm", "HLOADER", "HOOKSHOT", "HOPLIGHT", "HOTCROISSANT", "HOTWAX", "HTTP Troy", "Hawup", "Hawup RAT", "Hermes", "HotCroissant", "HotelAlfa", "Hotwax", "HtDnDownLoader", "Http Dr0pper", "ICONICSTEALER", "Joanap", "Jokra", "KANDYKORN", "KEYMARBLE", "Kaos", "KillDisk", "KillMBR", "Koredos", "Krademok", "LIGHTSHIFT", "LIGHTSHOW", "LOLBAS", "LOLBins", "Lazarus", "LightlessCan", "Living off the Land", "MATA", "MBRkiller", "MagicRAT", "Manuscrypt", "Mimail", "Mimikatz", "Moudour", "Mydoom", "Mydoor", "Mytob", "NACHOCHEESE", "NachoCheese", "NestEgg", "NickelLoader", "NineRAT", "Novarg", "NukeSped", "OpBlockBuster", "PCRat", "PEBBLEDASH", "PLANKWALK", "POOLRAT", "PSLogger", "PhanDoor", "Plink", "PondRAT", "PowerBrace", "PowerRatankba", "PowerShell RAT", "PowerSpritz", "PowerTask", "Preft", "ProcDump", "Proxysvc", "PuTTY Link", "QUICKRIDE", "QUICKRIDE.POWER", "Quickcafe", "QuiteRAT", "R-C1", "ROptimizer", "Ratabanka", "RatabankaPOS", "Ratankba", "RatankbaPOS", "RawDisk", "RedShawl", "Rifdoor", "Rising Sun", "Romeo-CoreOne", "RomeoAlfa", "RomeoBravo", "RomeoCharlie", "RomeoCore", "RomeoDelta", "RomeoEcho", "RomeoFoxtrot", "RomeoGolf", "RomeoHotel", "RomeoMike", "RomeoNovember", "RomeoWhiskey", "Romeos", "RustBucket", "SHADYCAT", "SHARPKNOT", "SIGFLIP", "SIMPLESEA", "SLICKSHOES", "SORRYBRUTE", "SUDDENICON", "SUGARLOADER", "SheepRAT", "SierraAlfa", "SierraBravo", "SierraCharlie", "SierraJuliett-MikeOne", "SierraJuliett-MikeTwo", "SimpleTea", "SimplexTea", "SmallTiger", "Stunnel", "TAINTEDSCRIBE", "TAXHAUL", "TFlower", "TOUCHKEY", "TOUCHMOVE", "TOUCHSHIFT", "TOUCHSHOT", "TWOPENCE", "TYPEFRAME", "Tdrop", "Tdrop2", "ThreatNeedle", "Tiger RAT", "TigerRAT", "Trojan Manuscript", "Troy", "TroyRAT", "VEILEDSIGNAL", "VHD", "VHD Ransomware", "VIVACIOUSGIFT", "VSingle", "ValeforBeta", "Volgmer", "Vyveva", "W1_RAT", "Wana Decrypt0r", "WanaCry", "WanaCrypt", "WanaCrypt0r", "WannaCry", "WannaCrypt", "WannaCryptor", "WbBot", "Wcry", "Win32/KillDisk.NBB", "Win32/KillDisk.NBC", "Win32/KillDisk.NBD", "Win32/KillDisk.NBH", "Win32/KillDisk.NBI", "WinorDLL64", "Winsec", "WolfRAT", "Wormhole", "YamaBot", "Yort", "ZetaNile", "concealment_troy", "http_troy", "httpdr0pper", "httpdropper", "klovbot", "sRDI" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434483, "ts_updated_at": 1775826763, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/7e39bf3cd6897f7be0279c322db0c7b446850573.pdf", "text": "https://archive.orkl.eu/7e39bf3cd6897f7be0279c322db0c7b446850573.txt", "img": "https://archive.orkl.eu/7e39bf3cd6897f7be0279c322db0c7b446850573.jpg" } }