{
	"id": "498f5eeb-032a-4b57-a3ee-6ebbf55fcb72",
	"created_at": "2026-04-06T00:06:39.492344Z",
	"updated_at": "2026-04-10T03:22:12.617037Z",
	"deleted_at": null,
	"sha1_hash": "cfca42eb697bc3d24b0eb5c68f8d86ff2861738a",
	"title": "New campaign targeting security researchers",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 54473,
	"plain_text": "New campaign targeting security researchers\r\nBy Adam Weidemann\r\nPublished: 2021-01-25 · Archived: 2026-04-05 18:07:56 UTC\r\nOver the past several months, the Threat Analysis Group has identified an ongoing campaign targeting security researchers working on vulnerability research and development at different companies and organizations. The actors behind this campaign, which we attribute to a government-backed entity based in North Korea, have employed a number of means to target researchers, which we outline below. We hope this post will remind those in the security research community that they are targets of government-backed attackers and should remain vigilant when engaging with individuals they have not previously interacted with.\r\nIn order to build credibility and connect with security researchers, the actors established a research blog and multiple Twitter profiles to interact with potential targets. They have used these Twitter profiles for posting links to their blog, posting videos of their claimed exploits, and for amplifying and retweeting posts from other accounts that they control.\r\nActor controlled Twitter profiles.\r\nTheir blog contains write-ups and analysis of vulnerabilities that have been publicly disclosed, including “guest” posts from unwitting legitimate security researchers, likely in an attempt to build additional credibility with other security researchers.\r\nExample of an analysis done by the actor about a publicly disclosed vulnerability.\r\nWhile we are unable to verify the authenticity or the working status of all of the exploits that they have posted videos of, in at least one case the actors have faked the success of their claimed working exploit. On Jan 14, 2021, the actors shared via Twitter a YouTube video they uploaded that claimed to exploit CVE-2021-1647, a recently patched Windows Defender vulnerability.
In the video, they purported to show a successful working exploit that spawns a cmd.exe shell, but a careful review of the video shows the exploit is fake. Multiple comments on YouTube identified that the video was faked and that there was not a working exploit demonstrated. After these comments were made, the actors used a second Twitter account (that they control) to retweet the original post and claim that it was “not a fake video.”\r\nTweets demonstrating the actors' “exploits”\r\nSecurity researcher targeting\r\nThe actors have been observed targeting specific security researchers by a novel social engineering method. After establishing initial communications, the actors would ask the targeted researcher if they wanted to collaborate on vulnerability research, and then provide the researcher with a Visual Studio Project. Within the Visual Studio Project would be source code for exploiting the vulnerability, as well as an additional DLL that would be executed through Visual Studio Build Events. Build Events are arbitrary command lines that MSBuild runs before or after compiling, so simply building the project is enough to execute the DLL, whether or not the researcher has read the exploit source. The DLL is custom malware that would immediately begin communicating with actor-controlled C2 domains. An example of the VS Build Event can be seen in the image below.\r\nVisual Studio Build Events command executed when building the provided VS Project files\r\nIn addition to targeting users via social engineering, we have also observed several cases where researchers have been compromised after visiting the actors’ blog. In each of these cases, the researchers have followed a link on Twitter to a write-up hosted on blog.br0vvnn[.]io, and shortly thereafter a malicious service was installed on the researcher’s system and an in-memory backdoor would begin beaconing to an actor-owned command and control server.
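The Build Events mechanism described above is worth checking for before compiling any project received from a third party. The following is an added example, not code from the TAG post or from the actors' project: a Python script that parses a .vcxproj, pulls out every Pre-Build, Pre-Link, Post-Build and Custom Build Step command, and flags commands that invoke a LOLBin or reference a DLL. The sample project and its rundll32 command are constructed stand-ins; the command actually used by the actors appears only in the post's image.

```python
'''Audit a Visual Studio C++ project (.vcxproj) for build-event commands.

Added example, not code from the Google TAG post or from the actors' project.
The sample project below is constructed, and its rundll32 command is a
hypothetical stand-in for the build event the post shows only as an image.
'''
import re
import xml.etree.ElementTree as ET

# Elements whose <Command> text MSBuild hands to cmd.exe when the project
# is built: Pre-Build, Pre-Link, Post-Build and Custom Build Step events.
EVENT_TAGS = ('PreBuildEvent', 'PreLinkEvent', 'PostBuildEvent', 'CustomBuildStep')

# Things a reviewer does not expect to see in an exploit PoC's build events.
SUSPICIOUS = (
    ('rundll32', re.compile(r'\brundll32(\.exe)?\b', re.I)),
    ('regsvr32', re.compile(r'\bregsvr32(\.exe)?\b', re.I)),
    ('powershell', re.compile(r'\b(powershell|pwsh)(\.exe)?\b', re.I)),
    ('mshta', re.compile(r'\bmshta(\.exe)?\b', re.I)),
    ('certutil', re.compile(r'\bcertutil(\.exe)?\b', re.I)),
    ('dll in command', re.compile(r'\S+\.dll\b', re.I)),
)


def _local(tag):
    '''Strip the MSBuild XML namespace from an element tag.'''
    return tag.rpartition('}')[2]


def extract_build_events(vcxproj_xml):
    '''Return (event_tag, condition, command) for every build-event command.

    The group's Condition attribute is kept so the reviewer can see when the
    event fires (for example only for the Release|x64 configuration).
    '''
    root = ET.fromstring(vcxproj_xml)
    events = []
    for group in root.iter():
        if _local(group.tag) != 'ItemDefinitionGroup':
            continue
        condition = group.get('Condition', '')
        for event in group:
            if _local(event.tag) not in EVENT_TAGS:
                continue
            for child in event:
                if _local(child.tag) == 'Command' and child.text and child.text.strip():
                    events.append((_local(event.tag), condition, child.text.strip()))
    return events


def audit_build_events(vcxproj_xml):
    '''Return (event_tag, condition, command, reasons) for each flagged event.'''
    findings = []
    for tag, condition, command in extract_build_events(vcxproj_xml):
        reasons = [name for name, pattern in SUSPICIOUS if pattern.search(command)]
        if reasons:
            findings.append((tag, condition, command, reasons))
    return findings


# Constructed sample project. MSBuild's own quoting inside Condition is
# written with the &apos; entity, which the XML parser decodes for us.
SAMPLE_VCXPROJ = '''<Project DefaultTargets='Build' ToolsVersion='16.0'
         xmlns='http://schemas.microsoft.com/developer/msbuild/2003'>
  <ItemDefinitionGroup Condition='&apos;$(Configuration)|$(Platform)&apos;==&apos;Release|x64&apos;'>
    <ClCompile>
      <Optimization>MaxSpeed</Optimization>
    </ClCompile>
    <PreBuildEvent>
      <Command>rundll32.exe $(ProjectDir)example_payload.dll,Init</Command>
      <Message>Preparing build environment</Message>
    </PreBuildEvent>
  </ItemDefinitionGroup>
  <ItemDefinitionGroup>
    <PostBuildEvent>
      <Command>echo Build of $(ProjectName) finished</Command>
    </PostBuildEvent>
  </ItemDefinitionGroup>
</Project>'''


if __name__ == '__main__':
    for tag, condition, command, reasons in audit_build_events(SAMPLE_VCXPROJ):
        print('%s [%s]: %s  <- %s' % (tag, condition or 'all configurations', command, ', '.join(reasons)))
```

Run it against every project file before the solution is opened in Visual Studio. It only covers ItemDefinitionGroup events in .vcxproj files; .props and .targets files pulled in through <Import>, and <Exec> tasks in .csproj files, can run commands just the same and need a separate look.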
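As an added example that is not part of the original post, the following Python sweeps proxy log lines and a host artifact inventory against the network and host IOCs listed at the end of this post. The indicator values are the post's own; the log lines, client IPs, timestamps and inventory lists are constructed. Domain matching is done on label boundaries so that a lookalike such as krakenfolio.com.example.net is not a false hit, while a subdomain of a listed C2 domain still is.

```python
'''Sweep proxy logs and a host artifact inventory against this post's IOCs.

Added example, not Google TAG tooling. The indicator values are the ones the
post publishes (kept defanged here, refanged at match time); the log lines,
client IPs, timestamps and inventory lists below are constructed.
'''
from urllib.parse import urlsplit

C2_DOMAINS = (
    'angeldonationblog[.]com', 'codevexillium[.]org', 'investbooking[.]de',   # attacker-owned
    'krakenfolio[.]com', 'opsonew3org[.]sg', 'transferwiser[.]io', 'transplugin[.]io',
    'trophylab[.]com', 'www.colasprint[.]com', 'www.dronerc[.]it',            # compromised
    'www.edujikim[.]com', 'www.fabioluciani[.]com',
    'blog.br0vvnn[.]io',                                                      # the actors' blog
)
C2_URLS = (
    'https[:]//angeldonationblog[.]com/image/upload/upload.php',
    'https[:]//codevexillium[.]org/image/download/download.asp',
    'https[:]//investbooking[.]de/upload/upload.asp',
    'https[:]//transplugin[.]io/upload/upload.asp',
    'https[:]//www.dronerc[.]it/forum/uploads/index.php',
    'https[:]//www.dronerc[.]it/shop_testbr/Core/upload.php',
    'https[:]//www.dronerc[.]it/shop_testbr/upload/upload.php',
    'https[:]//www.edujikim[.]com/intro/blue/insert.asp',
    'https[:]//www.fabioluciani[.]com/es/include/include.asp',
    'http[:]//trophylab[.]com/notice/images/renewal/upload.asp',
    'http[:]//www.colasprint[.]com/_vti_log/upload.asp',
)
REGISTRY_KEYS = (
    'HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\KernelConfig',
    'HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\DriverConfig',
    'HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\SSL Update',
)
FILE_PATHS = (
    'C:\\Windows\\System32\\Nwsapagent.sys', 'C:\\Windows\\System32\\helpsvc.sys',
    'C:\\ProgramData\\USOShared\\uso.bin', 'C:\\ProgramData\\VMware\\vmnat-update.bin',
    'C:\\ProgramData\\VirtualBox\\update.bin',
)


def refang(ioc):
    '''Turn a defanged indicator back into its real form.'''
    return ioc.replace('[.]', '.').replace('[:]', ':')


def host_matches(host, domain):
    '''True if host equals domain or is a subdomain of it. Matching on label
    boundaries keeps krakenfolio.com.example.net from hitting krakenfolio.com.'''
    host, domain = host.lower().rstrip('.'), domain.lower()
    return host == domain or host.endswith('.' + domain)


def match_network_iocs(log_lines):
    '''Return (line_no, indicator, kind) per hit. Line format (constructed):
    <timestamp> <client_ip> <method> <url> <status>. A full C2 URL hit is
    reported in preference to a bare domain hit on the same line.'''
    urls = [urlsplit(refang(u)) for u in C2_URLS]
    domains = [refang(d) for d in C2_DOMAINS]
    hits = []
    for line_no, line in enumerate(log_lines, 1):
        fields = line.split()
        if len(fields) < 4:
            continue
        req = urlsplit(fields[3])
        if not req.hostname:
            continue
        url_hits = [u for u in urls if host_matches(req.hostname, u.hostname) and req.path == u.path]
        if url_hits:
            hits.append((line_no, url_hits[0].geturl(), 'c2-url'))
            continue
        domain_hits = [d for d in domains if host_matches(req.hostname, d)]
        if domain_hits:
            hits.append((line_no, domain_hits[0], 'c2-domain'))
    return hits


def _norm(path):
    '''Case-fold and unify separators so C:/programdata/... matches the list.'''
    return path.strip().replace('/', '\\').lower()


def match_host_iocs(observed_files, observed_registry_keys):
    '''Return (artifact, kind) for each observed path or key on the IOC list.
    On a Windows host, feed this a file inventory and a registry export.'''
    files = set(_norm(p) for p in FILE_PATHS)
    keys = set(_norm(k) for k in REGISTRY_KEYS)
    hits = [(f, 'file') for f in observed_files if _norm(f) in files]
    hits += [(k, 'registry') for k in observed_registry_keys if _norm(k) in keys]
    return hits


# Constructed sample data: three real hits, one lookalike that must not match.
SAMPLE_PROXY_LOG = (
    '2021-01-20T10:15:03Z 10.0.0.5 GET https://blog.br0vvnn.io/ 200',
    '2021-01-20T10:15:09Z 10.0.0.5 POST https://investbooking.de/upload/upload.asp 200',
    '2021-01-20T10:16:41Z 10.0.0.5 GET https://www.google.com/ 200',
    '2021-01-20T10:17:02Z 10.0.0.7 GET https://krakenfolio.com.example.net/ 404',
    '2021-01-20T10:18:30Z 10.0.0.5 GET http://cdn.transplugin.io/js/app.js 200',
)
SAMPLE_FILES = ('C:/ProgramData/USOShared/uso.bin', 'C:\\ProgramData\\VMware\\vmnetdhcp.exe')
SAMPLE_REGISTRY = (
    'HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\SSL Update',
    'HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive',
)
```

The compromised legitimate sites are matched on the exact C2 paths first; a bare domain hit on one of them is still reported, but it needs human review because the rest of those sites is benign. The registry and file lists are compared case-insensitively, matching how Windows treats them.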
At the time of these visits, the victim systems were running fully patched and up-to-date Windows 10 and Chrome browser versions. At this time we’re unable to confirm the mechanism of compromise, but we welcome any information others might have. Chrome vulnerabilities, including those being exploited in the wild (ITW), are eligible for reward payout under Chrome's Vulnerability Reward Program. We encourage anyone who discovers a Chrome vulnerability to report that activity via the Chrome VRP submission process.\r\nThese actors have used multiple platforms to communicate with potential targets, including Twitter, LinkedIn, Telegram, Discord, Keybase and email. We are providing a list of known accounts and aliases below. If you have communicated with any of these accounts or visited the actors’ blog, we suggest you review your systems for the IOCs provided below. To date, we have only seen these actors targeting Windows systems as a part of this campaign.\r\nIf you are concerned that you are being targeted, we recommend that you compartmentalize your research activities using separate physical or virtual machines for general web browsing, interacting with others in the research community, accepting files from third parties and your own security research.\r\nActor controlled sites and accounts\r\nResearch Blog\r\nhttps://blog.br0vvnn[.]io\r\nTwitter Accounts\r\nhttps://twitter.com/br0vvnn\r\nhttps://twitter.com/BrownSec3Labs\r\nhttps://twitter.com/dev0exp\r\nhttps://twitter.com/djokovic808\r\nhttps://twitter.com/henya290\r\nhttps://twitter.com/james0x40\r\nhttps://twitter.com/m5t0r\r\nhttps://twitter.com/mvp4p3r\r\nhttps://twitter.com/tjrim91\r\nhttps://twitter.com/z0x55g\r\nLinkedIn Accounts\r\nhttps://www.linkedin.com/in/billy-brown-a6678b1b8/\r\nhttps://www.linkedin.com/in/guo-zhang-b152721bb/\r\nhttps://www.linkedin.com/in/hyungwoo-lee-6985501b9/\r\nhttps://www.linkedin.com/in/linshuang-li-aa696391bb/\r\nhttps://www.linkedin.com/in/rimmer-trajan-2806b21bb/\r\nKeybase\r\nhttps://keybase.io/zhangguo\r\nTelegram\r\nhttps://t.me/james50d\r\nSample Hashes\r\nhttps://www.virustotal.com/gui/file/4c3499f3cc4a4fdc7e67417e055891c78540282dccc57e37a01167dfe351b244/detection (VS Project DLL)\r\nhttps://www.virustotal.com/gui/file/68e6b9d71c727545095ea6376940027b61734af5c710b2985a628131e47c6af7/detection (VS Project DLL)\r\nhttps://www.virustotal.com/gui/file/25d8ae4678c37251e7ffbaeddc252ae2530ef23f66e4c856d98ef60f399fa3dc/detection (VS Project Dropped DLL)\r\nhttps://www.virustotal.com/gui/file/a75886b016d84c3eaacaf01a3c61e04953a7a3adf38acf77a4a2e3a8f544f855/detection (VS Project Dropped DLL)\r\nhttps://www.virustotal.com/gui/file/a4fb20b15efd72f983f0fb3325c0352d8a266a69bb5f6ca2eba0556c3e00bd15/detection (Service DLL)\r\nC2 Domains: Attacker-Owned\r\nangeldonationblog[.]com\r\ncodevexillium[.]org\r\ninvestbooking[.]de\r\nkrakenfolio[.]com\r\nopsonew3org[.]sg\r\ntransferwiser[.]io\r\ntransplugin[.]io\r\nC2 Domains: Legitimate but Compromised\r\ntrophylab[.]com\r\nwww.colasprint[.]com\r\nwww.dronerc[.]it\r\nwww.edujikim[.]com\r\nwww.fabioluciani[.]com\r\nC2 URLs\r\nhttps[:]//angeldonationblog[.]com/image/upload/upload.php\r\nhttps[:]//codevexillium[.]org/image/download/download.asp\r\nhttps[:]//investbooking[.]de/upload/upload.asp\r\nhttps[:]//transplugin[.]io/upload/upload.asp\r\nhttps[:]//www.dronerc[.]it/forum/uploads/index.php\r\nhttps[:]//www.dronerc[.]it/shop_testbr/Core/upload.php\r\nhttps[:]//www.dronerc[.]it/shop_testbr/upload/upload.php\r\nhttps[:]//www.edujikim[.]com/intro/blue/insert.asp\r\nhttps[:]//www.fabioluciani[.]com/es/include/include.asp\r\nhttp[:]//trophylab[.]com/notice/images/renewal/upload.asp\r\nhttp[:]//www.colasprint[.]com/_vti_log/upload.asp\r\nHost IOCs\r\nRegistry Keys\r\nHKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\KernelConfig\r\nHKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\DriverConfig\r\nHKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\SSL Update\r\nFile Paths\r\nC:\\Windows\\System32\\Nwsapagent.sys\r\nC:\\Windows\\System32\\helpsvc.sys\r\nC:\\ProgramData\\USOShared\\uso.bin\r\nC:\\ProgramData\\VMware\\vmnat-update.bin\r\nC:\\ProgramData\\VirtualBox\\update.bin\r\nSource: https://blog.google/threat-analysis-group/new-campaign-targeting-security-researchers/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://blog.google/threat-analysis-group/new-campaign-targeting-security-researchers/"
	],
	"report_names": [
		"new-campaign-targeting-security-researchers"
	],
	"threat_actors": [],
	"ts_created_at": 1775433999,
	"ts_updated_at": 1775791332,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/cfca42eb697bc3d24b0eb5c68f8d86ff2861738a.pdf",
		"text": "https://archive.orkl.eu/cfca42eb697bc3d24b0eb5c68f8d86ff2861738a.txt",
		"img": "https://archive.orkl.eu/cfca42eb697bc3d24b0eb5c68f8d86ff2861738a.jpg"
	}
}