North Korean Hackers Target Security Researchers — Again

Published: 23/11/2024   Category: security




This time, they're creating elaborate impostor profiles and using a fresh zero-day and a fake Windows tool to lure in the unsuspecting.



North Korean state-supported threat actors are targeting security researchers — the second such campaign in the last few years.

In January 2021, Google first discovered that DPRK attackers were going after not innocent, vulnerable individuals or organizations, but rather the cybersecurity professionals themselves. Now the attackers are back, with an all-new zero-day vulnerability, a fake software tool, and some remarkably extensive phishing to go along with it, according to a new blog post from Google's Threat Analysis Group.

"Unfortunately, the targeting of those involved in cybersecurity research is not rare. In fact, it has grown more frequent and sophisticated over the years," says Callie Guenther, cyber threat research senior manager at Critical Start. "These operations are multifaceted, aiming not just to steal information but also to gain insights into defense mechanisms, refine their tactics, and better evade future detection."
Researchers from Google first caught wind of this strange hacker outfit more than two years ago, when it began to pepper the inboxes of security professionals on social media. The accounts in question were given largely generic-sounding American names like James Willy and Billy Brown, and the social engineers even created real cybersecurity research content in order to lend legitimacy to their fake personas.
That level of effort is on display once again in their latest campaign. For example, using a since-deactivated account on X (formerly Twitter), the attackers conducted a months-long conversation with one of their targets, discussing areas of shared interest and the possibility of a future collaboration.

Conversations then typically moved to an encrypted messaging app like Signal or WhatsApp. Once sufficient trust was established, the threat actor would finally forward a file containing a zero-day vulnerability in a popular software package. (Google is withholding further details about either until the vendor has had time to patch.)

If the victim fell for the bait and executed the file, the downloaded shellcode would first check whether it was running on a virtual machine — in which case it would be ineffectual — before sending information about the compromised device, including a screenshot, to attacker-controlled command-and-control (C2) infrastructure.

Besides this more involved path, the attackers appear to have concocted a second, less labor-intensive method to ensnare the average researcher passerby.
From the GitHub account dbgsymbol, the attackers extend their researcher persona, posting proofs-of-concept (PoCs) and security tools. The most popular among them — getsymbol, published last September and updated multiple times since — markets itself as "a simple tool to download debugging symbols from Microsoft, Google, Mozilla, and Citrix symbol servers for reverse engineers," compatible with Windows 8.1, 10 and 11.

getsymbol actually does what it says it does. However, it also enables the developers to run arbitrary code on the machine of any researcher who downloaded it. It has been forked 23 times as of this writing.

As the protectors of digital security worldwide, Guenther emphasizes, security professionals need to make extra certain that they don't succumb to these sorts of tricks.

"The hacking of security researchers is not just about a single successful breach," she says, nor is it just a game to these adversaries. "It's a strategic move. Security researchers are on the forefront of discovering vulnerabilities and developing mitigation techniques. By infiltrating their systems, malicious actors can gain access to yet-to-be-disclosed vulnerabilities, proprietary tools, and valuable databases of threat intelligence. Furthermore, these researchers might be involved in projects of national significance, making them attractive targets for espionage."

In an email to Dark Reading, Google TAG offered some advice for potential targets: "Be extremely cautious about what you run and open from unknown third parties. This group has shown they're willing to invest the time to build rapport before attempting any malicious actions."
