Folk Nature

Google’s Threat Analysis Group: North Korean State Hackers Target Security Researchers

State-sponsored attackers routinely single out the people who find and develop vulnerabilities, because a researcher's unpublished bugs and exploits are worth more than most targets' data. A September 2023 report from Google's Threat Analysis Group (TAG) documents the latest instance: North Korean state hackers have resumed targeting security researchers, this time with at least one zero-day vulnerability in an undisclosed, widely used software package. This article walks through what TAG published about the campaign and what it means for people who do vulnerability research.

The Covert Attacks

Exploiting Zero-Day Vulnerabilities

TAG reports that the attacks use at least one zero-day vulnerability in a popular software package. The flaw and the affected software have not been named, because the vendor was still working on a patch when the report was published and Google withheld details until a fix is available.

Clement Lecigne and Maddie Stone of Google TAG wrote, “TAG is aware of at least one actively exploited 0-day being used to target security researchers in the past several weeks.” They added that the vulnerability has been reported to the affected vendor and is in the process of being patched.

Enticing Researchers

The attackers rely on patient social engineering rather than any technical trick to get the first file onto a target's machine. They make initial contact through social media, including X (formerly Twitter) and Mastodon, posing as fellow researchers interested in the target's work; in at least one case TAG observed, the conversation ran for months. Once a rapport is established, they move the discussion to an encrypted messaging platform such as Signal, Wire, or WhatsApp, where the later file exchange is harder for anyone else to observe.

Malicious Payload

Once trust is established, the attackers send a malicious file that exploits at least one zero-day in a popular software package. According to TAG, the resulting payload performs several anti-virtual-machine checks before doing anything else, then sends the information it collects, along with a screenshot, to an attacker-controlled command-and-control domain. The anti-VM step matters for anyone who would triage such a file: detonating the lure in an unmodified analysis VM may produce no visible malicious behaviour at all.
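To make the anti-VM point concrete, the following added example (not the payload TAG described, whose exact checks were not published, and not code from the original article) shows the class of host-fingerprint checks that malware commonly uses to recognise an analysis VM: DMI/SMBIOS vendor and product strings, the CPUID `hypervisor` flag, and network-card MAC prefixes registered to hypervisor vendors. The live-collection helper reads Linux `/sys` and `/proc` paths for portability; on Windows the same data is exposed through WMI (`Win32_ComputerSystem`, `Win32_BIOS`) and the registry. The marker tables are an assumption of this example and are deliberately not exhaustive.

```python
"""Illustrative VM-fingerprint checks of the kind malware runs before detonating.
Added example for this article; not the actor's payload and not exhaustive."""
import os

# Substrings (lower-case) commonly present in DMI/SMBIOS fields of guest VMs.
DMI_MARKERS = {
    "vmware": "VMware",
    "virtualbox": "VirtualBox",
    "innotek": "VirtualBox",          # VirtualBox's sys_vendor string
    "qemu": "QEMU/KVM",
    "kvm": "QEMU/KVM",
    "bochs": "QEMU/Bochs",
    "xen": "Xen",
    "parallels": "Parallels",
    "virtual machine": "Hyper-V",     # Hyper-V product_name; sys_vendor alone would also match Surface hardware
}

# IEEE OUI prefixes assigned to hypervisor vendors for virtual NICs (lower-case).
MAC_OUI = {
    "00:05:69": "VMware", "00:0c:29": "VMware", "00:1c:14": "VMware", "00:50:56": "VMware",
    "08:00:27": "VirtualBox",
    "52:54:00": "QEMU/KVM",
    "00:16:3e": "Xen",
    "00:15:5d": "Hyper-V",
    "00:1c:42": "Parallels",
}


def vm_indicators(dmi: dict, cpu_flags: set, macs: list) -> dict:
    """Return {indicator: hypervisor} for every hit; an empty dict means nothing matched."""
    hits = {}
    for field, value in dmi.items():
        low = value.lower()
        for marker, name in DMI_MARKERS.items():
            if marker in low:
                hits[f"dmi:{field}"] = name
                break
    # The CPUID "hypervisor present" bit is surfaced by Linux as the 'hypervisor' flag.
    if "hypervisor" in cpu_flags:
        hits["cpuid:hypervisor"] = "unknown hypervisor"
    for mac in macs:
        oui = mac.lower()[:8]
        if oui in MAC_OUI:
            hits[f"mac:{mac}"] = MAC_OUI[oui]
    return hits


def looks_like_vm(dmi: dict, cpu_flags: set, macs: list) -> bool:
    return bool(vm_indicators(dmi, cpu_flags, macs))


def collect_linux_artifacts():
    """Read the same artifacts from a live Linux host; missing paths are skipped."""
    dmi = {}
    for field in ("sys_vendor", "product_name", "board_vendor", "bios_vendor"):
        try:
            with open(f"/sys/class/dmi/id/{field}") as f:
                dmi[field] = f.read().strip()
        except OSError:
            pass
    flags = set()
    try:
        with open("/proc/cpuinfo") as f:
            for line in f:
                if line.startswith("flags"):
                    flags = set(line.split(":", 1)[1].split())
                    break
    except OSError:
        pass
    macs = []
    base = "/sys/class/net"
    if os.path.isdir(base):
        for iface in os.listdir(base):
            try:
                with open(os.path.join(base, iface, "address")) as f:
                    macs.append(f.read().strip())
            except OSError:
                pass
    return dmi, flags, macs


if __name__ == "__main__":
    dmi, flags, macs = collect_linux_artifacts()
    hits = vm_indicators(dmi, flags, macs)
    for indicator, name in hits.items():
        print(f"{indicator} -> {name}")
    print("VM-like" if hits else "no VM indicators found")
```

The practical consequence for triage is that a stock sandbox lights up every one of these checks. If you want a lure like this to run, the guest needs non-default DMI strings and a non-vendor MAC, or the hypervisor must hide the CPUID bit; otherwise rely on static analysis and on the fact that any unsolicited file from a new contact is suspect regardless of what it does in your VM.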

Unexpected Tools

Alongside the zero-day, TAG found a standalone Windows tool the attackers had published on GitHub under the name GetSymbol. Its stated purpose is to download debugging symbols from the Microsoft, Google, Mozilla, and Citrix symbol servers for reverse engineers, and it does that; it also contains the ability to download and execute arbitrary code from an attacker-controlled domain. The tool was not a legitimate project that was later abused: it was built as a lure with the backdoor capability from the start. TAG's advice is blunt: if you have downloaded or run this tool, take precautions to get your system back to a known clean state, which will likely require reinstalling the operating system.
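A symbol downloader has a small, well-defined job, which is what makes a hidden download-and-execute path in one so out of place. The added example below (not GetSymbol's code, which TAG did not publish, and not from the original article) shows the two operations such a tool legitimately needs: parsing the CodeView RSDS record from a PE's debug directory to derive the symbol-store path, and gating every fetch through an allowlist so that only `.pdb` files from known symbol servers over HTTPS are ever requested, and nothing fetched is executed. The three hosts in the allowlist and the sample RSDS record are assumptions constructed for this example.

```python
"""Added example: what a symbol downloader legitimately needs, and nothing more.
Not GetSymbol's code and not a complete symbol-server client."""
from __future__ import annotations

import re
import struct
import uuid
from urllib.parse import urlparse

# Symbol servers this example trusts (an assumption for the example; extend per policy).
ALLOWED_SYMBOL_HOSTS = {
    "msdl.microsoft.com",
    "chromium-browser-symsrv.commondatastorage.googleapis.com",
    "symbols.mozilla.org",
}
PDB_NAME_RE = re.compile(r"^[A-Za-z0-9._-]+\.pdb$")


def parse_rsds(record: bytes) -> tuple[uuid.UUID, int, str]:
    """Parse a CodeView RSDS record: b'RSDS' + GUID (LE) + age (LE u32) + NUL-terminated PDB path."""
    if len(record) < 25 or record[:4] != b"RSDS":
        raise ValueError("not an RSDS CodeView record")
    guid = uuid.UUID(bytes_le=record[4:20])    # MSVC stores Data1..Data3 little-endian
    (age,) = struct.unpack_from("<I", record, 20)
    end = record.find(b"\x00", 24)
    if end < 0:
        raise ValueError("PDB path is not NUL-terminated")
    return guid, age, record[24:end].decode("utf-8", errors="replace")


def symbol_store_path(guid: uuid.UUID, age: int, pdb_path: str) -> str:
    """Symbol-server layout: <name>/<GUID as 32 upper-case hex digits><age in hex>/<name>."""
    name = re.split(r"[\\/]", pdb_path)[-1]      # keep only the file name from the build path
    if not PDB_NAME_RE.match(name):
        raise ValueError(f"refusing suspicious PDB name {name!r}")
    return f"{name}/{guid.hex.upper()}{age:X}/{name}"


def is_allowed_symbol_url(url: str) -> bool:
    """Policy gate for every request: https, allow-listed host, path names a .pdb."""
    u = urlparse(url)
    if u.scheme != "https" or u.hostname not in ALLOWED_SYMBOL_HOSTS:
        return False
    return bool(PDB_NAME_RE.match(u.path.rsplit("/", 1)[-1]))


def symbol_url(server: str, record: bytes) -> str:
    """Full URL to GET for the PDB described by an RSDS record, or ValueError if policy rejects it."""
    guid, age, pdb_path = parse_rsds(record)
    url = f"{server.rstrip('/')}/{symbol_store_path(guid, age, pdb_path)}"
    if not is_allowed_symbol_url(url):
        raise ValueError(f"refusing to fetch from {url}")
    return url


def build_rsds(guid_str: str, age: int, pdb_path: str) -> bytes:
    """Construct an RSDS record (used here only to build sample input)."""
    return b"RSDS" + uuid.UUID(guid_str).bytes_le + struct.pack("<I", age) + pdb_path.encode() + b"\x00"


# Constructed sample record; not taken from any real binary.
SAMPLE_RECORD = build_rsds("12345678-9abc-def0-1234-56789abcdef0", 2, "C:\\build\\foo.pdb")

if __name__ == "__main__":
    print(symbol_url("https://msdl.microsoft.com/download/symbols", SAMPLE_RECORD))
```

The contrast with the tool TAG describes is the point: a downloader built this way has no code path that turns fetched bytes into executable code, and every request is checked against the host and file-type policy before it is made. When reviewing any "helper" a new contact points you at, look for exactly that extra path.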

A Familiar Pattern

This campaign closely resembles one TAG exposed in January 2021. In that instance the attackers also opened contact through social media, including Twitter, LinkedIn, Telegram, Discord, and Keybase, and TAG assesses that the same North Korean actors are behind both campaigns.

In the January 2021 attacks, the actors compromised fully patched Windows 10 systems, planting backdoors and information-stealing malware through a malicious Visual Studio project and a booby-trapped research blog; Google said at the time it could not determine the exact mechanism and suspected a zero-day. Microsoft, which tracked the same activity, reported Lazarus Group operators infecting researchers' devices with MHTML files carrying malicious JavaScript.

Perpetual Threats

The activity resumed in March 2021, when Google TAG reported the same actors using fresh fake LinkedIn and Twitter accounts and a fictitious offensive-security company named SecuriElite. Separately, in March 2023 Mandiant exposed a suspected North Korean group targeting security researchers and media organizations in the United States and Europe, using fake job offers to deliver previously unseen malware.

The Unrevealed Objectives

Google has not stated the attackers' objectives, but the target selection makes the most likely goal clear: unpublished vulnerabilities, proof-of-concept exploits, and research tooling. A researcher's workstation can hold bugs that would cost a state actor significant effort to find on its own, and a single stolen zero-day is reusable against any organization running the affected software.

This latest TAG report underscores that state-sponsored actors treat security researchers as high-value targets precisely because of the role researchers play in finding and fixing vulnerabilities. Anyone doing this kind of work should assume that an unsolicited, friendly approach from a new peer may be the first step of an operation, and should handle files and tools from such contacts accordingly.

Frequently Asked Questions

What is a zero-day vulnerability?

A zero-day vulnerability is a security flaw in software or hardware for which no vendor patch exists, either because the vendor does not yet know about it or because it has had "zero days" to fix it. Attackers value such flaws because keeping systems updated does not protect against them; only mitigations such as isolation and least privilege limit the damage until a patch ships.

Who are the Lazarus Group?

The Lazarus Group is a hacking group widely attributed to the North Korean government. It is known for cyber-espionage, financially motivated intrusions such as cryptocurrency theft and bank heists, and destructive attacks.

How can security researchers protect themselves from such attacks?

Security researchers can reduce their exposure by verifying new contacts through an independent channel before collaborating, treating any file, project, or tool sent by a new contact as hostile until proven otherwise, opening such material only on an isolated, disposable host that holds no research data or credentials, and keeping operating systems, browsers, and messaging clients fully patched so that only a true zero-day can get through. Because the payload in this campaign checked for virtual machines, a clean detonation in a stock VM is not proof that a file is safe.

What is the role of Google’s Threat Analysis Group (TAG)?

TAG is a team of security experts at Google responsible for protecting the company’s users from state-sponsored attacks and identifying emerging threats in the cyber landscape.

How can I stay updated on cybersecurity threats and best practices?

To stay informed about cybersecurity threats and best practices, follow reputable cybersecurity blogs, subscribe to industry newsletters, and participate in online forums and communities dedicated to cybersecurity discussions.
