Google said today that a North Korean government hacking group has targeted members of the cyber-security community engaging in vulnerability research.
The attacks were spotted by the Google Threat Analysis Group (TAG), a Google security team that specializes in hunting advanced persistent threat (APT) groups.
Google said the North Korean hackers used fake personas, spread across multiple profiles on social networks such as Twitter, LinkedIn, Telegram, Discord, and Keybase, to reach out to security researchers.
“After establishing initial communications, the actors would ask the targeted researcher if they wanted to collaborate on vulnerability research together, and then provide the researcher with a Visual Studio Project,” said Adam Weidemann, a security researcher with Google TAG.
The Visual Studio project contained malicious code that installed malware on the targeted researcher’s operating system. The malware acted as a backdoor, contacting a remote command and control server and waiting for commands.
This malware was later linked to the Lazarus Group, a well-known North Korean state-sponsored operation.