New campaign targeting security researchers
Over the past several months, the Threat Analysis Group has identified an ongoing campaign targeting security researchers working on vulnerability research and development at different companies and organizations. The actors behind this campaign, which we attribute to a government-backed entity based in North Korea, have employed a number of means to target researchers, which we outline below. We hope this post will remind those in the security research community that they are targets of government-backed attackers and should remain vigilant when engaging with individuals they have not previously interacted with.
In order to build credibility and connect with security researchers, the actors established a research blog and multiple Twitter profiles to interact with potential targets. They've used these Twitter profiles for posting links to their blog, posting videos of their claimed exploits and for amplifying and retweeting posts from other accounts that they control.
Actor controlled Twitter …
IoC
25d8ae4678c37251e7ffbaeddc252ae2530ef23f66e4c856d98ef60f399fa3dc
4c3499f3cc4a4fdc7e67417e055891c78540282dccc57e37a01167dfe351b244
68e6b9d71c727545095ea6376940027b61734af5c710b2985a628131e47c6af7
a4fb20b15efd72f983f0fb3325c0352d8a266a69bb5f6ca2eba0556c3e00bd15
a75886b016d84c3eaacaf01a3c61e04953a7a3adf38acf77a4a2e3a8f544f855
http://angeldonationblog.com
http://blog.br0vvnn.io
http://codevexillium.org
http://investbooking.de
http://krakenfolio.com
http://opsonew3org.sg
http://transferwiser.io
http://transplugin.io
http://trophylab.com
http://trophylab.com/notice/images/renewal/upload.asp
http://www.colasprint.com
http://www.colasprint.com/_vti_log/upload.asp
http://www.dronerc.it
http://www.edujikim.com
http://www.fabioluciani.com
https://angeldonationblog.com/image/upload/upload.php
https://blog.br0vvnn.io
https://codevexillium.org/image/download/download.asp
https://investbooking.de/upload/upload.asp
https://keybase.io/zhangguo
https://t.me/james50d
https://transplugin.io/upload/upload.asp
https://twitter.com/BrownSec3Labs
https://twitter.com/br0vvnn
https://twitter.com/dev0exp
https://twitter.com/djokovic808
https://twitter.com/henya290
https://twitter.com/james0x40
https://twitter.com/m5t0r
https://twitter.com/mvp4p3r
https://twitter.com/tjrim91
https://twitter.com/z0x55g
https://www.dronerc.it/forum/uploads/index.php
https://www.dronerc.it/shop_testbr/Core/upload.php
https://www.dronerc.it/shop_testbr/upload/upload.php
https://www.edujikim.com/intro/blue/insert.asp
https://www.fabioluciani.com/es/include/include.asp
https://www.linkedin.com/in/billy-brown-a6678b1b8/
https://www.linkedin.com/in/guo-zhang-b152721bb/
https://www.linkedin.com/in/hyungwoo-lee-6985501b9/
https://www.linkedin.com/in/linshuang-li-aa696391bb/
https://www.linkedin.com/in/rimmer-trajan-2806b21bb/
https://www.virustotal.com/gui/file/25d8ae4678c37251e7ffbaeddc252ae2530ef23f66e4c856d98ef60f399fa3dc/detection
https://www.virustotal.com/gui/file/4c3499f3cc4a4fdc7e67417e055891c78540282dccc57e37a01167dfe351b244/detection
https://www.virustotal.com/gui/file/68e6b9d71c727545095ea6376940027b61734af5c710b2985a628131e47c6af7/detection
https://www.virustotal.com/gui/file/a4fb20b15efd72f983f0fb3325c0352d8a266a69bb5f6ca2eba0556c3e00bd15/detection
https://www.virustotal.com/gui/file/a75886b016d84c3eaacaf01a3c61e04953a7a3adf38acf77a4a2e3a8f544f855/detection
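The list above mixes three kinds of indicator that should not be matched the same way: SHA-256 hashes of files, domains the actors control outright (match on host), and profile or path URLs on shared platforms such as twitter.com, linkedin.com, keybase.io and t.me, where matching on the host alone would flag every user of the platform. The VirusTotal links are references to the hashes, not network indicators. The script below is an added example, not Google TAG code; it loads a subset of the indicators above with that distinction, then runs them over a constructed proxy/EDR log format. The log lines, the log field layout, and the split into SHARED_PLATFORMS and REFERENCE_HOSTS are editorial assumptions, not something the page states.

```python
import re
from urllib.parse import urlsplit

# Subset of the indicators listed on this page (the full list is above).
IOC_LINES = """
25d8ae4678c37251e7ffbaeddc252ae2530ef23f66e4c856d98ef60f399fa3dc
4c3499f3cc4a4fdc7e67417e055891c78540282dccc57e37a01167dfe351b244
http://angeldonationblog.com
https://angeldonationblog.com/image/upload/upload.php
http://blog.br0vvnn.io
https://blog.br0vvnn.io
http://www.dronerc.it
https://www.dronerc.it/shop_testbr/upload/upload.php
https://twitter.com/br0vvnn
https://www.linkedin.com/in/billy-brown-a6678b1b8/
https://t.me/james50d
https://www.virustotal.com/gui/file/25d8ae4678c37251e7ffbaeddc252ae2530ef23f66e4c856d98ef60f399fa3dc/detection
""".split()

# Assumption (editorial, not from the page): on these hosts only the exact
# account/path is malicious, so never match on host alone.
SHARED_PLATFORMS = {"twitter.com", "linkedin.com", "keybase.io", "t.me"}
# Assumption: these are reference links about the hashes, not C2/collection.
REFERENCE_HOSTS = {"virustotal.com"}

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
LOG_URL_RE = re.compile(r"https?://\S+")
LOG_HASH_RE = re.compile(r"sha256=([0-9a-fA-F]{64})")


def _host(netloc):
    """Lower-case the host, drop any port and a leading 'www.'."""
    host = netloc.lower().split(":")[0]
    return host[4:] if host.startswith("www.") else host


def load_iocs(lines):
    """Return (hashes, actor_controlled_hosts, exact_urls) from IoC lines."""
    hashes, hosts, urls = set(), set(), set()
    for raw in lines:
        item = raw.strip().lower()
        if SHA256_RE.match(item):
            hashes.add(item)
            continue
        parts = urlsplit(item)
        host = _host(parts.netloc)
        path = parts.path.rstrip("/")
        if host in REFERENCE_HOSTS:
            continue
        if host in SHARED_PLATFORMS:
            urls.add((host, path))      # account/path level only
        else:
            hosts.add(host)             # whole domain is actor-controlled
            if path:
                urls.add((host, path))  # keep the specific upload path too
    return hashes, hosts, urls


def scan(log_lines, hashes, hosts, urls):
    """Yield (line_no, indicator_type, matched_value) for each hit."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = LOG_HASH_RE.search(line)
        if m and m.group(1).lower() in hashes:
            hits.append((n, "hash", m.group(1).lower()))
            continue
        m = LOG_URL_RE.search(line)
        if not m:
            continue
        parts = urlsplit(m.group(0).lower())
        host, path = _host(parts.netloc), parts.path.rstrip("/")
        # Exact URL, or anything beneath it (e.g. a tweet under a profile).
        if any(host == h and (path == p or path.startswith(p + "/")) for h, p in urls):
            hits.append((n, "url", m.group(0)))
        elif any(host == h or host.endswith("." + h) for h in hosts):
            hits.append((n, "domain", host))
    return hits


# Constructed sample log (not real traffic): timestamp, client, verb, url, status.
SAMPLE_LOG = [
    "2021-01-20T09:12:01Z 10.0.0.7 GET https://www.dronerc.it/shop_testbr/upload/upload.php 200",
    "2021-01-20T09:13:44Z 10.0.0.7 GET https://twitter.com/googleprojectzero 200",
    "2021-01-20T09:14:02Z 10.0.0.9 GET https://twitter.com/br0vvnn/status/1 200",
    "2021-01-20T09:15:30Z 10.0.0.9 GET http://blog.br0vvnn.io/2021/01/post.html 200",
    "2021-01-20T09:16:05Z 10.0.0.7 GET https://www.virustotal.com/gui/home/search 200",
    "2021-01-20T09:20:10Z host7 file_create C:\\Users\\r\\Downloads\\proj.vcxproj "
    "sha256=25d8ae4678c37251e7ffbaeddc252ae2530ef23f66e4c856d98ef60f399fa3dc",
    "2021-01-20T09:21:00Z 10.0.0.7 GET https://www.linkedin.com/in/someone-else/ 200",
]


def scan_sample():
    return scan(SAMPLE_LOG, *load_iocs(IOC_LINES))


if __name__ == "__main__":
    for hit in scan_sample():
        print(hit)
```

Running it on the constructed log flags the dronerc.it upload path, the tweet beneath the br0vvnn profile, the post on blog.br0vvnn.io and the file hash, while the unrelated Twitter and LinkedIn profiles and the VirusTotal visit are left alone. When feeding real proxy logs, add the remaining indicators from the list above and keep the platform split: a host-level rule for twitter.com or linkedin.com will bury the real hits in noise.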