September 25, 2023

North Korean state-sponsored hackers posed as Samsung recruiters and sent fake job offers to employees at South Korean security companies that sell anti-malware software.


The emails included a PDF allegedly claiming to be of a job description for a role at Samsung, the PDFs were malformed and did not open in a standard PDF reader.

If targets complained that they couldn’t open the job offer archive, the hackers offered to help by providing them with a link to a “Secure PDF Reader” app users could install. But the file was a modified version of PDFTron, a legitimate PDF reader, altered to install a backdoor trojan on the victim’s computers.

Google security team which detected the malicious emails, attributed the attacks to the same team of North Korean hackers who previously targeted security researchers on Twitter and other social networks in late 2020 and throughout 2021.

Tracked by Microsoft under the codename of “Zinc,” this threat actor’s tactics believed acquiring unreleased vulnerabilities and exploits from some of their naive and careless members.


The attack on South Korean antivirus makers might be different since compromising their employees might provide the group with access to the means to carry out a targeted supply chain attack against South Korean organizations, where those companies’ anti-malware software might be running.

Leave a Reply

%d bloggers like this: