September 22, 2023

North Korean-based threat actors UNC4034 are using trojanized versions of the PuTTY SSH open-source terminal emulator to install backdoors on victims’ devices.

The campaign, trying to trick victims into clicking on malicious files as part of a fake Amazon job assessment, would build on a previous, existing one called Operation Dream Job. The methodology used by UNC4034 would now be evolving.


During the month of July 2022, researchers identified a novel spear phish methodology employed by the threat cluster tracked as UNC4034. Its established communication with the victim over WhatsApp and lured them to download a malicious ISO package regarding a fake job offering that led to the deployment of the AIRDRY.V2 backdoor through a trojanized instance of the PuTTY utility.

The executable embedded in each ISO file by UNC4034 is a fully functional PuTTY application but also contains malicious code that writes an embedded payload on the disk and launches it. Once after the launch, a new scheduled task will get created that executes daily

This is likely one of several malware delivery techniques being employed by North Korean actors after a target has responded to a fabricated job lure.

This research was done and documented by experts from Mandiant Managed Threat Defence


Indicators Of Compromise

Leave a Reply

%d bloggers like this: