October 2, 2023

North Korean threat actors have used social media sites like X to build rapport with their targets.

In a recent case, they built a collaboration with a security researcher. After initial contact via X, the collaboration continued over encrypted messaging apps. Once a relationship was developed with a targeted researcher, the threat actors sent a malicious file that contained at least one 0-day in a popular software package.

Upon successful exploitation, the shellcode conducts a series of anti-virtual machine checks and then sends the collected information, along with a screenshot, back to an attacker-controlled command and control domain. The shellcode used in this exploit is constructed in a similar manner to shellcode observed in previous North Korean exploits.


The vulnerability has been reported to the affected vendor and is in the process of being patched. The technical details are not revealed at this time.

The threat actors also developed a standalone Windows tool that has the stated goal of ‘download debugging symbols from Microsoft, Google, Mozilla, and Citrix symbol servers for reverse engine.

The source code for this tool was first published on GitHub on September 30, 2022, with several updates being released since. The tool appears to be a useful utility for quickly and easily downloading symbol information from a number of different sources. Symbols provide additional information about a binary that can be helpful when debugging software issues or while conducting vulnerability research.


The tool also has the ability to download and execute arbitrary code from an attacker-controlled domain. If you have downloaded or run this tool, TAG recommends taking precautions to ensure your system is in a known clean state, likely requiring a reinstall of the operating system.

Upon discovery, all identified websites and domains are added to Safe Browsing to protect users from further exploitation. TAG also sends all targeted Gmail and Workspace users government-backed attacker alerts notifying them of the activity and encourages potential targets to enable Enhanced Safe Browsing for Chrome and ensure that all devices are updated.

Indicators of Compromise
