Tuesday, May 13, 2025
HomeCyber Security NewsNorth Korean Hackers Use 0-Day Exploits to Attack Security Researchers

North Korean Hackers Use 0-Day Exploits to Attack Security Researchers

Published on

SIEM as a Service

Follow Us on Google News

Google’s Threat Analysis Group (TAG) has issued an update regarding an ongoing campaign by North Korean threat actors targeting security researchers. 

This campaign, which first came to light in January 2021, involved using 0-day exploits to compromise the security of researchers engaged in vulnerability research and development.

Over the past two and a half years, TAG has diligently tracked and disrupted multiple campaigns orchestrated by these North Korean actors, unearthing 0-day vulnerabilities and safeguarding online users. 

- Advertisement - Google News

Recently, TAG identified a new campaign bearing similarities to the previous one. Disturbingly, they have confirmed the active exploitation of at least one 0-day vulnerability in the past few weeks, prompting them to take immediate action.

TAG has reported this vulnerability to the affected vendor, and efforts are underway to patch it. 

While their analysis of this campaign is ongoing, TAG has chosen to provide early notification to the security research community. 

This is a stark reminder that security researchers can become targets of government-backed attackers, underscoring the importance of maintaining vigilance in security practices.

The tactics employed by these North Korean threat actors mirror those from the prior campaign. 

They contact potential targets through social media platforms such as X (formerly Twitter) and gradually build trust. 

Actor-controlled Twitter profile

Once a rapport is established, they transition to encrypted messaging apps like Signal, WhatsApp, or Wire. 

Subsequently, the threat actors send malicious files containing at least one 0-day exploit hidden within popular software packages.

Upon successful exploitation, the malicious code performs a series of anti-virtual machine checks and transmits the collected data, including screenshots, to a command and control domain controlled by the attackers. 

The shellcode used in these exploits exhibits similarities to previous North Korean exploits.

In addition to 0-day exploits, these threat actors have developed a standalone Windows tool to download debugging symbols from central symbol servers, including Microsoft, Google, Mozilla, and Citrix

However, this tool can also download and execute arbitrary code from attacker-controlled domains, posing a significant risk to those who have used it.

GitHub repository for GetSymbol

TAG strongly advises individuals who have downloaded or run this tool to take precautions, including ensuring their systems are clean, which may require complete OS reinstallation.

As part of its commitment to combating these severe threats, TAG utilizes its research findings to enhance the safety and security of Google’s products. 

They swiftly add identified websites and domains to Safe Browsing to protect users from further exploitation. 

Additionally, TAG notifies targeted Gmail and Workspace users of government-backed attacker alerts, encouraging potential targets to activate Enhanced Safe Browsing for Chrome and ensure their devices are up-to-date.

Keep informed about the latest Cyber Security News by following us on Google NewsLinkedinTwitter, and Facebook.

Latest articles

Apple Releases Security Patches to Fix Critical Data Exposure Flaws

Apple released critical security updates for macOS Sequoia 15.5 on May 12, 2025, addressing...

Lumma Stealer Upgraded with PowerShell Tools and Advanced Evasion Techniques

Sophos Managed Detection and Response (MDR) in September 2024, the notorious Lumma Stealer malware...

New Noodlophile Malware Spreads Through Fake AI Video Generation Platforms

Cybercriminals have unleashed a new malware campaign using fake AI video generation platforms as...

Kimsuky Hacker Group Deploys New Phishing Techniques and Malware Campaigns

The North Korean state-sponsored Advanced Persistent Threat (APT) group Kimsuky, also known as “Black...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

Apple Releases Security Patches to Fix Critical Data Exposure Flaws

Apple released critical security updates for macOS Sequoia 15.5 on May 12, 2025, addressing...

Lumma Stealer Upgraded with PowerShell Tools and Advanced Evasion Techniques

Sophos Managed Detection and Response (MDR) in September 2024, the notorious Lumma Stealer malware...

New Noodlophile Malware Spreads Through Fake AI Video Generation Platforms

Cybercriminals have unleashed a new malware campaign using fake AI video generation platforms as...