Hacking: North Korea is coming back through the back door
Same actors, new round. More than two years after denouncing a malicious North Korean campaign targeting security researchers, the Threat Analysis Group (TAG), Google’s security team specialized in hunting advanced persistent threat groups, has just issued a new alert.
The new campaign is “probably led by the same actors” and shows “similarities” with the previous malicious operation. According to Google’s specialists, at least one zero-day vulnerability (a flaw unknown to the vendor and therefore unpatched, the kind attackers actively seek out) has been used to target security researchers in recent weeks. As BleepingComputer reports, the final objective of the North Korean hackers was likely to get hold of security vulnerabilities not yet disclosed.
Fake profiles
The targeted security researchers were reportedly first approached on the social network X (formerly Twitter). A screenshot shared by Google reveals one of the attackers’ usernames, @Paul091_, whose profile photo shows a cat sitting on a branch in front of threatening clouds; the account claims to be a security researcher and a developer of getSymbol.
The exchanges then moved to messaging applications such as Signal, WhatsApp and Wire. Once trust had been established, the attackers sent the security researcher a malicious file exploiting the aforementioned zero-day vulnerability in an unspecified software package. The flaw is being fixed after having been reported to the software publisher.
Backdoor on an open source tool
getSymbol, the software mentioned by “Paul091_”, has also attracted the attention of Google’s experts. This open source tool intended for reverse engineering, whose source code was published in September 2022, is in fact reported to be a Trojan horse.
This potential secondary infection vector would indeed allow code to be executed remotely from a domain controlled by the attacker. Google’s experts recommend that researchers who have installed this tool take precautions, for example by reinstalling their operating system.