Fake Twitter personas, bogus blog delivered North Korea-linked malware to researchers

The goal was to spy on the work of cybersecurity researchers by exploiting their natural inclination to collaborate.

Hackers linked to North Korea targeted cybersecurity researchers through a seemingly legitimate research blog and friendly social media accounts, Google said Monday.

The goal of those social engineering techniques was simple: Earn trust, trick researchers into interacting online, and then implant file-stealing malware on their computers.

There were also a few cases where unwitting researchers’ machines were infected simply by visiting the security blog, Google said. That part of the campaign worked even if the researchers were using “fully patched and up-to-date Windows 10 and Chrome browser versions,” according to Google’s Threat Analysis Group.

Google’s findings serve as a reminder that even the most security-minded people can still be vulnerable in the digital realm. The hacking campaign preyed upon the natural inclination of many researchers to collaborate on projects and share findings. For a nation-state trying to expand its arsenal of hacking tools, anyone with a deep interest in software vulnerabilities is an inviting target.
“We hope this post will remind those in the security research community that they are targets to government-backed attackers and should remain vigilant when engaging with individuals they have not previously interacted with,” Google’s Adam Weidemann wrote in the blog post.

The social media interactions included accounts on Twitter, LinkedIn, Telegram, Discord and Keybase, Google said. The personas had names like “James Willy,” “Billy Brown,” “Zhang Guo” and “BrownSec3 Labs.” The blog, meanwhile, “contains write-ups and analysis of vulnerabilities that have been publicly disclosed, including ‘guest’ posts from unwitting legitimate security researchers, likely in an attempt to build additional credibility with other security researchers.” Email was another way the attackers contacted potential targets, Google said.

The news prompted many researchers to dive into their social media histories to see if they’d interacted with any of the bogus accounts. Reuters journalist Raphael Satter posted screenshots of his interactions with the “Zhang Guo” account. Zero Day Initiative researcher Hossein Lotfi said he found a similar attempt “too shady to interact.”

Ultimately the attackers sought to interact directly with potential victims on projects in Microsoft’s Visual Studio development platform, Google said. The bait was the chance to research a specific vulnerability. The Visual Studio project would include that code, plus “custom malware that would immediately begin communicating with actor-controlled [command-and-control] domains.”
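The delivery described above, a shared project that runs attacker code once the recipient builds it, is the kind of thing a quick triage pass can surface before the project is opened in the IDE. The following is an added example, not code from the article or from Google's report: it assumes the shared project is a Visual Studio C++ project (a `.vcxproj`, which is an MSBuild XML file) and flags the places where MSBuild executes commands at build time (pre-build, pre-link and post-build events, `Exec` tasks, and imported `.targets` or `.props` files that are not the stock Microsoft ones), plus any bundled `.dll`/`.exe` files. The sample project text is constructed for the example; the `audit_project` and `is_clean` helpers are hypothetical names, not part of any tool.

```python
import xml.etree.ElementTree as ET

# Default namespace used by Visual Studio project files.
MSBUILD_NS = "http://schemas.microsoft.com/developer/msbuild/2003"

# Elements whose <Command> child is executed by MSBuild during a build.
EVENT_TAGS = ("PreBuildEvent", "PreLinkEvent", "PostBuildEvent")

# Constructed sample of a project that looks like a vulnerability PoC but
# also runs a bundled binary at build time. Not a real project file.
SAMPLE_VCXPROJ = r"""<?xml version="1.0" encoding="utf-8"?>
<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <ItemGroup>
    <ClCompile Include="poc.cpp" />
    <None Include="helper.dll" />
  </ItemGroup>
  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
  <Import Project="..\build\extra.targets" />
  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
    <PreBuildEvent>
      <Command>cmd /c start ..\tools\helper.exe</Command>
    </PreBuildEvent>
  </ItemDefinitionGroup>
  <Target Name="AfterBuild">
    <Exec Command="helper.exe --init" />
  </Target>
</Project>
"""


def _local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.split("}", 1)[-1]


def audit_project(xml_text):
    """Return a list of (kind, detail) findings for build-time code execution
    and bundled binaries in an MSBuild project, in document order."""
    root = ET.fromstring(xml_text)
    findings = []
    for elem in root.iter():
        name = _local(elem.tag)
        # Build events: the text of <Command> is run by cmd.exe during the build.
        if name in EVENT_TAGS:
            for child in elem:
                if _local(child.tag) == "Command" and (child.text or "").strip():
                    findings.append((name, child.text.strip()))
        # <Exec> tasks inside custom <Target>s run arbitrary commands.
        elif name == "Exec":
            command = elem.get("Command", "").strip()
            if command:
                findings.append(("Exec", command))
        # Imports of non-stock .props/.targets can carry more targets and tasks;
        # stock Microsoft imports are referenced through $(...) properties.
        elif name == "Import":
            project = elem.get("Project", "")
            if project and not project.startswith("$("):
                findings.append(("Import", project))
        # Any item that ships a binary alongside the source is worth a look.
        include = elem.get("Include", "")
        if include.lower().endswith((".dll", ".exe")):
            findings.append(("Binary", include))
    return findings


def is_clean(xml_text):
    """True only if the project carries no build-time commands or binaries.
    A clean result is not proof of safety; it just means nothing obvious."""
    return not audit_project(xml_text)


if __name__ == "__main__":
    for kind, detail in audit_project(SAMPLE_VCXPROJ):
        print(f"{kind:14} {detail}")
    print("clean:", is_clean(SAMPLE_VCXPROJ))
```

The check is deliberately cheap: it reads the project file as XML and never runs anything in it. An empty result only means the project file itself contains no obvious build-time hooks; a project received from an unfamiliar contact should still be built and debugged in an isolated, disposable VM with network egress monitored, which is where the "immediately begin communicating with actor-controlled domains" behaviour the report describes would show up.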
Although Google attributed the activity to “a government-backed entity based in North Korea,” the report did not specify a known North Korean hacking group. Kaspersky researcher Costin Raiu later suggested that an initial analysis pointed to Lazarus Group, according to ZDNet.

Lazarus Group, which tends to focus on espionage, recently has been blamed for other social engineering campaigns, including one that focused on job applicants in the defense industry.
