Active North Korean Campaign Targeting Security Researchers
North Korean threat actors have been targeting security researchers through social media platforms and encrypted messaging apps, sending malicious files that contain 0-day exploits. A standalone Windows tool called GetSymbol, which appears to be a useful utility for downloading symbol information, can download and execute arbitrary code from an attacker-controlled domain.

Google's Threat Analysis Group (TAG) has issued an update on a campaign by North Korean threat actors targeting security researchers. TAG has discovered a new campaign with similarities to a previous one, including the use of social media sites to build rapport with targets. The threat actors then move the conversation to encrypted messaging and send a malicious file containing at least one 0-day exploit. The vulnerability has been reported to the affected vendor and is being patched. The threat actors have also developed a tool that can download and execute arbitrary code.

Google TAG is actively working to protect users: sharing its findings with the security community, adding the identified websites and domains to Safe Browsing, and notifying targeted users through government-backed attacker alerts.