Security Experts:

Connect with us

Hi, what are you looking for?



Companies Using Zeplin Platform Targeted by Korean Hackers

A Korean threat actor known as Higaisa has been employing malicious LNK files in recent attacks targeting organizations that use the Zeplin collaboration platform.

A Korean threat actor known as Higaisa has been employing malicious LNK files in recent attacks targeting organizations that use the Zeplin collaboration platform.

Active since at least 2016, the hacking group was first detailed last year, when it was associated with the Korean peninsula. The actor, believed to be state-sponsored, was observed using Trojans such as Gh0st and PlugX to target government officials and human rights organizations, among others.

Over the past several weeks, the hackers launched multi-stage attacks that employed malicious shortcut (LNK) files and resulted in the delivery of decoy PDF documents, malicious scripts, and payloads.

The LNK file was included in an archive likely distributed via spear-phishing, with two different versions of the attack observed between May 12 and May 31, featuring the “Project link and New copyright policy.rar” and “CV_Colliers.rar” archive files, respectively.

Only the former targets product teams that are using Zeplin. The archive contains two LNK files and a PDF document, all of them referencing Zeplin.

According to security researchers at Prevailion, the threat actor prepared the first attack at least one week before launch, by creating a decoy PDF file on May 5, followed by the creation of additional files used in the attack.

The malicious LNK file was created on May 11, the same day the intended victims started receiving the trojanized RAR file. The “Project link and New copyright policy.rar” archive was first submitted to VirusTotal the next day, while the domain used in the attack stopped resolving on May 16.

The second attack, which started on May 30, switched to the use of a malicious curriculum vitae (CV) impersonating a college student named “Wang Lei” from Hong Kong, the security researchers say.

Malwarebytes too observed the attacks, explaining that the LNK files in this campaign were designed to execute the same commands that were detailed by Anomali in a report describing COVID-19 attacks in March.

All of the attacks appear associated with Higaisa and show the threat actor’s ability to tailor its attacks based on current events: the hackers started leveraging not only the increased interest in the COVID-19 crisis, but also the increased adoption of collaboration tools to facilitate working from home (WFH) during the pandemic.

“By analyzing individual elements of this campaign, we noted a number of correlations to prior threat actor reporting. […] Based upon the totality of available information, we assess with high confidence that this campaign was performed by the same actors responsible for the Coronavirus, Covid-19, themed campaign in March,” Prevailion’s researchers say.

Based on Google trends, Prevailion discovered that the Zeplin app that was targeted in early May was of interest in the United States, United Kingdom, and India, which could be a possible hint at the targeted entities.

Related: State-Backed Players Join Pandemic Cyber Crime Attacks

Related: North Korean Hackers Release Mac Variant of Dacls RAT

Related: U.S. Cyber Command Shares More North Korean Malware Variants

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet


The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.


The North Korean APT tracked as TA444 is either moonlighting from its previous primary purpose, expanding its attack repertoire, or is being impersonated by...

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...


FBI says a North Korea-linked threat group known as Lazarus and APT38 is behind the $100 million Horizon bridge cryptocurrency heist.