Security Experts:

Connect with us

Hi, what are you looking for?



Companies Using Zeplin Platform Targeted by Korean Hackers

A Korean threat actor known as Higaisa has been employing malicious LNK files in recent attacks targeting organizations that use the Zeplin collaboration platform.

A Korean threat actor known as Higaisa has been employing malicious LNK files in recent attacks targeting organizations that use the Zeplin collaboration platform.

Active since at least 2016, the hacking group was first detailed last year, when it was associated with the Korean peninsula. The actor, believed to be state-sponsored, was observed using Trojans such as Gh0st and PlugX to target government officials and human rights organizations, among others.

Over the past several weeks, the hackers launched multi-stage attacks that employed malicious shortcut (LNK) files and resulted in the delivery of decoy PDF documents, malicious scripts, and payloads.

The LNK file was included in an archive likely distributed via spear-phishing, with two different versions of the attack observed between May 12 and May 31, featuring the “Project link and New copyright policy.rar” and “CV_Colliers.rar” archive files, respectively.

Only the former targets product teams that are using Zeplin. The archive contains two LNK files and a PDF document, all of them referencing Zeplin.

According to security researchers at Prevailion, the threat actor prepared the first attack at least one week before launch, by creating a decoy PDF file on May 5, followed by the creation of additional files used in the attack.

The malicious LNK file was created on May 11, the same day the intended victims started receiving the trojanized RAR file. The “Project link and New copyright policy.rar” archive was first submitted to VirusTotal the next day, while the domain used in the attack stopped resolving on May 16.

The second attack, which started on May 30, switched to the use of a malicious curriculum vitae (CV) impersonating a college student named “Wang Lei” from Hong Kong, the security researchers say.

Malwarebytes too observed the attacks, explaining that the LNK files in this campaign were designed to execute the same commands that were detailed by Anomali in a report describing COVID-19 attacks in March.

All of the attacks appear associated with Higaisa and show the threat actor’s ability to tailor its attacks based on current events: the hackers started leveraging not only the increased interest in the COVID-19 crisis, but also the increased adoption of collaboration tools to facilitate working from home (WFH) during the pandemic.

“By analyzing individual elements of this campaign, we noted a number of correlations to prior threat actor reporting. […] Based upon the totality of available information, we assess with high confidence that this campaign was performed by the same actors responsible for the Coronavirus, Covid-19, themed campaign in March,” Prevailion’s researchers say.

Based on Google trends, Prevailion discovered that the Zeplin app that was targeted in early May was of interest in the United States, United Kingdom, and India, which could be a possible hint at the targeted entities.

Related: State-Backed Players Join Pandemic Cyber Crime Attacks

Related: North Korean Hackers Release Mac Variant of Dacls RAT

Related: U.S. Cyber Command Shares More North Korean Malware Variants

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...