Security Experts:

Connect with us

Hi, what are you looking for?


Application Security

North Korean .Gov Hackers Back With Fake Pen-Test Company

A North Korean government-backed APT group has been caught using a fake pen-testing company and a range of sock puppet social media accounts in an escalation of a hacking campaign targeting security research professionals.

A North Korean government-backed APT group has been caught using a fake pen-testing company and a range of sock puppet social media accounts in an escalation of a hacking campaign targeting security research professionals.

The notorious hacking group, first exposed by Google earlier this year, returned on March 17th with a website for a fake penetration testing company.

“The new website claims the company is an offensive security company located in Turkey that offers pentests, software security assessments and exploits,” according to Adam Weidemann, a researcher in Google’s TAG (Threat Analysis Group).

Like previous websites used by this actor, Google said the new website even has a link to a PGP public key at the bottom of the page that was connected to the earlier January attacks.

[ RELATED: North Korean Gov Hackers Targeting Security Researchers ]

“In January, targeted researchers reported that the PGP key hosted on the attacker’s blog acted as the lure to visit the site where a browser exploit was waiting to be triggered,” Weidemann explained.

In addition to the fake “SecuriElite” security assessment company, the campaign also included a batch of carefully crafted social media profiles used to lend credibility to the fake outfit.

Google’s Weidemann explains:

The attacker’s latest batch of social media profiles continue the trend of posing as fellow security researchers interested in exploitation and offensive security. On LinkedIn, we identified two accounts impersonating recruiters for antivirus and security companies. We have reported all identified social media profiles to the platforms to allow them to take appropriate action.

At this time, we have not observed the new attacker website serve malicious content, but we have added it to Google Safebrowsing as a precaution.

Weidemann said the group has already used exploits for zero-days in Microsoft’s Internet Explorer browser and warns that the threat actor has advanced capabilities.

“Based on their activity, we continue to believe that these actors are dangerous, and likely have more 0-days. We encourage anyone who discovers a Chrome vulnerability to report that activity through the Chrome Vulnerabilities Rewards Program submission process,” Weidemann added.

Google released data on multiple fake Twitter handles, sock puppet LinkedIn profiles, and attacker-controlled websites belonging to the North Korean APT group. 

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Data Protection

The CRYSTALS-Kyber public-key encryption and key encapsulation mechanism recommended by NIST for post-quantum cryptography has been broken using AI combined with side channel attacks.


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Data Breaches

LastPass DevOp engineer's home computer hacked and implanted with keylogging malware as part of a sustained cyberattack that exfiltrated corporate data from the cloud...

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.