Connect with us

Hi, what are you looking for?


Application Security

North Korean Gov Hackers Caught Rigging Legit Software

Threat hunters at Microsoft have intercepted a notorious North Korean government hacking group lacing legitimate open source software with custom malware capable of data theft, espionage, financial gain and network destruction.

Threat hunters at Microsoft have intercepted a notorious North Korean government hacking group lacing legitimate open source software with custom malware capable of data theft, espionage, financial gain and network destruction.

The hackers, a sub-group of Lazarus that Microsoft calls ZINC, are weaponizing a wide range of open-source software including PuTTY, KiTTY, TightVNC, Sumatra PDF Reader, and muPDF/Subliminal Recording software installers in a new wave of malware attacks.

Redmond described the attackers as a “highly operational, destructive, and sophisticated nation-state activity group” and warned that its LinkedIn networking portal was also being abused to trawl for targets.  

In a report documenting the discovery, Microsoft said the hackers use LinkedIn to connect with and befriend employees in organizations across multiple industries including media, defense and aerospace, and IT services in the US, UK, India, and Russia. 

“Beginning in June 2022, ZINC employed traditional social engineering tactics by initially connecting with individuals on LinkedIn to establish a level of trust with their targets. Upon successful connection, ZINC encouraged continued communication over WhatsApp, which acted as the means of delivery for their malicious payloads,” Microsoft added. 

[ READ: North Korean Hackers Targeting Security Researchers With Zero-Days ]

The company is calling urgent attention to this threat because of the wide use and distribution of the booby-trapped legitimate software products. “[This] could pose a significant threat to individuals and organizations across multiple sectors and regions,” the company said.

Advertisement. Scroll to continue reading.

In the report, Microsoft said the Lazarus sub-group has used spear-phishing as a primary tacticin the past but also managed strategic website compromises and social engineering across social media networks like LinkedIn and Twitter. 

At LinkedIn, the company’s threat prevention and defense team said it detected the North Koreans creating fake profiles claiming to be recruiters working at technology, defense, and media entertainment companies.  The goal was to lure targets away from LinkedIn and to the encrypted messaging app WhatsApp for the delivery of malware. 

The hackers primarily targeted engineers and technical support professionals working at media and information technology companies located in the U.S., U.K., and India. 

Once a connection with the target is established, the group pushes malicious versions of two SSH clients — PuTTY and KiTTY — that acted as the entry vector for the malware implant. Microsoft said the two utilities provide terminal emulator support for different networking protocols, making them attractive programs for individuals commonly targeted in these attacks.

Related: Google Warning: North Korean Gov Hackers Targeting Security Researchers

Related: North Korea Lazarus Hackers Blamed for $100 Million Horizon Bridge Heist

Related: North Korea APT Lazarus Targeting Chemical Sector

Related: U.S. Gov Blames North Korea Hackers for $600M Cryptocurrency Heist

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Artificial Intelligence

The CRYSTALS-Kyber public-key encryption and key encapsulation mechanism recommended by NIST for post-quantum cryptography has been broken using AI combined with side channel attacks.