
North Korean Hackers Caught Using Malware With Microphone Wiretapping Capabilities

A hacking group linked to the North Korean government has been caught using new malware with microphone wiretapping capabilities.

A hacking group linked to the North Korean government has been caught using new wiretapping malware in recent surveillance attacks, according to an advisory from cybersecurity firm AhnLab.

The APT, tracked as APT37, was seen using a Go-based backdoor that abuses the real-time data transfer and messaging platform Ably, and a previously unknown information stealer with microphone wiretapping capabilities.

AhnLab, based in South Korea, said it discovered the latest attacks in May 2023 and warned that the hackers are using a CHM (Compiled HTML Help File) payload disguised as a password, delivered via spear phishing emails that also carried a password-protected document, luring intended victims into executing the CHM file to view the document.

When opened, the CHM file displays a password and executes a malicious script via MSHTA. The script is a PowerShell backdoor that achieves persistence by registering a registry key, and which can execute commands received from the command-and-control (C&C) server.

The backdoor can exfiltrate file information, files, and compressed folders, and can download files, edit the registry, register scheduled tasks, rename files, and delete files, AhnLab said.
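The execution chain described above (a CHM file opened by the help viewer, a script run through MSHTA, a PowerShell backdoor that persists via a registry key) leaves a recognisable trail in endpoint telemetry. The following is an added detection example written for this article; it is not code from AhnLab, SecurityWeek or the malware report. It assumes a simplified, Sysmon-like JSON-lines event shape (field names `event`, `image`, `parent_image`, `command_line`, `target_object`, `details` are this example's own), assumes the persistence key is a `CurrentVersion\Run` value (the advisory only says "a registry key"), and runs over a handful of constructed sample events embedded inline.

```python
"""Detection logic for the CHM -> MSHTA -> PowerShell chain.

Added example (not AhnLab's or SecurityWeek's code). The event format and the
sample lines below are constructed for illustration, not real telemetry.
"""
import json
from typing import Dict, List, Tuple

# Lower-cased fragment of the per-user/per-machine Run key path. Assumption:
# the backdoor's "registry key" persistence lives under a Run key.
RUN_KEY_FRAGMENT = "\\software\\microsoft\\windows\\currentversion\\run\\"

# Constructed sample telemetry (JSON lines). Hostnames, paths and values are made up.
SAMPLE_LOG = "\n".join(json.dumps(ev) for ev in [
    {"event": "process_create", "image": "C:\\Windows\\hh.exe",
     "parent_image": "C:\\Windows\\explorer.exe",
     "command_line": "\"C:\\Windows\\hh.exe\" C:\\Users\\victim\\Downloads\\password.chm"},
    {"event": "process_create", "image": "C:\\Windows\\System32\\mshta.exe",
     "parent_image": "C:\\Windows\\hh.exe",
     "command_line": "mshta.exe <script placeholder>"},
    {"event": "process_create",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "parent_image": "C:\\Windows\\System32\\mshta.exe",
     "command_line": "powershell.exe -File C:\\Users\\victim\\AppData\\Roaming\\update.ps1"},
    {"event": "registry_set",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "target_object": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater",
     "details": "powershell.exe -File C:\\Users\\victim\\AppData\\Roaming\\update.ps1"},
    {"event": "process_create", "image": "C:\\Windows\\System32\\notepad.exe",
     "parent_image": "C:\\Windows\\explorer.exe",
     "command_line": "notepad.exe notes.txt"},
])


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows path (empty string if none)."""
    return path.rsplit("\\", 1)[-1].lower()


def check_event(ev: Dict[str, str]) -> List[str]:
    """Apply the three chain rules to one event and return the rule names that fired."""
    alerts: List[str] = []
    kind = ev.get("event", "")
    if kind == "process_create":
        child = basename(ev.get("image", ""))
        parent = basename(ev.get("parent_image", ""))
        # Rule 1: the compiled-help viewer launching MSHTA is the CHM lure stage.
        if parent == "hh.exe" and child == "mshta.exe":
            alerts.append("chm_spawns_mshta")
        # Rule 2: MSHTA handing off to PowerShell is the backdoor launch stage.
        if parent == "mshta.exe" and child == "powershell.exe":
            alerts.append("mshta_spawns_powershell")
    elif kind == "registry_set":
        target = ev.get("target_object", "").lower()
        details = ev.get("details", "").lower()
        # Rule 3: a Run-key value whose data invokes PowerShell is the persistence stage.
        if RUN_KEY_FRAGMENT in target and "powershell" in details:
            alerts.append("run_key_powershell_persistence")
    return alerts


def detect(jsonl: str) -> List[Tuple[int, str]]:
    """Parse a JSON-lines log and return (line_index, rule_name) pairs for every hit.

    Malformed lines are skipped rather than aborting the scan, since a single
    bad record should not blind the detector to the rest of the log.
    """
    findings: List[Tuple[int, str]] = []
    for idx, line in enumerate(jsonl.splitlines()):
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        for rule in check_event(ev):
            findings.append((idx, rule))
    return findings


if __name__ == "__main__":
    for line_no, rule in detect(SAMPLE_LOG):
        print(f"line {line_no}: {rule}")
```

Each rule fires on a different stage of the chain, so a host that triggers all three in sequence, with the PowerShell process that set the Run value descending from MSHTA, is a much stronger signal than any single rule; the benign `notepad.exe` line and the initial `hh.exe` launch produce no hits on their own.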

The North Korean hackers were also seen escalating privileges, exfiltrating data, and deploying malware via a Go-based backdoor that uses the Ably platform service for data transfer.

Ultimately, the AblyGo backdoor and the PowerShell script were used to execute an information stealer in memory, AhnLab says. Dubbed FadeStealer, the malware can take screenshots, steal data from removable devices, and log keystrokes, but also has wiretapping capabilities.

“[APT37’s] primary focus is on information theft, and an info-stealer with a feature to wiretap microphones was discovered in this recent attack case. Unauthorized eavesdropping on individuals in South Korea is considered a violation of privacy and is strictly regulated under relevant laws. Despite this, the threat actor monitored everything victims did on their PC and even conducted wiretapping,” AhnLab added.

Also known as Group123, InkySquid, Reaper, RedEyes, and ScarCruft, the hacking team has documented links to the North Korean government and is known for targeting North Korean defectors, human rights activists, journalists, and policy makers for surveillance purposes.

Related: North Korean Hackers Blamed for $35M Crypto Theft

Related: US, South Korea Detail North Korea’s Hacking Techniques

Related: Internet Explorer Zero-Day Exploited by North Korean Hackers

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
