A cyber-espionage campaign with links to North Korea is targeting companies in the energy and aerospace industries, according to new research from Mandiant.
The group behind the campaign, tracked as UNC2970, is likely linked to North Korea and overlaps with another Pyongyang-backed threat actor, TEMP.Hermit.
Researchers at the Google-owned cyber outfit uncovered UNC2970’s recent campaign in June 2024 and released their findings on Tuesday. The group was first identified in 2021 and has since targeted victims in the U.S., U.K., the Netherlands, Cyprus, Sweden, Germany, Singapore, Hong Kong and Australia.
According to the report, UNC2970 hackers engage with their victims via email and WhatsApp, posing as recruiters for prominent companies. They ultimately share a malicious archive purported to contain a job description in PDF file format.
The PDF file can only be opened with a trojanized version of the legitimate open-source document viewer, SumatraPDF, which delivers a backdoor named Mistpen via the Burnbook launcher.
Researchers noted that the hackers modified the open-source code of an older version of SumatraPDF for this campaign, and that the actual SumatraPDF service was not compromised.
UNC2970 builds its lures from legitimate job description content, and its targets include, among others, victims employed in U.S. critical infrastructure sectors.
The Mistpen malware is a modification of a legitimate plugin for the Notepad++ open-source text and source code editor. The backdoor has been improved over time with new features and an added network connectivity check, which complicates sample analysis, researchers said.
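The delivery chain described above has a recognisable shape from the defender's side: an archive that claims to be a PDF job description but also carries the native Windows program needed to "open" it. The following triage script is an added example written for this article, not code from Mandiant's report or from the group's tooling; the archive it inspects is constructed in memory, the member names are placeholders, and the only real indicators it relies on are the `%PDF-` and `MZ` file signatures.

```python
"""Triage check for 'job description' lure archives.

Added example (not part of the original article or of Mandiant's research).
It flags an archive that presents a PDF but also bundles a Windows executable
or DLL, the shape of the lure described above (a document that can only be
opened with a viewer shipped alongside it). The sample archives are built in
memory purely for demonstration; nothing here is a real malware artifact.
"""
import io
import posixpath
import zipfile

# Native Windows code that has no business travelling with a resume or JD.
EXECUTABLE_EXTS = {".exe", ".dll", ".scr", ".com", ".pif", ".cpl"}
PDF_MAGIC = b"%PDF-"   # real PDFs start with this signature
MZ_MAGIC = b"MZ"       # Windows PE images start with this signature


def triage_archive(data: bytes) -> dict:
    """Describe why (or whether) a zip archive looks like a document lure.

    Returns a dict with keys 'pdfs', 'executables', 'fake_pdfs', 'suspicious'.
    'fake_pdfs' are members named *.pdf whose bytes do not start with %PDF-
    (for example a PE image renamed to look like a document).
    """
    pdfs, executables, fake_pdfs = [], [], []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            ext = posixpath.splitext(name.lower())[1]
            with zf.open(info) as member:
                head = member.read(8)  # only the signature bytes are needed
            if ext == ".pdf":
                if head.startswith(PDF_MAGIC):
                    pdfs.append(name)
                else:
                    fake_pdfs.append(name)
            # Check both the extension and the real signature: a renamed PE
            # still starts with MZ.
            if ext in EXECUTABLE_EXTS or head.startswith(MZ_MAGIC):
                executables.append(name)
    suspicious = bool(fake_pdfs) or (bool(pdfs) and bool(executables))
    return {
        "pdfs": pdfs,
        "executables": executables,
        "fake_pdfs": fake_pdfs,
        "suspicious": suspicious,
    }


def build_sample_archive() -> bytes:
    """Constructed lure-shaped archive: a PDF plus a PE-headed 'viewer'.

    File names are hypothetical placeholders; the PE members are stubs that
    carry only the MZ signature, not executable code.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Job_Description.pdf", PDF_MAGIC + b"1.7\n% constructed placeholder\n")
        zf.writestr("viewer/pdf_viewer.exe", MZ_MAGIC + b"\x00" * 62)
        zf.writestr("viewer/render.dll", MZ_MAGIC + b"\x00" * 62)
    return buf.getvalue()


def build_benign_archive() -> bytes:
    """Constructed control case: a lone PDF with nothing else bundled."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Job_Description.pdf", PDF_MAGIC + b"1.7\n% constructed placeholder\n")
    return buf.getvalue()


if __name__ == "__main__":
    print("lure-shaped:", triage_archive(build_sample_archive()))
    print("benign:     ", triage_archive(build_benign_archive()))
```

The check is deliberately cheap (it reads only the first eight bytes of each member), so it can run on every inbound attachment at a mail gateway or in an EDR pipeline before any heavier sandboxing; a hit is a reason to quarantine and inspect the bundled binary, not proof of compromise on its own.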
Although Mandiant does not name the specific victims targeted in this campaign, researchers believe the hackers are likely aiming to reach senior- or manager-level employees.
“This suggests the threat actor aims to gain access to sensitive and confidential information typically restricted to higher-level employees,” researchers said. The hackers also tailor their malicious messages to better align with the victim’s profile, they added.
Daryna Antoniuk
is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.