North Korea Goes Full AI While Windows Notepad Becomes an Attack Vector
I’ve been tracking some particularly interesting developments this week that show just how creative threat actors are getting. From North Korean hackers using deepfakes to infiltrate crypto companies to a Windows Notepad vulnerability that caught everyone off guard, we’re seeing attack methods that would have seemed like science fiction just a few years ago.
When Your Video Call Isn’t Really a Video Call
The most fascinating story has to be North Korea’s UNC1069 group and their sophisticated campaign against cryptocurrency firms. These aren’t your typical phishing attempts – they’re using deepfake video calls to build trust with targets before deploying their payloads.
Here’s how it works: The attackers start by compromising legitimate Telegram accounts, then use those to reach out to employees at Web3 companies. They’ll suggest moving to a video call, but instead of showing up themselves, they use deepfake technology to impersonate someone trustworthy. Once they’ve established that relationship, they deploy what’s called a “ClickFix” attack – essentially tricking the victim into running malicious code under the guise of fixing a technical issue.
What makes this particularly clever is the psychological aspect. We’ve all been trained to be suspicious of text-based communications, but a video call feels more legitimate. The fact that they’re using AI to generate convincing fake video adds a whole new layer of sophistication that most organizations aren’t prepared for.
The campaign combines multiple attack vectors including stolen accounts, fake video calls, and traditional malware deployment. It’s a good reminder that we need to start thinking about identity verification in video calls, especially for sensitive business discussions.
Notepad: The Unexpected Attack Surface
Meanwhile, Microsoft quietly patched what might be one of the most unexpected vulnerabilities I’ve seen in a while. Windows 11 Notepad – yes, the simple text editor we’ve all used for decades – had a remote code execution flaw that allowed attackers to run programs through specially crafted Markdown links.
The vulnerability worked by bypassing Windows security warnings entirely. An attacker could craft a Markdown link that, when clicked in Notepad, would execute local or remote programs without showing the user any indication that something dangerous was happening. Microsoft has since patched this issue, but it’s a perfect example of how attack surfaces can exist in the most mundane applications.
This reminds me why we need to think beyond the obvious targets. Everyone focuses on browsers, email clients, and network services, but simple utilities like Notepad can become vectors too. It’s particularly concerning because users don’t expect security risks from basic text editors, making them more likely to click without thinking twice.
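As a defensive illustration of the class of link the Notepad story describes (an added example, not code from the article or from Microsoft), the script below scans a Markdown document and reports link targets that are not ordinary web or mail links: file: URLs, custom URI schemes, UNC paths and local drive paths. The allowlist of schemes, the three link forms it recognises and the sample document are this example's own assumptions; it flags targets for a reviewer rather than deciding what any particular editor would do with them.

```python
import re
from typing import Optional
from urllib.parse import urlsplit

# Schemes a documentation link is expected to carry. Anything else (file:,
# or an unfamiliar custom scheme a local handler may be registered for) is
# reported for review. The allowlist is this example's assumption.
ALLOWED_SCHEMES = {"http", "https", "mailto"}

# Three Markdown link forms: inline [text](target "title"),
# reference definitions [id]: target, and autolinks <scheme:...>.
INLINE_LINK = re.compile(r"\[[^\]]*\]\(\s*<?([^)\s>]+)>?(?:\s+\"[^\"]*\")?\s*\)")
REF_DEF = re.compile(r"^\s{0,3}\[[^\]]+\]:\s*<?([^\s>]+)>?")
AUTOLINK = re.compile(r"<([A-Za-z][A-Za-z0-9+.\-]*:[^>\s]*)>")


def classify_target(target: str) -> Optional[str]:
    """Return a short reason if the target is not a plain web/mail link
    or a relative path, else None."""
    t = target.strip()
    if t.startswith("\\\\") or t.startswith("//"):
        return "UNC/network path"
    if re.match(r"^[A-Za-z]:[\\/]", t):
        return "local drive path"
    scheme = urlsplit(t).scheme.lower()
    if not scheme:
        return None  # relative link such as ./README.md or #section
    if scheme not in ALLOWED_SCHEMES:
        return f"non-web scheme '{scheme}'"
    return None


def scan_markdown(text: str) -> list:
    """Scan Markdown text and return findings as dicts carrying the
    1-based line number, the raw link target and the reason flagged."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        targets = []
        targets += INLINE_LINK.findall(line)
        targets += REF_DEF.findall(line)
        targets += AUTOLINK.findall(line)
        seen = set()
        for target in targets:
            if target in seen:
                continue
            seen.add(target)
            reason = classify_target(target)
            if reason:
                findings.append({"line": line_no, "target": target, "reason": reason})
    return findings


# Constructed sample document (not from the article) mixing ordinary links
# with the kinds of targets a reviewer would want to look at before clicking.
SAMPLE = """# Release notes
See [the docs](https://example.com/docs) or [contact us](mailto:security@example.com).
Rendering broken? Click [here to fix it](file:///C:/Tools/update.exe).
Shared drive copy: [report](\\\\fileserver\\share\\report.docx)
[home]: ./index.md
[tool]: customscheme://launch
Plain autolink: <https://example.com/ok>
"""

if __name__ == "__main__":
    for f in scan_markdown(SAMPLE):
        print(f"line {f['line']}: {f['reason']}: {f['target']}")
```

Run against the sample it reports lines 3, 4 and 6 and stays quiet on the https, mailto and relative links. Pointing it at a directory of .md files received by mail or from a shared drive gives a quick triage list; the "fix it by clicking here" wording on line 3 is exactly the ClickFix-style lure the article describes, so the scanner is most useful combined with a reader who asks why a text document links to an executable at all.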
The First Malicious Outlook Add-In in the Wild
Speaking of unexpected attack vectors, researchers discovered what appears to be the first known malicious Microsoft Outlook add-in being used in active attacks. This is a supply chain attack with a twist – the attackers claimed the domain of an abandoned legitimate add-in and used it to serve fake Microsoft login pages.
The attack was remarkably effective, stealing over 4,000 credentials. What’s particularly sneaky about this approach is that users were already familiar with the add-in, so they didn’t question its legitimacy. When the fake login prompt appeared, it seemed like normal behavior.
This highlights a gap in how we think about add-in security. Most organizations have policies around installing new software, but add-ins often fly under the radar. We need better visibility into what add-ins are installed across our environments and mechanisms to detect when legitimate add-ins get compromised or hijacked.
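One concrete piece of the visibility the paragraph asks for is knowing which hostnames each installed add-in actually loads from, since a hijacked add-in shows up as a domain the vendor never used. The script below (an added example, not the article's code or Microsoft's tooling) parses an Office add-in XML manifest, collects every http(s) hostname it references and compares them with the hosts you expect for that vendor. The manifest is a constructed, cut-down sample using the real Office add-in element names; the hostnames and the expected-host set are placeholders.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed, cut-down Outlook add-in manifest (not the add-in from the
# article). Element names follow the Office add-in manifest schema; the
# hostnames are placeholders. Note that the task pane and one AppDomain
# point at a host other than the vendor's usual one.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="UTF-8"?>
<OfficeApp xmlns="http://schemas.microsoft.com/office/appforoffice/1.1"
           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
           xmlns:bt="http://schemas.microsoft.com/office/officeappbasictypes/1.0"
           xsi:type="MailApp">
  <Id>00000000-0000-0000-0000-000000000000</Id>
  <Version>1.2.0.0</Version>
  <ProviderName>Example Vendor</ProviderName>
  <DefaultLocale>en-US</DefaultLocale>
  <DisplayName DefaultValue="Example Mail Helper"/>
  <Description DefaultValue="Constructed sample manifest"/>
  <IconUrl DefaultValue="https://addin.example-vendor.test/icon.png"/>
  <AppDomains>
    <AppDomain>https://addin.example-vendor.test</AppDomain>
    <AppDomain>https://login.example-vendor-helper.test</AppDomain>
  </AppDomains>
  <Hosts><Host Name="Mailbox"/></Hosts>
  <FormSettings>
    <Form xsi:type="ItemRead">
      <DesktopSettings>
        <SourceLocation DefaultValue="https://login.example-vendor-helper.test/taskpane.html"/>
        <RequestedHeight>250</RequestedHeight>
      </DesktopSettings>
    </Form>
  </FormSettings>
  <Permissions>ReadWriteItem</Permissions>
</OfficeApp>
"""


def manifest_hosts(manifest_xml: str) -> set:
    """Collect every hostname the manifest would make Outlook load from.
    Walks all elements and takes any attribute value or element text
    that parses as an http(s) URL (SourceLocation/IconUrl DefaultValue,
    bt:Url DefaultValue, AppDomain text, and so on)."""
    root = ET.fromstring(manifest_xml.encode("utf-8"))
    hosts = set()
    for el in root.iter():
        candidates = list(el.attrib.values())
        if el.text and el.text.strip():
            candidates.append(el.text.strip())
        for value in candidates:
            parts = urlsplit(value)
            if parts.scheme in ("http", "https") and parts.hostname:
                hosts.add(parts.hostname.lower())
    return hosts


def audit_manifest(manifest_xml: str, expected_hosts: set) -> dict:
    """Compare the manifest's hosts with the set you expect for this
    vendor and return both the full list and the unexpected ones."""
    found = manifest_hosts(manifest_xml)
    return {
        "hosts": sorted(found),
        "unexpected": sorted(found - {h.lower() for h in expected_hosts}),
    }


if __name__ == "__main__":
    # Expected-host set is this example's assumption for the placeholder vendor.
    result = audit_manifest(SAMPLE_MANIFEST, {"addin.example-vendor.test"})
    print("hosts referenced:", result["hosts"])
    print("unexpected hosts:", result["unexpected"])
```

Taking the whole-document approach rather than looking up specific elements keeps the audit working across manifest variants and VersionOverrides sections. The "unexpected" list is the manual follow-up: for each host, check who owns the domain today and whether it is still the vendor, which is the question the abandoned-domain takeover in the story would have failed.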
SSH Worms Are Still a Thing
On the infrastructure side, there’s been analysis of a particularly fast-moving SSH worm that can propagate through networks in as little as four seconds. The self-propagating malware uses cryptographically signed command and control communications, making it harder to detect and block.
SSH worms aren’t new, but the speed of this one is concerning. Four seconds from initial compromise to lateral movement doesn’t give most monitoring systems enough time to detect and respond. It’s a good reminder that we need to have proper network segmentation and SSH key management in place before an incident occurs.
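A four-second hop does leave one signal that is cheap to watch for centrally: a single source address producing accepted SSH logins on several distinct hosts within a few seconds. The script below (an added example, not from the linked analysis) parses forwarded sshd "Accepted" lines and raises an alert when one source reaches at least a configurable number of hosts inside a short window. The log lines are constructed in rsyslog's ISO-timestamp format; the window and host threshold are this example's assumptions and will need tuning per environment.

```python
import re
from collections import defaultdict
from datetime import datetime

# sshd "Accepted" lines as forwarded to a collector in rsyslog's
# ISO-timestamp format: "<ts> <host> sshd[pid]: Accepted <method> for <user>
# from <src> port <n> ...". Failed attempts are deliberately ignored here:
# the fan-out signal is about successful logins, as with a worm carrying
# valid keys.
ACCEPTED = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: Accepted (?P<method>\w+) "
    r"for (?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_accepted(lines):
    """Return dicts for every accepted-login line; other lines are skipped."""
    events = []
    for line in lines:
        m = ACCEPTED.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m.group("ts")),
            "host": m.group("host"),
            "user": m.group("user"),
            "src": m.group("src"),
        })
    return events


def detect_fanout(lines, window_seconds=10, min_hosts=3):
    """Flag each source address that logged in to at least `min_hosts`
    distinct hosts within `window_seconds`. One alert per source, at the
    first window where the threshold is crossed."""
    by_src = defaultdict(list)
    for e in parse_accepted(lines):
        by_src[e["src"]].append(e)
    alerts = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            hosts = set()
            for e in evs[i:]:
                if (e["ts"] - first["ts"]).total_seconds() > window_seconds:
                    break
                hosts.add(e["host"])
            if len(hosts) >= min_hosts:
                alerts.append({"source": src, "start": first["ts"].isoformat(),
                               "hosts": sorted(hosts)})
                break
    return alerts


# Constructed sample (not from the article): one source reaches four hosts
# in three seconds, a second source is an ordinary admin logging in twice
# half an hour apart, and one failed attempt should be ignored.
SAMPLE_LOG = """2024-01-12T10:00:00+00:00 web01 sshd[2201]: Accepted publickey for deploy from 10.0.0.5 port 51230 ssh2: ED25519 SHA256:placeholder
2024-01-12T10:00:01+00:00 web02 sshd[2410]: Accepted publickey for deploy from 10.0.0.5 port 51231 ssh2
2024-01-12T10:00:02+00:00 db01 sshd[3012]: Accepted publickey for deploy from 10.0.0.5 port 51232 ssh2
2024-01-12T10:00:03+00:00 cache01 sshd[1190]: Accepted publickey for deploy from 10.0.0.5 port 51233 ssh2
2024-01-12T10:00:04+00:00 web01 sshd[2202]: Failed password for invalid user admin from 203.0.113.9 port 40000 ssh2
2024-01-12T10:05:00+00:00 web02 sshd[2411]: Accepted publickey for alice from 10.0.0.20 port 51300 ssh2
2024-01-12T10:30:00+00:00 db01 sshd[3013]: Accepted publickey for alice from 10.0.0.20 port 51301 ssh2
"""

if __name__ == "__main__":
    for a in detect_fanout(SAMPLE_LOG.splitlines()):
        print(f"{a['start']}: {a['source']} reached {len(a['hosts'])} hosts: {', '.join(a['hosts'])}")
```

Configuration-management and orchestration hosts legitimately fan out like this, so in practice the source list gets an allowlist for them and the alert is most interesting for an ordinary workstation or web server suddenly behaving like one. The point of the example is that the detection needs the logs centralised before the incident; four seconds is not enough time to go looking for them afterwards.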
What This Means for Us
These stories share a common thread: attackers are finding success in places we don’t expect. Whether it’s using AI to make social engineering more convincing, exploiting simple text editors, or hijacking abandoned software domains, the creativity is impressive and concerning.
The North Korean deepfake campaign in particular represents a new category of threat that most security awareness training doesn’t address. We’re going to need to start teaching people to verify identities even in video calls, which feels surreal to say.
For immediate action items, I’d suggest reviewing your add-in policies, making sure Notepad is updated across your Windows 11 systems, and having conversations with teams that handle cryptocurrency or blockchain technologies about these new social engineering techniques.
Sources
- Four Seconds to Botnet - Analyzing a Self Propagating SSH Worm
- Windows 11 Notepad flaw let files execute silently via Markdown links
- North Korea’s UNC1069 Hammers Crypto Firms With AI
- First Malicious Outlook Add-In Found Stealing 4,000+ Microsoft Credentials
- North Korean Hackers Use Deepfake Video Calls to Target Crypto Firms