Targeted Deception Campaigns
A state-sponsored threat group linked to North Korea has been running four distinct spear-phishing campaigns in the first half of 2025. The operation targets corporate recruiters, cryptocurrency investors, defense officials, and graduate school administrators. Each campaign uses a different lure, such as fake resumes, business cards, Solana meme coin content, or defense competition documents, to trick victims into opening malicious files.
The attackers show a high degree of sophistication. They route their command-and-control traffic through trusted platforms like GitHub raw APIs, Microsoft CDN, and VSCode tunnels. This blending with normal internet traffic makes detection by reputation-based security tools more difficult. Each victim is tracked using unique identifiers, IP addresses, and MAC addresses, indicating a personalized approach.
Attack Execution and Defense Evasion
Within five minutes of a victim opening the bait file, the malware begins aggressive defense evasion. It disables Windows User Account Control, registers exceptions in Windows Defender, and installs itself into the Task Scheduler for persistence across reboots. The attack flow consistently displays a decoy document while silently dropping a malicious payload, then securing a remote control channel.
Analysts at LogPresso noted that blocking based on individual indicators of compromise has clear limitations. Defenders need behavior-based detection that covers the entire attack chain to catch these intrusions. The group has shown an ability to adapt lures quickly while maintaining a consistent technical playbook.
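As an added illustration of the chain-based detection LogPresso recommends (example code written here, not the analysts' or the article's own), the script below correlates endpoint telemetry for the three evasion steps described above against a five-minute window after a document is opened. The log layout, host names and field names are assumptions; the registry locations are the standard Windows ones for UAC and Defender exclusions, and a host with only one of the steps (a lone scheduled task) is deliberately not flagged.

```python
# Added example: behaviour-chain correlation instead of single-IoC matching.
import re
from datetime import datetime, timedelta

# One regex per chain stage; the "ts host=... proc=/reg_set ..." layout is invented.
STAGES = {
    "lure_opened": re.compile(r"proc=WINWORD\.EXE .*cmdline=.*\.(docx?|lnk)\b"),
    "uac_disabled": re.compile(r"reg_set .*\\Policies\\System\\EnableLUA value=0"),
    "defender_exclusion": re.compile(r"reg_set .*\\Windows Defender\\Exclusions\\"),
    "sched_task": re.compile(r"proc=schtasks\.exe .*cmdline=.*/create\b"),
}
REQUIRED = {"uac_disabled", "defender_exclusion", "sched_task"}
WINDOW = timedelta(minutes=5)  # the article's "within five minutes"
LINE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) (?P<body>.*)$")

def parse(line):
    """Map one raw line to (timestamp, host, stage), or None if uninteresting."""
    m = LINE.match(line)
    if not m:
        return None
    for stage, pat in STAGES.items():
        if pat.search(m["body"]):
            return datetime.fromisoformat(m["ts"]), m["host"], stage
    return None

def detect_chains(lines):
    """{host: [stages in time order]} where every REQUIRED stage follows a lure open within WINDOW."""
    events = sorted(e for e in map(parse, lines) if e)
    hits = {}
    for t0, host, stage in events:
        if stage != "lure_opened":
            continue
        chain = [(t, s) for t, h, s in events
                 if h == host and s in REQUIRED and t0 <= t <= t0 + WINDOW]
        if {s for _, s in chain} == REQUIRED:  # a lone step never fires
            hits[host] = [s for _, s in chain]
    return hits

# Constructed telemetry: WS-HR-07 shows the full chain; WS-FIN-02 only
# creates an ordinary scheduled task after opening a document.
SAMPLE = r"""
2025-03-04T09:00:02 host=WS-HR-07 proc=WINWORD.EXE cmdline="C:\Users\hr\Downloads\resume.docx"
2025-03-04T09:01:10 host=WS-HR-07 reg_set key=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA value=0
2025-03-04T09:01:15 host=WS-HR-07 reg_set key=HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\hr\AppData\Local\Temp value=0
2025-03-04T09:02:40 host=WS-HR-07 proc=schtasks.exe cmdline="schtasks /create /tn Updater /sc onlogon /tr C:\Users\hr\AppData\Local\Temp\u.exe"
2025-03-04T09:30:00 host=WS-FIN-02 proc=WINWORD.EXE cmdline="C:\Users\fin\Documents\budget.docx"
2025-03-04T09:31:00 host=WS-FIN-02 proc=schtasks.exe cmdline="schtasks /create /tn Backup /sc daily /tr C:\backup.bat"
""".strip().splitlines()
```

Running `detect_chains(SAMPLE)` flags only WS-HR-07; moving its task creation outside the five-minute window drops the alert, which is the point of correlating on the whole chain rather than any single indicator.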
Source: Cyber Security News
