A campaign by government-backed actors in North Korea is believed to be using zero-day exploits to target security researchers working on vulnerability research and development.

Google's Threat Analysis Group (TAG) said it has been tracking the campaign since January 2021 and has recently found a zero-day exploit being used in it.

"TAG is aware of at least one actively exploited 0-day being used to target security researchers in the past several weeks," said the threat-hunting arm of Google. "The vulnerability has been reported to the affected vendor and is in the process of being patched."

TAG has released an early notification to warn security researchers of its initial findings and says that it continues to analyze the DPRK-backed campaign.

The campaign targets security researchers

North Korean threat actors used social media sites such as X (formerly Twitter) to build rapport with their targets, according to TAG.

"In one case, they carried on a months-long conversation, attempting to collaborate with a security researcher on topics of mutual interest," TAG said. "After initial contact via X, they moved to an encrypted messaging app such as Signal, WhatsApp or Wire."

After establishing a connection with the targeted researcher, the threat actors sent a malicious file that included at least one zero-day in a widely used software package, which Google refrained from naming in the notification.

Once exploitation succeeds, the shellcode performs a series of anti-virtual-machine checks and then sends collected information and screenshots back to an attacker-controlled command-and-control (C2) domain.

The attack has a secondary infection vector

Apart from the zero-day exploits, the threat actors also plant a standalone Windows tool they developed to download debugging symbols and critical program metadata from Microsoft, Google, Mozilla and Citrix symbol servers.

"On the surface, this tool appears to be a useful utility for quickly and easily downloading symbol information from a number of different sources," TAG said. "The source code for this tool was first published on GitHub on September 30, 2022, with several updates being released since."

Symbol servers provide additional information about a binary that can be helpful when debugging software issues or while conducting vulnerability research. The tool also has the ability to download and execute arbitrary code from an attacker-controlled domain, TAG added.