North Korean Hackers Leave Telltale Signs While Stealing Data Through Social Engineering

Technology
By Im Hye-rin
Seoul Economic Daily Technology News from South Korea

North Korea-linked hacking groups are rapidly advancing their cyberattack methods, ranging from psychological warfare through social media to AI-assisted fake job applications for infiltrating companies. The attacks are evolving to exploit human trust and penetrate organizations from within rather than directly targeting technical vulnerabilities, requiring heightened vigilance.

According to the security industry on January 13, Genians Security Center and Group-IB each released reports analyzing the latest attack patterns of North Korea-linked threat groups.

Genians' analysis found that the North Korea-linked group APT37 has been conducting attacks that build rapport with targets on Facebook before distributing malware. The group approached targets using accounts posing as North Korean defectors, naturally building relationships before moving conversations to Telegram to lower their targets' guard.

The attackers then used tactics such as offering to provide "encrypted military weapons documents" while tricking victims into installing a fake PDF viewer. This "pretexting" tactic deceives targets through false scenarios, and the files victims installed were confirmed to be malicious software disguised as legitimate programs.

To avoid suspicion, the attackers exploited the Seoul branch website of a Japanese real estate information service as a command-and-control (C2) server. They also established a multi-stage structure that disguised malicious files as image files (JPG) to execute follow-up commands.

During the attacks, North Korean-style foreign word spellings such as "콤퓨터" (computer) and "프로그람" (program) were discovered, and stolen information was found to have been exfiltrated through Zoho WorkDrive, a legitimate cloud service.
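A small file-triage check for the telltale signs described above (a file named .jpg that does not start with JPEG magic bytes, North Korean loanword spellings in its contents, and a reference to the cloud service used for exfiltration), added here as an example; it is not code from the original article or from Genians, and the sample files and the Zoho hostname fragment are constructed assumptions rather than indicators from the reports.

```python
# Indicators drawn from the reporting above. The North Korean spellings are
# mapped to the South Korean standard form so an analyst can see the difference.
NK_SPELLINGS = {"콤퓨터": "컴퓨터", "프로그람": "프로그램"}
# Assumption: hostname fragment for Zoho WorkDrive; the article names the service,
# not the exact host, so this is a constructed value.
EXFIL_HOSTS = ("workdrive.zoho",)
JPEG_MAGIC = b"\xff\xd8\xff"


def jpg_extension_mismatch(name: str, data: bytes) -> bool:
    """True when a file carries a .jpg/.jpeg name but is not JPEG data."""
    return name.lower().endswith((".jpg", ".jpeg")) and not data.startswith(JPEG_MAGIC)


def find_nk_spellings(text: str) -> list:
    """Return North Korean-style spellings present in the text, in dict order."""
    return [word for word in NK_SPELLINGS if word in text]


def triage(name: str, data: bytes) -> list:
    """Collect human-readable findings for one file; an empty list means clean."""
    findings = []
    if jpg_extension_mismatch(name, data):
        findings.append(f"{name}: .jpg name but content starts with {data[:4].hex()}")
    # Decode loosely so binary files with embedded strings are still searched.
    text = data.decode("utf-8", errors="ignore")
    for word in find_nk_spellings(text):
        findings.append(f"{name}: North Korean spelling '{word}' (standard: '{NK_SPELLINGS[word]}')")
    for host in EXFIL_HOSTS:
        if host in text:
            findings.append(f"{name}: references exfiltration service host '{host}'")
    return findings


# Constructed sample files: a benign JPEG header and a disguised file that
# embeds Korean strings and a cloud host reference.
SAMPLES = {
    "vacation.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,
    "report.jpg": b"MZ\x90\x00" + "콤퓨터 프로그람 files.workdrive.zoho.com".encode("utf-8"),
}

if __name__ == "__main__":
    for filename, content in SAMPLES.items():
        for finding in triage(filename, content) or [f"{filename}: no findings"]:
            print(finding)
```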

Genians Security Center emphasized that social engineering attacks exploiting user trust rather than technical vulnerabilities are on the rise, urging strict adherence to security protocols regarding non-work-related contacts through social media and receiving files from unverified sources.

Meanwhile, Group-IB reported detecting cases of North Korean IT workers using AI tools to gain fraudulent employment at global companies. According to the report, these operatives attempted to access company systems by bypassing existing security controls using synthetic identities, AI-based job applications, and various digital platforms.

The investigation revealed they had established an ecosystem of fake developer organizations operating on GitHub, freelancer marketplaces, and portfolio sites. Their activities were traced back to at least 2012 and continued through March of this year.

These operatives evaded tracking by reusing a single developer persona repeatedly, or adapting it for different purposes, keeping the technical profile intact while changing only the personal history. They also used generative AI to create convincing job applications and communicate naturally with employers.

The discovery of a "synthetic identity package repository" containing systematic employment procedures revealed that the operation was being run at an industrialized scale rather than by individuals.

Group-IB noted that this threat extends beyond simple IT security issues. Companies that unknowingly hire North Korea-linked personnel could face legal risks including violations of international sanctions.

The security industry emphasized that as cyberattacks shift from technology-focused to human-focused approaches, both individuals and companies must raise their level of vigilance.

AI-translated from Korean. Quotes from foreign sources are based on Korean-language reports and may not reflect exact original wording.