HomeWinBuzzer NewsMicrosoft APT: North Korean Lazarus Threat Group Targeting Social Media Accounts

Microsoft APT: North Korean Lazarus Threat Group Targeting Social Media Accounts

Microsoft APT says a threat group is using social media for a phishing campaign that uses bogus job posts to trick workers.


Advanced Persistent Threat (APT) research group and Microsoft Threat Intelligence Center (MSTIC) are warning users that hackers are using vulnerable open source solutions and fake accounts to infiltrate organizations and install malware.

To trick IT and software staff, the threat actors are using fake job posts that entice people. In some ways, the hack preys on employment mobility in tech and business.

Microsoft APT says the phishing attack is being perpetrated by a group with links to the North Korea military. It is worth noting this is the same group that was behind the infamous Sony Pictures Entertainment hack of 2014.

Adding to the warning, the Microsoft Threat Intelligence Center (MSTIC) says the group uses Sumatra PDF Reader, KiTTY, muPDF/Subliminal Recording, TightVNC, and PuTTY to carry the malware.

In a blog post, MSTIC says these attacks have been ongoing since April.

The group – best known as Lazarus but also called ZINC by Microsoft – is known for spear-phishing campaigns. For example, Cloud Mandiant threat analysis has also been tracking such attacks since July.

“Microsoft researchers have observed spear-phishing as a primary tactic of ZINC actors, but they have also been observed using strategic website compromises and social engineering across social media to achieve their objectives,” MSTIC points out.

“ZINC targets employees of companies it's attempting to infiltrate and seeks to coerce these individuals into installing seemingly benign programs or opening weaponized documents that contain malicious macros. Targeted attacks have also been carried out against security researchers over and LinkedIn.”

Targeting Social Media

Security teams within Microsoft's LinkedIn have seen the group create fake profiles on the business social network. The goal of these profiles is to mimic business recruiters for various sectors and pretend to be offering jobs.

Targets who interact with LinkedIn and other networks such as that the group uses are taken off those platforms. This is where links are provided loaded with malware. As well as LinkedIn and WhatsApp, the group has also been spotted on , Discord, Twitter, Telegram, and via emails.

LinkedIn's Threat Prevention and Defense team says it shut down the fake accounts:.

“Targets received outreach tailored to their profession or background and were encouraged to apply for an open position at one of several legitimate companies. In accordance with their policies, for accounts identified in these attacks, LinkedIn quickly terminated any accounts associated with inauthentic or fraudulent behavior.”

Tip of the day: Having problems with pop-ups and unwanted programs in Windows? Try the hidden adware blocker of Windows Defender. We show you how to turn it on in just a few steps.

Luke Jones
Luke Jones
Luke has been writing about all things tech for more than five years. He is following Microsoft closely to bring you the latest news about Windows, Office, Azure, Skype, HoloLens and all the rest of their products.

Recent News