OSINT - New campaign targeting security researchers
AI Analysis
Technical Summary
This threat describes a new campaign targeting security researchers through OSINT (Open Source Intelligence) techniques. The campaign involves creating fake social media profiles, pages, and groups to build credible social network personas. These personas are then used to conduct social engineering attacks aimed at deceiving security researchers. The attackers leverage misinformation patterns to manipulate targets into divulging sensitive information or performing actions that compromise their security posture. The record notes external analysis and network activity associated with payload delivery, but no specific payload details or exploits in the wild have been reported. The campaign's technical details indicate a moderate threat level and analysis rating, with no direct vulnerabilities or software exploits involved. The campaign relies on psychological manipulation and trust exploitation rather than technical vulnerabilities, making it a sophisticated social engineering threat vector.
Potential Impact
For European organizations, especially those involved in cybersecurity research and defense, this campaign poses a significant risk to confidentiality and operational security. Security researchers targeted by these fake personas may inadvertently disclose sensitive research data, internal methodologies, or credentials, which could be leveraged by threat actors for further attacks or espionage. The campaign could also lead to reputational damage if compromised researchers unknowingly propagate misinformation or become vectors for malware delivery. Given the reliance on social engineering, the threat can bypass traditional technical defenses, making it particularly dangerous for organizations that do not have strong awareness and training programs. Additionally, the campaign could disrupt collaborative research efforts and trust within the European infosec community, potentially hindering collective defense initiatives.
Mitigation Recommendations
European organizations should implement targeted countermeasures beyond generic advice. Enhance security awareness training specifically focused on recognizing sophisticated social engineering tactics, including the identification of fake social media personas and misinformation campaigns. Encourage verification of new contacts through multiple channels before sharing sensitive information. Employ OSINT tools and threat intelligence platforms to monitor for suspicious social media activity related to the organization or its researchers. Implement strict policies on information sharing and social media use among security teams. Use multi-factor authentication and robust access controls to limit the impact of any potential credential compromise. Regularly review and update incident response plans to include scenarios involving social engineering and misinformation. Collaboration with trusted cybersecurity communities and sharing indicators of compromise can also help in early detection and mitigation of such campaigns.
Affected Countries
United Kingdom, Germany, France, Netherlands, Sweden, Finland
Indicators of Compromise
Source report:
- link: https://blog.google/threat-analysis-group/new-campaign-targeting-security-researchers/
C2 domains (attacker-owned):
- domain: angeldonationblog.com
- domain: codevexillium.org
- domain: investbooking.de
- domain: krakenfolio.com
- domain: opsonew3org.sg
- domain: transferwiser.io
- domain: transplugin.io
C2 domains (legitimate but compromised):
- domain: trophylab.com
- domain: www.colasprint.com
- domain: www.dronerc.it
- domain: www.edujikim.com
- domain: www.fabioluciani.com
C2 URLs:
- url: https://angeldonationblog.com/image/upload/upload.php
- url: https://codevexillium.org/image/download/download.asp
- url: https://investbooking.de/upload/upload.asp
- url: https://transplugin.io/upload/upload.asp
- url: https://www.dronerc.it/forum/uploads/index.php
- url: https://www.dronerc.it/shop_testbr/Core/upload.php
- url: https://www.dronerc.it/shop_testbr/upload/upload.php
- url: https://www.edujikim.com/intro/blue/insert.asp
- url: https://www.fabioluciani.com/es/include/include.asp
- url: http://trophylab.com/notice/images/renewal/upload.asp
- url: http://www.colasprint.com/_vti_log/upload.asp
Host artifacts (file paths):
- file: %WINDIR%\System32\Nwsapagent.sys
- file: %WINDIR%\System32\helpsvc.sys
- file: %ALLUSERSPROFILE%\USOShared\uso.bin
- file: %ALLUSERSPROFILE%\VMware\vmnat-update.bin
- file: %ALLUSERSPROFILE%\VirtualBox\update.bin
LinkedIn accounts:
- url: https://www.linkedin.com/in/billy-brown-a6678b1b8/
- url: https://www.linkedin.com/in/guo-zhang-b152721bb/
- url: https://www.linkedin.com/in/hyungwoo-lee-6985501b9/
- url: https://www.linkedin.com/in/linshuang-li-aa696391bb/
- url: https://www.linkedin.com/in/rimmer-trajan-2806b21bb/
Text indicators:
- text: Over the past several months, the Threat Analysis Group has identified an ongoing campaign targeting security researchers working on vulnerability research and development at different companies and organizations. The actors behind this campaign, which we attribute to a government-backed entity based in North Korea, have employed a number of means to target researchers which we will outline below. We hope this post will remind those in the security research community that they are targets to government-backed attackers and should remain vigilant when engaging with individuals they have not previously interacted with. In order to build credibility and connect with security researchers, the actors established a research blog and multiple Twitter profiles to interact with potential targets. They've used these Twitter profiles for posting links to their blog, posting videos of their claimed exploits and for amplifying and retweeting posts from other accounts that they control.
- text: zhangguo
- text: james50d
File samples (each row groups the MD5, SHA-1 and SHA-256 of one sample as listed in the record, with the VirusTotal analysis time and detection ratio at that time):
MD5 | SHA-1 | SHA-256 | Analysis time (UTC) | Detections | VirusTotal link
---|---|---|---|---|---
b52e05683b15c6ad56cebea4a5a54990 | baf97d3b9095911fb7c9c8d7152fdc32ca7b33aa | 68e6b9d71c727545095ea6376940027b61734af5c710b2985a628131e47c6af7 | 2021-01-26T11:03:02+00:00 | 24/66 | https://www.virustotal.com/gui/file/68e6b9d71c727545095ea6376940027b61734af5c710b2985a628131e47c6af7/detection/f-68e6b9d71c727545095ea6376940027b61734af5c710b2985a628131e47c6af7-1611658982
56018500f73e3f6cf179d3b853c27912 | a3060a3efb9ac3da444ef8abc99143293076fe32 | 4c3499f3cc4a4fdc7e67417e055891c78540282dccc57e37a01167dfe351b244 | 2021-01-26T11:01:49+00:00 | 20/69 | https://www.virustotal.com/gui/file/4c3499f3cc4a4fdc7e67417e055891c78540282dccc57e37a01167dfe351b244/detection/f-4c3499f3cc4a4fdc7e67417e055891c78540282dccc57e37a01167dfe351b244-1611658909
ae17ce1eb59dd82f38efb9666f279044 | 3b3acb4a55ba8e2da36223ae59ed420f856b0aaf | a4fb20b15efd72f983f0fb3325c0352d8a266a69bb5f6ca2eba0556c3e00bd15 | 2021-01-26T11:04:20+00:00 | 18/66 | https://www.virustotal.com/gui/file/a4fb20b15efd72f983f0fb3325c0352d8a266a69bb5f6ca2eba0556c3e00bd15/detection/f-a4fb20b15efd72f983f0fb3325c0352d8a266a69bb5f6ca2eba0556c3e00bd15-1611659060
9e9f69ed56482fff18933c5ec8612063 | 4ff6c02140ab1daf217b6e01ec042460389e2e92 | 25d8ae4678c37251e7ffbaeddc252ae2530ef23f66e4c856d98ef60f399fa3dc | 2021-01-26T11:03:31+00:00 | 13/70 | https://www.virustotal.com/gui/file/25d8ae4678c37251e7ffbaeddc252ae2530ef23f66e4c856d98ef60f399fa3dc/detection/f-25d8ae4678c37251e7ffbaeddc252ae2530ef23f66e4c856d98ef60f399fa3dc-1611659011
f5475608c0126582081e29927424f338 | 8e88fd82378794a17a4211fbf2ee2506b9636b02 | a75886b016d84c3eaacaf01a3c61e04953a7a3adf38acf77a4a2e3a8f544f855 | 2021-01-26T11:03:46+00:00 | 15/70 | https://www.virustotal.com/gui/file/a75886b016d84c3eaacaf01a3c61e04953a7a3adf38acf77a4a2e3a8f544f855/detection/f-a75886b016d84c3eaacaf01a3c61e04953a7a3adf38acf77a4a2e3a8f544f855-1611659026
Technical Details
- Threat Level: 2
- Analysis: 2
- Uuid: e82f98b7-0734-44f9-99c4-1ac38805dbad
- Original Timestamp: 1611668896 (2021-01-26T13:48:16+00:00)
Threat ID: 682acdbebbaf20d303f0f230
Added to database: 5/19/2025, 6:20:46 AM
Last enriched: 7/2/2025, 7:10:05 AM
Last updated: 7/31/2025, 12:13:13 PM