OSINT - New campaign targeting security researchers
AI Analysis
Technical Summary
This entry is a MISP event (the "OSINT" prefix marks it as derived from an open-source report, not as an attack technique) covering the campaign that Google's Threat Analysis Group described in January 2021 and attributed to a government-backed actor based in North Korea. The actor built fake personas to approach researchers working on vulnerability research and exploit development: a research blog, multiple Twitter profiles that linked to the blog, posted videos of claimed exploits and amplified each other, LinkedIn profiles (five are listed in the indicators) and further account handles. Those personas were used for social engineering, with the goal of getting a target to engage and eventually to accept and run attacker-supplied content. The page does not describe the payload itself, but the indicator list is not limited to social-media artefacts: it contains seven attacker-owned and five legitimate-but-compromised C2 domains, eleven C2 upload/download URLs, five Windows file paths (two driver-style names under System32 and three .bin files under ProgramData folders that imitate VMware, VirtualBox and the Windows Update Session Orchestrator) and five samples whose VirusTotal detection on 2021-01-26 ranged from 13/70 to 24/66 engines. The MISP event carries threat level 2 (Medium) and analysis 2 (Completed). No software vulnerability is associated with the event; initial access relies on the trust built with the target rather than on an exploit.
Potential Impact
The targets are individuals doing vulnerability research and exploit development, so the confidentiality loss is specific: unpublished vulnerability details, proof-of-concept exploits, internal tooling and the credentials held on a researcher's workstation, all of which a state-backed actor can reuse directly. For European organisations in security research, product security and defence this is an espionage risk rather than a commodity-malware one. A compromised researcher machine can also become a foothold into the employer's network, and a persona that one researcher has accepted gains credibility with that researcher's contacts, which is how a campaign like this spreads through the community. Because the first contact is a plausible peer on Twitter or LinkedIn rather than a phishing e-mail, mail gateways and exploit mitigations never see it; the controls that matter are the researcher's own verification habits, isolation of anything received from outside, and detection of the host and network indicators in this entry.
Mitigation Recommendations
Treat unsolicited collaboration requests from unknown researchers as untrusted by default, even when the account has a blog, followers and plausible technical content, and verify new contacts out of band (a mutual acquaintance, a conference, an employer address) before exchanging anything. Open any project, sample or document received from outside in a disposable, isolated VM that holds no credentials and has no route to internal networks; never build or run a shared project on the host that stores research data. Hunt with the indicators on this page: block or alert on the C2 domains and URLs at the DNS and proxy layer, search endpoints for the five file paths and the listed hashes, and review rather than wholesale-block traffic to the five legitimate-but-compromised sites, since they are ordinary businesses that may have been cleaned up since January 2021. The samples had low VirusTotal detection at the time (13 to 24 of roughly 70 engines), so rely on path, domain and behavioural detections rather than on AV hash matches alone. Enforce phishing-resistant MFA and least privilege on researcher accounts so that a compromised workstation does not yield reusable credentials, keep the social-media and information-sharing policy for security staff explicit, add social-engineering-led intrusion to incident-response playbooks, and share sightings of these personas and indicators with trusted community channels so that others can act early.
Affected Countries
United Kingdom, Germany, France, Netherlands, Sweden, Finland
Technical Details
- Threat Level: 2 (MISP scale: Medium)
- Analysis: 2 (MISP scale: Completed)
- UUID: e82f98b7-0734-44f9-99c4-1ac38805dbad
- Original Timestamp: 1611668896 (2021-01-26T13:48:16Z)
Indicators of Compromise
Link
| Value | Description |
|---|---|
| https://blog.google/threat-analysis-group/new-campaign-targeting-security-researchers/ | Source report (Google TAG, January 2021) |
| https://www.virustotal.com/gui/file/68e6b9d71c727545095ea6376940027b61734af5c710b2985a628131e47c6af7/detection/f-68e6b9d71c727545095ea6376940027b61734af5c710b2985a628131e47c6af7-1611658982 | VirusTotal report for sample 1 |
| https://www.virustotal.com/gui/file/4c3499f3cc4a4fdc7e67417e055891c78540282dccc57e37a01167dfe351b244/detection/f-4c3499f3cc4a4fdc7e67417e055891c78540282dccc57e37a01167dfe351b244-1611658909 | VirusTotal report for sample 2 |
| https://www.virustotal.com/gui/file/a4fb20b15efd72f983f0fb3325c0352d8a266a69bb5f6ca2eba0556c3e00bd15/detection/f-a4fb20b15efd72f983f0fb3325c0352d8a266a69bb5f6ca2eba0556c3e00bd15-1611659060 | VirusTotal report for sample 3 |
| https://www.virustotal.com/gui/file/25d8ae4678c37251e7ffbaeddc252ae2530ef23f66e4c856d98ef60f399fa3dc/detection/f-25d8ae4678c37251e7ffbaeddc252ae2530ef23f66e4c856d98ef60f399fa3dc-1611659011 | VirusTotal report for sample 4 |
| https://www.virustotal.com/gui/file/a75886b016d84c3eaacaf01a3c61e04953a7a3adf38acf77a4a2e3a8f544f855/detection/f-a75886b016d84c3eaacaf01a3c61e04953a7a3adf38acf77a4a2e3a8f544f855-1611659026 | VirusTotal report for sample 5 |
Domain
| Value | Description |
|---|---|
| angeldonationblog.com | C2 domain: attacker-owned |
| codevexillium.org | C2 domain: attacker-owned |
| investbooking.de | C2 domain: attacker-owned |
| krakenfolio.com | C2 domain: attacker-owned |
| opsonew3org.sg | C2 domain: attacker-owned |
| transferwiser.io | C2 domain: attacker-owned |
| transplugin.io | C2 domain: attacker-owned |
| trophylab.com | C2 domain: legitimate but compromised |
| www.colasprint.com | C2 domain: legitimate but compromised |
| www.dronerc.it | C2 domain: legitimate but compromised |
| www.edujikim.com | C2 domain: legitimate but compromised |
| www.fabioluciani.com | C2 domain: legitimate but compromised |
Url
| Value | Description |
|---|---|
| https://angeldonationblog.com/image/upload/upload.php | C2 URL |
| https://codevexillium.org/image/download/download.asp | C2 URL |
| https://investbooking.de/upload/upload.asp | C2 URL |
| https://transplugin.io/upload/upload.asp | C2 URL |
| https://www.dronerc.it/forum/uploads/index.php | C2 URL |
| https://www.dronerc.it/shop_testbr/Core/upload.php | C2 URL |
| https://www.dronerc.it/shop_testbr/upload/upload.php | C2 URL |
| https://www.edujikim.com/intro/blue/insert.asp | C2 URL |
| https://www.fabioluciani.com/es/include/include.asp | C2 URL |
| http://trophylab.com/notice/images/renewal/upload.asp | C2 URL |
| http://www.colasprint.com/_vti_log/upload.asp | C2 URL |
| https://www.linkedin.com/in/billy-brown-a6678b1b8/ | LinkedIn account (actor persona) |
| https://www.linkedin.com/in/guo-zhang-b152721bb/ | LinkedIn account (actor persona) |
| https://www.linkedin.com/in/hyungwoo-lee-6985501b9/ | LinkedIn account (actor persona) |
| https://www.linkedin.com/in/linshuang-li-aa696391bb/ | LinkedIn account (actor persona) |
| https://www.linkedin.com/in/rimmer-trajan-2806b21bb/ | LinkedIn account (actor persona) |
File
| Value | Description |
|---|---|
| %WINDIR%\System32\Nwsapagent.sys | Host indicator |
| %WINDIR%\System32\helpsvc.sys | Host indicator |
| %ALLUSERSPROFILE%\USOShared\uso.bin | Host indicator |
| %ALLUSERSPROFILE%\VMware\vmnat-update.bin | Host indicator |
| %ALLUSERSPROFILE%\VirtualBox\update.bin | Host indicator |
The three .bin paths sit in ProgramData folders named after VMware, VirtualBox and the Windows Update Session Orchestrator (USOShared), and the two System32 names look like drivers; when hunting, match on the full path rather than on the file name alone, and treat a .bin file in those folders as suspect even if its hash differs from the samples below.
Hash
Each row is one sample; the three digests, the VirusTotal scan time and the detection ratio belong together (the scan time is the epoch suffix of the matching VirusTotal link).
| # | SHA-256 | SHA-1 | MD5 | VirusTotal scan (UTC) | Detections |
|---|---|---|---|---|---|
| 1 | 68e6b9d71c727545095ea6376940027b61734af5c710b2985a628131e47c6af7 | baf97d3b9095911fb7c9c8d7152fdc32ca7b33aa | b52e05683b15c6ad56cebea4a5a54990 | 2021-01-26T11:03:02 | 24/66 |
| 2 | 4c3499f3cc4a4fdc7e67417e055891c78540282dccc57e37a01167dfe351b244 | a3060a3efb9ac3da444ef8abc99143293076fe32 | 56018500f73e3f6cf179d3b853c27912 | 2021-01-26T11:01:49 | 20/69 |
| 3 | a4fb20b15efd72f983f0fb3325c0352d8a266a69bb5f6ca2eba0556c3e00bd15 | 3b3acb4a55ba8e2da36223ae59ed420f856b0aaf | ae17ce1eb59dd82f38efb9666f279044 | 2021-01-26T11:04:20 | 18/66 |
| 4 | 25d8ae4678c37251e7ffbaeddc252ae2530ef23f66e4c856d98ef60f399fa3dc | 4ff6c02140ab1daf217b6e01ec042460389e2e92 | 9e9f69ed56482fff18933c5ec8612063 | 2021-01-26T11:03:31 | 13/70 |
| 5 | a75886b016d84c3eaacaf01a3c61e04953a7a3adf38acf77a4a2e3a8f544f855 | 8e88fd82378794a17a4211fbf2ee2506b9636b02 | f5475608c0126582081e29927424f338 | 2021-01-26T11:03:46 | 15/70 |
Text
| Value | Description |
|---|---|
| Over the past several months, the Threat Analysis Group has identified an ongoing campaign targeting security researchers working on vulnerability research and development at different companies and organizations. The actors behind this campaign, which we attribute to a government-backed entity based in North Korea, have employed a number of means to target researchers which we will outline below. We hope this post will remind those in the security research community that they are targets to government-backed attackers and should remain vigilant when engaging with individuals they have not previously interacted with. In order to build credibility and connect with security researchers, the actors established a research blog and multiple Twitter profiles to interact with potential targets. They've used these Twitter profiles for posting links to their blog, posting videos of their claimed exploits and for amplifying and retweeting posts from other accounts that they control. | Excerpt from the Google TAG report |
| zhangguo | Account handle used by the actor (platform not given on this page) |
| james50d | Account handle used by the actor (platform not given on this page) |
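As an added example (not code from the original report, from Google TAG or from this page's source), the following Python sweeps constructed proxy-log lines and a constructed endpoint file inventory against the indicators above. It drops the www. prefix and matches subdomains, separates the attacker-owned domains (block on any contact) from the five legitimate-but-compromised sites (block the exact C2 URL, only review other traffic to them), and expands the %WINDIR% and %ALLUSERSPROFILE% placeholders from an assumed mapping so it runs outside Windows. The log format, the environment mapping and every sample row are assumptions.

```python
# IOC sweep for this page's indicators (added example, not code from Google TAG or
# from the report's source). Log format, env mapping and sample rows are constructed.
import re
from urllib.parse import urlsplit

# Network indicators from the Domain/Url tables above ("www." dropped).
ATTACKER_OWNED = {"angeldonationblog.com", "codevexillium.org", "investbooking.de",
                  "krakenfolio.com", "opsonew3org.sg", "transferwiser.io", "transplugin.io"}
COMPROMISED = {"trophylab.com", "colasprint.com", "dronerc.it", "edujikim.com",
               "fabioluciani.com"}  # legitimate sites hosting one planted C2 script
C2_URLS = {
    "https://angeldonationblog.com/image/upload/upload.php",
    "https://codevexillium.org/image/download/download.asp",
    "https://investbooking.de/upload/upload.asp",
    "https://transplugin.io/upload/upload.asp",
    "https://www.dronerc.it/forum/uploads/index.php",
    "https://www.dronerc.it/shop_testbr/Core/upload.php",
    "https://www.dronerc.it/shop_testbr/upload/upload.php",
    "https://www.edujikim.com/intro/blue/insert.asp",
    "https://www.fabioluciani.com/es/include/include.asp",
    "http://trophylab.com/notice/images/renewal/upload.asp",
    "http://www.colasprint.com/_vti_log/upload.asp",
}
# Host indicators from the File table, keeping the page's %VAR% placeholders.
FILE_PATHS = {r"%WINDIR%\System32\Nwsapagent.sys", r"%WINDIR%\System32\helpsvc.sys",
              r"%ALLUSERSPROFILE%\USOShared\uso.bin",
              r"%ALLUSERSPROFILE%\VMware\vmnat-update.bin",
              r"%ALLUSERSPROFILE%\VirtualBox\update.bin"}
# SHA-256 values from the Hash table; the SHA-1/MD5 values there can be added as-is.
HASHES = {"4c3499f3cc4a4fdc7e67417e055891c78540282dccc57e37a01167dfe351b244",
          "68e6b9d71c727545095ea6376940027b61734af5c710b2985a628131e47c6af7",
          "25d8ae4678c37251e7ffbaeddc252ae2530ef23f66e4c856d98ef60f399fa3dc",
          "a75886b016d84c3eaacaf01a3c61e04953a7a3adf38acf77a4a2e3a8f544f855",
          "a4fb20b15efd72f983f0fb3325c0352d8a266a69bb5f6ca2eba0556c3e00bd15"}
# Assumed placeholder expansion for a default English Windows install.
DEFAULT_ENV = {"WINDIR": r"C:\Windows", "ALLUSERSPROFILE": r"C:\ProgramData"}

def norm_host(host):
    """Lower-case, drop port, trailing dot and a leading 'www.'."""
    host = host.lower().split(":")[0].rstrip(".")
    return host[4:] if host.startswith("www.") else host

def norm_url(url):
    """Host plus case-folded path (the ASP/IIS paths above are case-insensitive)."""
    parts = urlsplit(url)
    return norm_host(parts.netloc) + parts.path.lower()

C2_URL_KEYS = {norm_url(u) for u in C2_URLS}

def classify_host(host):
    """'attacker-owned', 'compromised' or None; subdomains of an IOC also match."""
    h = norm_host(host)
    for kind, iocs in (("attacker-owned", ATTACKER_OWNED), ("compromised", COMPROMISED)):
        if any(h == d or h.endswith("." + d) for d in iocs):
            return kind
    return None

def check_url(url):
    """Exact C2 URL or any attacker-owned host -> block. Other paths on a
    compromised legitimate site -> review, since that site is a real business
    that may have been cleaned up since January 2021."""
    kind = classify_host(urlsplit(url).netloc)
    if kind is None:
        return None
    if norm_url(url) in C2_URL_KEYS:
        return ("block", "known C2 URL")
    if kind == "attacker-owned":
        return ("block", "attacker-owned domain")
    return ("review", "compromised legitimate site, non-IOC path")

LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")  # constructed "<time> <client> <url>"

def scan_proxy_log(lines):
    """(client, url, verdict, reason) for every line that touches an IOC host."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        verdict = check_url(m.group(3)) if m else None
        if verdict:
            hits.append((m.group(2), m.group(3)) + verdict)
    return hits

def expand_path(path, env):
    """Expand %VAR% from the mapping (not os.environ, so this runs anywhere)."""
    expanded = re.sub(r"%([^%]+)%", lambda m: env.get(m.group(1).upper(), m.group(0)), path)
    return expanded.replace("/", "\\").lower()

def scan_inventory(rows, env=DEFAULT_ENV):
    """rows: (path, hash) pairs from an EDR/file-inventory export. Path and hash
    are checked independently so a renamed sample and a repacked one both hit."""
    wanted = {expand_path(p, env) for p in FILE_PATHS}
    hits = []
    for path, digest in rows:
        reasons = [r for r, ok in (("IOC path", expand_path(path, env) in wanted),
                                   ("IOC hash", digest.lower() in HASHES)) if ok]
        if reasons:
            hits.append((path, reasons))
    return hits

# Constructed samples: a real C2 URL, a benign page on the same compromised site,
# a subdomain of an attacker-owned domain, noise; then two host hits and a clean file.
SAMPLE_LOG = [
    "2021-01-27T09:12:01Z 10.1.2.3 https://www.dronerc.it/shop_testbr/Core/upload.php",
    "2021-01-27T09:12:05Z 10.1.2.3 https://dronerc.it/forum/index.php",
    "2021-01-27T09:13:40Z 10.1.2.7 https://cdn.transplugin.io/lib.js",
    "2021-01-27T09:14:00Z 10.1.2.9 https://example.com/",
]
SAMPLE_INVENTORY = [
    (r"C:\ProgramData\VMware\vmnat-update.bin",
     "4c3499f3cc4a4fdc7e67417e055891c78540282dccc57e37a01167dfe351b244"),
    (r"C:\Windows\System32\drivers\legit.sys", "00" * 32),
    (r"C:\ProgramData\VirtualBox\update.bin", "ff" * 32),  # IOC path, repacked file
]
```

Running `scan_proxy_log(SAMPLE_LOG)` yields two "block" hits (the exact upload.php C2 URL and the transplugin.io subdomain) and one "review" hit for the benign forum page on dronerc.it; `scan_inventory(SAMPLE_INVENTORY)` flags the VMware-named file on both path and hash and the VirtualBox-named file on path only. The split between block and review is the point: blocking dronerc.it outright would cut off a legitimate Italian business, while the exact C2 script path is safe to block everywhere.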
Threat ID: 682acdbebbaf20d303f0f230
Added to database: 5/19/2025, 6:20:46 AM
Last enriched: 7/2/2025, 7:10:05 AM
Last updated: 2/7/2026, 11:24:38 AM