Go to listing page

New UNC2970 Espionage Campaign Targets Media and Tech Companies

New UNC2970 Espionage Campaign Targets Media and Tech Companies
The North Korean cyberespionage group UNC2970 has been targeting media and tech companies in the U.S. and Europe since June 2022, reveals Mandiant. The group carries out delivers a plethora of new malicious tools via spear phishing attacks. As noted by experts, its TTPs are consistent with several other North Korean espionage groups.

Phishing via fake job schemes

According to Mandiant researchers, UNC2970 specifically targets security researchers of an enterprise using a job recruitment theme.
  • The attackers create fake accounts on LinkedIn, posing as professional recruiters. These accounts are used to approach the targeted victims and socially engineer them into having a Whatsapp conversation.
  • During the conversation, attackers deliver a malicious payload, primarily Word documents claiming to be a job description, directly via Whatsapp or email.

Malware taking over operations

  • To establish a foothold, UNC2970 deploys PLANKWALK, a C++ backdoor, executed through a launcher. The backdoor further allows attackers to distribute additional tools on the target machine.
  • PLANKWALK communicates with the C2 server (mostly compromised WordPress sites) and then leverages a wide variety of additional tooling, including TOUCHSHIFT (a malware dropper), TOUCHSHOT (screenshot grabber), TOUCHKEY (keylogger), HOOKSHOT (a TCP tunneling tool), TOUCHMOVE (a loader), and SIDESHOW (C/C++ backdoor) to gather intelligence.
  • It abuses Microsoft Intune to upload custom PowerShell scripts containing malicious code to be deployed, including CLOUDBURST (a C-based backdoor).
  • The attack continues further with an in-memory-only dropper called LIGHTSHIFT. This dropper drops the LIGHTSHOW utility, which uses anti-analysis techniques to hinder both static and dynamic analysis.


  • The activities of the UNC2970 group have been linked, with high confidence, to the UNC577 group (aka Temp.Hermit), one of the sub-groups working under the Lazarus collective.
  • Spear-phishing attacks leveraging a job-recruitment theme via fake LinkedIn profiles have some overlaps with Operation Dream Job that has been tracked and reported by several agencies including Clearsky, Google, and Proofpoint.

The bottom line

North Korean adversaries are known to share their tools and tactics. It implies that the tools could be leveraged in their future espionage campaigns as well. Organizations are suggested to leverage the available IOCs and deploy actionable and context-rich threat intelligence-sharing solutions to detect and contain such incidents.
Cyware Publisher