A threat actor, believed to be from North Korea, has been observed using a novel spear-phishing tactic against the media industry. It involves the use of trojanized versions of the Telnet and PuTTY SSH client.

Dropping backdoor via fake job offers

Mandiant has observed the new campaign and linked it with an emerging threat actor tracked as UNC4034. 
  • The threat group has been fabricating job lures for the distribution of AIRDRY malware.
  • In the past, AIRDRY has been used by North Korea-linked hackers in attacks directed at the U.S., South Korea, and Latvia. 
  • They would drop the backdoor via the CUTELOOP downloader that was embedded in malicious documents.

How it works?

The attack begins via initial contact over email, followed by a file being shared on Whatsapp.
  • The file is an ISO archive that pretends to be an Amazon Assessment as part of a potential job opportunity. 
  • This archive has a text file with an IP address and login credentials, along with an altered version of PuTTY to load a dropper (DAVESHELL) that deploys a newer variant of AIRDRY.
  • It is suspected that the threat group convinced the victim to execute a PuTTY session using credentials given in the TXT file to connect to the remote host, activating the infection.


It seems the use of ISO files may be motivated by Microsoft's decision to block Excel 4.0 and VBA macros. The use of similar ISO files for initial access is expected to witness a rise in the future, affirm experts. Therefore, for protection, organizations are suggested to ensure behavioral-based detection solutions besides other protective measures.
Cyware Publisher