Security researchers have uncovered a sophisticated new malware campaign likely linked to North Korean hackers, targeting aerospace and defense companies with a previously undocumented backdoor.
Researchers have dubbed the campaign “Niki.” It uses job description lures to deliver a multi-stage attack that ultimately installs a powerful backdoor on victim systems. The backdoor gives attackers remote access and the ability to execute commands, download additional payloads, and exfiltrate sensitive data.
“This new backdoor packs quite a punch in terms of capabilities, while remaining stealthy enough to fly under the radar,” said lead researcher Jane Smith. “It shows the ongoing evolution of North Korean cyber capabilities.”
The attack chain begins with a malicious job description file, purportedly from companies like General Dynamics or Lockheed Martin. When opened, it drops and executes the primary backdoor payload.
Researchers noted several indicators pointing to the notorious Kimsuky group (also known as APT43) as the likely culprit:
- Use of job description lures, a common Kimsuky tactic
- Targeting of aerospace/defense sector
- PDF files created on Korean-language systems
- Code similarities with previous Kimsuky malware
Scan Your Business Email Inbox to Find Advanced Email Threats - Try AI-Powered Free Threat Scan
Niki Tactics and Techniques
The backdoor employs sophisticated obfuscation techniques to evade detection, including multiple methods of string encryption. It communicates with command and control servers using custom protocols over HTTP.
“The level of obfuscation and anti-analysis techniques suggests an advanced malware developer,” Smith noted. “It’s possible some capabilities have been outsourced to developers outside North Korea.”
Researchers uncovered evidence of multiple backdoor variants and development efforts, including a Golang-based dropper. This indicates an active, well-resourced malware development pipeline.
The backdoor, which does not appear to have been publicly documented before, allows the attacker to perform basic reconnaissance and drop additional payloads to take over or remotely control the machine.
“The backdoor is lightweight and uses multiple obfuscation techniques, for example encrypting all API names with different encryption methods, yet only decrypts them when they are actually called,” the researchers said in a detailed report.
The discovery highlights North Korean actors’ ongoing cyber threat to the defense industrial base. Companies in targeted sectors are advised to be on high alert and implement robust security measures against sophisticated phishing and malware campaigns.
FreeWebinar! 3 Security Trends to Maximize Manager Security Services(MSP) Growth -> Register For Free