North Korean actors impersonate web3 recruiters to steal credentials and source code. MeshCentral agents masquerading as Azure endpoints used in education sector attacks. Short-form video platforms become a new vector for infostealer distribution.
Show Notes
Social engineering continues to dominate the threat landscape, with adversaries leveraging impersonation across recruitment, cloud management tools, and social media platforms. This episode covers three notable developments: North Korean threat actors targeting web3 and AI firms through fake hiring processes, the abuse of legitimate remote management tools like MeshCentral disguised as Azure endpoints for lateral movement, and the emergence of short-form video platforms as a distribution channel for infostealers. The common thread is credential theft and infrastructure access, with adversaries adapting their tradecraft to exploit trust in familiar platforms and workflows.
In this episode we cover:
- North Korean threat groups impersonate recruiters for web3 and AI firms to steal credentials, source code, and VPN/SSO access.
- MeshCentral agents masquerading as Azure endpoints were used in education sector attacks, deploying a custom lateral movement script. Investigators should note that searching for MeshCentral instances without proper OPSEC can expose their own infrastructure, and the report does not specify whether the agents were signed with valid certificates.
- Short-form video platforms like TikTok and Instagram Reels are exploited to trick users into running PowerShell commands or visiting malicious download sites.
- The UNK_DeadDrop campaign targets developers via malicious GitHub repositories, with multi-OS payloads attributed to North Korea.
- Court-documented recruitment tradecraft reveals fake identities, cryptocurrency payments, and pressure to share insider reports.
- Service desk compromise is highlighted as a common first step in ransomware attacks, with M&S losing £3.8M daily during a five-day outage.
- Over 20,000 Instagram accounts are stolen in a Meta AI support hack, demonstrating real-world abuse of AI customer-facing systems.
Links
- DPRK Fake Job Scams Self-Propagate in “Contagious Interview” — Dark Reading
- ShinyHunters Exploit Oracle PeopleSoft Zero-Day (MeshCentral agents posing as Azure) — The Hacker News
- Free Spotify Premium “hacks” spread Vidar via TikTok and Instagram Reels — Malwarebytes Labs
- UNK_DeadDrop: Phishing Campaign Targets Developers to Steal Crypto — Proofpoint
- North Korean IT-Worker Scam Facilitators Sentenced — The Register
- M&S Confirms Social Engineering Led to Ransomware Attack — BleepingComputer
- Arup $25M Deepfake Video-Call Fraud — CNN
- Over 20,000 Instagram Accounts Stolen in Meta AI Support Hack — BleepingComputer
← back to The Glasshouse on ryanlabouve.com