Microsoft has recently discovered social engineering activities by an actor we trace as ZINC that weaponized legal open-source software. In the US, UK, India, and Russia, the Microsoft Threat Intelligence Center (MSTIC) has detected activities aimed against employees of businesses in a variety of industries. The industries include media, defense and aerospace, and IT services. ZINC is a state-sponsored organization based in North Korea with goals of espionage, data theft, financial gain, and network devastation. It is the group MSTIC most confidently links this campaign to based on the observed tradecraft, infrastructure, tooling, and account affiliations.

Starting in June 2022, ZINC used conventional social engineering techniques by initially establishing connections. Initially with people on LinkedIn to build trust with their targets. After establishing a link, ZINC urged users to keep in touch using WhatsApp to spread their malicious payloads.

MSTIC saw ZINC using a variety of open-source programmes, such as the installers for muPDF/Subliminal Recording, Sumatra PDF Reader, KiTTY, TightVNC, PuTTY, and KiTTY, to carry out these assaults. ZINC making an effort to migrate laterally and exfiltrate data from target networks. Since June 2022, the actors have successfully compromised a number of organizations. Mandiant also reported on the ongoing campaign with the weaponized PuTTY earlier last month. ZINC might represent a serious threat to people and organizations across numerous industries and countries. Because of the widespread use of the platforms and software, it uses in its campaign.

Microsoft Defender provides a comprehensive defense against ZINC-specific tools for Endpoint, including ZetaNile. Customers will be able to thoroughly search their environments for pertinent signs and hunting questions provided at the end of this article.

Who is ZINC?

ZINC is a nation-state activity organization that is highly operational, destructive, and sophisticated. The action group, which has been active since 2009, increased its level of public prominence in 2014 as a result of its successful attack on Sony Pictures Entertainment. Microsoft has identified FoggyBrass and PhantomStar as two of the proprietary remote access tools (RATs) used by ZINC in their arsenal.

According to Microsoft researchers, ZINC actors have been observed mostly using spear-phishing, but they have also been observed using social engineering on social networking sites and targeted website hacks to further their objectives. ZINC aims to convince employees of the firms it is trying to infiltrate to open weaponized documents that include hazardous macros or install what appear to be innocent apps. On Twitter and LinkedIn, security researchers have also been the victim of targeted assaults.

ZINC attacks appear to be motivated by traditional cyberespionage, data theft from people and companies, financial gain, and corporate network destruction. The similarities between ZINC assaults and state-sponsored activities include increased operational security, sophisticated malware that evolves over time, and politically motivated targets.

ZINC, also known as Labyrinth Chollima and Black Artemis, was observed conducting this campaign from late April until mid-September 2022.

ZINC campaign
Figure 1. Attack flow diagram for recent ZINC campaign (Microsoft Security)

The activity

Impersonation and establishing contact

ZINC was discovered by LinkedIn Threat Prevention and Defense making phoney accounts purporting to be recruiters for tech, defense, and media entertainment firms with the intention of diverting targets away from LinkedIn and into the secure messaging platform WhatsApp for the distribution of malware. Engineers and technical support staff employed by media and IT businesses with locations in the US, UK, and India were the main targets of ZINC. Targets got outreach that was specific to their industry or educational background and was urged to submit an application for a position at one of several reputable businesses. LinkedIn swiftly canceled any accounts connected to fraudulent or dishonest behavior for accounts uncovered in these assaults in compliance with its policy.

Fraudulent recruiter profile
Figure 2. Fraudulent recruiter profile

Multiple methods used for delivery of ZetaNile

The ZetaNile virus family has been identified as the source of at least five techniques of trojanized open-source apps that contain harmful payloads and shellcode. The ZetaNile implants, also referred to as BLINDINGCAN, have been discussed in reports from CISA and JPCERT. The implant DLLs of the ZetaNile malware family are either encrypted with unique algorithms or loaded with commercial software protectors like Themida and VMProtect. Figure 3 shows malicious DLL’s payload is decrypted using a special key. The special key is given during the DLL search order hijacking of the genuine Windows process.

The ZetaNile implants send command and control (C2) HTTP requests to known exploited C2 domains using proprietary or AES encryption. These C2 communications can blend legal traffic by encoding the victim information in the parameters for popular keywords like game type or bbs in the HTTP POSTs.

PuTTY – scheduled task as part of persistence
Figure 3. PuTTY – scheduled task as part of persistence

The weaponization of Sumatra PDF reader and muPDF/Subliminal Recording installer

Sumatra PDF and muPDF/Subliminal Recording installation are two malicious versions of PDF readers that ZINC has operationalized. They serve as the entry point for the ZetaNile implant. This method of delivered using fake job advertising sent to targets looking for IT and defense industries. The recipient will find an executable file inside that archive. The muPDF/Subliminal Recording installer can set up the backdoor without loading any malicious PDF files. In contrast to the malicious Sumatra PDF reader. Sumatra is a fully working PDF reader and can load the harmful implant from a false PDF.


Employ these security considerations to mitigate the methods the actor used:

  • Investigate the environment and make an assessment of any potential intrusions using the indicators of compromise present.
  • Block incoming traffic from the IPs listed in the table “Indicators of Compromise.”
  • To ensure validity and look into any unusual activity. Review all authentication activity for the remote access infrastructure, paying special attention to accounts set up using single-factor authentication.
  • To reduce the risk of credentials stealing, enable multifactor authentication (MFA). Also, make sure to enforce any remote connectivity. NOTE: To secure your accounts, Microsoft highly advises all customers to download and use password-less solutions like Microsoft Authenticator.
  • Inform end users about how to avoid infecting with malware. They include how to ignore or delete unusual and unwanted emails that contain ISO attachments. Encourage end users to exercise excellent credential hygiene.
  • Restrict access to accounts with local or domain admin rights. Enable Microsoft Defender Firewall to stop malware spread and infect.
  • End users should receive instructions on how to secure their private and professional information on social media. Filter unwelcome mail, spot spear-phishing emails, and watering holes, and report any unusual behavior or recon attempts.