GoldBackdoor malware used by an APT group to target Journalists

GoldBackdoor Malware APT37 Threat Group North Korea South Korea Journalists Phishing

A North Korean state-sponsored threat group called APT37 has been discovered targeting journalists specialising in the Korean republic using the GoldBackdoor malware. Reports stated that the threat actors distribute the malware through several phishing campaigns.

A researcher discovered the attack and immediately contacted a malware expert for assistance and analysis last month. The malware expert then found the GoldBackdoor and attributed it to Bluelight.

The phishing attack utilises a two-stage infection process that provides attackers with the freedom to launch a malicious payload while designing it as a hard to analyse malware.

Furthermore, the phishing emails sent by the threat actors impersonate a former director of South Korea’s National Intelligence Service, whose account was previously infected by the earlier mentioned North Korean-backed threat group.

The phishing emails disseminated to the targeted journalists included a link to download ZIP archives with LINK files. The researchers name these files as ‘Kang Min-chol edits’ to lure targets since Kang Min-chol is the minister of mining industries in North Korea.

Moreover, the [.]LNK file includes a document icon and padding to increase its size to over 200 MB. The threat actors purposely do this to make the payload harder to detect and upload to VirusTotal.

The threat actors also use a PowerShell script that deploys and opens a decoy document to distract security solutions. The attached script will then download and run a shellcode payload loaded on Microsoft OneDrive.


GoldBackdoor only receives common commands for a more straightforward infection process.


The researchers indicated that the hackers operate the GoldBackdoor as a PE file and receive standard commands remotely and steal data. It then utilises a set of Application Programming Interface (API) keys to authenticate to Azure and gather orders for execution.

The commands are connected to the basic Remote Code Execution (RCE), keylogging, file operations, and removal of itself from the system.

They also found that the malware exploits legitimate cloud services such as OneDrive, to exfiltrate files. The targeted files are documents and media, which are common, like PDFs and XLSs.

Since the threat actors’ targets are revealed, experts suggest that journalists should never open unwanted emails, especially if there is an attached link. Journalists prone to attacks should practice good internet hygiene to mitigate getting infected by a phishing email.

About the author


Leave a Reply