Trojan attack on the system using forged job-seeking documents
Researchers have discovered a new stealthy trojan used by the group, along with a technique for hiding malicious code in extended attributes. Learn how this advanced persistent threat (APT) evades detection and the steps you can take to protect yourself.
Cybersecurity researchers report that a North Korean state-backed group is currently deploying a new Trojan named "". Combined with a new evasion technique, the malware lets the group carry out its operations undetected.
Since [month] [year], the group has been using a technique that hides malicious code in the extended attributes () of files on the [system], delivered through a [Trojan]. Extended attributes are hidden data containers attached to files that can store additional information beyond standard attributes such as size or creation date. The method is hard to spot because these attributes are not shown by default in applications such as [application] or [application]; attackers, however, can read and write this hidden data easily with the . command.
In a blog post shared with ., the researchers noted that in 2022 adware used a similar technique, hiding its payload in resource forks, which stored structured data on legacy systems. A possible attack scenario involves a malicious application that looks legitimate, built with the framework. It would display fake files related to job opportunities or cryptocurrencies, matching the theme of .
For reference, the framework is a tool for building lightweight desktop applications, which lets the developers run malicious scripts using , , and on the front end and back end respectively. These scripts contain two lures: one retrieves files from a file-hosting service about game project development and funding; the other displays a dialog saying the application does not support the specified version while, in the background, requests to the staging server are processed.
The malicious script is hidden in a custom extended attribute named "". The application uses a file named "" to interact with the hidden script; this code uses the functionality to read the script from the extended attribute and execute it. The researchers said: "Interestingly, the next behavior is as follows—if the attribute exists, the user interface is not displayed, but if the attribute does not exist, a fake webpage is shown."
Because the malicious component lives inside an extended attribute, antivirus scanners that only inspect file contents do not see it. The applications were initially signed with a leaked certificate (since revoked) but were not notarized, which sidesteps another layer of potential detection. The researchers have not identified any confirmed victims and believe the technique may still be under experimentation for future attacks.
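Because the payload sits in an extended attribute rather than in the file body, a defender has to enumerate attributes explicitly to find it. The following is an added example, not code from the article or from the researchers, that scans a directory tree and ranks each file's extended attributes: script-like values are flagged high, large attributes outside a constructed allowlist of platform-written names medium, and other custom names low. It assumes a Linux build of CPython, where `os.listxattr`/`os.getxattr` exist; on other platforms `read_attrs` returns nothing and the platform's own attribute tool would feed `classify_attrs` instead.

```python
import os
import sys

# Attribute names the OS itself writes on ordinary files. Constructed allowlist
# for this example; extend it from a clean baseline of your own machines.
BENIGN_PREFIXES = (
    "com.apple.quarantine",
    "com.apple.FinderInfo",
    "com.apple.metadata:",
    "com.apple.lastuseddate#PS",
    "com.apple.provenance",
)

# Byte patterns suggesting an attribute holds script text rather than metadata.
SCRIPT_MARKERS = (b"#!/", b"osascript", b"curl ", b"/bin/sh", b"eval(")


def classify_attrs(attrs, size_threshold=512):
    """Rank one file's extended attributes; attrs maps name -> raw bytes.
    Returns (name, severity, reason) tuples; empty list means nothing notable."""
    findings = []
    for name, value in attrs.items():
        custom = not name.startswith(BENIGN_PREFIXES)
        if any(marker in value for marker in SCRIPT_MARKERS):
            findings.append((name, "high", "script-like payload"))
        elif custom and len(value) >= size_threshold:
            findings.append((name, "medium", "large custom attribute"))
        elif custom:
            findings.append((name, "low", "custom attribute name"))
    return findings


def read_attrs(path):
    """Read a file's extended attributes without following symlinks.
    Returns {} where the platform or filesystem offers no xattr support."""
    attrs = {}
    if not hasattr(os, "listxattr"):
        return attrs
    try:
        for name in os.listxattr(path, follow_symlinks=False):
            attrs[name] = os.getxattr(path, name, follow_symlinks=False)
    except OSError:  # unsupported filesystem or permission denied
        pass
    return attrs


def scan_tree(root, min_severity="medium"):
    """Walk root; return {path: findings} at or above min_severity."""
    rank = {"low": 0, "medium": 1, "high": 2}
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            hits = [f for f in classify_attrs(read_attrs(path))
                    if rank[f[1]] >= rank[min_severity]]
            if hits:
                report[path] = hits
    return report


if __name__ == "__main__":
    for path, hits in scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        for name, severity, reason in hits:
            print(f"{severity.upper():6} {path}  {name}: {reason}")
```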
The discovery is significant because it represents a new technique not yet documented in the & framework, the standard reference for attack techniques. The group's methods are becoming increasingly sophisticated and broad, reflecting its effort to evade detection and infiltrate systems.
To stay safe, verify the source and legitimacy of files before downloading or executing them, and do not download seemingly harmless content without checking it, even when it looks legitimate. Keep enabled, since it prevents untrusted applications from running. Finally, use threat intelligence services to stay informed about emerging threats and to develop effective protection strategies.