Weaponized Open Source Software

2023-06-19 Hauri Weaponized open source software

https://download.hauri.net/DownSource/down/dwn_detail_down.html?uid=51

Attachments

2023-06-07_ìì_ëì_ë³ê³ìëêíë_ìíìì_ìííìì.pdf (642 KB)

Hauri reported that Lazarus weaponized open-source tools including PuTTY, KiTTY, TightVNC, Sumatra PDF Reader, and muPDF/Subliminal Recording as part of job-themed attacks. Since June 2022, the group allegedly approached engineers on LinkedIn while impersonating recruiters from specific companies and delivered modified software such as a TightVNC-based "Amazon Workspaces.exe" inside a skill-assessment ISO. The modified tools did not execute malicious behavior immediately, instead waiting for events such as opening a specific PDF or connecting to a particular server to evade sandbox analysis.

Indicators of Compromise

Type  Value                             First Seen  Last Seen
HASH  3ef1892c1a5f1bb056871b7d7e5cd69a  2023-06-19  2023-06-19
HASH  4e10c8d3d71136e870cf58c0e31db2bc  2023-06-19  2023-06-19
URL   https://www.jeannecampos.com/wp…  2023-06-19  2023-06-19
