Stealing the LIGHTSHOW (Part One) — North Korea's UNC2970

2023-03-09 Mandiant

https://www.mandiant.com/resources/blog/lightshow-north-korea-unc2970


Mandiant tracks UNC2970 as a suspected North Korean espionage cluster that targets Western media and technology organizations, including security researchers, with job-recruitment themed spear phishing. Operators used fake LinkedIn recruiter personas, moved the conversation to WhatsApp, and then delivered either a malicious Word document or a ZIP/ISO package disguised as a job description or skills assessment. Observed tooling included PLANKWALK, LIDSHIFT, TOUCHMOVE, SIDESHOW, and TOUCHSHIFT; the Word lures used remote-template injection, and compromised WordPress sites served as payload-staging or C2 infrastructure. The tradecraft overlaps UNC577 (Temp.Hermit), and the campaign shows UNC2970 adapting its social engineering, its cloud-environment operations, and its intrusion tactics to the presence of endpoint detection and response (EDR) tooling.

Indicators of Compromise

HASH rows are 32-character hex digests (MD5 length). URL values are truncated with "…" on this page.

Type Value First Seen Last Seen
URL http://mantis.quick.net.pl/libr… 2023-03-09 2023-09-29
URL http://www.keewoom.co.kr/prod_i… 2023-03-09 2023-09-29
DOMAIN mantis.quick.net.pl 2023-03-09 2023-09-29
HASH 3bf748baecfc24def6c0393bc2354771 2023-03-09 2023-03-09
HASH 41dcd8db4371574453561251701107bc 2023-03-09 2023-03-09
HASH 8c597659ede15d97914cb27512a55fc7 2023-03-09 2023-03-09
HASH 49425d6dedb5f88bddc053cc8fd5f0f4 2023-03-09 2023-03-09
HASH 30358639af2ecc217bbc26008c5640a7 2023-03-09 2023-03-09
HASH 300103aff7ab676a41e47ec3d615ba3f 2023-03-09 2023-03-09
HASH a9e30c16df400c3f24fc4e9d76db78ef 2023-03-09 2023-03-09
HASH a2109276dc704dedf481a4f6c8914c6e 2023-03-09 2023-03-09
HASH 05b6f459be513bf6120e9b2b85f6c844 2023-03-09 2023-03-09
HASH 91b6d6efa5840d6c1f10a72c66e925ce 2023-03-09 2023-03-09
HASH e97b13b7e91edeceeac876c3869cc4eb 2023-03-09 2023-03-09
HASH abd91676a814f4b50ec357ca1584567e 2023-03-09 2023-03-09
HASH f910ffb063abe31e87982bad68fd0d87 2023-03-09 2023-03-09
HASH 866f9f205fa1d47af27173b5eb464363 2023-03-09 2023-03-09
URL https://toptradenews.com/wp-con… 2023-03-09 2023-03-09
URL http://webinternal.anyplex.com/… 2023-03-09 2023-03-09
URL http://www.ruscheltelefonia.com… 2023-03-09 2023-03-09
URL https://ajayjangid.in/js/jquery… 2023-03-09 2023-03-09
URL https://leadsblue.com/wp-conten… 2023-03-09 2023-03-09
URL https://sede.lamarinadevalencia… 2023-03-09 2023-03-09
URL http://abba-servicios.mx/wordpr… 2023-03-09 2023-03-09
URL https://crickethighlights.today… 2023-03-09 2023-03-09
URL https://doug.org/wp-includes/ad… 2023-03-09 2023-03-09
URL http://www.fainstec.com/assets/… 2023-03-09 2023-03-09
URL https://olidhealth.com/wp-inclu… 2023-03-09 2023-03-09
DOMAIN toptradenews.com 2023-03-09 2023-03-09
DOMAIN sede.lamarinadevalencia.com 2023-03-09 2023-03-09
DOMAIN leadsblue.com 2023-03-09 2023-03-09
DOMAIN abba-servicios.mx 2023-03-09 2023-03-09
DOMAIN crickethighlights.today 2023-03-09 2023-03-09
DOMAIN doug.org 2023-03-09 2023-03-09
DOMAIN ajayjangid.in 2023-03-09 2023-03-09
DOMAIN webinternal.anyplex.com 2023-03-09 2023-03-09
DOMAIN olidhealth.com 2022-09-29 2023-03-09
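The summary above describes Word lures that use remote-template injection to pull a template from a compromised WordPress site, and the table lists the staging domains. The script below is an added example, not Mandiant's code or a tool from the report: it inspects a .docx for an external attachedTemplate relationship (the OOXML mechanism behind remote-template injection) and checks the template host against the DOMAIN rows of the table. The sample documents it builds are constructed fixtures, and the template path used in the demo is invented.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import Optional
from urllib.parse import urlparse

# OOXML namespaces and the part that records an attached (remote) template.
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
R_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
ATTACHED_TEMPLATE = R_NS + "/attachedTemplate"
SETTINGS_RELS = "word/_rels/settings.xml.rels"

# DOMAIN rows copied from the IOC table on this page.
IOC_DOMAINS = {
    "mantis.quick.net.pl", "toptradenews.com", "sede.lamarinadevalencia.com",
    "leadsblue.com", "abba-servicios.mx", "crickethighlights.today",
    "doug.org", "ajayjangid.in", "webinternal.anyplex.com", "olidhealth.com",
}


def external_templates(docx_bytes: bytes) -> list:
    """Return Target values of attachedTemplate relationships marked External.

    A benign document has either no settings.xml.rels or only internal
    relationships; a remote-template lure carries an External target that
    Word fetches (and may run macros from) when the file is opened.
    """
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        if SETTINGS_RELS not in zf.namelist():
            return []
        root = ET.fromstring(zf.read(SETTINGS_RELS))
    return [
        rel.get("Target", "")
        for rel in root.iter("{%s}Relationship" % REL_NS)
        if rel.get("Type") == ATTACHED_TEMPLATE
        and rel.get("TargetMode", "Internal") == "External"
    ]


def host_in_iocs(host: str) -> bool:
    """Exact or subdomain match against the DOMAIN indicators."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)


def assess(docx_bytes: bytes) -> list:
    """One finding per external template: raw target, parsed host, IOC hit."""
    findings = []
    for target in external_templates(docx_bytes):
        host = (urlparse(target).hostname or "").lower()
        findings.append({"target": target, "host": host,
                         "ioc_match": host_in_iocs(host)})
    return findings


def build_docx(template_url: Optional[str] = None) -> bytes:
    """Construct a minimal .docx in memory (a test fixture, not a real sample)."""
    rels, settings_body = "", ""
    if template_url is not None:
        rels = ('<Relationship Id="rId1" Type="%s" Target="%s" '
                'TargetMode="External"/>' % (ATTACHED_TEMPLATE, template_url))
        settings_body = '<w:attachedTemplate r:id="rId1"/>'
    parts = {
        "[Content_Types].xml":
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/'
            'content-types"><Default Extension="rels" ContentType="application/'
            'vnd.openxmlformats-package.relationships+xml"/><Default Extension='
            '"xml" ContentType="application/xml"/></Types>',
        "_rels/.rels":
            '<Relationships xmlns="%s"><Relationship Id="rId1" Type="%s/'
            'officeDocument" Target="word/document.xml"/></Relationships>'
            % (REL_NS, R_NS),
        "word/document.xml":
            '<w:document xmlns:w="%s"><w:body><w:p><w:r><w:t>Job description'
            '</w:t></w:r></w:p></w:body></w:document>' % W_NS,
        "word/settings.xml":
            '<w:settings xmlns:w="%s" xmlns:r="%s">%s</w:settings>'
            % (W_NS, R_NS, settings_body),
        SETTINGS_RELS:
            '<Relationships xmlns="%s">%s</Relationships>' % (REL_NS, rels),
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, xml in parts.items():
            zf.writestr(name, xml)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed samples: a clean document and a lure whose template host is
    # one of the page's DOMAIN indicators (the path is invented for this demo).
    for label, url in [("clean", None),
                       ("lure", "https://doug.org/constructed-path/jd.dotm")]:
        print(label, assess(build_docx(url)))
```

An external attachedTemplate is worth a finding even when the host matches nothing in the table, since staging sites rotate faster than IOC lists; the host is still useful for pivoting into web-proxy logs, because the document only fetches the template when it is opened, so the wp-content style URLs in the table are what the proxy would record. The check covers only settings.xml.rels; other relationship parts (for example document.xml.rels) can also carry External targets and deserve the same treatment in a production scanner.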
