The ink-stained trail of GOLDBACKDOOR

2022-04-21 Stairwell

https://assets.stairwell.com/hubfs/Marketing-Assets/Stairwell-threat-report-The-ink-stained-trail-of-GOLDBACKDOOR.pdf

Attachments

Stairwell-threat-report-The-ink-stained-trail-of-GOLDBACKDOOR_Fm70I4B.pdf (407 KB)

Stairwell analyzed a GOLDBACKDOOR deployment chain from malicious artifacts NK News received in a spear-phishing campaign targeting journalists focused on the DPRK. The campaign delivered a ZIP containing a large Windows shortcut named “Kang Min-chol Edits 2.lnk,” which opened a decoy document while running PowerShell to stage additional code. Stairwell assessed with medium-high confidence that GOLDBACKDOOR is a successor to, or used alongside, BLUELIGHT malware attributed to APT37/Ricochet Chollima, based on technical overlaps and the impersonation of DPRK-focused media. The infrastructure included a dailynk.us domain likely chosen to mimic Daily NK, and the multi-stage design allowed the actor to separate initial infection from final payload deployment.

