Hacking

North Korea-Linked UNC2970 Targets Energy and Aerospace Sectors with MISTPEN Backdoor

Published  ·  2 min read
Updated on September 18, 2024

A North Korea-affiliated cyber-espionage group, UNC2970, has been observed deploying sophisticated phishing lures to infiltrate entities in the energy and aerospace industries. The group is leveraging job-themed spear-phishing emails to distribute a new backdoor dubbed MISTPEN.

Mandiant, a Google-owned threat intelligence firm, tracks UNC2970’s activities, which overlap with the notorious Lazarus Group (also known as TEMP.Hermit or Diamond Sleet). This hacking group has a long history of conducting cyber-espionage campaigns that target government, defense, telecommunications, and financial institutions globally to serve North Korean interests.

Operation Dream Job Campaign

UNC2970's recent attacks, part of the Operation Dream Job campaign, focus on targeting senior-level employees in multiple countries, including the U.S., U.K., Germany, and Singapore. The attackers pose as recruiters from prominent companies, sharing malicious ZIP archives disguised as job descriptions. These archives contain a weaponized version of Sumatra PDF, which deploys the BURNBOOK launcher to deliver the MISTPEN backdoor.

MISTPEN and BURNBOOK Malware

The BURNBOOK launcher is responsible for executing a trojanized version of a Notepad++ plugin, which acts as the MISTPEN backdoor. MISTPEN, a lightweight implant written in C, communicates with command-and-control (C2) servers over HTTP and downloads Portable Executable (PE) files from remote servers for further exploitation. The malware uses compromised WordPress websites for C2 communication, indicating an ongoing effort to refine its capabilities.

Mandiant's analysis reveals that UNC2970 has iteratively improved their malware, adding new features and mechanisms to evade detection. These enhancements underscore the evolving nature of the threat posed by North Korea-linked cyber actors.

Professional Services

Explore Our Cybersecurity Services

Our insights are backed by hands-on service delivery. If your business needs professional cybersecurity support, our UK-based specialists are ready to help.

© 2016 – 2026 Red Secure Tech Ltd. Registered in England and Wales — Company No: 15581067