Threat report • April 21, 2022

The ink-stained trail of GOLDBACKDOOR

By Silas Cutler, Principal Reverse Engineer

Over the past 10 years, the Democratic People’s Republic of Korea (DPRK) has adopted cyber operations as a key means of supporting the regime. While significant attention has been paid to the purported use of these operations as a means of funding DPRK’s military programs, the targeting of researchers, dissidents, and journalists likely remains a key area for supporting the country’s intelligence operations.

Journalists are high-value targets for hostile governments. They are often aggregators of stories from many individuals – sometimes including those with sensitive access. Compromising a journalist can provide access to highly sensitive information and enable additional attacks against their sources.

On 18 March 2022, NK News shared multiple malicious artifacts with the Stairwell threat research team from a spear-phishing campaign targeting journalists who specialize in the DPRK. These messages were sent from the personal email of a former director of South Korea’s National Intelligence Service (NIS). One of these artifacts was a new malware sample we have named GOLDBACKDOOR, based on an embedded development artifact.

Stairwell assesses with medium-high confidence that GOLDBACKDOOR is the successor of, or used in parallel with, the malware BLUELIGHT, attributed to APT37 / Ricochet Chollima. This assessment is based on technical overlaps between the two malware families and the impersonation of NK News, a South Korean news site focused on the DPRK.

NK News has published an article detailing the incident, and this report outlines the technical process by which GOLDBACKDOOR is deployed on infected systems.

Silas Cutler, Resident Hacker

You can contact @silascutler on Twitter about this and other research blogs. Silas has over a decade of research on cyber operations from Russia, China, and the Democratic People’s Republic of Korea (DPRK). You can read more of his work on some of these threats on the Stairwell blog, including GOLDBACKDOOR and WhisperGate.