The ink-stained trail of GOLDBACKDOOR

Over the past 10 years, the Democratic People’s Republic of Korea (DPRK) has adopted cyber operations as a key means of supporting the regime. While significant attention has been paid to the purported use of these operations as a means of funding DPRK’s military programs, the targeting of researchers, dissidents, and journalists likely remains a key area for supporting the country’s intelligence operations.

Journalists are high-value targets for hostile governments. They often are aggregators of stories from many individuals – sometimes including those with sensitive access. Compromising a journalist can provide access to highly-sensitive information and enable additional attacks against their sources.

On 18 March 2022, NK News shared multiple malicious artifacts with the Stairwell threat research team from a spear-phishing campaign targeting journalists who specialize in the DPRK. These messages were sent from the personal email of a former director of South Korea’s National Intelligence Service (NIS). One of these artifacts was a new malware sample we have named GOLDBACKDOOR, based on an embedded development artifact.

Stairwell assesses with medium-high confidence that GOLDBACKDOOR is the successor of, or used in parallel with, the malware BLUELIGHT, attributed to APT37 / Ricochet Chollima. This assessment is based on technical overlaps between the two malware families and the impersonation of NK News, a South Korean news site focused on the DPRK.

NK News has published an article detailing the incident and this report will outline the technical process in which GOLDBACKDOOR is deployed on infected systems.


Stairwell in 30 seconds
Stairwell in 30 seconds
Stairwell in 30 seconds
See the power of the Stairwell platform in 30 seconds.