The Ultimate Guide To Cybersecurity In The Real World. - Register Here
The Ultimate Guide To Cybersecurity In The Real World. - Register Here
Schedule a Consultation
Hoplon InfoSec Logo
  • Products
  • Services

Hoplon Infosec · Threat Intelligence

UNC2970 Hackers are Targeting Job Seekers with Weaponized PDF Files

ByHoplon Infosec
Published18 Sep, 2024
UNC2970 Hackers are Targeting Job Seekers with Weaponized PDF Files
Hoplon Infosec18 Sep, 2024

In an alarming development in the realm of cyber threats, the UNC2970 Hackers are Targeting Job Seekers, employing sophisticated phishing tactics and weaponized PDF files to deliver malicious payloads. As this group, suspected to be linked to North Korean cyber espionage, continues its targeted attacks on U.S. critical infrastructure sectors, it’s essential to understand the intricacies of their methods and the implications for job seekers and organizations alike. 

Who is UNC2970? 

UNC2970 is a cyber espionage group believed to have ties to North Korea. In June 2024, cybersecurity analysts at Google Mandiant uncovered the group’s activities, which are aimed at infiltrating critical infrastructure sectors, including aerospace, energy, and nuclear industries. Their tactics have evolved, showcasing an alarming sophistication that raises significant concerns for individuals seeking employment in these fields. 

The Tactics of UNC2970: Sophisticated Phishing Attacks 

One of the hallmark strategies employed by UNC2970 is their use of sophisticated phishing emails. Posing as recruiters, they craft tailored job descriptions for senior-level positions to lure potential victims. These emails often appear legitimate, which heightens the risk of unsuspecting individuals downloading malicious files. 

Weaponized PDF Readers: The Infection Chain 

At the heart of UNC2970’s attacks lies the use of weaponized PDF readers. Specifically, they utilize a trojanized version of “SumatraPDF” (v3.4.3 or earlier). The infection process is both cunning and technical: 

  1. Initial Contact: Victims receive an email containing a password-protected ZIP archive. 
  1. Contents of the Archive: Inside the ZIP, there are two critical components: 
  • An encrypted PDF file. 
  • A modified version of the SumatraPDF application. 

When the victim attempts to open the PDF, it triggers a series of malicious actions. 

The Malicious Payload: BURNBOOK and MISTPEN 

BURNBOOK: The Enabler 

Once the trojanized PDF reader is executed, it launches the “BURNBOOK” process. This malicious component utilizes a specialized library (libmupdf.dll) to decrypt the embedded PDF file. The decryption employs the ChaCha20 cipher, utilizing a 32-byte key and a 12-byte nonce, ensuring that the malicious payload remains concealed until execution. 

MISTPEN: The Backdoor 

The next stage involves the loading of the “MISTPEN” backdoor, which is implemented as a modified Notepad++ plugin (binhex.dll). This backdoor can perform a variety of malicious actions, including: 

  • Downloading and executing Portable Executable (PE) files. 
  • Communicating over HTTPS with Microsoft endpoints, such as login.microsoftonline.com and graph.microsoft.com. 

Command Functionality of MISTPEN 

MISTPEN offers a range of commands that enable the attackers to manipulate the infected system: 

  • ‘d’: Load and execute PE payloads. 
  • ‘e’: Terminate the backdoor process. 
  • ‘f’: Enter sleep mode to evade detection. 
  • ‘g’: Update its configuration. 

Persistence and Evasion Techniques 

For persistence, MISTPEN creates a scheduled task named “Sumatra Launcher” in the user’s application data directory, employing DLL search-order hijacking. This technique allows the malware to maintain a foothold in the infected system, ensuring it can execute its malicious payload even after a reboot. 

Moreover, the backdoor’s configuration settings are stored in a file named “setup.bin,” which enables the attackers to maintain control over the compromised system and execute their commands as needed. 

DLL Search Order Hijacking: A Key Evasion Technique 

One of the most concerning aspects of the UNC2970 malware campaign is its use of DLL search-order hijacking. This technique involves manipulating the search order for DLL files in Windows, allowing malicious DLLs to be executed instead of legitimate ones. By embedding malicious code into commonly used applications like SumatraPDF, the hackers can bypass many security measures that might otherwise flag the attack. 

Targeting Critical Infrastructure: The Implications 

The implications of these attacks extend far beyond individual job seekers. By targeting multinational companies across various sectors, UNC2970 poses a significant threat to critical infrastructure. The aerospace, energy, and nuclear sectors are vital for national security, and any compromise in these areas could have far-reaching consequences. 

Best Practices for Job Seekers

Given the risks associated with these sophisticated phishing attacks, job seekers must adopt a proactive approach to safeguard their personal information and digital security: 

  1. Be Skeptical of Unsolicited Emails: Always verify the legitimacy of emails, especially those that contain attachments or links. 
  1. Avoid Downloading Unknown Files: Refrain from downloading files from unknown sources. Even if the email appears to be from a legitimate recruiter, it’s best to err on the side of caution. 
  1. Utilize Antivirus Software: Ensure that you have up-to-date antivirus and anti-malware software installed on your devices. 
  1. Educate Yourself on Phishing Tactics: Familiarize yourself with common phishing tactics to better recognize suspicious emails. 

Conclusion 

The emergence of UNC2970 and their sophisticated tactics underscores the necessity for heightened vigilance among job seekers and organizations alike. As cyber threats continue to evolve, understanding the mechanisms behind these attacks is crucial for implementing effective defenses. 

By staying informed and adopting best practices, individuals can better protect themselves from becoming victims of such malicious campaigns. 

Frequently Asked Questions (FAQs) 

What is UNC2970? 

UNC2970 is a suspected North Korean cyber espionage group known for targeting critical infrastructure sectors using sophisticated phishing tactics. 

How do UNC2970 hackers deliver malware? 

They employ weaponized PDF files disguised as legitimate applications, often delivered through phishing emails posing as job offers. 

How do UNC2970 hackers deliver malware? 

They employ weaponized PDF files disguised as legitimate applications, often delivered through phishing emails posing as job offers. 

What is BURNBOOK? 

BURNBOOK is a malicious library that decrypts embedded PDF files and facilitates the execution of further malicious payloads on infected systems. 

What is MISTPEN? 

MISTPEN is a backdoor created by UNC2970 that allows hackers to execute commands, download files, and maintain persistence on compromised systems. 

How can job seekers protect themselves? 

Job seekers should verify the legitimacy of emails, avoid downloading unknown files, use antivirus software, and educate themselves about phishing tactics. 

What sectors are primarily targeted by UNC2970? 

The group mainly targets critical infrastructure sectors, including aerospace, energy, and nuclear industries. 

By staying informed and vigilant, individuals can enhance their cybersecurity posture and reduce the risk of falling victim to such sophisticated attacks. 

​​References 

​​Marco Galli, D. I. (2024, September 18). An Offer You Can Refuse: UNC2970 Backdoor Deployment Using Trojanized PDF Reader. Retrieved from Google Cloud: https://cloud.google.com/blog/topics/threat-intelligence/unc2970-backdoor-trojanized-pdf-reader 

​Senapathi, V. (2024, September 18). UNC2970 Hackers Targeting Job Seekers with Weaponized PDF Files. Retrieved from Cyber Security News: https://cybersecuritynews.com/hackers-targeting-job-seekers/ 

​

Was this useful?

React, leave a note, or share it forward.

Leave a note

Share this article

Share this :

Free · Weekly · No noise

Get the threats that matter, before they reach you.

One short email a week with the breaches, zero-days, and fixes worth your attention — written in plain English, no fear-mongering.

Hoplon InfoSec Logo

Address : 1415 West 22nd Street, Tower Floor, Oak Brook, IL 60523

Phone : +1 (773) 904-3136

Email : info@hoploninfosec.com

Services

  • Penetration Testing
  • Cyber Security Assessment
  • AI Development
  • Incident Readiness & Response Recovery

Products

  • IBM Flash Storage Solutions
  • Mobile Security
  • Endpoint Security
  • Deep and Dark Web Monitoring

Sign Up For Newsletter

Get the latest updates on new products and upcoming news

Copyright © Hoplon InfoSec, LLC and its group of companies.
About usContact usTerms & ConditionsCookie PolicyPrivacy Policy
03Latest posts

Keep reading.

Deepfake Scams Explained: AI Voice & Video Fraud Guide
08 Jul, 2026

Deepfake Scams Explained: AI Voice & Video Fraud Guide

Deepfake scams use AI to clone voices and faces for fraud. See how these AI voice and video scams work, real case examples, and how to protect yourself and your business.

Read More
RedWing MaaS: Android Banking Malware on Telegram
08 Jul, 2026

RedWing MaaS: Android Banking Malware on Telegram

RedWing MaaS rents Android banking malware on Telegram. Learn how it steals credentials, OTPs, and controls devices, and how to stay protected.

Read More
Codex macOS Vulnerability Exposes API Keys, Source Code
07 Jul, 2026

Codex macOS Vulnerability Exposes API Keys, Source Code

OpenAI Codex macOS vulnerability CVE-2026-14898 lets attackers exploit Markdown image rendering and prompt injection to steal sensitive data.

Read More
Air Gap Attack: How TrojPix Steals Data From Offline PCs
07 Jul, 2026

Air Gap Attack: How TrojPix Steals Data From Offline PCs

Air gap attack research shows TrojPix can leak data from offline PCs using video cables. Learn how it works and how to stop it before it starts.

Read More
QuimaRAT Malware: New Java RAT Hits Windows, Linux, Mac
06 Jul, 2026

QuimaRAT Malware: New Java RAT Hits Windows, Linux, Mac

QuimaRAT malware is a Java based RAT hitting Windows, Linux, and macOS through a paid subscription service. See how it infects, hides, and spreads.

Read More
AI Security and Ransomware Attacks Explained This Week
06 Jul, 2026

AI Security and Ransomware Attacks Explained This Week

AI security and ransomware attacks dominate this week's cyber news, from FortiGate credential theft to a SharePoint flaw and a Scattered Spider arrest.

Read More