An Offer You Can Refuse: Backdoor Deployment Using Trojanized PDF Reader
NetmanageIT OpenCTI - opencti.netmanageit.com
SUMMARY :
UNC2970, a suspected North Korean cyber espionage group, targeted critical infrastructure sectors using job-themed phishing lures. The group employed a trojanized version of SumatraPDF to deliver the MISTPEN backdoor via the BURNBOOK launcher. The infection chain involved a password-protected ZIP archive containing an encrypted PDF and modified PDF viewer. BURNBOOK decrypts and executes MISTPEN, which can download and run PE files. TEARPAGE, embedded in BURNBOOK, loads MISTPEN through DLL hijacking. The malware evolved to include network checks and new features. UNC2970 has targeted victims in multiple countries, focusing on senior-level employees in critical sectors.
OPENCTI LABELS :
backdoor,phishing,burnbook
Open in NetmanageIT OpenCTI Public Instance with below link!
Use public read only username and password on login page.
NOTE : Use Public READ only user credentials on login page banner.
An Offer You Can Refuse: Backdoor Deployment Using Trojanized PDF Reader