Fine, fine, I’ll be nice. While you were sleeping, Google security notified of a long term (allegedly DPRK) SE campaign targeting infosec researchers on Twitter, ingratiating themselves into the community with minor research and blogs, then sending them malicious links and code.
The list of accounts is in the blog and 3 or 4 accounts were very active, messaged and drew in a ton of researchers, and successfully got some to execute malicious code in the name of exploit research. My thread is full of stories and screenshots. They hit a ton of people.
There are still a lot of unsubstantiated rumors and humble brags floating around about what else they did, so I would stick to the blog for now.
You need to check if you (or your team on work machines) interacted with any of these people, potentially followed malicious links, or amplified their social media posts.
Here is a particularly poignant and well documented one, as he discovers in real time what happened...
https://t.co/uibzAnNNUn
Anyway this is all novel not so much for the established sock accounts and Twitter SE (which *ahem* some researchers have been dealing with for ages 🤷🏻♀️🍸) but more because of the tactics of tricking exploit researchers into running malicious code, and burning a Chome 0day.
Good luck, all. VM all the things, and assume every inbound DM is gonna be a dickpic!
(This is also a very funny 5am joke because one of the fake people they used was named James Willy. Thank you, I have been here all night.)
