New North Korean Backdoor ‘Niki’ Targets Aerospace and Defense Sectors

Niki backdoor
Image: CyberArmor

Cybersecurity firm CyberArmor has unveiled a new wave of cyberattacks attributed to North Korean state-sponsored hackers, revealing a sophisticated campaign targeting the aerospace and defense sectors. The attacks utilize a previously undocumented backdoor, dubbed “Niki” by researchers, showcasing the evolving tactics of these persistent threat actors.

Image: CyberArmor

The ‘Niki’ backdoor is part of a broader attack campaign that began in late May 2024. North Korean threat actors have been intensifying their efforts to infiltrate and compromise high-value targets, particularly within the aerospace and defense industries. This campaign leverages sophisticated obfuscation techniques and multiple stages to deliver the backdoor, making it a formidable tool in the attackers’ arsenal.

Once executed, the malware deploys a series of droppers and obfuscation techniques to evade detection, ultimately delivering the Niki backdoor. This backdoor, written in different programming languages (including Go), grants attackers extensive control over compromised systems, enabling them to:

  • Exfiltrate sensitive data
  • Execute arbitrary commands
  • Download additional payloads
  • Take screenshots
  • Manipulate files and timestamps

CyberArmor’s analysis highlights the increasing sophistication of North Korean cyber operations. The use of multiple programming languages, advanced obfuscation methods, and the rapid iteration of new backdoor variants demonstrate a determined and adaptive adversary.

While definitive attribution remains challenging, researchers found several indicators linking the Niki campaign to the Kimsuky group (APT43), a notorious North Korean cyber espionage unit known for its focus on intelligence gathering and disruptive attacks.

The discovery of the ‘Niki’ backdoor underscores the persistent and evolving threat posed by North Korean cyber actors. By leveraging sophisticated techniques and targeting high-value sectors, these attackers continue to pose a significant risk to global cybersecurity. Organizations must remain vigilant, employ advanced detection tools, and educate their workforce to mitigate the impact of such threats.

For a detailed analysis and additional detection strategies, refer to the full report by CyberArmor.