New malware families are being leveraged by North Korean state-sponsored cyberespionage operation UNC2970, which was previously mapped to UNC577, also known as Temp.Hermit, in spear-phishing attacks against media and technology firms across the U.S. and Europe since June, The Hacker News reports. Security researchers were the key targets of the attacks, which involve the use of LinkedIn as a means to impersonate recruiters and facilitate initial communication with potential victims, followed by phishing payload delivery via a job description sent over WhatsApp, according to a Mandiant report. Trojanized VNC versions, also known as LIDSHIFT, are being used to house the next-stage LIDSHOT payload with shellcode download and execution capabilities, while the PLANKWALK backdoor is being leveraged to establish persistence and help enable the distribution of other tools, including the TOUCHSHIFT malware dropper, TOUCHMOVE loader, TOUCHKEY keylogger, HOOKSHOT tunneling tool, TOUCHSHOT screenshot capturing tool, and the SIDESHOW backdoor. Attackers have also used the LIGHTSHIFT memory-only dropper to distribute the LIGHTSHOW malware. "The identified malware tools highlight continued malware development and deployment of new tools by UNC2970. Although the group has previously targeted defense, media, and technology industries, the targeting of security researchers suggests a shift in strategy or an expansion of its operations," said Mandiant.