Google Bans North Korean Hackers Exploiting Chrome Zero-Day Bug

Google has banned North Korean hacker groups targeting Chrome’s zero-day vulnerability. This urgent issue highlights threats to key sectors, including media, cryptocurrency, and tech industries, and reinforces the need for proactive cybersecurity measures.

Last Updated: 2026-04-10

North Korean Hackers Took Advantage of a Chrome zero-day Vulnerability Before the Patch Was Released

In early 2024, Google identified and banned two North Korean hacker groups that were leveraging a zero day vulnerability in Chrome, intensifying global focus on cybersecurity. Despite a fix released by Google in February, attackers deployed the exploit before patching was complete, exposing critical weaknesses across multiple industries. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) quickly followed up, requiring all government agencies to patch this vulnerability immediately to mitigate further risk. In 2025 and 2026, the same North Korean threat actors continue to evolve their tactics, making this analysis directly relevant to organizations today.

Overview of North Korean Hacker Activity

North Korea's cyber activities sponsored by the state have been on the radar for years, often targeting high value sectors and critical infrastructure. In addition to the Chrome zero day exploit, these hacker groups linked to notorious North Korean cyber operations like Lazarus have also utilized SWIFT system attacks against international financial institutions. Known for the 2014 Sony Pictures hack, Lazarus and affiliated groups have evolved their methods, employing sophisticated, multistage attacks to penetrate global technology, cryptocurrency, and media sectors. In 2025 and 2026, these groups remain among the most active and some of the most capable threat actors tracked by Western intelligence agencies.

What is a Zero Day Vulnerability?

A zero day vulnerability refers to a security flaw in software or hardware that is unknown to the party responsible for fixing it, typically the developers or manufacturers. Because they are not aware of the vulnerability, no patch or fix exists, leaving the system exposed to potential attacks from malicious actors. These vulnerabilities are highly sought after by cybercriminals who exploit them before developers become aware and can address the issue.

Read our guide to get more details on what a zero day exploit is.

Dream Job Phishing Campaigns

One of the notable methods employed in these attacks is the Dream Job campaign. This tactic preys on professionals, particularly in the United States, by luring them with fake job offers from prestigious companies. Using emails and websites masquerading as those of reputable organizations like Disney, Oracle, and Google, the attackers targeted employees in several high risk sectors including:

Media
Cryptocurrency
Technology
Domain name registrars
Web hosting providers
Software vendors

These fake job offers aimed to compromise organizational security by gaining initial access through unsuspecting employees. The hackers' fake domains, like disneycareers[.]net and find-dreamjob[.]com, present links that appear credible but are carefully designed traps meant to harvest sensitive data or deploy malicious code.

This type of attack is a form of spear phishing that exploits job seekers' trust. Organizations should train employees to verify unexpected job related contact through official channels before clicking any links.

A Common Exploitation Toolkit

The hackers' toolkit is as complex as it is effective, crafted to evade detection by security teams. Google Threat Analysis Group (TAG) researcher Adam Weidemann highlighted the overlapping techniques used by these groups, indicating a shared exploit toolkit across campaigns. This toolkit includes:

Fingerprinting Techniques: Attackers used heavily obfuscated JavaScript code to analyze and collect data on the targeted system. This included exploitation scenarios, user agents, and granted permissions.
Exploit Kit with Hidden iFrames: Exploits were embedded within both the attackers' and compromised sites, making use of hidden iFrames that redirected targets.
Session Specific Keys: Attackers encrypted each stage of the exploit, making it difficult for security teams to track or reproduce the attacks.
Multistage Malware: Upon executing the exploit, the attack would request an additional payload to escape the sandbox, escalating the attack if successful.

This robust toolkit not only improved the hackers' chances of a successful breach but also frustrated security efforts to track and contain the threat.

Fake Domains Employed by North Korean Hackers

The following list of fake domains was used in phishing campaigns targeting industries like cryptocurrency, finance, and media. Each of these domains presents a credible facade but is, in fact, a trap controlled by threat actors designed to gather credentials and infiltrate organizational systems:

disneycareers[.]net
find-dreamjob[.]com
indeedus[.]org
varietyjob[.]com
ziprecruiters[.]org
blockchainnews[.]vip
chainnews-star[.]com
financialtimes365[.]com
fireblocks[.]vip

These domains were carefully chosen to imitate popular employment, media, and financial sites, and could easily be mistaken for legitimate websites by employees seeking new job opportunities.

Hackers' Security Measures to Avoid Detection

These North Korean hacker groups are known for their meticulous approach to evading detection. To protect the integrity of their exploit kit, the attackers implemented the following safeguards:

Time Specific iFrame Serving: The attackers only served the exploit frame during certain time windows, likely chosen to align with when they anticipated the target would visit the page.
Unique Links and IDs in Email Campaigns: To make detection even more difficult, each phishing email included unique links and identifiers, ensuring each attack attempt remained distinct.
Encrypted Exploitation Stages: Each stage of the attack was encrypted with session specific keys, meaning that if one phase failed, no additional stages would be served to prevent tracing and reverse engineering of the code.

These tactics reveal a sophisticated understanding of common cybersecurity defenses, enabling these attackers to maintain their persistence in targeted environments despite ongoing detection and prevention efforts.

Why Are Zero Day Vulnerabilities So Dangerous?

A zero day vulnerability like the one exploited in Chrome represents a critical cybersecurity gap. These vulnerabilities are termed zero day because they are unknown to the software provider or vendor until after they have been exploited, giving security teams zero days to prepare before an attack. Zero day exploits are especially valuable to hackers as they offer a way into systems without resistance, enabling them to carry out damaging activities such as data theft, malware installation, or system hijacking.

Defending Against North Korean Cyber Threats in 2026

Organizations in critical sectors must take a proactive approach to defend against sophisticated phishing and zero day attacks. Training and awareness initiatives like those provided by Keepnet's Security Awareness Training can significantly mitigate the risk posed by these attacks. Businesses can also implement phishing simulations to assess employees' ability to recognize these threats in real time.

Because North Korean groups frequently use social engineering conducted over voice calls alongside email phishing, organizations should also test employees' resilience to vishing (voice phishing) attacks. And when phishing emails do reach employees, fast triage matters: Keepnet's Phishing Incident Responder enables security teams to analyze reported emails up to 168x faster, dramatically reducing exposure time.

Additional Steps Organizations Should Take

Conduct Regular Security Updates: Patch management is crucial, especially for widely used applications like Chrome. Stay vigilant for updates, especially following a zero day alert.
Implement Email Security Solutions: Tools that detect and filter phishing emails are essential to prevent malicious links and attachments from reaching end users. Keepnet's Email Threat Simulator tests whether your email gateway blocks real threats before they reach employees.
Limit Access Privileges: Adopt the principle of least privilege to ensure that even if an attacker gains access, they encounter limited system permissions.
Monitor for Fake Domains: Register similar domains and use tools to monitor for suspicious new domains resembling your own to prevent spoofing attacks.
Build a Human Risk Management Program: Technical defenses alone cannot stop attacks that exploit human trust. Read our guide on human risk management strategies to build a resilient security culture.

Organizations across industries need to treat cybersecurity as an essential and continuous practice. A comprehensive human risk management platform like Keepnet offers a holistic approach to cybersecurity, helping teams track, educate, and protect their workforce against evolving threats.

Editor's Note: This article was updated on April 10, 2026.

Schedule your 30-minute demo now

You'll learn how to:

Identify and simulate phishing threats to enhance employee awareness against evolving cyber threats.

Customize exploit simulations to test your organization's defenses against specific attacks.

Assess and improve your team's response to phishing attacks, boosting your cybersecurity posture.

Frequently Asked Questions

What Chrome zero day vulnerability did North Korean hackers exploit?

In early 2024, two North Korean hacker groups exploited CVE-2024-0519, a critical type confusion vulnerability in Chrome's V8 JavaScript engine. This zero day allowed attackers to execute arbitrary code in the renderer process. Google patched the vulnerability in February 2024, but not before the attackers had deployed it against targets in the technology, media, and cryptocurrency sectors. CISA subsequently issued an emergency directive requiring all US federal agencies to apply the patch immediately.

Which North Korean hacker groups were involved?

Google's Threat Analysis Group (TAG) attributed the attacks to two groups: one linked to Operation Dream Job (also tracked as UNC2970) targeting job seekers across the US, and another focused on cryptocurrency and financial targets. Both groups are assessed to be operating under the direction of the North Korean government and share overlapping toolkits with the broader Lazarus Group cluster, which has been active since at least 2009 and remains one of the most prolific threat actors sponsored by nation states tracked in 2025 and 2026.

What is the Dream Job phishing campaign?

Dream Job is a longstanding North Korean social engineering campaign that impersonates prestigious employers such as Disney, Google, and Oracle to lure professionals into opening malicious documents or clicking weaponized links. The campaign targets employees in technology, cryptocurrency, defense, and media sectors. It is a highly targeted form of spear phishing that exploits job seekers' trust in trusted brand names.

Why are zero day vulnerabilities particularly dangerous?

Zero day vulnerabilities are security flaws that are unknown to the vendor at the time of exploitation. Because no patch exists, defenders have no warning and no immediate technical fix. This gives attackers a significant advantage, particularly when the vulnerable software is as widely deployed as Chrome. Zero days are highly valuable on criminal and nation state markets, sometimes selling for millions of dollars. Even after a patch is released, organizations that delay updates remain vulnerable for days or weeks.

Which industries are most targeted by North Korean hackers in 2026?

North Korean threat actors in 2025 and 2026 continue to heavily target the cryptocurrency and blockchain sector, defense contractors, software developers, media companies, financial institutions, and IT service providers. Cryptocurrency theft remains a primary revenue source for the North Korean government, with billions of dollars stolen through hacks of exchanges, DeFi protocols, and crypto wallets over the past five years. Organizations in these sectors face a disproportionately high risk of targeted attacks.

How can organizations protect against zero day exploits delivered through the browser?

The most effective defense is a combination of rapid patching, browser isolation, and endpoint detection. Organizations should enable automatic browser updates, subscribe to vendor security advisories, and apply emergency patches within 24 hours of release. Browser isolation technology prevents exploits delivered via the web from reaching the underlying operating system. Endpoint detection and response (EDR) tools can detect anomalous behavior triggered by exploit payloads. Keepnet's Email Threat Simulator can also verify whether your email gateway is blocking the phishing emails that deliver these exploits.

What is a multistage malware attack and how does it work?

A multistage malware attack breaks the infection process into multiple steps, each dependent on the successful completion of the previous one. In the North Korean Chrome exploit, the initial stage used obfuscated JavaScript to fingerprint the target system. If conditions were met, a second stage requested a payload to escape the browser sandbox. A third stage then established persistence on the host. This approach frustrates security analysis because researchers cannot fully reconstruct the attack if any stage is missing.

How does phishing enable zero day exploits like this one?

Phishing is the primary delivery mechanism for zero day browser exploits. Attackers send targeted emails containing links to websites controlled by attackers hosting the exploit. When the victim visits the page in a vulnerable browser, the exploit executes automatically without any further user interaction (a technique known as a drive by download). This is why email security and employee security awareness training are essential complements to browser patching. If employees do not click the link, the exploit never runs.

What should an organization do immediately after a zero day is disclosed?

Immediately after a zero day is publicly disclosed, organizations should apply the vendor patch as an emergency update, not wait for the next scheduled maintenance window. Security teams should search endpoint logs for indicators of compromise (IOCs) associated with known exploit campaigns. Restrict or disable the affected software temporarily if patching is not immediately possible. Notify employees of the risk and remind them to be especially cautious of unsolicited links. Use Keepnet's Phishing Incident Responder to accelerate triage of any suspicious emails reported during this window.

How does Keepnet help organizations defend against phishing campaigns by nation state actors in 2026?

Keepnet's Extended Human Risk Management Platform provides multiple layers of defense against the social engineering techniques used by North Korean and other nation state actors. It delivers realistic phishing simulations that mirror Dream Job and other nation state campaign styles, vishing simulations for attacks delivered over voice calls, adaptive security awareness training triggered by risky behavior, and automated phishing incident response to contain threats quickly. Together, these tools ensure that even when a zero day is deployed against your organization, the phishing email that delivers it is recognized and reported before damage occurs.