Chrome Zero-Day from North Korea

North Korean hackers have been exploiting a zero-day in Chrome.

The flaw, tracked as CVE-2022-0609, was exploited by two separate North Korean hacking groups. Both groups deployed the same exploit kit on websites that either belonged to legitimate organizations and were hacked or were set up for the express purpose of serving attack code on unsuspecting visitors. One group was dubbed Operation Dream Job, and it targeted more than 250 people working for 10 different companies. The other group, known as AppleJeus, targeted 85 users.


The attackers made use of an exploit kit that contained multiple stages and components in order to exploit targeted users. The attackers placed links to the exploit kit within hidden iframes, which they embedded on both websites they owned as well as some websites they compromised.

The kit initially serves some heavily obfuscated javascript used to fingerprint the target system. This script collected all available client information such as the user-agent, resolution, etc. and then sent it back to the exploitation server. If a set of unknown requirements were met, the client would be served a Chrome RCE exploit and some additional javascript. If the RCE was successful, the javascript would request the next stage referenced within the script as “SBX”, a common acronym for Sandbox Escape. We unfortunately were unable to recover any of the stages that followed the initial RCE.

Careful to protect their exploits, the attackers deployed multiple safeguards to make it difficult for security teams to recover any of the stages. These safeguards included:

  • Only serving the iframe at specific times, presumably when they knew an intended target would be visiting the site.
  • On some email campaigns the targets received links with unique IDs. This was potentially used to enforce a one-time-click policy for each link and allow the exploit kit to only be served once.
  • The exploit kit would AES encrypt each stage, including the clients’ responses with a session-specific key.
  • Additional stages were not served if the previous stage failed.

Although we recovered a Chrome RCE, we also found evidence where the attackers specifically checked for visitors using Safari on MacOS or Firefox (on any OS), and directed them to specific links on known exploitation servers. We did not recover any responses from those URLs.

If you’re a Chrome user, patch your system now.
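One way a site owner could audit served pages for the hidden iframes described above, as an added example that is not part of the original post or of Google TAG's report: it flags any iframe that is invisible to the visitor (through its own attributes or a hidden ancestor) and loads from a host outside an allow-list. The heuristics, function names, host names and sample HTML are all constructed for illustration.

```python
from collections import namedtuple
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse
import re

Finding = namedtuple("Finding", "src host reasons")
VOID_TAGS = {"area", "base", "br", "col", "embed", "hr", "img", "input",
             "link", "meta", "source", "track", "wbr"}


def _tiny(value):
    """True for a length of 0 or 1 (optionally 'px'): effectively invisible."""
    m = re.fullmatch(r"\s*(\d+(?:\.\d+)?)\s*(?:px)?\s*", value or "", re.I)
    return bool(m) and float(m.group(1)) <= 1


def hiding_reasons(attrs):
    """List the ways an element's own attributes hide it from the visitor."""
    reasons = []
    if "hidden" in attrs:
        reasons.append("hidden attribute")
    for dim in ("width", "height"):
        if _tiny(attrs.get(dim)):
            reasons.append(f"{dim} attribute <= 1")
    decls = {}
    for part in (attrs.get("style") or "").lower().split(";"):
        name, sep, value = part.partition(":")
        if sep:
            decls[name.strip()] = value.replace("!important", "").strip()
    if decls.get("display") == "none":
        reasons.append("display:none")
    if decls.get("visibility") == "hidden":
        reasons.append("visibility:hidden")
    for dim in ("width", "height"):
        if _tiny(decls.get(dim)):
            reasons.append(f"style {dim} <= 1px")
    for side in ("left", "top"):
        if decls.get(side, "").startswith("-"):
            reasons.append(f"positioned off-screen ({side})")
    return reasons


class HiddenFrameScanner(HTMLParser):
    def __init__(self, page_url, allowed_hosts):
        super().__init__()
        self.page_url = page_url
        self.allowed = {h.lower() for h in allowed_hosts}
        self.allowed.add(urlparse(page_url).hostname)  # same-site frames are fine
        self.stack = []      # open elements as (tag, own hiding reasons)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        own = hiding_reasons(attrs)
        if tag == "iframe":
            src = urljoin(self.page_url, attrs.get("src") or "")
            url = urlparse(src)
            reasons = own + [f"inside hidden <{t}>" for t, r in self.stack if r]
            if (reasons and url.scheme in ("http", "https")
                    and url.hostname not in self.allowed):
                self.findings.append(Finding(src, url.hostname, reasons))
        if tag not in VOID_TAGS:
            self.stack.append((tag, own))

    def handle_endtag(self, tag):
        # Pop back to the matching open tag; tolerates unclosed elements.
        for i in range(len(self.stack) - 1, -1, -1):
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break


def scan(html, page_url, allowed_hosts=()):
    """Return a Finding for every hidden iframe that loads from an unlisted host."""
    scanner = HiddenFrameScanner(page_url, allowed_hosts)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page; every host name here is made up.
PAGE_URL = "https://news.site.example/article"
ALLOWED = {"video.partner.example", "payments.partner.example"}
SAMPLE = """<html><body>
<iframe src="https://video.partner.example/embed/1" width="560" height="315"></iframe>
<iframe src="/widgets/newsletter.html" style="display:none"></iframe>
<div style="position:absolute; left:-9999px"><p>spacer<br></p>
  <iframe src="https://cdn.injected.example/landing?id=42"></iframe></div>
<iframe src="//stats.injected.example/t" width="1" height="1"
        style="visibility:hidden"></iframe>
<iframe src="https://payments.partner.example/3ds" hidden></iframe>
</body></html>"""
```

Because the report says the iframe was only served at specific times, a check like this is more useful when run repeatedly over responses captured at different times than as a one-off scan.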

Posted on March 31, 2022 at 6:13 AM • 29 Comments


Ted March 31, 2022 7:58 AM

The selective exploit dispatch seems pretty sophisticated.

Google’s TAG said the earliest evidence they have of Chrome’s RCE vulnerability being used was Jan 4, 2022. It was patched on Feb 14, 2022. Good work Google TAG.

But are other browsers vulnerable to these malicious or compromised URLs?

The choice of targets is interesting: News media and IT companies for Operation Dream Job; and cryptocurrency and Fintech organizations for AppleJeus.

Updating now. Who knows how this exploit kit could morph or get into other hands.

John March 31, 2022 8:02 AM


I wonder how successful North Korea would be if they put half this effort into doing things that made them real money and made their residents happy?


Denton Scratch March 31, 2022 9:54 AM


Doing stuff to make things and keep your people happy isn’t going to do much good, if your country is sanctioned up to the eyeballs. Complying with the demands of countries that impose the sanctions doesn’t do much good either – once sanctions are imposed, they tend to never go away (ask Iran).

Russia is now sanctioned up to the eyeballs; I can’t see those sanctions going away, even if Russia were to withdraw from Ukraine. So surprise, surprise: Russia isn’t withdrawing.

If you’re going to charge around imposing sanctions on countries in the hope of changing their behaviour, then you have to establish a record of lifting sanctions when behaviour changes. But in practice, sanctions aren’t intended to change behaviour; they’re retaliatory and punitive.

Clive Robinson March 31, 2022 10:09 AM


Let me see,

“The kit initially serves some heavily obfuscated javascript…”


“… the client would be served a Chrome RCE exploit and some additional javascript”

Anyone else spot the common thread?

I’ve been saying for years “turn javascript off” because it is a major health hazard… And no in browser blockers are a bad idea, just kill it and kill it dead.

But also “WAKE UP People” so is any other code that a server pushes onto a client to be executed.

Oh and HTML etc and all that nonsense where the remote server has priority over the user wishes… It’s the very definition of being “owned”.

Honestly why do you think Alphabet and Co and other Silicon Valley Mega-Corps effectively control the W3C and popular Browser Developers…

Yup it’s so they can more easily “own you” and “data rape you”. They are enabling all those “social crimes” and “crimes against the person” we detest the most…

The fact that other more acceptable crooks like Governments use the same tools as the Mega-Corps… Is because the Mega-Corps make it easy for them to do so…

People have two choices,

1, Wake-up.
2, Sleep-walk further into the trap.

Which would you prefer to be? It really is your choice still, but probably not for much longer.

Clive Robinson March 31, 2022 10:26 AM

@ Denton Scratch, ALL,

“But in practice, sanctions aren’t intended to change behaviour; they’re retaliatory and punitive.”

Actually they are more than “retaliatory” they are actually “First Strike” weapons of Economic warfare, and just as destructive as their nuclear counterparts.

Some nations try to hide this by pretending it is “preemptive action” it’s almost invariably not.

A common feature of such economic weapons is that they have a third party restraint in them. That is the sanctioning nation tells all other nations “do as we say or you will get the same” it’s the old US “Bomb them back to the stone ages” policy played in a different way.

The aim is two fold,

1, Total Destruction of a much weaker opponent.
2, A proof of the consequences of “Might is Right and has no morals” that will cause other nations to do as they are told when they are told.

One result is that the standard of living in these sanctioning nations is up above five times that of most other nations…

As once observed,

“Cheap fuel comes at a very high price.”

But it’s not just fuel, it’s lifestyle and much more.

Winter March 31, 2022 11:14 AM

“One result is that the standard of living in these sanctioning nations is up above five times that of most other nations…”

That is also a consequence of the fact that a poor country is in a very bad position to level sanctions against a rich country. It did happen when OPEC did it in the seventies. It did not seem to be very attractive as it did not happen again.

But I agree, sanctions are good for keeping your enemy small. The sanctions against Russia will not stop the war in Ukraine, but they will make it much more difficult for Russia to try this again.

As for the morals of sanctions. Everyone is free to choose their business partners. That too holds for nations. And there is no obligation to give people the money to pay for destroying you.

Q March 31, 2022 11:22 AM

Turn off JS. There, I just solved 99.99+% of all exploits for everyone.

It should be a privilege for a site to be able to run JS, not an expectation, or a requirement.

Currious March 31, 2022 12:05 PM

I have turned off JS and quite a few websites I visit are somewhat broken.

Is there a resource that can help explain better what/how javascript works?

It would seem like it could be beneficial to sandbox JS to a browser, but as I don’t really know how it works, I’m left to spitballing ideas.

Some websites I wouldn’t mind turning on for brief access, but I’d rather keep useless features off and not relegate safety to having to remember if things are off or on.

Winter March 31, 2022 12:29 PM

“Doing stuff to make things and keep your people happy isn’t going to do much good, if your country is sanctioned up to the eyeballs.”

North Korea never ended the Korean war. They still attack South Korean ships and islands. They still threaten to invade South Korea. Why should we provide them with the means to attack South Korea?

As for “a better life for the people”, you might want to read up on how much the well being of the people is in the focus of their government. Spoiler, if you want to get a feeling how hell could be organized, talk to a former North Korean.

JonKnowsNothing March 31, 2022 12:38 PM

@Clive, @Winter, @Denton Scratch, @All

re: Sanctions Siege

About the only time sanctions work is when the Sanction Promoter has no need for the item(s) selected against the Sanction Target.

If you put in a siege-blockade for Champagne, the only ones affected are the ones who drink Champagne. The benefit of running the blockade is the same as the long term activities along the English, Irish, French, or any coastline where embargoed items can get ashore. (1)

The part about sanctions working, really means, the price goes up to those who have need of the item; it’s the Charge Me More Economic Policy. The majority of Sanction Promoters intend to To Charge THEM More Economic Policy but it backfires spectacularly.

For the most part, the Sanction Target gets along OKish after the initial thump when people adjust to the new economic limitations. The Sanction Promoter gets windfall profits from the restricted supply provided they sell the same goods.

Windfall Profits Short List:
* Bread and Fuel are going to be in short supply. Water may be an issue soon as purification and sewage systems deteriorate with the dumping of raw sewage into the rivers, lakes and oceans. Chemical contamination of all sorts can be expected and long term.


1) Veuve Clicquot, Napoleonic Wars, naval blockades, Czar Alexander I and Grand Duke Michael Pavlovich of Russia (Czar Alexander I’s brother)

… Je déguste les étoiles…

Ted March 31, 2022 2:32 PM

@Clive, Q, Currious, All

It almost seems unreasonable to disable JavaScript. I’m reading that over 95% of websites use it.

Q March 31, 2022 3:37 PM

95% of sites might use JS, but not 95% of sites require JS. And your 95% won’t be the same as someone else’s 95%. Everyone has different usage metrics.

My personal metric is 0% of sites I use need JS. Because my usage is like that. If a site requires JS, then I stop going there. In all cases there are alternatives that will give me what I want without such an onerous requirement.

If we all just allow sites to rape our browsers and steal our cycles then they will come to expect it as a right, and require it as a condition. Many sites have already gone there. I find that to be an arrogant stance towards the visitors. They prop themselves up to be important enough to demand everyone else’s compliance to their JS whims.

So I reiterate, turn off JS. The more people that do that, the more the sites will feel the loss and hopefully decide to change things and treat their visitors with respect.

vas pup March 31, 2022 4:57 PM

No surprise.
N Korea really cherishes folks proficient in STEM, math in particular since elementary school. NK understands that brain power is a national resource and guarantees security. Good example to follow.

lurker March 31, 2022 6:00 PM

@Currious, “It would seem like it could be beneficial to sandbox JS to a browser…”

Those of us who were around when js appeared on the web said ouch. And when the inevitable badness was demonstrated, browser makers started to sand-box js. But then jumping out of sand-boxes became a competitive sport amongst the bad guys. And here we are: there will always be some people who will try to break stuff…

Clive Robinson March 31, 2022 6:05 PM

@ Winter,

“North Korea never ended the Korean war. They still attack South Korean ships and islands. They still threaten to invade South Korea. Why should we provide them with the means to attack South Korea?”

You might want to check your history.

First off, the US were the aggressor, and when the commander in the field started to suffer major losses, demanded to use nuclear weapons against the North. Thankfully US Politicians were a little wiser back then.

As for the North being an aggressor, you might want to check about why the war never ended just got held in a ceasefire. Also about the disputed territory that US and South Korea fire into in their little war games.

When you analyse it you find that surprisingly counter to what the MSM claim it is North Korea that generally behaves as “the rational actor” not the US and quite often South Korea, and more recently because of US Behaviour in South Korea and adjacent areas, China now involves itself against South Korea.

The primary driver of much of the past seventy years of nonsense in the Korean Peninsula is without doubt the US State Dept and US houses.

I’m by no means saying North Korea is blameless, but they generally only respond after very significant provocation almost always involving the US in some way, especially when it comes to breaking agreements that North Korea has fully complied with.

In fact it’s not difficult to reason out that North Korea has nuclear devices and delivery systems not because they particularly want them, but because US foreign policy has driven them down that path. Simply because the North do not want the US re-invading them. The North clearly know that they can not win another war against the US without significant support from both Russia and China, that they are unlikely to get these days. So they have developed a “Keep off the Grass” system.

The US has actually encouraged a number of nations to go nuclear in various ways. In the case of both India and Pakistan by in effect pulling out seats at the top table. Further the fact it was Iraq and not Iran that got invaded, is another US encouragement to get nuclear, because you get left alone after you have sufficient nuclear capability.

The latest example is the Ukraine, it was an unwilling nuclear state, and gave up having a nuclear deterrent because the US and UK guaranteed its security against Russia but they have both reneged on the deal, so the Ukraine was first partially invaded by Russia and its very existence is now in doubt. If it had retained its nuclear status I suggest Russia would not be doing what it currently is. Which is apparently a point not lost on Turkey… OK the nukes may not be theirs but I doubt they are now going to give them back to the US, because they know darn well what Putin and Co are most likely to do if they were that daft.

North Korea has simply made a strategic decision, that the US want to in the US’s own words “Bomb them back to the stone ages”… So they first developed the delivery capability and then the actual weapons capability (we believe).

The North send delivery systems off in tests from time to time, almost always as a response to actions by others. Effectively as a reminder, not to the world’s Governments or Militaries but the likes of the citizens of various nations, who in turn end up applying pressure to the US State Dept, Executive and thus military.

North Korea understand that if they actually launched a nuclear device, it would very likely not reach a US target, and that they would not survive the retaliation. But that is not the point, they know that those citizens in other nations can in effect apply “sanctions” against the US. So a stalemate remains in existence.

If people want peace in the Korean Peninsula it would be fairly easy to achieve,

1, Get the super powers out.
2, Get the war hawks out of the south.

Then build “trade bridge heads” in the DMZ and just wait, the rest will follow for two main reasons,

1, The North has resources the south does not and needs.
2, The South has technology the North does not but needs.

If left alone they would with high probability sort things out between the two of them to a point where going back would be unacceptable to both sides. Which for other nations such as China, Japan, Russia and the US and even Europe would be a scary prospect, not because of a Korean military potential but economic potential.

Nobby March 31, 2022 6:06 PM

“I’ve been saying for years “turn javascript off” because it is a major health hazard…”

Being a security researcher, you are obviously biased. Common people don’t use any threat model, instead, they use risk management. Suppose that having javascript on allows them, due to improved productivity, to have $10 extra for every $1k, and also, there is a 1 to million chance to lose $1M because of being hacked. Thus, their expected gain is +$9.
And as long as this gain to loss ratio remains, they are acting rationally.

Nobby March 31, 2022 6:21 PM

@Currious, Ted

As a reasonable compromise:
use PrivacyRedirect addon to redirect your browser to non-javascript versions of youtube, instagram, twitter, google translate.
on other sites, use uMatrix addon to restrict javascript to 1-st party scripts only; many sites would still be broken, most of them could be made functioning via tweaking uMatrix options, which requires some understanding though, nothing comes free.

Clive Robinson March 31, 2022 6:42 PM

@ Nobby,

“Being a security researcher, you are obviously biased.”

I have a broader view point, which leads me to certain conclusions.

For instance your risk model is going to fail and fail badly, it’s simply a case of “statistical probability”.

That is in the short term that one in a million is just one in a million, but at some point it’s going to happen, the longer you wait the more certain it is to happen, just as with “one spin Russian Roulette”. Thus that $9 advantage disappears fairly quickly and that million comes ripping through.

But it’s actually worse than that. The short term thinking sees any spending on mitigation as “sunk costs of no return”, thus prevention does not get funded. In fact the money usually gets spent on increasing risk, such as by mortgaging every thing up and moving the money out into other risky activities as they have higher short term profit potential. At some point one of those debts will go bad and the whole house of cards will collapse leaving a massive wake of otherwise easily avoidable disaster.

It’s why bubbles tend to go with a bang not a hiss.

lurker March 31, 2022 6:46 PM

@Clive, “You might want to check your history.”

My history says Korea was an independent kingdom until it was colonised by Japan in 1894. This colonisation lasted until 1945 when it was relieved by Russia from the north and US from the south. The two armies met near the middle and promptly ignored the fact that Korea itself had not been a belligerent. They divided it like they had done with Germany and thus created the distress that has lasted 77 years. It doesn’t look like either a German style reunification, or US-Russian rapprochement and apology are likely any time soon.

lurker March 31, 2022 7:01 PM

@Clive, “You might want to check your history.”

More which I feared may have fallen under the knife:
In 1952 N.Korea could see a) if a plebiscite were held in both N & S it would overwhelmingly favour unification, and b) there would be no initiative from the US to unify. So the N took the initiative at military style unification. Interference from external parties on both sides is a matter of record.

I agree with you that the fly in the ointment ever since has been the US, propping up its puppets in the S, and failing to understand or acknowledge the history and culture of the people they had effectively recolonised.

JonKnowsNothing March 31, 2022 7:33 PM

@Ted, @Clive, Q, Currious, All

re: It almost seems unreasonable to disable JavaScript. I’m reading that over 95% of websites use it.

The old story of lemmings….

Lemmings are actually quite intelligent and do not run off cliffs anymore than buffaloes (American Bison) do. Something to do with being herded into a stampede and then funneled into a Buffalo Jump.

A more current version is the round up of “unwanted or non-native mammals and carnivores” that are herded into a kill plain by helicopters and drones. Once in the kill plain – well, the killing takes place.

If the species has too many human advocates they are funneled into long chutes and then into a holding pen. The pen has several round-about turn style gates. The majority are selected for the government permanent corrals and go through one set of round-abouts; the few allowed to return to the wild go through another.

JavaScript is a gate to neocon-libertarian technical corrals.

Search Terms

Buffalo jump

suicidal lemmings staged in the Walt Disney documentary White Wilderness in 1958.

Ted March 31, 2022 9:42 PM


Thanks so much for your additional thoughts on JavaScript.

On a side note, those safeguards to conceal the exploit were pretty impressive, yes? For Google’s TAG not to initially be able to gather more info about its stages and parameters is kind of wild. It looks like the CVE was also Chrome’s first zero day of 2022.

Winter April 1, 2022 1:23 AM

“You might want to check your history.”

That is never wrong. However, I do not think going back 70 years exonerates the shelling of Yeonpyeong Island in 2010, or sinking South Korean ships.

North Korea sees fit to kidnap or kill Japanese and South Korean citizens, shell South Korea etc, we feel free to stop trading with them. Also, if NK constantly declare their intention to invade and conquer South Korea by force, I see no point helping them achieving that aim by selling them the stuff they need to do that, or sending them the money to buy that stuff.

Clive Robinson April 1, 2022 4:44 AM

@ Winter,

As I said, North Korean actions as far as we can tell even through Western MSM reporting are “responsive” to US backed provocations by South Korea, Japan and others in disputed territorial waters. That is by US definitions of US militaristic behaviour “self defense” not “offensive”.

The “Bombardment of Yeonpyeong” happened when South Korea with US backing were holding “war games” and fired towards North Korea and into territory North Korea has a justifiable and very long standing claim to sovereignty over… In short under International law an initiating act of war, or breach of the US signed ceasefire agreement, that North Korea responded to.

As for “kidnapping claims” there are two sides to most of those stories as well. If you deliberately sail vessels into known disputed waters to be provocative, and get closer and closer until you finally get a response, what do you call it?

Ask the US Coast Guard what they do? How about the US Navy in other Nations Waters using machine guns on approaching vessels?

Legally under International treaties and other agreements North Korea is following the “defend it or lose it” principle, the UN under Security Council leadership has dumped on the world, likewise the 3-12 mile change in territorial water claims. It’s the same “Force majeure” property rights of “might is right” that turns up with IP and trade names etc. That is if NK does not actually take “defensive measures” to protect its interests it loses title to its claims… Look up the 21 year ruling and what has happened with places like Turkish Northern Cyprus and all the nonsense that still creates.

But ask yourself how many people have the US, UK and other nations kidnapped and murdered and illegally imprisoned with Guantanamo being just the tip of the tip of the iceberg… What about Australia, Canada, China, France, Israel… and very many many more Nations? Have you stopped trading with them? Have we stopped selling them weapons? Of course not, have a look at those Middle East Nations and how they use their “US Petro Dollars” on “defending” themselves well into neighbouring territories…

I’m sorry but your position is concordant with the hypocritical “we are the good guys” argument that the US, UK and many others use to hoodwink their populations with in some cases illegal, Orwellian style, propaganda to cover up their own failings.

It’s not an argument anyone can win with any kind of dignity…

After all the North Koreans could argue “Do unto others…”

As others have pointed out the Koreans were an invaded nation by the Japanese, and the atrocities they committed are absolutely shocking. So rather than liberate Korea, it was used by Russia and America as “the spoils of war” when the Russian initiated “proxy war”. When it started going wrong Russia dumped it into China’s lap… And because China helped North Korea stop the US Military Genocide of North Koreans fighting for what they thought was independence, the US through State Dept Policy have maintained their “Bomb them back to the stone ages policy” with regards Korea. US “War Hawks” have agitated and worse by continuing to break the ceasefire agreement the US voluntarily signed up to, has ever since tried to restart a war the US can not possibly win.

It’s the US not forgetting what it sees as a 70 year old stain on its name, the same as it does with the 50 year old stain of Vietnam, and why it “pick, pick, picks at China”. Which has caused so many problems in not just the South China Seas but the nations on the West Pacific.

It’s exactly the same nonsense that is the cause behind Putin and his invasion and attempted genocide / social cleansing of the Ukraine.

It’s time both the US and Russia stopped reboiling the Shakespeare’s Henry V St Crispin’s speech[1] and feeling that they are,

“… now a-bed, and shall think themselves accursed, they were not here, and hold their manhood cheap whiles any speaks that fought with us upon Saint Crispin’s Day.”

There can be no honour in trying to continue prosecuting what was a wrong a life time ago, just because you believe the propaganda that impossibly tries to justify it.

What is past is past, rearguing it is a boat anchor on all, and people should move forward and not be starting “blood feuds” that can only end in ruination and at best Pyrrhic victory, in dust and ashes that may be radioactive for centuries to come.

As you should know, the way out of this is remove the Hawks and their dark triad behaviours, and let the Doves build towards a free self determined future. It won’t be easy, and it might not be what we want, but we know it is possible.

[1] The 1944 film version of the speech that yes gets shown still in the US and other places…

Clive Robinson April 1, 2022 6:34 AM

@ Winter,

This is NK killing SK civilians as retaliation of SK firing into disputed open water. NK might act rationally, but they are still killing rationally.

Injuries and fatalities happened on both sides, it’s why it both escalated then stopped just short of full on hostilities.

There were no innocent shots being fired from the South they knew exactly what they were doing and who they were firing at and why. They just assumed incorrectly the North would as normal not return fire, only they did, and that’s when the panic in the South started…

You keep throwing garbage over into your neighbours garden, eventually they are going to throw something at you, and you might be lucky if it’s only garbage, it could be a lot lot worse and both legal and hurt.

lurker April 1, 2022 12:20 PM

@Winter, “Also, if NK constantly declare their intention to invade and conquer South Korea by force…”

NK has constantly since 1948 declared their intention to reunite the country of Korea which was arbitrarily divided in 1945 by the US and Russia. The UN veto provision prevented reunification, and allowed the de facto division to continue.

Kim Il Sung (N) had a record of anti-Japanese guerrilla activity. Syngman Rhee (S) had a record as a failed and incompetent administrator. This manifested in several peasant uprisings in the S 1946-49, which were suppressed by US troops. There was strong public support in the S for unification up until the 1980s.

According to the Panmunjom Declaration of June 2000 the two countries have agreed to work towards a peaceful reunification of Korea in the future.

Winter April 1, 2022 12:55 PM

“NK has constantly since 1948 declared their intention to reunite the country of Korea which was arbitrarily divided in 1945 by the US and Russia.”

People living now are not bounded by what happened 70 years ago. Past wrongs are not mended by new wrongs today.

Germans, Russians, Japanese, and Chinese have done truly unimaginable horrible things 80 years ago. Some of these people have tried to mend their ways better than others. Some have not even tried.

We have to judge those living today by what they do today, not by what their fathers or grandfathers did 70 years ago.

Wrt the Koreas, the USA, China, and Russia are all scheming to the detriment of the Koreans. But of all the people involved, the North Korean leaders are the worst of the worst.

JonKnowsNothing April 1, 2022 3:09 PM


re: We have to judge those living today by what they do today, not by what their fathers or grandfathers did 70 years ago.

There are a whole lot of folks who would not agree with that statement. Globally a large number, spread across many lands and oceans.

It can be done by laws of limiting compensation or restitution which are man-made laws subject to vagaries of time and economics.

It cannot be done culturally. If something happened ancestrally and any survivors or witnesses or near-witnesses carry the information forward, the “injury” is still present, in present-time.

Atrocities, Conquest, Discovery are the stones upon which our ancestors built the modern world. Nothing has been forgotten and forgiving does not mean what happened was OK and Pals will be Pals.

‘Resentment is like drinking poison and then hoping it will kill your enemies.’

Nelson Mandela

Reconciliation does not mean forgetting or trying to bury the pain of conflict, but that reconciliation means working together to correct the legacy of past

Nelson Mandela

It might be a good thing to check in with Spain, and see how they are doing with the Spanish Civil War. And then take a peek at the Alhambra Decree in 1492 and for the following 100years.

England is still having difficulty with The Troubles, hundreds of years after Elizabeth I of England sent Walter Raleigh to sort it all out.

The Gullah People of the USA are just one group among many who won’t be forgetting. They continue to struggle against inequity.
