The Hackers Microsoft says it started tracking the campaign by this North Korean-linked group in mid-2020. The hackers started by building a reputation in the security research community through Twitter by retweeting and posting high-quality security content and other material related to exploit research. The hackers controlled other social media accounts and used these to amplify the other posts, Microsoft says. After building their reputation, the hackers started approaching potential targets on Twitter and LinkedIn, according to Microsoft. "The conversations were often seemingly innocuous, asking security questions or talking about exploit techniques," the company says. Attack Techniques Once the hackers contacted researchers about working on a project, they shared Microsoft's Visual Studio integrated development environment tool. That tool included source code for exploiting a vulnerability, as well as an additional Dynamic Link Library file that would be executed through Visual Studio build events. The DLL would then communicate with the command-and-control server controlled by the hacking group, according to the Microsoft report. The hackers then began gathering information about the targeted victim.