2025-02-22 14:11:58 Pacfic
North Korean Hackers Exploit PowerShell Trick - 9d
North Korean hackers, specifically the Kimsuky APT group (also known as Emerald Sleet), have been observed employing a new tactic to compromise targets. The group is tricking individuals into running PowerShell as an administrator, then instructing them to paste and execute malicious code they provide. The threat actor masquerades as a South Korean government official, building rapport before sending a spear-phishing email with a PDF attachment containing instructions to open PowerShell as an administrator and paste a specific code snippet.
If the target executes the code, it downloads and installs a browser-based remote desktop tool along with a certificate and PIN. The code then sends a web request to register the victim device, granting the threat actor access for data exfiltration. Microsoft Threat Intelligence has observed this tactic in limited attacks since January 2025, describing it as a departure from the threat actor's usual tradecraft.
ImgSrc: blogger.googleusercontent.com
References:
- gbhackers.com - Microsoft Threat Intelligence has exposed a novel cyberattack method employed by the North Korean state-sponsored hacking group, Emerald Sleet (also known as Kimsuky or VELVET CHOLLIMA). - 9d
- Security Affairs - North Korea-linked APT Emerald Sleet is using a new tactic - 9d
- The Hacker News - The North Korea-linked threat actor known as Kimsuky has been observed using a new tactic that involves deceiving targets. - 9d
- GBHackers Security | #1 Globally Trusted Cyber Security News Platform - Microsoft Threat Intelligence has exposed a novel cyberattack method employed by the North Korean state-sponsored hacking group, Emerald Sleet (also known as Kimsuky or VELVET CHOLLIMA). - 9d
- @BleepingComputer - North Korean state actor 'Kimsuky' (aka 'Emerald Sleet' or 'Velvet Chollima') has been observed using a new tactic inspired from the now widespread ClickFix campaigns. - 9d
- @screaminggoat - Microsoft Threat Intelligence has observed North Korean state actor Emerald Sleet (also known as Kimsuky and VELVET CHOLLIMA) using a new tactic: tricking targets into running PowerShell as an adminis - 9d
- www.bleepingcomputer.com - Reports on Emerald Sleet's activity exploiting PowerShell. - 9d
- www.microsoft.com - The BadPilot campaign: Seashell Blizzard subgroup conducts multiyear global access operation - 9d
- SCM feed for Threat Management - PowerShell exploited in new Kimsuky intrusions - 7d
- Talkback Resources - Kimsuky, a North Korean nation-state threat actor, is conducting an ongoing cyber attack campaign named DEEP#DRIVE targeting South Korean business, government, and cryptocurrency sectors using tailore - 7d
- The Hacker News - North Korean APT43 Uses PowerShell and Dropbox in Targeted South Korea Cyberattacks - 7d
- MSSP feed for Latest - Ongoing Kimsuky Attack Campaign Exploits PowerShell, Dropbox - 6d
- Security Affairs - Analyzing DEEP#DRIVE: North Korean - 5d
Classification:
- HashTags: Kimsuky PowerShell CyberEspionage
- Company: Microsoft
- Target: Multiple targets, especially those in international affairs and media.
- Attacker: Kimsuky
- Type: Espionage
- Severity: Major