CyberSecurity updates
2025-02-23 04:10:11 Pacific

Kimsuky Targets South Korea with PowerShell and Dropbox - 8d
Read more: talkback.sh

Kimsuky, a North Korean advanced persistent threat operation also known as APT43, is actively targeting South Korean entities within the business, government, and cryptocurrency sectors. The hacking group employs a sophisticated attack campaign, named DEEP#DRIVE, that starts with spear-phishing emails designed to establish trust by spoofing a South Korean government official. These emails contain malicious PDF documents and links redirecting victims to websites hosting PowerShell code, ultimately leading to code execution on the targeted systems.

This campaign leverages tailored phishing lures written in Korean and disguised as legitimate documents, such as work logs, insurance documents, and crypto-related files. The attack chain relies heavily on PowerShell scripts for payload delivery, reconnaissance, and execution. Dropbox is used for both payload distribution and data exfiltration, with OAuth token-based authentication for the Dropbox API calls; because the traffic goes to a legitimate cloud service, it bypasses traditional IP or domain blocklists and makes the activity difficult to detect.
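Since the evasion described above rests on PowerShell talking to a legitimate cloud API, one practical hunt is to key on the combination of process image and destination rather than on the destination alone. The following is an added example of that detection logic, not code from the report or from any vendor: it parses a constructed pipe-delimited event format (timestamp, host, process image, destination host, command line) and flags PowerShell processes that contact the Dropbox API or carry an OAuth bearer header on their command line. The two Dropbox API hostnames are assumed from Dropbox's public API documentation; the report itself only says "Dropbox API". The sample events, hostnames, and token value are constructed.

```python
"""Hunt for PowerShell processes that use the Dropbox API (added example).

Assumed event format, one event per line (constructed for this example):
    <timestamp>|<hostname>|<process image>|<destination host>|<command line>
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Assumption: Dropbox's public API endpoints (the report only says "Dropbox API").
DROPBOX_API_HOSTS = {"api.dropboxapi.com", "content.dropboxapi.com"}
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}
# OAuth bearer header passed inline, e.g. @{Authorization='Bearer ...'}
BEARER_RE = re.compile(r"authorization\s*[:=]\s*['\"]?bearer\b", re.IGNORECASE)

# Constructed sample telemetry: two PowerShell->Dropbox events, one benign
# Dropbox client event, one benign PowerShell event.
SAMPLE_LOG = """\
2025-02-14T09:12:03Z|WS-0142|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|api.dropboxapi.com|powershell.exe -NoProfile -Command "Invoke-RestMethod -Uri https://api.dropboxapi.com/2/files/list_folder -Headers @{Authorization='Bearer sl.EXAMPLE'}"
2025-02-14T09:12:05Z|WS-0142|C:\\Program Files\\Dropbox\\Client\\Dropbox.exe|api.dropboxapi.com|"C:\\Program Files\\Dropbox\\Client\\Dropbox.exe" /systemstartup
2025-02-14T09:15:44Z|WS-0077|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|update.example-internal.local|powershell.exe -File C:\\scripts\\inventory.ps1
2025-02-14T09:20:10Z|WS-0142|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|content.dropboxapi.com|powershell.exe -Command "Invoke-WebRequest -Uri https://content.dropboxapi.com/2/files/upload -Method Post -Headers @{Authorization='Bearer sl.EXAMPLE'}"
"""


@dataclass
class Event:
    ts: str
    host: str
    image: str      # basename of the process image, lower-cased
    dest: str       # destination hostname, lower-cased
    cmdline: str


def parse_event(line: str) -> Event:
    """Split one pipe-delimited event; the command line may itself contain '|'."""
    ts, host, image, dest, cmdline = line.split("|", 4)
    return Event(ts, host, image.rsplit("\\", 1)[-1].lower(), dest.lower(), cmdline)


def classify(ev: Event) -> List[str]:
    """Return the list of rule names this event matches (empty if benign)."""
    reasons: List[str] = []
    is_powershell = ev.image in POWERSHELL_IMAGES
    to_dropbox = ev.dest in DROPBOX_API_HOSTS or "dropboxapi.com" in ev.cmdline.lower()
    if is_powershell and to_dropbox:
        reasons.append("powershell->dropbox-api")
    if is_powershell and BEARER_RE.search(ev.cmdline):
        reasons.append("oauth-bearer-in-cmdline")
    return reasons


def hunt(lines) -> List[Tuple[str, str, str, List[str]]]:
    """Run classify() over raw event lines; return (ts, host, image, reasons) hits."""
    findings = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        ev = parse_event(line)
        reasons = classify(ev)
        if reasons:
            findings.append((ev.ts, ev.host, ev.image, reasons))
    return findings


if __name__ == "__main__":
    for ts, host, image, reasons in hunt(SAMPLE_LOG.splitlines()):
        print(f"{ts} {host} {image}: {', '.join(reasons)}")
```

The legitimate Dropbox desktop client contacts the same hosts, which is why the rule requires the PowerShell image as well as the destination; a blocklist on `dropboxapi.com` alone would either miss the activity or break the sanctioned client. In a real deployment the process image and destination would come from endpoint telemetry such as process-creation and network-connection events, and the inline-bearer rule would extend to script content, not just the command line.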