CyberSecurity updates
2025-02-23 08:35:02 Pacific

North Korean Hackers Exploit PowerShell Trick - 10d

The North Korea-linked APT group Kimsuky, also known as Emerald Sleet, is using a new tactic to compromise its traditional espionage targets: tricking them into running PowerShell as an administrator and executing malicious code. The group first builds rapport with a target, then sends a spear-phishing email with an attached PDF. The accompanying registration link leads to instructions to open PowerShell as an administrator and paste code supplied by Emerald Sleet. If the target runs that code with administrator rights, it downloads and installs a browser-based remote desktop tool, giving the threat actor access to the device and a channel for data exfiltration.

Kimsuky Targets South Korea with PowerShell and Dropbox - 8d

Kimsuky, a North Korean state-sponsored hacking group, conducted a targeted attack campaign ("DEEP#DRIVE") against South Korean entities in the business, government, and cryptocurrency sectors. The campaign relied on spear-phishing emails carrying malicious PDF documents that led to PowerShell code execution. It underscores the persistent threat posed by state-sponsored actors that focus on specific sectors.