By Bill Toulas

North Korean state actor ‘Kimsuky’ (aka ‘Emerald Sleet’ or ‘Velvet Chollima’) has been observed using a new tactic inspired by the now widespread ClickFix campaigns.

Microsoft says it observed this tactic in limited-scope attacks starting January 2025, targeting individuals who work in international affairs organizations, NGOs, government agencies, and media companies across North America, South America, Europe, and East Asia.

According to information from Microsoft's Threat Intelligence team, the attacker masquerades as a South Korean government official and gradually builds a connection with the victim.

However, targets who want to read the document are directed to a fake device registration link that instructs them to run PowerShell as an administrator and paste attacker-provided code.

When executed, the code installs a browser-based remote desktop tool, downloads a certificate using a hardcoded PIN, and registers the victim’s device with a remote server, giving the attacker direct access for data exfiltration.

“While we have only observed the use of this tactic in limited attacks since January 2025, this shift is indicative of a new approach to compromising their traditional espionage targets,” warns Microsoft.

Microsoft notified customers targeted by this activity and urges others to take note of the new tactic and treat all unsolicited communications with extreme caution.
This Cyber News was published on www.bleepingcomputer.com. Publication date: Wed, 12 Feb 2025 19:39:16 +0000