A North Korea-linked hacking group, Kimsuky, has adopted a new tactic in cyberattacks, using PowerShell to hijack devices.
This technique is a departure from their usual methods and leverages social engineering to trick victims into running malicious PowerShell commands.
How the Attack Works:
The attacker masquerades as a South Korean government official and builds rapport with the target. Then, they send a spear-phishing email containing a malicious PDF attachment.
Inside the document, the victim is urged to click a URL that directs them to a list of steps to register their Windows system.
This registration link asks the victim to run PowerShell as an administrator and paste a malicious code snippet into the terminal.
Impact of the Exploit:
If executed, the code downloads a browser-based remote desktop tool and a certificate file with a hardcoded PIN from a remote server.
This allows the attacker to register the victim’s device, gaining access to it for data exfiltration.
This spear-phishing method enables the hackers to bypass security protections, relying on the victim to infect their own system.
This tactic aligns with the growing trend of attacks where the target unknowingly aids in compromising their own device, making it harder to detect and prevent.
Microsoft has reported these attacks starting in January 2025, although similar strategies have been used by other threat actors, including those behind the Contagious Interview campaign.
This incident underscores the evolving tactics of cybercriminals and highlights the need for greater vigilance, particularly when receiving suspicious emails.