{
	"id": "5e6b1c7b-de7d-4c4e-adc8-ec0d2b1cf71d",
	"created_at": "2026-04-06T00:15:16.103622Z",
	"updated_at": "2026-04-10T13:12:58.357884Z",
	"deleted_at": null,
	"sha1_hash": "322d87a37a9bba60a406e1440cc009690b9eea36",
	"title": "North Korean Hackers Exploit Facebook Messenger in Targeted Malware Campaign",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 220550,
	"plain_text": "North Korean Hackers Exploit Facebook Messenger in Targeted Malware Campaign\nBy The Hacker News\nPublished: 2024-05-16 · Archived: 2026-04-05 23:04:01 UTC\n\nThe North Korea-linked Kimsuky hacking group has been attributed to a new social engineering attack that uses fictitious Facebook accounts to approach targets via Messenger and ultimately deliver malware.\n\n\"The threat actor created a Facebook account with a fake identity disguised as a public official working in the North Korean human rights field,\" South Korean cybersecurity company Genians said in a report published last week.\n\nThe multi-stage attack campaign, which impersonates a legitimate individual, is designed to target activists in the North Korean human rights and anti-North Korea sectors, it noted.\n\nThe approach is a departure from the typical email-based spear-phishing strategy in that it leverages the social media platform to approach targets through Facebook Messenger and trick them into opening seemingly private documents written by the persona.\n\nhttps://thehackernews.com/2024/05/north-korean-hackers-exploit-facebook.html\n\nThe decoy documents, hosted on OneDrive, are Microsoft Common Console documents (.msc files) that masquerade as an essay or content related to a trilateral summit between Japan, South Korea, and the U.S. -- \"My_Essay(prof).msc\" or \"NZZ_Interview_Kohei Yamamoto.msc\" -- with the latter uploaded to the VirusTotal platform on April 5, 2024, from Japan.\n\nThis raises the possibility that the campaign may be oriented toward targeting specific people in Japan and South Korea.\n\nThe use of MSC files to pull off the attack is a sign that Kimsuky is using uncommon document types to fly under the radar. 
In a further attempt to increase the likelihood of a successful infection, the document is disguised as an innocuous Word file by using the word processor's icon.\n\nShould a victim launch the MSC file and consent to opening it with Microsoft Management Console (MMC), they are shown a console screen containing a Word document that, when launched, activates the attack sequence.\n\nThis involves running a command to establish a connection with an adversary-controlled server (\"brandwizer.co[.]in\") to display a document hosted on Google Drive (\"Essay on Resolution of Korean Forced Labor Claims.docx\"), while additional instructions are executed in the background to set up persistence and to collect battery and process information.\n\nThe gathered information is then exfiltrated to the command-and-control (C2) server, which is also capable of harvesting IP addresses, User-Agent strings, and timestamp information from the HTTP requests, and of delivering relevant payloads as necessary.\n\nGenians said that some of the tactics, techniques, and procedures (TTPs) adopted in the campaign overlap with prior Kimsuky activity disseminating malware such as ReconShark, which was detailed by SentinelOne in May 2023.\n\n\"In the first quarter of this year, spear-phishing attacks were the most common method of APT attacks reported in South Korea,\" the company noted. \"Although not commonly reported, covert attacks via social media are also occurring.\"\n\n\"Due to their one-on-one, personalized nature, they are not easily detected by security monitoring and are rarely reported externally, even if the victim is aware of them. Therefore, it is very important to detect these personalized threats at an early stage.\"\n\n
Source: https://thehackernews.com/2024/05/north-korean-hackers-exploit-facebook.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://thehackernews.com/2024/05/north-korean-hackers-exploit-facebook.html"
	],
	"report_names": [
		"north-korean-hackers-exploit-facebook.html"
	],
	"threat_actors": [
		{
			"id": "191d7f9a-8c3c-442a-9f13-debe259d4cc2",
			"created_at": "2022-10-25T15:50:23.280374Z",
			"updated_at": "2026-04-10T02:00:05.305572Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"Kimsuky",
				"Black Banshee",
				"Velvet Chollima",
				"Emerald Sleet",
				"THALLIUM",
				"APT43",
				"TA427",
				"Springtail"
			],
			"source_name": "MITRE:Kimsuky",
			"tools": [
				"Troll Stealer",
				"schtasks",
				"Amadey",
				"GoBear",
				"Brave Prince",
				"CSPY Downloader",
				"gh0st RAT",
				"AppleSeed",
				"Gomir",
				"NOKKI",
				"QuasarRAT",
				"Gold Dragon",
				"PsExec",
				"KGH_SPY",
				"Mimikatz",
				"BabyShark",
				"TRANSLATEXT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "760f2827-1718-4eed-8234-4027c1346145",
			"created_at": "2023-01-06T13:46:38.670947Z",
			"updated_at": "2026-04-10T02:00:03.062424Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"G0086",
				"Emerald Sleet",
				"THALLIUM",
				"Springtail",
				"Sparkling Pisces",
				"Thallium",
				"Operation Stolen Pencil",
				"APT43",
				"Velvet Chollima",
				"Black Banshee"
			],
			"source_name": "MISPGALAXY:Kimsuky",
			"tools": [
				"xrat",
				"QUASARRAT",
				"RDP Wrapper",
				"TightVNC",
				"BabyShark",
				"RevClient"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c8bf82a7-6887-4d46-ad70-4498b67d4c1d",
			"created_at": "2025-08-07T02:03:25.101147Z",
			"updated_at": "2026-04-10T02:00:03.846812Z",
			"deleted_at": null,
			"main_name": "NICKEL KIMBALL",
			"aliases": [
				"APT43 ",
				"ARCHIPELAGO ",
				"Black Banshee ",
				"Crooked Pisces ",
				"Emerald Sleet ",
				"ITG16 ",
				"Kimsuky ",
				"Larva-24005 ",
				"Opal Sleet ",
				"Ruby Sleet ",
				"SharpTongue ",
				"Sparking Pisces ",
				"Springtail ",
				"TA406 ",
				"TA427 ",
				"THALLIUM ",
				"UAT-5394 ",
				"Velvet Chollima "
			],
			"source_name": "Secureworks:NICKEL KIMBALL",
			"tools": [
				"BabyShark",
				"FastFire",
				"FastSpy",
				"FireViewer",
				"Konni"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "71a1e16c-3ba6-4193-be62-be53527817bc",
			"created_at": "2022-10-25T16:07:23.753455Z",
			"updated_at": "2026-04-10T02:00:04.73769Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"APT 43",
				"Black Banshee",
				"Emerald Sleet",
				"G0086",
				"G0094",
				"ITG16",
				"KTA082",
				"Kimsuky",
				"Larva-24005",
				"Larva-25004",
				"Operation Baby Coin",
				"Operation Covert Stalker",
				"Operation DEEP#DRIVE",
				"Operation DEEP#GOSU",
				"Operation Kabar Cobra",
				"Operation Mystery Baby",
				"Operation Red Salt",
				"Operation Smoke Screen",
				"Operation Stealth Power",
				"Operation Stolen Pencil",
				"SharpTongue",
				"Sparkling Pisces",
				"Springtail",
				"TA406",
				"TA427",
				"Thallium",
				"UAT-5394",
				"Velvet Chollima"
			],
			"source_name": "ETDA:Kimsuky",
			"tools": [
				"AngryRebel",
				"AppleSeed",
				"BITTERSWEET",
				"BabyShark",
				"BoBoStealer",
				"CSPY Downloader",
				"Farfli",
				"FlowerPower",
				"Gh0st RAT",
				"Ghost RAT",
				"Gold Dragon",
				"GoldDragon",
				"GoldStamp",
				"JamBog",
				"KGH Spyware Suite",
				"KGH_SPY",
				"KPortScan",
				"KimJongRAT",
				"Kimsuky",
				"LATEOP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Lovexxx",
				"MailPassView",
				"Mechanical",
				"Mimikatz",
				"MoonPeak",
				"Moudour",
				"MyDogs",
				"Mydoor",
				"Network Password Recovery",
				"PCRat",
				"ProcDump",
				"PsExec",
				"ReconShark",
				"Remote Desktop PassView",
				"SHARPEXT",
				"SWEETDROP",
				"SmallTiger",
				"SniffPass",
				"TODDLERSHARK",
				"TRANSLATEXT",
				"Troll Stealer",
				"TrollAgent",
				"VENOMBITE",
				"WebBrowserPassView",
				"xRAT"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434516,
	"ts_updated_at": 1775826778,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/322d87a37a9bba60a406e1440cc009690b9eea36.pdf",
		"text": "https://archive.orkl.eu/322d87a37a9bba60a406e1440cc009690b9eea36.txt",
		"img": "https://archive.orkl.eu/322d87a37a9bba60a406e1440cc009690b9eea36.jpg"
	}
}
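Triage helpers for the .msc lure chain described in the archived article (an MMC console file whose embedded task launches a command that fetches a remote document). This is an added example, not code from The Hacker News, Genians, or the campaign itself. The two .msc samples are constructed: real console files are XML, but the element names used here (Task, Command, Parameters) are an illustrative assumption, which is why the scanner walks every element's text and attributes rather than relying on a fixed schema. The process-creation check uses Sysmon-style Image/ParentImage field names on a hand-built event dictionary; the file paths in it are likewise constructed.

```python
"""Static and behavioural triage for MMC console (.msc) lures.

Added example, not the article's or Genians' code.  SAMPLE_MSC / BENIGN_MSC are
constructed; their element layout is an assumption used only for illustration.
"""
import re
import xml.etree.ElementTree as ET

# Constructed: a console file whose taskpad runs a shell that opens a remote document.
SAMPLE_MSC = """<?xml version="1.0"?>
<MMC_ConsoleFile ConsoleVersion="3.0">
  <StringTables>
    <StringTable>
      <Strings>
        <String ID="1">My_Essay(prof)</String>
        <String ID="2">cmd.exe</String>
        <String ID="3">/c start https://example.invalid/essay.docx</String>
      </Strings>
    </StringTable>
  </StringTables>
  <Taskpad Name="Essay">
    <Task Type="CommandLine">
      <Command Directory="" WindowState="Minimized">cmd.exe</Command>
      <Parameters>/c start https://example.invalid/essay.docx</Parameters>
    </Task>
  </Taskpad>
</MMC_ConsoleFile>
"""

# Constructed: a console file that only names a snap-in and runs nothing.
BENIGN_MSC = """<?xml version="1.0"?>
<MMC_ConsoleFile ConsoleVersion="3.0">
  <StringTables><StringTable><Strings>
    <String ID="1">Event Viewer (Local)</String>
  </Strings></StringTable></StringTables>
</MMC_ConsoleFile>
"""

# Interpreters and living-off-the-land binaries a console file has no reason to name.
LOLBINS = ("cmd.exe", "powershell", "pwsh", "mshta", "rundll32", "wscript",
           "cscript", "regsvr32", "certutil", "bitsadmin")
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)


def scan_msc(xml_text):
    """Return (kind, tag, value) findings from every text node and attribute.

    kind is "lolbin" for an embedded interpreter/LOLBin name or "url" for an
    embedded URL.  Walking all nodes keeps the check schema-independent.
    """
    findings = []
    root = ET.fromstring(xml_text)
    for elem in root.iter():
        values = [elem.text or ""] + list(elem.attrib.values())
        for value in values:
            low = value.lower()
            for binary in LOLBINS:
                if binary in low:
                    findings.append(("lolbin", elem.tag, value.strip()))
            for url in URL_RE.findall(value):
                findings.append(("url", elem.tag, url))
    return findings


# Child processes that mmc.exe should not be spawning when rendering a console.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe",
          "wscript.exe", "cscript.exe", "rundll32.exe"}


def _basename(path):
    """Last path component, lower-cased, for Windows-style paths."""
    return path.lower().rsplit("\\", 1)[-1]


def suspicious_mmc_child(event):
    """True when a process-creation event shows mmc.exe launching a shell/LOLBin.

    event uses Sysmon-style keys "Image" and "ParentImage" (assumed field names).
    """
    return (_basename(event.get("ParentImage", "")) == "mmc.exe"
            and _basename(event.get("Image", "")) in SHELLS)


if __name__ == "__main__":
    for finding in scan_msc(SAMPLE_MSC):
        print(finding)
    print(suspicious_mmc_child({"ParentImage": r"C:\Windows\System32\mmc.exe",
                                "Image": r"C:\Windows\System32\cmd.exe"}))
```

The static scan is meant for mail or file-share gateways that already unpack attachments: a console file that names cmd.exe or carries an http(s) URL warrants quarantine regardless of the icon it displays. The lineage check is the endpoint-side complement, since the article's chain only works once MMC hands off to a command interpreter.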