{
	"id": "cd075465-eb20-439b-8f17-1724f35a9640",
	"created_at": "2026-04-06T00:09:43.876295Z",
	"updated_at": "2026-04-10T13:12:01.806119Z",
	"deleted_at": null,
	"sha1_hash": "3b51dd0d519a7d20d673a466c79a291d8abda18d",
	"title": "How we’re protecting users from government-backed attacks from North Korea",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 50166,
	"plain_text": "How we’re protecting users from government-backed attacks from\r\nNorth Korea\r\nBy Adam Weidemann\r\nPublished: 2023-04-05 · Archived: 2026-04-05 17:15:38 UTC\r\nNew Threat Analysis Group reporting underscores the evolution of ARCHIPELAGO - as well as Google’s work to\r\nstop government-backed attackers\r\nAs part of Threat Analysis Group (TAG)’s mission to counter serious threats to Google and our users, TAG has\r\nbeen tracking government-backed hacking activity tied to North Korea for over a decade. Today, as a follow-up to\r\nMandiant’s report on APT43, we are sharing TAG's observations on this actor and what Google is doing to protect\r\nusers from this group and other government-backed attackers. Because TAG’s visibility into this actor is distinct\r\nfrom Mandiant’s, TAG uses the name ARCHIPELAGO to track a subset of APT43 activity.\r\nTAG began tracking ARCHIPELAGO in 2012 and has observed the group target individuals with expertise in\r\nNorth Korea policy issues such as sanctions, human rights and non-proliferation. These targets include\r\nGoogle and non-Google accounts belonging to government and military personnel, think tanks, policy makers,\r\nacademics, and researchers in South Korea, the US and elsewhere.\r\nTo safeguard at-risk users, TAG uses our research on serious threat actors like ARCHIPELAGO to improve the\r\nsafety and security of Google’s products. TAG adds newly discovered malicious websites and domains to Safe\r\nBrowsing to protect users from further exploitation. We also send all targeted Gmail and Workspace users\r\ngovernment-backed attacker alerts notifying them of the activity.
We encourage potential targets to enroll in\r\nGoogle's Advanced Protection Program, enable Enhanced Safe Browsing for Chrome and ensure that all devices\r\nare updated.\r\nARCHIPELAGO phishing: persistent and targeted\r\nARCHIPELAGO often sends phishing emails where they pose as a representative of a media outlet or think tank\r\nand ask North Korea experts to participate in a media interview or request for information (RFI). The emails\r\nprompt recipients to click a link to view the interview questions or RFI. When the recipient clicks, the link\r\nredirects to a phishing site that masquerades as a login prompt. The phishing page records keystrokes entered into\r\nthe login form and sends them to an attacker-controlled URL. After the recipient enters their password, the\r\nphishing page redirects to a benign document with contextually appropriate interview questions, or an RFI that\r\nwould make sense to the recipient based on the content of the original phishing email.\r\nDrive-themed phishing landing page ARCHIPELAGO used in combination with “interview request” phishing\r\nemails.\r\nARCHIPELAGO invests time and effort to build rapport with targets, often corresponding with them by email\r\nover several days or weeks before finally sending a malicious link or file. In one case, the group posed as a\r\nhttps://blog.google/threat-analysis-group/how-were-protecting-users-from-government-backed-attacks-from-north-korea/\r\nPage 1 of 4\n\njournalist for a South Korean news agency and sent benign emails with an interview request to North Korea\r\nexperts. When recipients replied expressing interest in an interview, ARCHIPELAGO continued the\r\ncorrespondence over several emails before finally sending a OneDrive link to a password-protected file that\r\ncontained malware.\r\nARCHIPELAGO has also sent links that lead to “browser-in-the-browser” phishing pages. The phishing pages\r\npresent users with a fake browser window rendered inside the actual browser window. 
The fake browser window\r\ndisplays a URL and a login prompt designed to trick users into thinking they are entering their password into a\r\nlegitimate login page. Because the fake window is ordinary page content, it cannot be dragged outside the real\r\nbrowser window and its address bar cannot be edited like a real one, which is one quick way to tell the two apart.\r\nARCHIPELAGO “browser-in-the-browser” phishing page\r\nShifting phishing tactics\r\nARCHIPELAGO has shifted their phishing tactics over time. For several years, they sent typical phishing\r\nmessages that posed as Google Account security alerts. Over time this technique became less successful and\r\nARCHIPELAGO has evolved and experimented with new phishing techniques that might be more difficult for users and\r\ncommon security controls to catch.\r\nExample from 2015 of an ARCHIPELAGO phishing email\r\nOne example of ARCHIPELAGO’s shifting phishing techniques is a campaign in late 2022 where they sent links\r\nto a benign PDF file hosted in OneDrive. The PDF claimed to be a message from the State Department Federal\r\nCredit Union notifying customers that it had detected malicious logins from their Google Account and that the customer\r\nshould click the link in the PDF to verify activity from their Gmail account. If clicked, the link directed recipients\r\nto a phishing page. ARCHIPELAGO created unique PDFs for each recipient so that when the recipient clicked,\r\nthe phishing page was pre-populated with the recipient’s email address.\r\nARCHIPELAGO used legitimate cloud storage services to host benign PDFs with phishing links inside\r\nBy placing the phishing link inside a benign PDF hosted on a legitimate cloud hosting service, ARCHIPELAGO\r\nwas likely trying to evade detection by AV services that do not scan links inside files.\r\nMalware operations\r\nFor several years, ARCHIPELAGO focused on conducting traditional credential phishing campaigns. More\r\nrecently, TAG has observed ARCHIPELAGO incorporate malware into more of their operations, including efforts\r\nto evade detection and develop novel malware techniques.\r\n
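The attachments this section goes on to describe, a password-protected archive whose password is handed over in the mail body and an ISO image delivered through Drive, can be triaged before anyone opens them. The script below is an added example written for this page, not code from the original post or from Google. It builds a constructed sample message (the addresses, file names and password in it are made up) and checks two things that standard-library Python can establish offline: whether a ZIP attachment carries the encryption flag in its headers, and whether an attachment is an ISO 9660 image (volume descriptor signature CD001 at sector 16). The password-phrase scanner understands the two wordings noted in its comments and nothing else; treat it as a starting heuristic.

```python
# Added example (not from the original post): mail-gateway triage for the
# encrypted-archive-plus-password pattern and for ISO attachments.
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# ISO 9660: the primary volume descriptor sits at sector 16 (offset 0x8000);
# byte 0 is the descriptor type, bytes 1..5 are the identifier CD001.
ISO_SIGNATURE_OFFSET = 0x8001
ISO_SIGNATURE = b'CD001'


def archive_is_encrypted(data: bytes) -> bool:
    '''True if any ZIP member has general-purpose flag bit 0 (encrypted) set.
    Nothing is extracted; only the central directory is read.'''
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(info.flag_bits & 0x1 for info in zf.infolist())
    except zipfile.BadZipFile:
        return False


def is_iso_image(data: bytes) -> bool:
    return data[ISO_SIGNATURE_OFFSET:ISO_SIGNATURE_OFFSET + 5] == ISO_SIGNATURE


def find_passwords(body: str) -> list:
    '''Candidate passwords from wordings of the form
       ... password ... is <token>   or   Password: <token>
    (assumed phrasings; extend for the lures you actually see).'''
    tokens = body.split()
    found = []
    for i, tok in enumerate(tokens):
        low = tok.lower()
        if not low.startswith('password'):
            continue
        if low.endswith(':') and i + 1 < len(tokens):
            found.append(tokens[i + 1])
            continue
        # look a few tokens ahead for an 'is' and take what follows it
        for j in range(i + 1, min(i + 8, len(tokens) - 1)):
            if tokens[j].lower() == 'is':
                found.append(tokens[j + 1])
                break
    return found


def triage_message(raw: bytes) -> dict:
    msg = email.message_from_bytes(raw, policy=policy.default)
    body_part = msg.get_body(preferencelist=('plain',))
    body = body_part.get_content() if body_part else ''
    passwords = find_passwords(body)
    encrypted, isos = [], []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b''
        name = part.get_filename() or '(unnamed)'
        if archive_is_encrypted(data):
            encrypted.append(name)
        if is_iso_image(data):
            isos.append(name)
    return {
        'encrypted_attachments': encrypted,
        'iso_attachments': isos,
        'candidate_passwords': passwords,
        # An ISO in mail is rare enough to flag alone; an encrypted archive is
        # suspicious mainly when the sender also supplies the password.
        'suspicious': bool(isos) or bool(encrypted and passwords),
    }


def constructed_sample() -> bytes:
    '''Constructed message (not a real ARCHIPELAGO e-mail): a ZIP whose headers
    carry the encrypted flag, an ISO stub, and a body that hands over the password.'''
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w') as zf:
        zf.writestr('Interview_questions.doc', b'placeholder content')
    data = bytearray(buf.getvalue())
    # zipfile cannot write encrypted archives, so emulate one by setting flag
    # bit 0 in the local file header (offset 6) and central directory (offset 8).
    lh = data.find(bytes.fromhex('504b0304'))
    cd = data.find(bytes.fromhex('504b0102'))
    data[lh + 6] |= 0x1
    data[cd + 8] |= 0x1
    iso_stub = bytes(ISO_SIGNATURE_OFFSET) + ISO_SIGNATURE + bytes(2043)
    msg = EmailMessage()
    msg['From'] = 'reporter@example.invalid'
    msg['To'] = 'expert@example.invalid'
    msg['Subject'] = 'Interview request'
    msg.set_content('Questions attached. The password for the file is Interview2023!')
    msg.add_attachment(bytes(data), maintype='application', subtype='zip',
                       filename='Interview_questions.zip')
    msg.add_attachment(iso_stub, maintype='application', subtype='octet-stream',
                       filename='Interview_with_Voice_of_America.iso')
    return msg.as_bytes()


if __name__ == '__main__':
    print(triage_message(constructed_sample()))
```

The signal is the combination: encrypted archives and e-mailed passwords are each common on their own, which is exactly why the trick gets past scanners that look at one attachment in isolation. A gateway that has extracted the candidate password could go one step further and open the archive with it to scan the contents; that decryption step is deliberately not part of this example.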
To protect their malware from AV scanning,\r\nARCHIPELAGO commonly password-protects their malware and shares the password with recipients in a\r\nphishing email.\r\nARCHIPELAGO phishing email with a password-protected attachment. The password for decrypting the\r\nattachment is included in the body of the phishing email.\r\nEncoding malware payloads and commands in Drive file names\r\nARCHIPELAGO has experimented with their malware over time, including using novel malware delivery\r\ntechniques. In 2020, they began testing a then-new technique with files they hosted on Google Drive.\r\nARCHIPELAGO encoded malicious payloads in the filenames of files hosted on Drive, while the files themselves\r\ncontained zero bytes of content. They also used Drive file names for C2, placing encoded commands in file\r\nnames. Security researchers at Huntress and IssueMakersLab publicly reported on this technique.\r\nGoogle took action to disrupt ARCHIPELAGO’s use of Drive file names to encode malware payloads and\r\ncommands. The group has since discontinued their use of this technique on Drive.\r\nMalware packaged in ISO files\r\nARCHIPELAGO has also attempted to deliver malware via Drive using ISO files, a file format that has gained\r\npopularity among threat actors ranging from government-backed attackers to financially motivated groups. In one\r\ncase TAG recently examined, ARCHIPELAGO sent a phishing email with a Drive link to an ISO file,\r\nInterview_with_Voice_of_America.iso. The ISO file contained a ZIP, which, in turn, contained a password-protected document. When decrypted, the document installed VBS-based malware related to BabyShark.\r\nMalicious Chrome Extensions\r\nARCHIPELAGO has also used malicious Chrome extensions in combination with phishing and malware.
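One host-side check that follows from what this section describes (ARCHIPELAGO having to overwrite Chrome’s Preferences and Secure Preferences files to get an extension to run) is to read the extension entries back out of Secure Preferences and look for the traits of a side-loaded extension. The script below is an added example for this page, not Google’s code or the post’s. It assumes the key names as they appear in Chrome’s Secure Preferences JSON (extensions.settings keyed by extension id, each with from_webstore, state, location, path and manifest, plus protection.macs for the integrity values) and that state 1 means enabled. The sample profile embedded in it is constructed and every value in it is made up, including the forward-slash Windows path, which Chrome itself would write with backslashes.

```python
# Added example (not from the original post): triage of the extension entries
# in a Chrome profile's Secure Preferences file.
import json
import ntpath
import posixpath
from typing import Dict, List

# Constructed sample in the shape of Secure Preferences. Key names are the ones
# used by Chrome (assumed from public documentation); all values are invented.
SAMPLE_SECURE_PREFS = {
    'extensions': {'settings': {
        'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa': {
            'from_webstore': True, 'state': 1, 'location': 1,
            'path': 'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/1.0_0',   # relative: inside the profile
            'manifest': {'name': 'Store Extension',
                         'update_url': 'https://clients2.google.com/service/update2/crx',
                         'permissions': ['storage']},
        },
        'bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb': {
            'from_webstore': False, 'state': 1, 'location': 4,
            'path': 'C:/Users/victim/AppData/Local/Temp/ext',   # absolute: outside the profile
            'manifest': {'name': 'Mail Helper',
                         'permissions': ['tabs', 'cookies',
                                         'https://mail.google.com/*', 'https://mail.aol.com/*']},
        },
    }},
    'protection': {'macs': {'extensions': {'settings': {
        'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa': '00',
        'bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb': '00'}}}},
}

BROAD_HOSTS = ('<all_urls>', '*://*/*', 'http://*/*', 'https://*/*')
WEBMAIL_HOSTS = ('mail.google.com', 'mail.aol.com')   # what a Gmail/AOL mail stealer must reach


def load_secure_prefs(path: str) -> dict:
    with open(path, encoding='utf-8') as fh:
        return json.load(fh)


def triage_extensions(prefs: dict) -> List[Dict]:
    '''Return one finding per enabled extension that shows side-loading traits.'''
    settings = prefs.get('extensions', {}).get('settings', {})
    macs = (prefs.get('protection', {}).get('macs', {})
            .get('extensions', {}).get('settings', {}))
    findings = []
    for ext_id, entry in settings.items():
        if entry.get('state') != 1:        # assumed: 1 = enabled
            continue
        manifest = entry.get('manifest', {})
        perms = (list(manifest.get('permissions', []))
                 + list(manifest.get('host_permissions', [])))   # MV3 splits hosts out
        path = entry.get('path', '')
        reasons = []
        if not entry.get('from_webstore', False):
            reasons.append('not installed from the Chrome Web Store')
        if 'update_url' not in manifest:
            reasons.append('manifest has no update_url, so no store can update or revoke it')
        if ntpath.isabs(path) or posixpath.isabs(path):
            reasons.append('loaded from an absolute path outside the profile: ' + path)
        if any(p in BROAD_HOSTS for p in perms):
            reasons.append('broad host permissions')
        if any(h in p for p in perms for h in WEBMAIL_HOSTS):
            reasons.append('permission to read webmail origins')
        if ext_id not in macs:
            reasons.append('no integrity MAC recorded for this entry')
        if reasons:
            findings.append({'id': ext_id, 'name': manifest.get('name'),
                             'location': entry.get('location'), 'reasons': reasons})
    return findings


if __name__ == '__main__':
    for f in triage_extensions(SAMPLE_SECURE_PREFS):
        print(f['id'], f['name'], f['reasons'])
```

Point load_secure_prefs at the Secure Preferences file of the profile under investigation and pass the result to triage_extensions. The MAC check only catches careless tampering: an attacker who rewrites the file, as the text describes, rewrites protection.macs along with it, and the HMAC seed lives inside the Chrome build, so those values cannot be verified by an offline script without it. The durable signals are an enabled extension that did not come from the Web Store, has no update_url, loads from a path outside the profile and asks for webmail or all-URL host access, which is what an extension that parses open Gmail or AOL Mail tabs needs.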
The\r\nearliest versions of these extensions, reported as STOLEN PENCIL in 2018, included functionality to steal\r\nusernames, passwords and browser cookies. They were delivered via phishing emails with a link that directed\r\nrecipients to a lure document that prompted users to install the malicious Chrome extension. Google has since\r\nintroduced several changes to the Chrome extension ecosystem, including enhanced transparency through the\r\nChrome Web Store and Manifest V3, that effectively keep threat actors from distributing malicious extensions\r\nlike STOLEN PENCIL via the Chrome Web Store. In 2018, Chrome also made improvements to the extension\r\nreview process by making extensions that request powerful permissions subject to additional compliance review\r\nwhile also conducting ongoing monitoring of extensions that use remotely hosted code.\r\nMore recently, ARCHIPELAGO has attempted workarounds to install a new malicious Chrome extension known\r\npublicly as SHARPEXT. If successfully installed on a user system, SHARPEXT can parse emails from active\r\nGmail or AOL Mail tabs and exfiltrate them to an attacker-controlled system. As a result of improved security in\r\nthe Chrome extension ecosystem, ARCHIPELAGO must now complete several additional steps to install the\r\nextension, including first successfully installing malware on the user system and then overwriting the Chrome\r\nPreferences and Secure Preferences files to allow the extension to run.\r\nProtecting against advanced threats\r\nTAG, in partnership with Mandiant and other security teams across Google, is committed to our mission of\r\nunderstanding and countering advanced threats. We apply our research to ensure Google’s products are secure and\r\nour users are safe. For individuals at high risk of this activity and other serious threats, Google provides advanced\r\nsecurity resources, including Enhanced Safe Browsing and the Advanced Protection Program.
When these tools\r\nare used in combination with Google’s Security Checkup, they provide the fastest and strongest level of protection\r\nagainst serious threats.\r\nSource: https://blog.google/threat-analysis-group/how-were-protecting-users-from-government-backed-attacks-from-north-korea/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.google/threat-analysis-group/how-were-protecting-users-from-government-backed-attacks-from-north-korea/"
	],
	"report_names": [
		"how-were-protecting-users-from-government-backed-attacks-from-north-korea"
	],
	"threat_actors": [
		{
			"id": "a02bb810-5dd2-46c1-a609-b44d984d96d0",
			"created_at": "2022-10-25T15:50:23.505735Z",
			"updated_at": "2026-04-10T02:00:05.398328Z",
			"deleted_at": null,
			"main_name": "Stolen Pencil",
			"aliases": [
				"Stolen Pencil"
			],
			"source_name": "MITRE:Stolen Pencil",
			"tools": [
				"Mimikatz",
				"PsExec"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c306e698-3b48-46d7-b571-3dfa0c828379",
			"created_at": "2023-05-16T02:02:09.957677Z",
			"updated_at": "2026-04-10T02:00:03.364345Z",
			"deleted_at": null,
			"main_name": "APT43",
			"aliases": [],
			"source_name": "MISPGALAXY:APT43",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "191d7f9a-8c3c-442a-9f13-debe259d4cc2",
			"created_at": "2022-10-25T15:50:23.280374Z",
			"updated_at": "2026-04-10T02:00:05.305572Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"Kimsuky",
				"Black Banshee",
				"Velvet Chollima",
				"Emerald Sleet",
				"THALLIUM",
				"APT43",
				"TA427",
				"Springtail"
			],
			"source_name": "MITRE:Kimsuky",
			"tools": [
				"Troll Stealer",
				"schtasks",
				"Amadey",
				"GoBear",
				"Brave Prince",
				"CSPY Downloader",
				"gh0st RAT",
				"AppleSeed",
				"Gomir",
				"NOKKI",
				"QuasarRAT",
				"Gold Dragon",
				"PsExec",
				"KGH_SPY",
				"Mimikatz",
				"BabyShark",
				"TRANSLATEXT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "760f2827-1718-4eed-8234-4027c1346145",
			"created_at": "2023-01-06T13:46:38.670947Z",
			"updated_at": "2026-04-10T02:00:03.062424Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"G0086",
				"Emerald Sleet",
				"THALLIUM",
				"Springtail",
				"Sparkling Pisces",
				"Thallium",
				"Operation Stolen Pencil",
				"APT43",
				"Velvet Chollima",
				"Black Banshee"
			],
			"source_name": "MISPGALAXY:Kimsuky",
			"tools": [
				"xrat",
				"QUASARRAT",
				"RDP Wrapper",
				"TightVNC",
				"BabyShark",
				"RevClient"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c8bf82a7-6887-4d46-ad70-4498b67d4c1d",
			"created_at": "2025-08-07T02:03:25.101147Z",
			"updated_at": "2026-04-10T02:00:03.846812Z",
			"deleted_at": null,
			"main_name": "NICKEL KIMBALL",
			"aliases": [
				"APT43",
				"ARCHIPELAGO",
				"Black Banshee",
				"Crooked Pisces",
				"Emerald Sleet",
				"ITG16",
				"Kimsuky",
				"Larva-24005",
				"Opal Sleet",
				"Ruby Sleet",
				"SharpTongue",
				"Sparking Pisces",
				"Springtail",
				"TA406",
				"TA427",
				"THALLIUM",
				"UAT-5394",
				"Velvet Chollima"
			],
			"source_name": "Secureworks:NICKEL KIMBALL",
			"tools": [
				"BabyShark",
				"FastFire",
				"FastSpy",
				"FireViewer",
				"Konni"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434183,
	"ts_updated_at": 1775826721,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3b51dd0d519a7d20d673a466c79a291d8abda18d.pdf",
		"text": "https://archive.orkl.eu/3b51dd0d519a7d20d673a466c79a291d8abda18d.txt",
		"img": "https://archive.orkl.eu/3b51dd0d519a7d20d673a466c79a291d8abda18d.jpg"
	}
}