{ "id": "f836bf69-e6d5-4228-88b1-225cb67f44c1", "created_at": "2026-04-06T01:30:16.915734Z", "updated_at": "2026-04-10T03:37:41.193319Z", "deleted_at": null, "sha1_hash": "cf6d782a9ed23d0624252d04a5cabe070f3b16bb", "title": "DPRK hackers dupe targets into typing PowerShell commands as admin", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 2100060, "plain_text": "DPRK hackers dupe targets into typing PowerShell commands as admin\r\nBy Bill Toulas\r\nPublished: 2025-02-12 · Archived: 2026-04-06 00:33:24 UTC\r\nNorth Korean state actor ‘Kimsuky’ (aka ‘Emerald Sleet’ or ‘Velvet Chollima’) has been observed using a new tactic\r\ninspired from the now widespread ClickFix campaigns.\r\nClickFix is a social engineering tactic that has gained traction in the cybercrime community, especially for distributing\r\ninfostealer malware.\r\nIt involves deceptive error messages or prompts that direct victims to execute malicious code themselves, often via\r\nPowerShell commands. These actions typically lead to malware infections.\r\nhttps://www.bleepingcomputer.com/news/security/dprk-hackers-dupe-targets-into-typing-powershell-commands-as-admin/\r\nPage 1 of 4\n\n0:00\r\nhttps://www.bleepingcomputer.com/news/security/dprk-hackers-dupe-targets-into-typing-powershell-commands-as-admin/\r\nPage 2 of 4\n\nVisit Advertiser websiteGO TO PAGE\r\nAccording to the information from Microsoft's Threat Intelligence team, the attacker masquerades as a South Korean\r\ngovernment official and gradually builds a connection with the victim.\r\nOnce a certain level of trust is established, the attacker sends a spear-phishing email with a PDF attachment. However,\r\ntargets that want to read the document are directed to a fake device registration link that instructs them to run PowerShell as\r\nan administrator and paste attacker-provided code.\r\nInstructions for performing the device registration\r\nSource: Microsoft\r\nWhen executed, the code installs a browser-based remote desktop tool, downloads a certificate using a hardcoded PIN, and\r\nregisters the victim’s device with a remote server, giving the attacker direct access for data exfiltration.\r\nMicrosoft says it observed this tactic in limited-scope attacks starting January 2025, targeting individuals that work in\r\ninternational affairs organizations, NGOs, government agencies, and media companies across North America, South\r\nAmerica, Europe, and East Asia.\r\nMicrosoft notified customers targeted by this activity, and urges others to take note of the new tactic and treat all unsolicited\r\ncommunications with extreme caution.\r\n“While we have only observed the use of this tactic in limited attacks since January 2025, this shift is indicative of a new\r\napproach to compromising their traditional espionage targets,” warns Microsoft.\r\nThe adoption of ClickFix tactics by nation-state actors like Kimsuky is a testament to the attack’s effectiveness in actual\r\noperations.\r\nUsers should show caution when encountering requests to execute on their computers code they copy online, especially\r\nwhen doing so with administrator privileges.\r\nhttps://www.bleepingcomputer.com/news/security/dprk-hackers-dupe-targets-into-typing-powershell-commands-as-admin/\r\nPage 3 of 4\n\nAutomated Pentesting Covers Only 1 of 6 Surfaces.\r\nAutomated pentesting proves the path exists. BAS proves whether your controls stop it. Most teams run one without the\r\nother.\r\nThis whitepaper maps six validation surfaces, shows where coverage ends, and provides practitioners with three diagnostic\r\nquestions for any tool evaluation.\r\nSource: https://www.bleepingcomputer.com/news/security/dprk-hackers-dupe-targets-into-typing-powershell-commands-as-admin/\r\nhttps://www.bleepingcomputer.com/news/security/dprk-hackers-dupe-targets-into-typing-powershell-commands-as-admin/\r\nPage 4 of 4", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://www.bleepingcomputer.com/news/security/dprk-hackers-dupe-targets-into-typing-powershell-commands-as-admin/" ], "report_names": [ "dprk-hackers-dupe-targets-into-typing-powershell-commands-as-admin" ], "threat_actors": [ { "id": "d90307b6-14a9-4d0b-9156-89e453d6eb13", "created_at": "2022-10-25T16:07:23.773944Z", "updated_at": "2026-04-10T02:00:04.746188Z", "deleted_at": null, "main_name": "Lead", "aliases": [ "Casper", "TG-3279" ], "source_name": "ETDA:Lead", "tools": [ "Agentemis", "BleDoor", "Cobalt Strike", "CobaltStrike", "RbDoor", "RibDoor", "Winnti", "cobeacon" ], "source_id": "ETDA", "reports": null }, { "id": "191d7f9a-8c3c-442a-9f13-debe259d4cc2", "created_at": "2022-10-25T15:50:23.280374Z", "updated_at": "2026-04-10T02:00:05.305572Z", "deleted_at": null, "main_name": "Kimsuky", "aliases": [ "Kimsuky", "Black Banshee", "Velvet Chollima", "Emerald Sleet", "THALLIUM", "APT43", "TA427", "Springtail" ], "source_name": "MITRE:Kimsuky", "tools": [ "Troll Stealer", "schtasks", "Amadey", "GoBear", "Brave Prince", "CSPY Downloader", "gh0st RAT", "AppleSeed", "Gomir", "NOKKI", "QuasarRAT", "Gold Dragon", "PsExec", "KGH_SPY", "Mimikatz", "BabyShark", "TRANSLATEXT" ], "source_id": "MITRE", "reports": null }, { "id": "760f2827-1718-4eed-8234-4027c1346145", "created_at": "2023-01-06T13:46:38.670947Z", "updated_at": "2026-04-10T02:00:03.062424Z", "deleted_at": null, "main_name": "Kimsuky", "aliases": [ "G0086", "Emerald Sleet", "THALLIUM", "Springtail", "Sparkling Pisces", "Thallium", "Operation Stolen Pencil", "APT43", "Velvet Chollima", "Black Banshee" ], "source_name": "MISPGALAXY:Kimsuky", "tools": [ "xrat", "QUASARRAT", "RDP Wrapper", "TightVNC", "BabyShark", "RevClient" ], "source_id": "MISPGALAXY", "reports": null }, { "id": "c8bf82a7-6887-4d46-ad70-4498b67d4c1d", "created_at": "2025-08-07T02:03:25.101147Z", "updated_at": "2026-04-10T02:00:03.846812Z", "deleted_at": null, "main_name": "NICKEL KIMBALL", "aliases": [ "APT43 ", "ARCHIPELAGO ", "Black Banshee ", "Crooked Pisces ", "Emerald Sleet ", "ITG16 ", "Kimsuky ", "Larva-24005 ", "Opal Sleet ", "Ruby Sleet ", "SharpTongue ", "Sparking Pisces ", "Springtail ", "TA406 ", "TA427 ", "THALLIUM ", "UAT-5394 ", "Velvet Chollima " ], "source_name": "Secureworks:NICKEL KIMBALL", "tools": [ "BabyShark", "FastFire", "FastSpy", "FireViewer", "Konni" ], "source_id": "Secureworks", "reports": null }, { "id": "71a1e16c-3ba6-4193-be62-be53527817bc", "created_at": "2022-10-25T16:07:23.753455Z", "updated_at": "2026-04-10T02:00:04.73769Z", "deleted_at": null, "main_name": "Kimsuky", "aliases": [ "APT 43", "Black Banshee", "Emerald Sleet", "G0086", "G0094", "ITG16", "KTA082", "Kimsuky", "Larva-24005", "Larva-25004", "Operation Baby Coin", "Operation Covert Stalker", "Operation DEEP#DRIVE", "Operation DEEP#GOSU", "Operation Kabar Cobra", "Operation Mystery Baby", "Operation Red Salt", "Operation Smoke Screen", "Operation Stealth Power", "Operation Stolen Pencil", "SharpTongue", "Sparkling Pisces", "Springtail", "TA406", "TA427", "Thallium", "UAT-5394", "Velvet Chollima" ], "source_name": "ETDA:Kimsuky", "tools": [ "AngryRebel", "AppleSeed", "BITTERSWEET", "BabyShark", "BoBoStealer", "CSPY Downloader", "Farfli", "FlowerPower", "Gh0st RAT", "Ghost RAT", "Gold Dragon", "GoldDragon", "GoldStamp", "JamBog", "KGH Spyware Suite", "KGH_SPY", "KPortScan", "KimJongRAT", "Kimsuky", "LATEOP", "LOLBAS", "LOLBins", "Living off the Land", "Lovexxx", "MailPassView", "Mechanical", "Mimikatz", "MoonPeak", "Moudour", "MyDogs", "Mydoor", "Network Password Recovery", "PCRat", "ProcDump", "PsExec", "ReconShark", "Remote Desktop PassView", "SHARPEXT", "SWEETDROP", "SmallTiger", "SniffPass", "TODDLERSHARK", "TRANSLATEXT", "Troll Stealer", "TrollAgent", "VENOMBITE", "WebBrowserPassView", "xRAT" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775439016, "ts_updated_at": 1775792261, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/cf6d782a9ed23d0624252d04a5cabe070f3b16bb.pdf", "text": "https://archive.orkl.eu/cf6d782a9ed23d0624252d04a5cabe070f3b16bb.txt", "img": "https://archive.orkl.eu/cf6d782a9ed23d0624252d04a5cabe070f3b16bb.jpg" } }