North Korean Hackers Attack Using PowerShell

By Charles Leigh on February 14, 2025

Executive Summary

Kimsuky Group, a North Korean-linked threat actor, has adopted a new tactic that uses PowerShell to carry out cyberattacks. Kimsuky has a history of employing a range of techniques to infiltrate systems and exfiltrate data from the U.S. and South Korea. The best defense against this particular attack is to restrict or disable PowerShell usage. The common best practice of not clicking links from unknown sources will also aid mitigation.

Background

According to Microsoft Threat Intelligence, the group is using a different form of social engineering: the attackers impersonate trusted individuals or entities and convince users to run harmful commands. The executed commands give them remote access to the targeted computer or computers [1].

The Kimsuky Group is an advanced persistent threat (APT) group known for cyber-espionage and intelligence-gathering operations. It is also tracked as Emerald Sleet and Velvet Chollima. The group is believed to operate under the Reconnaissance General Bureau (RGB), North Korea’s intelligence agency. Its usual targets are the U.S., Europe, and South Korea [2].

Kimsuky is known for using ClickFix in its attacks. ClickFix is a social engineering tactic that has gained increasing traction in the cybercrime community and is especially popular for distributing information-stealing malware. The method uses fake prompts or error messages to direct unsuspecting victims to execute malicious code through PowerShell commands after clicking malicious links. Microsoft’s Threat Intelligence team observed Kimsuky using this tactic in January 2025. The attackers are targeting organizations across North and South America, East Asia, and Europe.

Impact

The attack allowed Kimsuky to gain unauthorized access to targeted systems, leading to data theft, espionage, and possible disruption of critical operations [4]. The attackers bypass traditional security measures by executing malicious scripts in memory, which evades antivirus and endpoint detection. Detection is harder still because of the living-off-the-land technique of using legitimate Windows tools already installed on the targeted system. These attacks are a serious threat to government agencies, private organizations, and the military, and could also lead to intelligence leaks and financial losses.

Mitigation

Proactive cybersecurity measures such as restricting PowerShell usage, implementing strong access controls, and enhancing endpoint security can significantly reduce the risk posed by Kimsuky [3]. Strengthening user awareness and training will also aid mitigation. These actions address most issues related to the tactic used by the attackers. The mitigation works because limiting the use of PowerShell reduces the risk of a user running a command in the command-line platform.

Relevance

The Kimsuky PowerShell attack is highly relevant to the cybersecurity community. Activity by such threat actors can raise geopolitical tensions, and the real-world impacts range from economic and national security risks to cyber espionage and intellectual property theft.

References

[1] Lakshmanan, R. (2025, February 12). North Korean hackers exploit PowerShell trick to hijack devices in new cyberattack. The Hacker News. https://thehackernews.com/2025/02/north-korean-hackers-exploit-powershell.html

[2] Özeren, S. (2024, December 27). Exposing the steps of the Kimsuky APT Group. Picus Security. https://www.picussecurity.com/resource/blog/exposing-the-steps-of-the-kimsuky-apt-group

[3] Park, S. (2024, June 27). Kimsuky deploys TRANSLATEXT Chrome Extension | ThreatLabz. Zscaler. https://www.zscaler.com/blogs/security-research/kimsuky-deploys-translatext-target-south-korean-academia

[4] Toulas, B. (2025, February 12). DPRK hackers dupe targets into typing PowerShell commands as admin. BleepingComputer. https://www.bleepingcomputer.com/news/security/dprk-hackers-dupe-targets-into-typing-powershell-commands-as-admin/