North Korean Hackers Exploit PowerShell Trick to Hijack Devices in New Cyberattack

thehackernews.com · Ravie Lakshmanan · 1 year ago · research
quality 9/10 · excellent
0 net
Tags
cyberattack malware powershell
Entities
CVE-2025-55182 CVE-2026-34040 CVE-2026-35616 CVE-2026-5281
North Korean Hackers Exploit PowerShell Trick to Hijack Devices in New Cyberattack  Contact/Tip Us  Reach out to get featured—contact us to send your exclusive story idea, research, hacks, or ask us a question or leave a comment/feedback! Follow Us On Social Media       RSS Feeds  Email Alerts North Korean Hackers Exploit PowerShell Trick to Hijack Devices in New Cyberattack  Ravie Lakshmanan  Feb 12, 2025 IT Security / Cybercrime The North Korea-linked threat actor known as Kimsuky has been observed using a new tactic that involves deceiving targets into running PowerShell as an administrator and then instructing them to paste and run malicious code provided by them. "To execute this tactic, the threat actor masquerades as a South Korean government official and over time builds rapport with a target before sending a spear-phishing email with an [sic] PDF attachment," the Microsoft Threat Intelligence team said in a series of posts shared on X. To read the purported PDF document, victims are persuaded to click a URL containing a list of steps to register their Windows system. The registration link urges them to launch PowerShell as an administrator and copy/paste the displayed code snippet into the terminal, and execute it. Should the victim follow through, the malicious code downloads and installs a browser-based remote desktop tool, along with a certificate file with a hardcoded PIN from a remote server. "The code then sends a web request to a remote server to register the victim device using the downloaded certificate and PIN. This allows the threat actor to access the device and carry out data exfiltration," Microsoft said. The tech giant said it observed the use of this approach in limited attacks since January 2025, describing it as a departure from the threat actor's usual tradecraft. It's worth noting that the Kimsuky is not the only North Korean hacking crew to adopt the compromise strategy. In December 2024, it was revealed that threat actors linked to the Contagious Interview campaign are tricking users into copying and executing a malicious command on their Apple macOS systems via the Terminal app so as to address a supposed problem with accessing the camera and microphone through the web browser. Such attacks, along with those that have embraced the so-called ClickFix method, have taken off in a big way in recent months, in part driven by the fact that they rely on the targets to infect their own machines, thereby bypassing security protections. Arizona woman pleads guilty to running laptop farm for N. Korean IT workers The development comes as the U.S. Department of Justice (DoJ) said a 48-year-old woman from the state of Arizona pleaded guilty for her role in the fraudulent IT worker scheme that allowed North Korean threat actors to obtain remote jobs in more than 300 U.S. companies by posing as U.S. citizens and residents. The activity generated over $17.1 million in illicit revenue for Christina Marie Chapman and for North Korea in violation of international sanctions between October 2020 and October 2023, the department said. "Chapman, an American citizen, conspired with overseas IT workers from October 2020 to October 2023 to steal the identities of U.S. nationals and used those identities to apply for remote IT jobs and, in furtherance of the scheme, transmitted false documents to the Department of Homeland Security," the DoJ said . "Chapman and her coconspirators obtained jobs at hundreds of U.S. companies, including Fortune 500 corporations, often through temporary staffing companies or other contracting organizations." The defendant, who was arrested in May 2024, has also been accused of running a laptop farm by hosting multiple laptops at her residence to give the impression that the North Korean workers were working from within the country, when, in reality, they were based in China and Russia and remotely connected to the companies' internal systems. "As a result of the conduct of Chapman and her conspirators, more than 300 U.S. companies were impacted, more than 70 identities of U.S. person were compromised, on more than 100 occasions false information was conveyed to DHS, and more than 70 U.S. individuals had false tax liabilities created in their name," the DoJ added. The increased law enforcement scrutiny has led to an escalation of the IT worker scheme, with reports emerging of data exfiltration and extortion. "After being discovered on company networks, North Korean IT workers have extorted victims by holding stolen proprietary data and code hostage until the companies meet ransom demands," the U.S. Federal Bureau of Investigation (FBI) said in an advisory last month. "In some instances, North Korean IT workers have publicly released victim companies' proprietary code." Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post. SHARE      Tweet  Share  Share  Share   Share on Facebook  Share on Twitter  Share on Linkedin  Share on Reddit  Share on Hacker News  Share on Email  Share on WhatsApp Share on Facebook Messenger  Share on Telegram SHARE  Cybercrime , cybersecurity , FBI , hacking , IT security , North Korea , Phishing , Remote Work , social engineering , Threat Intelligence Trending News Microsoft Warns of WhatsApp-Delivered VBS Malware Hijacking Windows via UAC Bypass New Chrome Zero-Day CVE-2026-5281 Under Active Exploitation — Patch Released Apple Expands iOS 18.7.7 Update to More Devices to Block DarkSword Exploit Hackers Exploit CVE-2025-55182 to Breach 766 Next.js Hosts, Steal Credentials New SparkCat Variant in iOS, Android Apps Steals Crypto Wallet Recovery Phrase Images Microsoft Details Cookie-Controlled PHP Web Shells Persisting via Cron on Linux Servers Fortinet Patches Actively Exploited CVE-2026-35616 in FortiClient EMS Block the Prompt, Not the Work: The End of "Doctor No" BKA Identifies REvil Leaders Behind 130 German Ransomware Attacks ⚡ Weekly Recap: Axios Hack, Chrome 0-Day, Fortinet Exploits, Paragon Spyware and More China-Linked Storm-1175 Exploits Zero-Days to Rapidly Deploy Medusa Ransomware New GPUBreach Attack Enables Full CPU Privilege Escalation via GDDR6 Bit-Flips Docker CVE-2026-34040 Lets Attackers Bypass Authorization and Gain Host Access Anthropic's Claude Mythos Finds Thousands of Zero-Day Flaws Across Major Systems AI Will Change Cybersecurity. Humans Will Define Its Success. A Lesson No Algorithm Can Teach The AI Arms Race – Why Unified Exposure Management Is Becoming a Boardroom Priority Popular Resources Detect AI-Driven Threats Faster With Full Network Visibility [Demo] Discover SaaS Risks and Monitor Every App in Your Environment [Guide] Learn How to Govern AI Agents With Proven Market Guidance SANS SEC401: Get Hands On Skills to Detect and Respond to Cyber Threats Cybersecurity Webinars Findings + Fixes from 600+ Leaders How to Measure, Prioritize, and Close Identity Gaps in 2026 New 2026 Ponemon research reveals where mature identity programs still fall short and what leading organizations are doing to close the gap. Register RIdentity Framework for AI Agents How to Deploy an Identity Layer for AI Agents in Production AI agents need identity, but most teams are still figuring out how to implement it. This session cuts through the noise with a practical, production-ready framework. Register Latest News Cybersecurity Resources Zscaler ThreatLabz 2026 VPN Risk Report with Cybersecurity Insiders. AI collapsed human response window and turned remote access into fastest path to breach. See What AI Really Means for Cyber Defenders This SANS-expert keynote will change how you view AI security. Earn a Master's in Cybersecurity Risk Management Lead the future of cybersecurity risk management with an online Master’s from Georgetown. ​ Expert Insights Articles Videos Why AI Does Not Need to be Innovative to be Dangerous  April 06, 2026 Read ➝ AI Will Change Cybersecurity. Humans Will Define Its Success. A Lesson No Algorithm Can Teach  April 06, 2026 Read ➝ Which Code Vulnerabilities Actually Get Fixed? New Code Security Data from 50,000+ Repos  March 30, 2026 Read ➝ The Real Problem Isn't That AI Can't Write Secure Code - It's That It's Expanding Attack Surface  March 30, 2026 Read ➝ Get Latest News in Your Inbox Get the latest news, expert insights, exclusive resources, and strategies from industry leaders – all for free. Email
← Back to stories