
Microsoft’s Threat Intelligence team has uncovered a new deceptive tactic employed by North Korean threat actor Kimsuky. The group poses as South Korean government officials to establish trust with targets before launching their attack through spear-phishing emails containing PDF attachments.
The attack method involves convincing victims to run PowerShell as administrator and execute malicious code, which installs a browser-based remote desktop tool and a certificate file. This gives the attackers access to the compromised device and lets them extract data. Microsoft has observed these attacks since January 2025, marking a shift from Kimsuky’s traditional methods.
In a related development, an Arizona woman, Christina Marie Chapman, has pleaded guilty to facilitating North Korean IT workers in obtaining remote jobs at over 300 U.S. companies. Between 2020 and 2023, the scheme generated $17.1 million in illegal revenue by:
– Stealing identities of U.S. nationals
– Submitting false documents to the Department of Homeland Security (DHS)
– Operating a laptop farm to simulate U.S.-based workers
– Enabling North Korean operatives in China and Russia to access U.S. company systems
The FBI reports that, once discovered, North Korean IT workers have escalated to data theft and extortion, demanding ransoms for stolen proprietary data and code. Some victims have seen their proprietary code released publicly after the workers were discovered.
The scheme has impacted:
– Over 300 U.S. companies, including Fortune 500 corporations
– More than 70 compromised U.S. identities
– False tax liabilities created for 70+ individuals
– Over 100 instances of false information submitted to DHS