
A sophisticated cyber espionage campaign, dubbed DEEP#DRIVE, has been discovered targeting South Korean business, government, and cryptocurrency sectors. Security researchers at Securonix have attributed the attacks to Kimsuky, a North Korean state-sponsored hacking group also known as APT43, Black Banshee, and several other aliases.
The attackers employ carefully crafted phishing emails containing Korean-language documents in various formats (.HWP, .XLSX, and .PPTX), disguised as work logs, insurance documents, and cryptocurrency-related files. The attack methodology involves a multi-stage process heavily reliant on PowerShell scripts.
Key Technical Components:
– Initial payload delivery via ZIP files containing malicious .LNK files
– Persistence establishment through scheduled tasks named “ChromeUpdateTaskMachine”
– Utilization of Dropbox for payload distribution and data exfiltration
– OAuth token-based authentication for stealthy data transfer
– Multiple PowerShell scripts for system reconnaissance and payload execution
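The components above map onto telemetry a defender already collects: process creation (PowerShell spawned by Explorer from an archive-extracted shortcut), scheduled-task creation (the "ChromeUpdateTaskMachine" name), and outbound connections from PowerShell to Dropbox's API. The script below is an added illustration, not code from Securonix or the article, that applies those three checks to constructed Windows event records shaped loosely like Sysmon Event ID 1/3 and Security Event ID 4698. The task name comes from the report; the Dropbox API hostnames, the staging-directory and PowerShell flag patterns, and every host, user, path and command line in the sample data are assumptions chosen for the example.

```python
"""
Hunting example for the DEEP#DRIVE tradecraft described above. Event dicts are a
simplified stand-in for Sysmon (EID 1 process create, EID 3 network connect) and
Windows Security (EID 4698 scheduled task created) records; all sample values are
constructed. Only the task name "ChromeUpdateTaskMachine" is taken from the report.
"""
import re

# Persistence task name reported for the campaign (from the article).
SUSPICIOUS_TASK_NAMES = {"chromeupdatetaskmachine"}

# Dropbox API hostnames (assumed list). PowerShell, rather than the Dropbox
# client, talking to these is worth a look given the reported C2/exfil channel.
DROPBOX_API_HOSTS = {"api.dropboxapi.com", "content.dropboxapi.com"}

# Where a ZIP opened from a mail client is typically extracted (assumption).
ARCHIVE_STAGING = re.compile(r"\\(Temp|Downloads)\\", re.IGNORECASE)

# "-w hidden" / "-WindowStyle Hidden" and "-e" / "-enc" / "-EncodedCommand".
HIDDEN_OR_ENCODED = re.compile(
    r"-(w(indowstyle)?\s+hidden|e(nc(odedcommand)?)?\s)", re.IGNORECASE)
POWERSHELL_IMAGE = re.compile(r"\b(powershell|pwsh)\.exe\b", re.IGNORECASE)


def is_powershell(image: str) -> bool:
    return bool(POWERSHELL_IMAGE.search(image))


def check_process(ev):
    """EID 1: PowerShell launched by Explorer (i.e. via a double-clicked .LNK)
    with a hidden/encoded command line or a script in an archive staging path."""
    if ev.get("event_id") != 1 or not is_powershell(ev.get("image", "")):
        return None
    cmd = ev.get("command_line", "")
    if not ev.get("parent_image", "").lower().endswith("explorer.exe"):
        return None
    if HIDDEN_OR_ENCODED.search(cmd) or ARCHIVE_STAGING.search(cmd):
        return f"PowerShell spawned by explorer.exe with suspicious command line: {cmd}"
    return None


def check_task(ev):
    """EID 4698: task named as in the report, or any task whose action runs
    PowerShell hidden/encoded or out of a staging directory."""
    if ev.get("event_id") != 4698:
        return None
    name = ev.get("task_name", "").strip("\\").lower()
    action = ev.get("task_action", "")
    reasons = []
    if name in SUSPICIOUS_TASK_NAMES:
        reasons.append(f"task name {name!r} matches reported DEEP#DRIVE persistence")
    if is_powershell(action) and (HIDDEN_OR_ENCODED.search(action)
                                  or ARCHIVE_STAGING.search(action)):
        reasons.append(f"task action runs hidden/encoded PowerShell: {action}")
    return "; ".join(reasons) or None


def check_network(ev):
    """EID 3: PowerShell connecting to a Dropbox API endpoint."""
    if ev.get("event_id") != 3 or not is_powershell(ev.get("image", "")):
        return None
    host = ev.get("dest_hostname", "").lower()
    if host in DROPBOX_API_HOSTS:
        return f"PowerShell connected to Dropbox API host {host}:{ev.get('dest_port')}"
    return None


RULES = (check_process, check_task, check_network)


def triage(events):
    """Return (host, rule_name, detail) for every record matching a rule."""
    alerts = []
    for ev in events:
        for rule in RULES:
            detail = rule(ev)
            if detail:
                alerts.append((ev.get("host"), rule.__name__, detail))
    return alerts


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed sample telemetry: three records mimicking the reported chain on
# WS-01, and three benign look-alikes on WS-02 that must not fire.
SAMPLE_EVENTS = [
    {"host": "WS-01", "event_id": 1, "image": PS,
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r'powershell.exe -w hidden -ep bypass -f '
                     r'"C:\Users\alice\AppData\Local\Temp\Temp1_work_log.zip\run.ps1"'},
    {"host": "WS-01", "event_id": 4698, "task_name": r"\ChromeUpdateTaskMachine",
     "task_action": f'"{PS}" -w hidden -e SQBFAFgA'},
    {"host": "WS-01", "event_id": 3, "image": PS,
     "dest_hostname": "content.dropboxapi.com", "dest_port": 443},
    {"host": "WS-02", "event_id": 1, "image": PS,
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": "powershell.exe Get-Service"},
    {"host": "WS-02", "event_id": 4698, "task_name": r"\GoogleUpdateTaskMachineUA",
     "task_action": r"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe /ua"},
    {"host": "WS-02", "event_id": 3, "image": r"C:\Program Files\Dropbox\Client\Dropbox.exe",
     "dest_hostname": "content.dropboxapi.com", "dest_port": 443},
]

if __name__ == "__main__":
    for host, rule, detail in triage(SAMPLE_EVENTS):
        print(f"[{host}] {rule}: {detail}")
```

Each rule fires independently, so a host that trips all three within a short window is the strong signal; any one alone (notably the Dropbox rule) is a triage lead that needs the process ancestry and the task's action to confirm, and the regexes are deliberately permissive so tuning against your own baseline is expected.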
The campaign, believed to be active since September of the previous year, demonstrates sophisticated evasion techniques. The attackers employ dynamic and short-lived infrastructure, rapidly removing key links after initial attack stages to complicate analysis and maintain operational security.
While the final stage of the attack remains unknown, the campaign showcases advanced techniques in obfuscation, stealthy execution, and dynamic file processing, highlighting the threat actor’s sophisticated approach to evading detection and hindering incident response efforts.