North Korean APT Kimsuky Uses forceCopy Malware to Steal Browser-Stored Credentials

Summary: The North Korea-affiliated hacking group Kimsuky has been observed conducting spear-phishing attacks that deliver a malware named forceCopy, which targets web browser configuration files to steal stored credentials. The attacks use deceptive emails carrying malicious Windows shortcut (LNK) files that lead to downloads of secondary payloads, including trojans and proxy malware. This marks a shift in Kimsuky's tactics away from bespoke backdoors toward established tools such as RDP Wrapper for maintaining persistent access to compromised systems.

Affected: South Korean organizations, web browsers

Key points:

  • Kimsuky employs spear-phishing tactics, delivering malware via disguised emails.
  • The attacks deploy forceCopy malware to steal credentials stored in web browser configuration files.
  • The group's tactics have evolved to use RDP Wrapper and proxy malware for persistent external communication with compromised systems.
  • Kimsuky is linked to North Korea’s intelligence agency, the Reconnaissance General Bureau.

Source: https://thehackernews.com/2025/02/north-korean-apt-kimsuky-uses-lnk-files.html