Network Security, Threat Intelligence

PowerShell Exploited in New Kimsuky Intrusions


North Korean advanced persistent threat group Kimsuky has launched attacks in which targets compromise themselves: they are lured into running PowerShell as an administrator and then executing the malicious code supplied to them, reports Security Affairs.

After establishing trust with targets by spoofing a South Korean government official, Kimsuky — also known as APT43, ARCHIPELAGO, Black Banshee, Velvet Chollima, and Thallium — distributed spear-phishing emails carrying a PDF document and a link to a website with instructions for launching PowerShell and running code, according to the Microsoft Threat Intelligence team. Running the supplied code in an elevated PowerShell session deploys a remote desktop tool and sends a web request to a remote server, after which the device is compromised and data is stolen.

"While we have only observed the use of this tactic in limited attacks since January 2025, this shift is indicative of a new approach to compromising their traditional espionage targets," said Microsoft Threat Intelligence in a post on X, formerly Twitter.
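As an added illustration from the defender's side (not code from the article or from Microsoft), the following Python scores PowerShell script-block log records for the combination the brief describes: an elevated session that fetches something from the web and enables remote desktop access. The record layout, indicator patterns and sample entries are assumptions constructed for the example.

```python
"""Triage PowerShell script-block events for the chain described above: an elevated
session that fetches web content and enables remote desktop. Samples are constructed."""
import re
from dataclasses import dataclass

@dataclass
class ScriptBlockEvent:
    record_id: int
    elevated: bool      # was the session running as administrator
    script_text: str    # ScriptBlockText of a PowerShell Event ID 4104 record

# Broad indicators on purpose: a single hit is routine admin work; the
# combination in one elevated session is what the reported lure produces.
WEB_FETCH = re.compile(r"invoke-webrequest|invoke-restmethod|downloadstring|downloadfile|\biwr\b|\bcurl\b", re.I)
REMOTE_DESKTOP = re.compile(r"fdenytsconnections|remote desktop|termservice|\bmstsc\b|\b3389\b", re.I)

def score_event(ev: ScriptBlockEvent) -> tuple[str, list[str]]:
    """Return (severity, matched reasons) for one script-block event."""
    reasons = []
    if ev.elevated:
        reasons.append("elevated session")
    if WEB_FETCH.search(ev.script_text):
        reasons.append("web fetch")
    if REMOTE_DESKTOP.search(ev.script_text):
        reasons.append("remote desktop setup")
    if len(reasons) == 3:                  # full chain from the report
        return "high", reasons
    if ev.elevated and len(reasons) == 2:  # elevated plus one stage: worth a look
        return "medium", reasons
    return "low", reasons

def triage(events: list[ScriptBlockEvent]) -> list[tuple[int, str, list[str]]]:
    """Return (record_id, severity, reasons) for medium/high events, high first."""
    rank = {"high": 0, "medium": 1}
    hits = [(ev.record_id, *score_event(ev)) for ev in events]
    return sorted((h for h in hits if h[1] in rank), key=lambda h: rank[h[1]])

# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    ScriptBlockEvent(1, True, "Invoke-WebRequest -Uri https://example.invalid/c -OutFile $env:TEMP\\c.txt; "
                              "Enable-NetFirewallRule -DisplayGroup 'Remote Desktop'"),
    ScriptBlockEvent(2, False, "Get-ChildItem C:\\Users\\alice\\Documents"),
    ScriptBlockEvent(3, True, "Set-ItemProperty 'HKLM:\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server' -Name fDenyTSConnections -Value 0"),
    ScriptBlockEvent(4, True, "Get-Process | Sort-Object CPU -Descending | Select-Object -First 5"),
]

if __name__ == "__main__":
    for rid, sev, reasons in triage(SAMPLE_EVENTS):
        print(f"record {rid}: {sev} ({', '.join(reasons)})")
```

Feeding it real 4104 records requires mapping the elevation flag from your own logging pipeline; the script only shows the scoring logic.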
