North Korean APT43 Uses PowerShell and Dropbox in Targeted South Korea Cyberattacks
Feb 13, 2025
United States
A nation-state threat actor with ties to North Korea has been linked to an ongoing campaign targeting South Korean business, government, and cryptocurrency sectors. The attack campaign, dubbed DEEP#DRIVE by Securonix, has been attributed to a hacking group known as Kimsuky , which is also tracked under the names APT43, Black Banshee, Emerald Sleet, Sparkling Pisces, Springtail, TA427, and Velvet Chollima. "Leveraging tailored phishing lures written in Korean and disguised as legitimate documents, the attackers successfully infiltrated targeted environments," security researchers Den Iuzvyk and Tim Peck said in a report shared with The Hacker News, describing the activity as a "sophisticated and multi-stage operation." The decoy documents, sent via phishing emails as .HWP, .XLSX, and .PPTX files, are disguised as work logs, insurance documents and crypto-related files to trick recipients into opening them, thereby triggering the infection process. The attack...