North Korean APT Kimsuky Uses forceCopy Malware to Steal Browser-Stored Credentials

Feb 06, 2025Ravie LakshmananThreat Intelligence / Malware

The North Korea-linked nation-state hacking group known as Kimsuky has been observed conducting spear-phishing attacks to deliver an information stealer malware named forceCopy, according to new findings from the AhnLab Security Intelligence Center (ASEC).

The attacks commence with phishing emails containing a Windows shortcut (LNK) file that’s disguised as a Microsoft Office or PDF document.

Opening this attachment triggers the execution of PowerShell or mshta.exe, a legitimate Microsoft binary designed to run HTML Application (HTA) files, that are responsible for downloading and running next-stage payloads from an external source.

The South Korean cybersecurity company said the attacks culminated in the deployment of a known trojan dubbed PEBBLEDASH and a custom version of an open-source Remote Desktop utility named RDP Wrapper.

Also delivered as part of the attacks is a proxy malware that allows the threat actors to establish persistent communications with an external network via RDP.

Furthermore, Kimsuky has been observed using a PowerShell-based keylogger to record keystrokes and a new stealer malware codenamed forceCopy that’s used to copy files stored in web browser-related directories.

“All of the paths where the malware is installed are web browser installation paths,” ASEC said. “It is assumed that the threat actor is attempting to bypass restrictions in a specific environment and steal the configuration files of the web browsers where credentials are stored.”

The use of tools RDP Wrapper and proxies to commandeer infected hosts points to tactical shift for Kimsuky, which has historically leveraged bespoke backdoors for this purpose.

The threat actor, also referred to as APT43, Black Banshee, Emerald Sleet, Sparkling Pisces, Springtail, TA427, and Velvet Chollima, is assessed to be affiliated with the Reconnaissance General Bureau (RGB), North Korea’s primary foreign intelligence service.

Active since at least 2012, Kimusky has a track record of orchestrating tailored social engineering attacks that are capable of bypassing email security protections. In December 2024, cybersecurity company Genians revealed that the hacking crew has been sending phishing messages that originate from Russian services to conduct credential theft.

Upgrade your audio game with the Logitech for Creators Blue Yeti USB Microphone. With over 33,730 ratings and an impressive 4.6 out of 5 stars, it’s no wonder this is an Amazon’s Choice product. Recently, 5K+ units were purchased in the past month.

Available in five stunning colors: Teal, Silver, Pink Dawn, Midnight Blue, and Blackout, this microphone is perfect for creators looking to produce exceptional audio. Priced at only $84.99, it’s a deal you can’t afford to miss.

Elevate your recordings with clear broadcast-quality sound and explore your creativity with enhanced effects, advanced modulation, and HD audio samples. Order now for just $84.99 on Amazon!

Help Power Techcratic’s Future – Scan To Support

If Techcratic’s content and insights have helped you, consider giving back by supporting the platform with crypto. Every contribution makes a difference, whether it’s for high-quality content, server maintenance, or future updates. Techcratic is constantly evolving, and your support helps drive that progress.

As a solo operator who wears all the hats, creating content, managing the tech, and running the site, your support allows me to stay focused on delivering valuable resources. Your support keeps everything running smoothly and enables me to continue creating the content you love. I’m deeply grateful for your support, it truly means the world to me! Thank you!