Rapid7 warns of a new cyberattack tactic by a North Korean gang

North Korea’s Kimsuky cybercrime gang, also known as Black Banshee, Thallium, APT 43, and Velvet Chollima, has launched a new campaign using fresh tactics, according to Rapid7.


Rapid7, an infosec tools vendor, has revealed that North Korea's cybercrime gang Kimsuky is using new tactics in its cyberattacks. It added that Kimsuky has a history of collecting information from government agencies and other related organisations, aiming to gather intelligence for the regime in Pyongyang. The gang's favourite tactic is spear phishing, but it remains to be seen what its tactic is in the latest cyberattack.

According to a Rapid7 blog post, the attacks use poisoned Microsoft Compiled HTML Help (CHM), ISO, VHD, ZIP and RAR files. Rapid7 identified poisoned CHM files, which include text, images and hyperlinks, and explained that such files can execute JavaScript, which in turn installs malicious scripts that harvest information from victims' machines. That information includes running processes and recently opened Word files, ultimately granting unauthorised access to sensitive data.
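A defender's view of the CHM stage described above: because a poisoned help file runs its script through the Windows help viewer (hh.exe), process-creation telemetry in which hh.exe spawns a shell or script host, or opens a .chm from a download or temp folder, is a practical detection hook. This is an added example, not code from Rapid7 or the report; the field names follow Sysmon Event ID 1 conventions and the log lines are constructed.

```python
import json
import ntpath
from typing import List, Optional, Tuple

# Script hosts and shells that a compiled help viewer has no business launching.
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
    "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe",
}
# Locations where freshly delivered attachments or extracted archives usually land.
STAGING_HINTS = ("\\downloads\\", "\\temp\\", "\\appdata\\local\\temp\\")

def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (assumed field is a full path)."""
    return ntpath.basename(path).lower()

def classify(event: dict) -> Optional[str]:
    """Return a finding label for one process-creation event, or None if benign.

    Assumed Sysmon-style keys: ParentImage, Image, CommandLine.
    """
    parent = basename(event.get("ParentImage", ""))
    child = basename(event.get("Image", ""))
    cmdline = event.get("CommandLine", "").lower()
    if parent == "hh.exe" and child in SUSPICIOUS_CHILDREN:
        return f"hh.exe spawned {child}: possible script in poisoned CHM"
    if child == "hh.exe" and ".chm" in cmdline and any(h in cmdline for h in STAGING_HINTS):
        return "hh.exe opened a CHM from a download/temp directory"
    return None

def scan(lines: List[str]) -> List[Tuple[int, str]]:
    """Run classify() over JSON-lines events; return (line_no, label) for each hit."""
    findings = []
    for no, line in enumerate(lines, 1):
        if line.strip():
            label = classify(json.loads(line))
            if label:
                findings.append((no, label))
    return findings

# Constructed sample events (not real telemetry from the campaign); the first line is blank.
SAMPLE_LOG = r"""
{"ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\hh.exe", "CommandLine": "\"C:\\Windows\\hh.exe\" C:\\Users\\kim\\Downloads\\guide.chm"}
{"ParentImage": "C:\\Windows\\hh.exe", "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c [constructed placeholder]"}
{"ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Program Files\\Microsoft Office\\WINWORD.EXE", "CommandLine": "WINWORD.EXE report.docx"}
{"ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\hh.exe", "CommandLine": "\"C:\\Windows\\hh.exe\" \"C:\\Program Files\\Vendor\\help.chm\""}
"""

if __name__ == "__main__":
    for no, label in scan(SAMPLE_LOG.splitlines()):
        print(f"line {no}: {label}")
```

The vendor help file on the last line produces no finding, which is the point: the rule keys on the hh.exe parent-child relationship and staging paths, not on CHM files as such.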

Raj Samani, chief scientist at Rapid7, said the company believes the target of this campaign is South Korea, but also expressed concern that Kimsuky is expanding its attacks outside Asia. He noted that Germany's federal information security agency has listed the North Korean cybercrime gang as active within the country.

Why does it matter?

Rapid7's revelation of the new tactic deployed by the North Korean cybercrime gang Kimsuky highlights the urgent need for stricter cybersecurity measures. Given the gang's history of targeting government agencies and related organisations, it raises concerns about the security of sensitive data and the consequences of a breach. Rapid7's identification of Kimsuky's expanded targets, including South Korea and possibly Germany, emphasises the global reach of cyber threats and the need for international cooperation in addressing cyberespionage and security breaches.