Kimsuky deploys TRANSLATEXT to target South Korean academia
Zscaler Blog
Introduction
In March 2024, Zscaler ThreatLabz observed new activity from Kimsuky (aka APT43, Emerald Sleet, and Velvet Chollima), an advanced persistent threat actor backed by the North Korean government. First observed in 2013, the group is known for cyber espionage and financially motivated attacks, primarily against South Korean entities including think tanks, government institutions, and the academic sector. Kimsuky employs a range of tactics, techniques, and procedures (TTPs) in its targeted campaigns, and one of its distribution methods is malicious Google Chrome extensions. In July 2022, it was reported that Kimsuky used malicious Chrome extensions to target users in the U.S., Europe, and South Korea. While monitoring this group, we discovered an instance in which Kimsuky used a new Google Chrome extension, which we named “TRANSLATEXT”, for cyber espionage.
TRANSLATEXT is used to steal email addresses, usernames, passwords, and cookies, and to capture browser screenshots.
Key …
IoC
File hashes (MD5)
38e27983c757374d9bae36a2e2520e8e
bba3b15bad6b5a80ab9fa9a49b643658
Network indicators
http://ney.r-e.kr/mar/tys.php
http://ney.r-e.kr/mar/tys.txt
http://sdfa.liveblog365.com/ares/babyhades.txt
http://sdfa.liveblog365.com/ares/hades.txt
http://viaweb.co.kr
https://onewithshare.blogspot.com/2023/04/10.html
https://raw.githubusercontent.com/HelperDav/Web/main/update.xml
https://webman.w3school.cloudns.nz
https://webman.w3school.cloudns.nz/config.php
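The indicators above are only useful once they are turned into a hunt. The following script is an added example, not Zscaler's tooling: it parses the IoC list from this page into hash, URL and host sets, then sweeps constructed proxy log lines and a constructed file-hash inventory against them. One caveat it encodes is that a host-only match is not safe for shared platforms such as raw.githubusercontent.com, where the attacker-controlled repository path is the indicator, so those hosts only match on the full URL. The log format, the SHARED_HOSTS set and the sample records are assumptions for illustration.

```python
"""Sweep proxy logs and file hashes for the TRANSLATEXT IoCs listed on this page.

Added example, not Zscaler's code. The IoC values are copied from the page; the
log lines, file paths and SHARED_HOSTS policy below are constructed for illustration.
"""
import re
from urllib.parse import urlparse

# IoCs as published on this page: two 32-hex (MD5-length) hashes, the rest URLs.
IOCS = """
38e27983c757374d9bae36a2e2520e8e
bba3b15bad6b5a80ab9fa9a49b643658
http://ney.r-e.kr/mar/tys.php
http://ney.r-e.kr/mar/tys.txt
http://sdfa.liveblog365.com/ares/babyhades.txt
http://sdfa.liveblog365.com/ares/hades.txt
http://viaweb.co.kr
https://onewithshare.blogspot.com/2023/04/10.html
https://raw.githubusercontent.com/HelperDav/Web/main/update.xml
https://webman.w3school.cloudns.nz
https://webman.w3school.cloudns.nz/config.php
""".split()

# Assumption: hosts shared by many legitimate users, where only the exact URL
# (repository path) is a meaningful indicator. Extend per environment.
SHARED_HOSTS = {"raw.githubusercontent.com"}

HEX32 = re.compile(r"^[0-9a-f]{32}$")


def normalize_url(url):
    """scheme://host/path with a lowercased host, no trailing slash, no query."""
    u = urlparse(url.strip())
    return f"{u.scheme.lower()}://{u.hostname}{u.path.rstrip('/')}"


def parse_iocs(lines):
    """Split a flat IoC list into (hashes, normalized URLs, hosts)."""
    hashes, urls, hosts = set(), set(), set()
    for item in lines:
        item = item.strip()
        if HEX32.match(item.lower()):
            hashes.add(item.lower())
        elif "://" in item:
            urls.add(normalize_url(item))
            hosts.add(urlparse(item).hostname)
    return hashes, urls, hosts


def match_url(url, urls, hosts):
    """('url', ioc) on exact match, ('host', host) on host match, else None."""
    norm = normalize_url(url)
    host = urlparse(norm).hostname
    if norm in urls:
        return ("url", norm)
    if host in hosts and host not in SHARED_HOSTS:
        return ("host", host)
    return None


def scan_proxy_log(lines, urls, hosts):
    """Return [(line_no, kind, indicator)] for lines whose URL field hits an IoC.

    Assumed log shape: whitespace-separated fields, one of which is a full URL.
    """
    hits = []
    for n, line in enumerate(lines, 1):
        for token in line.split():
            if "://" in token:
                m = match_url(token, urls, hosts)
                if m:
                    hits.append((n, m[0], m[1]))
                break
    return hits


def scan_hashes(records, hashes):
    """records: iterable of (path, md5). Return those whose hash is an IoC."""
    return [(p, h) for p, h in records if h.lower() in hashes]


# Constructed sample data (not real traffic or real files).
SAMPLE_PROXY_LOG = [
    "2024-03-12T09:14:02Z 10.0.4.17 GET http://ney.r-e.kr/mar/tys.txt 200",
    "2024-03-12T09:14:05Z 10.0.4.17 GET https://raw.githubusercontent.com/HelperDav/Web/main/update.xml 200",
    "2024-03-12T09:15:11Z 10.0.4.22 GET https://raw.githubusercontent.com/torvalds/linux/master/README 200",
    "2024-03-12T09:16:40Z 10.0.4.17 POST https://webman.w3school.cloudns.nz/upload.php 200",
    "2024-03-12T09:17:03Z 10.0.4.31 GET https://www.example.com/ 200",
]
SAMPLE_HASHES = [
    ("sample_a.bin", "38E27983C757374D9BAE36A2E2520E8E"),  # IoC hash, upper-cased
    ("sample_b.bin", "d41d8cd98f00b204e9800998ecf8427e"),  # MD5 of an empty file
]

if __name__ == "__main__":
    h, u, s = parse_iocs(IOCS)
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG, u, s):
        print("proxy hit:", hit)
    for hit in scan_hashes(SAMPLE_HASHES, h):
        print("hash hit:", hit)
```

Line 3 of the sample log is the point of the SHARED_HOSTS rule: a benign GitHub raw download shares a host with the IoC but must not fire, while line 4 fires on host alone because webman.w3school.cloudns.nz is attacker-controlled infrastructure even though upload.php is not in the published URL list.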