Beware of attacks by the Kimsuky hacking group abusing Google browser and app store services
2023-03-20 • KRNCSC • Beware of attacks by the Kimsuky hacking group abusing Google browser and app store services
South Korea's NIS and Germany's BfV warned that Kimsuky, also tracked as Thallium or Velvet Chollima, abused Google browser and app-store services to target Korean Peninsula and North Korea specialists. The advisory describes spear-phishing that led victims to install a malicious Chromium extension; the extension activated during Gmail sessions and used DevTools API functionality to steal email while bypassing some of the user's security settings. It also describes the attackers using previously stolen Google credentials together with Google Play's web-to-phone synchronization workflow to push malicious Android apps, registered only for internal testing, onto a victim's linked smartphone without any interaction on the device. The source lists infrastructure and artifacts including siekis[.]com, navernnail[.]com, lowerp.onlinewebshop[.]net, 23.106.122[.]16, the %APPDATA%\AF folder, and FastSpy/Kimsuky Android samples.
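A defender-side hunt for the two host artifacts the advisory names, as an added example that is not the advisory's or KRNCSC's own tooling: it flags installed Chromium extensions whose manifest requests the "debugger" permission (assumed here to be the route by which an extension reaches the DevTools API) together with access to Google mail hosts, and checks for the %APPDATA%\AF folder. The sample manifests are constructed.

```python
"""Hunt for the two host-side traces the advisory names: a Chromium extension
that can reach the DevTools API during Gmail sessions, and the %APPDATA%\\AF
folder. Example code written for this page, not the advisory's own tooling."""
import json
import os
from pathlib import Path

# Assumption: an extension reaches the DevTools protocol through chrome.debugger,
# which is gated by the "debugger" manifest permission. The advisory only says
# "DevTools API functionality", so treat this as one hunting heuristic, not proof.
def manifest_findings(manifest: dict) -> list:
    """Return short tags for the risky traits found in one manifest.json."""
    perms = set(manifest.get("permissions", []) or [])
    perms |= set(manifest.get("optional_permissions", []) or [])
    hosts = list(manifest.get("host_permissions", []) or []) + list(perms)
    tags = []
    if "debugger" in perms:
        tags.append("debugger-permission")
    # Match patterns such as https://mail.google.com/*, *://*.google.com/*, <all_urls>
    if any(h == "<all_urls>" or "google.com" in h for h in hosts):
        tags.append("gmail-host-access")
    return tags


def scan_extensions_dir(root) -> dict:
    """Walk a profile's Extensions folder (<id>/<version>/manifest.json)."""
    results = {}
    for manifest_path in Path(root).glob("*/*/manifest.json"):
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            continue  # unreadable or non-JSON manifest: skip, do not abort the sweep
        tags = manifest_findings(manifest)
        if tags:
            results[manifest_path.parent.parent.name] = tags
    return results


def af_folder_present(appdata=None) -> bool:
    """True when the %APPDATA%\\AF folder listed in the advisory exists."""
    base = Path(appdata) if appdata else Path(os.environ.get("APPDATA", ""))
    return bool(appdata or os.environ.get("APPDATA")) and (base / "AF").is_dir()


# Constructed sample manifests so the script runs without a browser profile.
SUSPICIOUS = {"name": "Mail Helper", "manifest_version": 3,
              "permissions": ["debugger", "tabs"],
              "host_permissions": ["https://mail.google.com/*"]}
BENIGN = {"name": "Dark Theme", "manifest_version": 3, "permissions": ["storage"]}

if __name__ == "__main__":
    for m in (SUSPICIOUS, BENIGN):
        print(m["name"], "->", manifest_findings(m) or "no findings")
    print("%APPDATA%\\AF present:", af_folder_present())
```

Point scan_extensions_dir at a real profile's Extensions folder to sweep installed extensions; a hit is a lead to review the extension's code, not a confirmed infection.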