Kimsuky deploys TRANSLATEXT to target South Korean academia

2024-06-27 Zscaler

https://www.zscaler.com/blogs/security-research/kimsuky-deploys-translatext-target-south-korean-academia

Zscaler observed Kimsuky using a malicious Chrome extension named TRANSLATEXT for espionage against South Korean academia, especially researchers focused on North Korean political affairs. The campaign involved an archive lure whose name translates as a review of a monograph on Korean military history; it contained HWP decoy documents and a Windows executable that retrieved a PowerShell script from actor-controlled infrastructure. A related PowerShell script checked Chrome's ExtensionInstallForcelist registry policy, suggesting the actor forced installation of the extension through earlier-stage tooling. TRANSLATEXT masqueraded as Google Translate, was briefly hosted in an attacker-controlled GitHub repository as GoogleTranslate.crx, and included JavaScript to bypass Gmail, Naver, and Kakao security prompts, steal email addresses, passwords, and cookies, and capture browser screenshots. The short window between the GitHub upload and deletion indicates an attempt to limit exposure while targeting selected victims.
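The ExtensionInstallForcelist policy mentioned above is the same mechanism enterprises use to push extensions silently, so an abused entry looks like any other forced install unless you compare it against what you actually deploy. The following PowerShell audit is an added example, not Zscaler's tooling or anything recovered from the campaign: it reads the Chrome policy keys in both hives, splits each entry into its extension ID and update URL, and flags entries whose update URL is not the Chrome Web Store or whose ID is not on a local allowlist. The $AllowedExtensionIds list is a placeholder you replace with the IDs your organisation forces on purpose.

```powershell
# Added example (not from the Zscaler report): audit Chrome's ExtensionInstallForcelist
# policy for forced extensions that are not Web Store items or not on a local allowlist.
# Run as an administrator to read HKLM; HKCU covers a per-user policy key.

$PolicyPaths = @(
    'HKLM:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist',
    'HKCU:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist'
)
# Update URL Chrome uses for Web Store extensions; anything else is self-hosted.
$WebStoreUpdateUrl = 'https://clients2.google.com/service/update2/crx'
# Placeholder: extension IDs your organisation deliberately forces (assumption, fill in).
$AllowedExtensionIds = @()

function Get-ForcedExtension {
    foreach ($path in $PolicyPaths) {
        if (-not (Test-Path $path)) { continue }
        $key = Get-Item $path
        foreach ($name in $key.GetValueNames()) {
            $raw = [string]$key.GetValue($name)
            # Each entry is "<extension id>;<update url>"; the URL may be omitted for Web Store items.
            $id, $updateUrl = $raw -split ';', 2
            $id = $id.Trim()
            $updateUrl = if ($updateUrl) { $updateUrl.Trim() } else { $WebStoreUpdateUrl }

            $reasons = @()
            # Extension IDs are 32 characters drawn from a-p.
            if ($id -notmatch '^[a-p]{32}$') { $reasons += 'malformed extension id' }
            if ($updateUrl -ne $WebStoreUpdateUrl) { $reasons += "non-Web-Store update URL: $updateUrl" }
            if ($AllowedExtensionIds -notcontains $id) { $reasons += 'not on local allowlist' }

            [pscustomobject]@{
                Hive        = $path.Split(':')[0]
                ValueName   = $name
                ExtensionId = $id
                UpdateUrl   = $updateUrl
                Suspicious  = ($reasons.Count -gt 0)
                Reason      = ($reasons -join '; ')
            }
        }
    }
}

$results = @(Get-ForcedExtension)
if ($results.Count -eq 0) {
    Write-Output 'No ExtensionInstallForcelist entries found.'
} else {
    $results | Format-Table -AutoSize
    $results | Where-Object Suspicious | ForEach-Object {
        Write-Warning ('Forced extension {0} ({1}): {2}' -f $_.ExtensionId, $_.Hive, $_.Reason)
    }
}
```

A self-hosted update URL is legitimate in many environments, which is why the script reports the reason for each flag rather than treating any non-Web-Store entry as malicious; pair the output with a baseline of approved IDs and alert on new entries appearing in either hive, since a policy key written by an earlier-stage script, as described above, is the observable a defender can act on before the extension ever runs.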

Indicators of Compromise

Type Value First Seen Last Seen
DOMAIN o-r.kr 2023-05-24 2026-06-01
DOMAIN r-e.kr 2023-03-23 2026-06-01
DOMAIN p-e.kr 2021-12-21 2026-06-01
HASH 38e27983c757374d9bae36a2e2520e8e 2024-06-27 2024-06-27
HASH bba3b15bad6b5a80ab9fa9a49b643658 2024-06-27 2024-06-27
URL https://webman.w3school.cloudns… 2024-06-27 2024-06-27
URL http://sdfa.liveblog365.com/are… 2024-06-27 2024-06-27
URL http://viaweb.co.kr 2024-06-27 2024-06-27
URL https://webman.w3school.cloudns… 2024-06-27 2024-06-27
URL http://ney.r-e.kr/mar/tys.php 2024-06-27 2024-06-27
URL http://sdfa.liveblog365.com/are… 2024-06-27 2024-06-27
URL http://ney.r-e.kr/mar/tys.txt 2024-06-27 2024-06-27
DOMAIN ney.r-e.kr 2024-06-27 2024-06-27
DOMAIN webman.w3school.cloudns.nz 2024-06-27 2024-06-27
DOMAIN sdfa.liveblog365.com 2024-06-27 2024-06-27
DOMAIN viaweb.co.kr 2024-06-27 2024-06-27

Related Reports

2024-07-19 • 75% Match
#Trend #Andariel #Kimsuky #MoonstoneSleet #Lazarus #T1082 #T1059.003 #T1090 #T1140 #T1005 #T1070.004 #T1041 #T1113 #T1555 #T1560 #T1071.001 #T1046 #T1112 #T1115 #T1083 #T1497 #T1056.001 #T1036 #T1027 #T1204.002 #T1566.002 #T1555.003 #T1071 #T1124 #T1222 #T1552 #T1057 #T1583.003 #T1518.001 #T1547.001 #T1053.005 #T1539 #T1608.005 #T1583.001 #T1059.001 #T1053 #T1552.001 #T1566 #T1059 #T1003 #T1497.001 #T1102.001 #T1574.002 #T1562.001 #T1490 #T1486 #T1129 #T1133 #T1571 #T1548 #T1190 #T1203 #T1564.001 #T1087 #T1562.004 #T1218.011 #T1070.006 #T1547 #T1068 #T1614 #T1573 #T1095 #T1562 #T1070 #T1047 #T1056 #T1176 #T1010 #T1033 #T1569.002 #T1543.003 #T1485 #T1012 #T1202 #T1087.002 #T1021.004 #T1222.001 #T1518 #T1564.003 #T1505.003 #T1069.002 #T1564 #T1595.002 #T1027.005 #T1070.001 #T1056.004 #T1584
Shares tags: Kimsuky, T1041, T1113 • Published within a month
2024-09-12 • 56% Match
#Kimsuky #T1102.002 #T1082 #T1059.003 #T1567.002 #T1140 #T1005 #T1070.004 #T1587.001 #T1041 #T1608.001 #T1071.001 #T1112 #T1083 #T1056.001 #T1059.006 #T1204.001 #T1059.007 #T1036 #T1027 #T1204.002 #T1566.002 #T1555.003 #T1057 #T1059.005 #T1583.006 #T1518.001 #T1566.001 #T1547.001 #T1585.002 #T1053.005 #T1598.003 #T1583.001 #T1059.001 #T1036.005 #T1552.001 #T1585.001 #T1105 #T1219 #T1055 #T1553.002 #T1562.001 #T1027.002 #T1133 #T1190 #T1098 #T1016 #T1074.001 #T1588.002 #T1055.012 #T1587 #T1078.003 #T1071.002 #T1562.004 #T1550.002 #T1111 #T1071.003 #T1591 #T1003.001 #T1218.011 #T1593.002 #T1586.002 #T1588.005 #T1583.004 #T1036.004 #T1589.003 #T1594 #T1218.010 #T1557 #T1593.001 #T1218.005 #T1589.002 #T1584.001 #T1070.006 #T1021.001 #T1560.001 #T1176 #T1136.001 #T1543.003 #T1012 #T1534 #T1560.003 #T1007 #T1564.003 #T1114.003 #T1114.002 #T1564.002 #T1040 #T1546.001 #T1505.003
Shares tags: Kimsuky, T1041, T1071.001