Microsoft Threat Intelligence has observed North Korean state actor Emerald Sleet using a new tactic
2025-02-12 • Microsoft
Microsoft Threat Intelligence has observed North Korean state actor Emerald Sleet (also known as Kimsuky and VELVET CHOLLIMA) using a new tactic: tricking targets into running PowerShell as an administrator and then pasting and running code provided by the threat actor. To execute this tactic, the threat actor masquerades as a South Korean government official and over time builds rapport with a target before sending a spear-phishing email with a PDF attachment. While we have only observed the use of this tactic in limited attacks since January 2025, this shift is indicative of a new approach to compromising their traditional espionage targets. To read the PDF file attached to the email, the target is lured to click a URL with instructions to register their device.