In March 2024, Zscaler ThreatLabz identified renewed cyber activities linked to Kimsuky, a sophisticated threat actor backed by the North Korean government. Known for its extensive history in cyber espionage and financial motives, Kimsuky deployed a new tool named “TRANSLATEXT,” a malicious Google Chrome extension aimed at stealing sensitive data. This extension was strategically uploaded to Kimsuky’s GitHub repository, where it targeted South Korean entities involved in political research on North Korean affairs, using deceptive tactics such as posing as benign academic research documents.
TRANSLATEXT operated by circumventing security measures of popular email services like Gmail, as well as local South Korean platforms Kakao and Naver. It was designed to extract critical information including email credentials, usernames, passwords, cookies, and browser screenshots. The deployment strategy involved embedding the malicious extension within deceptive archive files, which, upon execution, triggered PowerShell scripts to facilitate data exfiltration and the installation of additional malware components on victims’ systems.
Despite Kimsuky’s swift removal of TRANSLATEXT and associated files from their GitHub repository within a day of upload, the incident highlights the group’s advanced capabilities and ongoing threat to cybersecurity. This episode underscores the persistent challenge posed by state-sponsored cyber actors who exploit digital platforms for espionage and financial gain, particularly in sensitive geopolitical contexts such as North Korean political research. The use of GitHub as a distribution channel and the rapid cleanup efforts reflect Kimsuky’s tactics to evade detection and continue their operations covertly.
Reference:
