North Korean hackers are using a Chrome flaw to breach their targets' email accounts.
Kimsuky is believed to be the threat actor behind the campaign.
Kimsuky, also tracked as Thallium and Velvet Chollima, is a North Korean threat group that uses spear phishing to conduct cyber espionage.
- The group has previously targeted:
  - diplomats,
  - politicians,
  - journalists,
  - government agencies,
  - university professors, etc.
- The group previously targeted individuals and organizations in South Korea, while now it is also targeting entities in the U.S. and Europe.
- The group's attack sequence begins with a phishing email that leads the victim to install a browser extension.
- The extension can be installed in Chrome, Microsoft Edge, and Brave.
- The extension is named AF and appears in the extensions list only if the user specifically looks for it by entering a command in the browser's address bar.
- Once the victim visits Gmail through the infected browser, the extension steals the victim's email content and credentials.
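A defender's check for the behaviour described above, added here as example code that is not from the original report: it inventories installed extensions from a Chrome profile's `Preferences` JSON instead of trusting the extensions page, and flags sideloaded extensions whose declared permissions reach Gmail. The sample JSON is constructed, the extension IDs are made up, and the exact set of keys under `extensions.settings` is an assumption based on Chrome's profile layout.

```python
import json

# Constructed sample resembling the "extensions" section of a Chrome profile's
# Preferences file (e.g. ~/.config/google-chrome/Default/Preferences on Linux).
# IDs, names and paths are made up for this example.
SAMPLE_PREFS = json.dumps({
    "extensions": {
        "settings": {
            "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {
                "from_webstore": True,
                "path": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/1.2.3_0",
                "manifest": {"name": "Example Store Extension", "version": "1.2.3",
                             "permissions": ["webRequest", "<all_urls>"]},
            },
            "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {
                "from_webstore": False,
                "path": "C:\\Users\\victim\\AppData\\Roaming\\AF",
                "manifest": {"name": "AF", "version": "1.0",
                             "permissions": ["tabs", "https://mail.google.com/*"]},
            },
        }
    }
})

# Host patterns broad enough to cover Gmail, plus an explicit substring match.
BROAD_HOST_PATTERNS = ("<all_urls>", "*://*/*", "https://*/*")

def can_reach_gmail(permissions):
    """True if any declared permission grants access to mail.google.com."""
    return any(p in BROAD_HOST_PATTERNS or "mail.google.com" in p for p in permissions)

def suspicious_extensions(prefs_text):
    """Return [(id, name, path)] for extensions not installed from the Web Store
    that can read Gmail. The browser UI may not show such an extension unless
    the user looks for it, but the preferences file still records it."""
    prefs = json.loads(prefs_text)
    settings = prefs.get("extensions", {}).get("settings", {})
    findings = []
    for ext_id, entry in settings.items():
        manifest = entry.get("manifest", {})
        perms = manifest.get("permissions", []) + manifest.get("host_permissions", [])
        if not entry.get("from_webstore", False) and can_reach_gmail(perms):
            findings.append((ext_id, manifest.get("name", "?"), entry.get("path", "?")))
    return findings

if __name__ == "__main__":
    for ext_id, name, path in suspicious_extensions(SAMPLE_PREFS):
        print(f"sideloaded extension with Gmail access: {name} ({ext_id}) at {path}")
```

Run it against a real profile by reading the `Preferences` (or `Secure Preferences`) file into `suspicious_extensions` instead of the constructed sample.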