The North Korea-linked Kimsuky hacking group is behind a new social engineering attack using fake Facebook accounts on Messenger to deliver malware.
A report by South Korean cybersecurity company Genians last week revealed that the attack involves a fictitious Facebook account posing as a public official in the North Korean human rights field, targeting activists in related sectors.
Unlike traditional email-based phishing, this campaign uses Facebook Messenger to trick targets into opening files uploaded on OneDrive, masquerading as legitimate content related to North Korea and the trilateral summit between Japan, South Korea, and the U.S.
The attackers use Microsoft Management Console documents to evade detection, disguising the malicious document with a harmless-looking Word file icon. Once opened, the document connects to an adversary-controlled server and gathers information, which it then exfiltrates to the command-and-control server.
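As an added illustration, not taken from the Genians report, the following detection logic runs over constructed, Sysmon-style process and network events and flags an mmc.exe process that was started on a console file from a user-writable path and then made an outbound connection. That MMC console documents use the .msc extension and are hosted by mmc.exe is general Windows knowledge; the log format, paths and addresses are constructed for the example.

```python
import re

# Constructed, Sysmon-style events (ProcessCreate / NetworkConnect), not real telemetry.
SAMPLE_LOGS = [
    r'pid=4312 event=ProcessCreate image=C:\Windows\System32\mmc.exe cmdline="mmc.exe C:\Users\kim\Downloads\summit_agenda.msc" user=kim',
    r'pid=4312 event=NetworkConnect image=C:\Windows\System32\mmc.exe dest=203.0.113.10:443',
    r'pid=5120 event=ProcessCreate image=C:\Windows\System32\mmc.exe cmdline="mmc.exe C:\Windows\System32\eventvwr.msc" user=admin',
    r'pid=6001 event=ProcessCreate image="C:\Program Files\Microsoft Office\WINWORD.EXE" cmdline="WINWORD.EXE C:\Users\kim\Downloads\notes.docx" user=kim',
    r'pid=6001 event=NetworkConnect image="C:\Program Files\Microsoft Office\WINWORD.EXE" dest=198.51.100.7:443',
]

# key=value pairs; values may be double-quoted when they contain spaces.
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# A console file argument, and a path under a user profile (user-writable).
MSC_ARG = re.compile(r"\S+\.msc\b", re.IGNORECASE)
USER_PATH = re.compile(r"[A-Z]:\\Users\\", re.IGNORECASE)


def parse(line):
    """Turn one log line into a dict of its key=value fields."""
    return {key: quoted or bare for key, quoted, bare in FIELD.findall(line)}


def detect_msc_lure(lines):
    """Return (pid, console file, destination) for each mmc.exe process that
    opened a .msc from a user-writable location and later connected outbound.
    Console files under System32 (e.g. the built-in Event Viewer) are ignored,
    which keeps routine administration from firing the rule."""
    suspects = {}  # pid -> .msc path that mmc.exe was launched with
    alerts = []
    for rec in map(parse, lines):
        if not rec.get("image", "").lower().endswith("\\mmc.exe"):
            continue
        if rec.get("event") == "ProcessCreate":
            match = MSC_ARG.search(rec.get("cmdline", ""))
            if match and USER_PATH.search(match.group(0)):
                suspects[rec["pid"]] = match.group(0)
        elif rec.get("event") == "NetworkConnect" and rec.get("pid") in suspects:
            alerts.append((rec["pid"], suspects[rec["pid"]], rec.get("dest")))
    return alerts


if __name__ == "__main__":
    for pid, console, dest in detect_msc_lure(SAMPLE_LOGS):
        print(f"ALERT pid={pid} console={console} dest={dest}")
```

In a real environment the user-path and destination conditions would be tuned, since mmc.exe legitimately makes network connections when administrators manage remote hosts.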
This tactic aligns with previous Kimsuky activity, showcasing the group’s evolving methods to distribute malware and evade detection.
Genians warned about the rise of social media-based covert attacks, emphasizing the importance of early detection to mitigate personalized threats effectively.