ClickCease Alert: Kimsuky Hacking Group Targets Human Rights Activists

Content Table

Join Our Popular Newsletter

Join 4,500+ Linux & Open Source Professionals!

2x a month. No spam.

Alert: Kimsuky Hacking Group Targets Human Rights Activists

Wajahat Raja

May 31, 2024 - TuxCare expert team

As per recent reports a new social engineering attack attributed to the North Korea-linked Kimsuky hacking group is targeting human rights activists using fake Facebook accounts. This tactic, involving fictitious identities, marks a significant shift from their typical email-based spear-phishing strategies. According to a report by South Korean cybersecurity firm Genians, the attackers pose as public officials in the North Korean human rights sector to deceive their targets via Facebook Messenger.


A Sophisticated Multi-Stage Attack

Kimsuky Hacking Group aims specifically at North Korean human rights activism and anti-North Korea activities. Unlike conventional methods, this approach leverages social media to build trust and deliver Kimsuky malware. The attackers create fake Facebook profiles, pretending to be legitimate individuals, to initiate contact and lure the targets into opening malicious documents.

Leveraging Social Media for Deception

The attack’s novelty lies in its use of Facebook Messenger rather than email to deliver the payload. The
North Korean hackers send messages containing links to seemingly innocuous documents hosted on OneDrive. These documents, named “My_Essay(prof).msc” or “NZZ_Interview_Kohei Yamamoto.msc,” appear to be essays or interview content related to a trilateral summit between Japan, South Korea, and the U.S. One such document was uploaded to the VirusTotal platform on April 5, 2024, from Japan, suggesting a focus on targets in Japan and South Korea.

Uncommon Document Types to Evade Detection

Kimsuky’s use of MSC files, a less common document type, helps the group evade detection. These files are disguised with Word processor icons to trick victims into opening them. When a victim launches the MSC file and agrees to open it with Microsoft Management Console (MMC), they see a console screen displaying a Word document. This document activates a sequence that establishes a connection with an attacker-controlled server,[.]in.


The Attack Sequence Of Kimsuky Hacking Group

Reports claim that upon opening the document, the victim unknowingly runs a command that connects to the adversary’s server. This server displays another document hosted on Google Drive, titled “Essay on Resolution of Korean Forced Labor Claims.docx.” Meanwhile, in the background, additional commands are executed to ensure persistence and gather information such as battery and process data from the victim’s device.

The collected information is then sent to the command-and-control (C2) server. This server can also collect IP addresses, User-Agent strings, and timestamp information from HTTP requests, delivering further malicious payloads as needed. The tactics, techniques, and procedures (TTPs) observed in this espionage campaign overlap with previous Kimsuky activities, including the distribution of malware like ReconShark, as detailed by SentinelOne in May 2023.

The Increasing Threat of Social Media-Based Targeted Cyber Attacks

Genians highlights that in the first quarter of this year,
social engineering (spear phishing) was the most common method of advanced persistent threat (APT) attacks reported in South Korea. However, covert attacks via social media, though less frequently reported, are also on the rise. These personalized attacks are difficult to detect with traditional security monitoring tools and often go unreported, even when victims are aware of them.

Given their personalized nature, these social media-based targeted attacks pose a significant challenge for cybersecurity. Early detection of such threats is crucial to mitigate their impact. As attackers continue to refine their methods, organizations, and individuals must stay vigilant and adopt robust security measures to protect themselves against these evolving threats.


The Kimsuky hacking group’s latest campaign underscores the growing sophistication of
cyber attack tactics. By exploiting social media platforms like Facebook, these attackers can reach their targets in more personalized and deceptive ways, causing network security breaches. Awareness and early detection are key to defending against such threats and ensuring the security of individuals and organizations working in sensitive sectors.

The sources for this piece include articles in The Hacker News and Security Affairs.

Alert: Kimsuky Hacking Group Targets Human Rights Activists
Article Name
Alert: Kimsuky Hacking Group Targets Human Rights Activists
Discover how the Kimsuky Hacking Group is using social engineering on Facebook to target human rights activists with malware.
Publisher Name
Publisher Logo

Looking to automate vulnerability patching without kernel reboots, system downtime, or scheduled maintenance windows?

Learn About Live Patching with TuxCare

Become a TuxCare Guest Writer

Get started




Linux & Open Source

Subscribe to
our newsletter