The North Korea-linked hacking group Kimsuky has recently been found deploying a newly identified information-stealing malware called forceCopy. This malware is distributed via spear-phishing attacks, utilizing deceptive Windows shortcut (LNK) files that disguise themselves as Microsoft Office or PDF documents. Upon interaction, unsuspecting victims trigger a chain reaction that executes malicious commands, leading to significant data breaches and system compromise.
Threat Overview
| Aspect | Details |
|---|---|
| Threat Name | forceCopy Malware |
| Threat Actor | Kimsuky (APT43, Black Banshee, Emerald Sleet) |
| Initial Infection Method | Spear-phishing emails with disguised Windows shortcut (LNK) files |
| Execution Method | Uses PowerShell and mshta.exe to deploy additional malware |
| Main Payloads | forceCopy (file stealer), PowerShell keylogger, PEBBLEDASH Trojan, RDP Wrapper |
| Purpose | Credential theft, data exfiltration, remote system control |
| Targeted Platforms | Windows |
| Recent Expansion | Russian-based phishing campaigns for credential theft |
Download SpyHunter Now & Scan Your Computer For Free!
Remove this and any other malicious threats to your system by scanning your computer with SpyHunter now! It’s FREE!
Exploiting Legitimate Tools to Deliver Threatening Payloads
Kimsuky’s attack strategy relies on executing malicious commands through PowerShell and ‘mshta.exe,’ a legitimate Windows utility used for running HTML Application (HTA) files. These techniques allow attackers to download and execute secondary payloads discreetly, increasing the difficulty of detection and mitigation.
Deploying Trojans and Remote Desktop Tools
Once the infection takes hold, additional malware components are installed, including:
- PEBBLEDASH Trojan – A known malware used for system reconnaissance and data exfiltration.
- RDP Wrapper – An open-source tool modified by the attackers to establish persistent remote desktop access.
- Proxy malware – Ensures a stable connection between the infected device and the attacker’s command-and-control (C2) server.
A Keylogger and forceCopy: Targeting Stored Credentials
A critical aspect of the campaign is the use of a PowerShell-based keylogger to capture keystrokes. The newly identified forceCopy malware is particularly concerning as it specializes in extracting stored files from web browser directories. This allows attackers to access configuration files containing login credentials, potentially bypassing traditional security measures.
A Strategic Shift: Using RDP for Host Control
Previously, Kimsuky primarily utilized custom-built backdoors to control infected systems. However, their latest approach involves leveraging the RDP Wrapper and proxy malware to maintain persistence while reducing the likelihood of detection. By using widely available tools, they blend in with legitimate system activity, making it harder for security solutions to flag their presence.
APT43: A Long-Standing Cyber Espionage Threat
Kimsuky, also known as APT43, has been active since at least 2012 and operates under North Korea’s Reconnaissance General Bureau (RGB). The group specializes in executing sophisticated social engineering attacks, often bypassing email security defenses to compromise high-value targets.
Expanding Operations with Russian-Based Phishing Campaigns
Recent intelligence suggests that Kimsuky has begun leveraging Russian email services to distribute phishing emails. This change, first observed in December 2024, reflects the group’s adaptability in refining its social engineering tactics to maximize infection rates among government agencies, research institutions, and financial entities.
Comprehensive Removal Guide
Download SpyHunter Now & Scan Your Computer For Free!
Remove this and any other malicious threats to your system by scanning your computer with SpyHunter now! It's FREE!
If you suspect your system has been compromised by forceCopy malware, follow these steps to remove it:
Step 1: Disconnect from the Internet
- Immediately disconnect your computer from the internet to prevent further data transmission to the attackers’ C2 server.
Step 2: Boot into Safe Mode
- Restart your computer.
- Press F8 (or Shift + Restart for newer Windows versions) to access Advanced Startup Options.
- Select Safe Mode with Networking.
Step 3: Terminate Malicious Processes
- Open Task Manager (Ctrl + Shift + Esc).
- Look for suspicious processes (e.g.,
mshta.exe,powershell.exe) and end them.
Step 4: Remove Malicious Files
- Navigate to:
C:\Users\[Your Username]\AppData\Local\TempC:\Users\[Your Username]\AppData\Roaming
- Delete any unfamiliar
.exe,.lnk, or.htafiles.
Step 5: Check for Unwanted Registry Entries
- Open Registry Editor (Win + R → type
regedit→ Enter). - Navigate to:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- Look for suspicious entries and delete them.
Step 6: Scan with an Anti-Malware Tool
- Run a full system scan using an advanced anti-malware tool such as SpyHunter to detect and remove hidden threats.
Step 7: Update Your Security Measures
- Change all stored passwords immediately after removing the malware.
- Enable two-factor authentication (2FA) for critical accounts.
Preventive Measures
To avoid future infections, implement the following security best practices:
Strengthen Email Security
- Avoid opening attachments from unknown senders.
- Enable email filtering to block phishing attempts.
- Verify suspicious emails with IT security personnel.
Disable Unnecessary System Features
- Turn off PowerShell scripting if not required.
- Block execution of
mshta.exeusing Group Policy.
Update and Patch Regularly
- Ensure Windows and installed software are up to date.
- Apply security patches for known vulnerabilities.
Use Advanced Security Software
- Deploy reputable anti-malware solutions like SpyHunter.
- Utilize endpoint detection and response (EDR) systems.
Implement Strong Network Security
- Configure a firewall to block unauthorized remote access.
- Use VPNs to encrypt data transmissions.
Educate Users on Cybersecurity Awareness
- Conduct regular training on phishing and malware threats.
- Promote a zero-trust approach in handling email attachments.
Conclusion
Kimsuky’s forceCopy malware represents a significant cyber espionage threat, leveraging sophisticated spear-phishing tactics and widely available tools to evade detection. By understanding the infection chain and implementing strong preventive measures, individuals and organizations can mitigate the risks posed by this advanced persistent threat. Prompt detection, removal, and ongoing vigilance remain the best defenses against such evolving cyber threats.
Download SpyHunter Now & Scan Your Computer For Free!
Remove this and any other malicious threats to your system by scanning your computer with SpyHunter now! It's FREE!
Free Scan Available