Kimsuky Deploys TRANSLATEXT Chrome Extension
Essential information
- Published: 28/06/2024 07:46
- Modified: 28/06/2024 07:58
- Tags: 2024-06-28, chrome extension, credential-theft, cyber espionage, malware, north korea
- Related entities: 10 observables, 1 intrusion set (APT), 7 techniques (MITRE), 1 malware, 1 other
Description
In March 2024, the cybersecurity firm Zscaler observed new activity from Kimsuky, a North Korean state-sponsored hacker group. The group employed a malicious Google Chrome extension named 'TRANSLATEXT', crafted to steal email addresses, usernames, passwords and cookies, and to capture browser screenshots. The primary targets appear to be academic researchers in South Korea specializing in geopolitical issues related to the Korean peninsula. The extension bypassed security measures of prominent email providers and exfiltrated the stolen data via a GitHub repository controlled by the threat actors.