A new wave of targeted cyberattacks attributed to the North Korean-aligned Velvet Chollima advanced persistent threat (APT) group has been observed since January 2025.
According to Microsoft’s Threat Intelligence and corroborated by reports from Bleeping Computer, this campaign has primarily targeted South Korean government officials, but its reach extends to NGOs, government agencies, and media companies across North America, South America, Europe, and East Asia.
The attackers have adopted increasingly sophisticated social engineering tactics, leveraging spear-phishing emails and deceptive web pages to compromise their victims.
Spear-Phishing with Malicious PDFs
The attack chain commences with highly tailored spear-phishing emails, often purporting to originate from South Korean government officials.
These emails are crafted to build credibility and rapport with the target before delivering a malicious PDF attachment.
Rather than containing visible malicious content, the PDF embeds a hyperlink that surreptitiously redirects recipients to a fake CAPTCHA verification page once clicked.
This subtle method bypasses traditional content scanning tools, reducing the likelihood of detection and increasing the chance of user interaction.
One of the defining features of this campaign is the utilization of the so-called “ClickFix” technique, a recent social engineering tactic designed to exploit user trust and trick targets into unwittingly executing attacker-supplied code.
On landing on the fake CAPTCHA page, victims are greeted with a seemingly legitimate verification interface.

Upon interacting with the “I’m not a robot” checkbox, a convincing prompt instructs them to run a specific PowerShell command as an administrator.
The malicious command is conveniently copied to the clipboard, streamlining the process and lowering the barrier for exploitation.
According to the report, this technique weaponizes the user’s own actions against them, bypassing many security controls that would normally prevent unauthorized code execution.
By framing the activity as a necessary step to access a document or complete device registration, the attackers capitalize on urgency and confusion, key elements in successful social engineering.

Reverse Shell Payloads Enable Full Remote Access
Should the victim comply, the PowerShell command connects the compromised system to the attacker’s command and control (C2) infrastructure, creating a reverse shell.
This direct pipeline enables the attacker to execute arbitrary commands, exfiltrate sensitive information, and drop additional malware onto the target machine.
Furthermore, the script establishes persistence by modifying Windows registry keys, ensuring its continued execution even after system reboots.
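As an added example that is not part of the original report, the following Python triage logic runs over constructed Sysmon-style events and flags the two behaviours described above: PowerShell spawned from the Run dialog (explorer.exe as parent) with stager-style switches, and a Run/RunOnce registry value whose data invokes a script host. The event shape, the sample values and the assumption that persistence lands in a Run key are mine, not from the page.

```python
import re

# Constructed sample events in a simplified Sysmon-like shape (event 1 = process
# creation, event 13 = registry value set). Not real telemetry; IP is documentation range.
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": "powershell -w hidden -nop -ep bypass -enc <base64 placeholder>"},
    {"id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "powershell"},   # interactive use
    {"id": 13, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "target": r"HKU\S-1-5-21-0-0-0-1001\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "details": r"powershell -w hidden -File C:\Users\Public\u.ps1"},
    {"id": 13, "image": r"C:\Windows\System32\msiexec.exe",                 # benign installer
     "target": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\VendorTray",
     "details": r"C:\Program Files\Vendor\tray.exe"},
]

# Switches typical of a pasted one-liner. An explorer.exe parent means the shell came
# from the Run dialog or Start menu (where ClickFix tells the user to paste), not a terminal.
SUSPICIOUS_ARGS = re.compile(
    r"(-w(indowstyle)?\s+hidden|-e(nc|ncodedcommand)?\s|-nop\b|-ep\s+bypass|"
    r"\biex\b|invoke-expression|downloadstring|tcpclient)", re.IGNORECASE)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
SCRIPT_HOSTS = re.compile(r"\b(powershell|pwsh|cmd|mshta|wscript|cscript)(\.exe)?\b",
                          re.IGNORECASE)


def is_clickfix_launch(ev):
    """Process creation: PowerShell spawned by explorer.exe with stager-style switches."""
    return (ev["id"] == 1 and ev["image"].lower().endswith("powershell.exe")
            and ev["parent"].lower().endswith(r"\explorer.exe")
            and SUSPICIOUS_ARGS.search(ev["cmdline"]) is not None)


def is_run_key_persistence(ev):
    """Registry write: a Run/RunOnce value whose data starts a script host."""
    return (ev["id"] == 13 and RUN_KEY.search(ev["target"]) is not None
            and SCRIPT_HOSTS.search(ev["details"]) is not None)


def triage(events):
    """Return (event index, rule name) for every event matching a rule."""
    hits = []
    for i, ev in enumerate(events):
        if is_clickfix_launch(ev):
            hits.append((i, "clickfix_powershell_from_explorer"))
        elif is_run_key_persistence(ev):
            hits.append((i, "run_key_script_persistence"))
    return hits


if __name__ == "__main__":
    for i, rule in triage(SAMPLE_EVENTS):
        print(f"event {i}: {rule}")
```

Tune SUSPICIOUS_ARGS to your environment; admin tooling that legitimately uses -EncodedCommand will need an allow-list keyed on parent process or signer.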
This approach grants the attackers a foothold on high-value networks, facilitating lateral movement and potential escalation across interconnected systems, a significant risk for organizations operating in sensitive political, media, and governmental spheres.
The Velvet Chollima campaign underscores the evolving sophistication of state-sponsored cyber espionage operations and highlights the growing use of advanced social engineering tactics such as ClickFix.
These attacks represent a formidable challenge to conventional security postures, as they circumvent technical controls by manipulating human behavior.
Security professionals are advised to prioritize user awareness campaigns about these emerging threats, enforce strict controls on script execution, and monitor for suspicious outbound connections.
As threat actors continue to refine their tactics, a blend of technical vigilance and continuous education remains essential to defend against such multifaceted intrusion attempts.