Researchers at Zscaler ThreatLabz have uncovered a new attack campaign by Kimsuky, a threat group believed to operate out of North Korea. The campaign used a malicious Chrome extension, tracked as TRANSLATEXT, that masqueraded as a Google Translate extension. Its targets were reportedly South Korean academic researchers whose work focuses on the Korean Peninsula. TRANSLATEXT is particularly concerning because of what it can steal: email addresses, usernames, passwords, cookies, and even screenshots of the browser.
Although the extension has since been removed from the GitHub repository that hosted it, the researchers stress that this was a targeted campaign in which Kimsuky showed a detailed understanding of its specific victims. How the extension was delivered remains unclear; the researchers suspect that Kimsuky used email to send links to the fake extension download.
This is not the first time Kimsuky has used deceptive Chrome extensions: earlier incidents involved fake extensions aimed at government organizations and businesses. The episode underscores the importance of caution when installing extensions from sources that cannot be verified, in particular from links or repositories outside the browser's official store. Before installing any extension, users should check who the developer is, what permissions the extension asks for, and what other users report, to reduce the risk of falling victim to a similar attack.
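The capabilities attributed to TRANSLATEXT above (reading cookies, credentials and screenshots) all require specific permissions in an extension's manifest.json, so one practical check is to audit the manifests of extensions already installed in a Chrome profile for that combination. The script below is an added example written for this page, not code from Zscaler or from the extension itself; the sample manifests are constructed for illustration, the permission-to-risk mapping is this example's own judgement about the Chrome extension APIs, and it does not claim to match TRANSLATEXT's actual manifest.

```python
import json
import os
import sys
from typing import Iterator

# Permission -> why it matters when a lookalike extension is after session
# material. These descriptions are this example's own reading of Chrome's
# extension APIs, not something taken from the Zscaler report.
RISKY_PERMISSIONS = {
    "cookies": "can read session cookies for every host it has host access to",
    "webRequest": "can observe every HTTP request, including submitted forms",
    "webRequestBlocking": "can modify or redirect requests in flight",
    "scripting": "can inject script into pages on demand",
    "tabs": "can enumerate open tabs and their URLs",
    "activeTab": "can read the current page and screenshot it with captureVisibleTab",
    "clipboardRead": "can read the clipboard",
    "nativeMessaging": "can talk to a native process outside the browser sandbox",
}

# Host patterns that amount to "every site".
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def _is_host_pattern(p: str) -> bool:
    return p == "<all_urls>" or "://" in p


def audit_manifest(manifest: dict) -> dict:
    """Audit one manifest.json (MV2 or MV3); return name, findings and a severity."""
    findings = []
    perms = set(manifest.get("permissions", [])) | set(manifest.get("optional_permissions", []))
    # MV2 mixes host patterns into "permissions"; MV3 moves them to "host_permissions".
    hosts = set(manifest.get("host_permissions", [])) | {p for p in perms if _is_host_pattern(p)}
    api_perms = perms - hosts

    broad_host = bool(hosts & BROAD_HOSTS)
    if broad_host:
        findings.append("host access to every site: page content, cookies on any origin, "
                        "captureVisibleTab on any tab")
    for p in sorted(api_perms & RISKY_PERMISSIONS.keys()):
        findings.append(f"permission {p!r}: {RISKY_PERMISSIONS[p]}")

    # A content script matching every page can read whatever the user types into forms.
    broad_content = any(
        set(cs.get("matches", [])) & BROAD_HOSTS for cs in manifest.get("content_scripts", [])
    )
    if broad_content:
        findings.append("content script on every page: can read credentials typed into forms")

    # Broad reach combined with a data-access API is what a cookie/credential
    # stealer needs; a single risky item on its own is worth a look, not an alarm.
    data_api = bool(api_perms & {"cookies", "webRequest", "scripting", "activeTab"})
    if broad_content or (broad_host and data_api):
        severity = "high"
    elif findings:
        severity = "medium"
    else:
        severity = "low"
    # Note: names may be "__MSG_...__" placeholders resolved from _locales; left as-is here.
    return {"name": manifest.get("name", "<unnamed>"), "findings": findings, "severity": severity}


def iter_manifests(extensions_dir: str) -> Iterator[tuple[str, dict]]:
    """Yield (path, manifest) for every manifest.json under a profile's Extensions folder."""
    for root, _dirs, files in os.walk(extensions_dir):
        if "manifest.json" in files:
            path = os.path.join(root, "manifest.json")
            try:
                with open(path, encoding="utf-8-sig") as fh:
                    yield path, json.load(fh)
            except (OSError, ValueError):
                continue  # unreadable or not JSON: skip it rather than abort the scan


def audit_extensions_dir(extensions_dir: str) -> list[dict]:
    """Audit every extension found under extensions_dir, worst first."""
    order = {"high": 0, "medium": 1, "low": 2}
    results = []
    for path, manifest in iter_manifests(extensions_dir):
        result = audit_manifest(manifest)
        result["path"] = path
        results.append(result)
    return sorted(results, key=lambda r: order[r["severity"]])


# Constructed sample manifests (hypothetical; not TRANSLATEXT's real manifest).
SAMPLE_LOOKALIKE = {  # MV3 extension that claims to be a translator
    "manifest_version": 3, "name": "Google Translate", "version": "1.0",
    "permissions": ["cookies", "tabs", "storage"],
    "host_permissions": ["<all_urls>"],
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["content.js"]}],
}
SAMPLE_MV2 = {  # MV2 layout: host pattern inside "permissions"
    "manifest_version": 2, "name": "Page Helper", "version": "0.3",
    "permissions": ["<all_urls>", "webRequest", "storage"],
}
SAMPLE_BENIGN = {  # narrow host access, no data-access APIs
    "manifest_version": 3, "name": "Dictionary Lookup", "version": "2.1",
    "permissions": ["storage"], "host_permissions": ["https://api.example.com/*"],
}

if __name__ == "__main__":
    targets = [audit_extensions_dir(sys.argv[1])] if len(sys.argv) > 1 else \
        [[audit_manifest(m) for m in (SAMPLE_LOOKALIKE, SAMPLE_MV2, SAMPLE_BENIGN)]]
    for result in targets[0]:
        print(f"[{result['severity'].upper()}] {result['name']} {result.get('path', '')}")
        for f in result["findings"]:
            print("   -", f)
```

Run it without arguments to see the three constructed samples scored, or pass a profile's extension folder (on Linux typically ~/.config/google-chrome/Default/Extensions, on Windows %LOCALAPPDATA%\Google\Chrome\User Data\Default\Extensions). A "high" result is not proof of malice, since legitimate translation and password-manager extensions legitimately need broad host access; it is a prompt to verify the developer and the install source, which is exactly the scrutiny the article calls for.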