Kimsuky’s forceCopy Malware: A New Cyber Espionage Threat from North Korea

The North Korea-linked hacking group Kimsuky (also known as APT43, Black Banshee, and Emerald Sleet) has been identified as using a newly discovered information-stealing malware called forceCopy in recent spear-phishing campaigns. These attacks begin with phishing emails that contain malicious Windows shortcut (LNK) files, disguised to appear like legitimate Microsoft Office or PDF documents.

Once the file is opened, a chain reaction is triggered, ultimately leading to the deployment of remote access trojans (RATs), keyloggers, and other malware. Notably, Kimsuky is now leveraging legitimate Windows tools, such as mshta.exe and RDP Wrapper, to evade detection and maintain persistence. This shift in tactics demonstrates the group’s evolving approach to cyber espionage.

---

The forceCopy Malware at a Glance

Aspect	Details
Threat Name	forceCopy
Associated Group	Kimsuky (APT43, Black Banshee, Emerald Sleet)
Attack Vector	Spear-phishing emails with LNK files disguised as Microsoft Office/PDF documents
Primary Objective	Credential theft, surveillance, persistence via RDP
Methods Used	PowerShell, mshta.exe, keyloggers, modified RDP Wrapper, proxy malware
Affected Systems	Windows-based devices
Targets	High-value individuals and organizations, government entities, research institutions
Persistence Mechanism	Remote Desktop Protocol (RDP), proxy malware, keylogging
Similar Threats	PEBBLEDASH Trojan, other North Korean APT malware

---

How the Malware is Delivered

The infection process starts when a victim opens a malicious LNK file attached to a phishing email. This file imitates a Microsoft Office or PDF document but actually triggers PowerShell or mshta.exe execution in the background. The use of mshta.exe—a legitimate Windows utility for running HTML applications—helps attackers evade detection.

Upon execution, the malware downloads additional payloads from a remote server, allowing Kimsuky to install forceCopy and other harmful tools.

---

The Role of RDP in Kimsuky’s Attacks

Kimsuky’s recent attacks emphasize Remote Desktop Protocol (RDP) exploitation. The attackers deploy a modified version of RDP Wrapper, an open-source tool that enables multiple remote desktop sessions on Windows devices. This tactic allows attackers to gain long-term access to compromised machines while bypassing built-in security measures.

In addition to RDP Wrapper, Kimsuky uses proxy malware to keep a persistent connection between the victim’s device and their remote network. This method ensures that the attackers can continuously control infected machines without raising immediate suspicion.

---

Key Features of forceCopy: Credential Theft & Keylogging

One of the most concerning aspects of forceCopy is its ability to steal credentials by targeting stored browser files. By directly extracting sensitive configuration data, it can bypass security restrictions that typically prevent credential theft.

Additionally, Kimsuky deploys a PowerShell-based keylogger alongside forceCopy to capture keystrokes, making it easier for them to collect login information for email accounts, financial services, and corporate systems.

---

APT43: A Well-Known Threat in Cyber Espionage

Kimsuky (APT43) has been active since at least 2012 and is linked to North Korea’s Reconnaissance General Bureau (RGB)—the country’s primary foreign intelligence service. The group is notorious for sophisticated phishing campaigns, which they use to steal intelligence, financial data, and sensitive corporate information.

Expanding Operations with Russian-Based Phishing Campaigns

Recent reports indicate that Kimsuky has been using Russian email services to distribute phishing messages. By leveraging these foreign email providers, they avoid detection by Western security agencies while refining their social engineering tactics.

---

Removal Guide: How to Eliminate forceCopy Malware

If you suspect your system has been infected with forceCopy malware, follow this step-by-step removal guide:

Step 1: Disconnect from the Internet

Unplug your Ethernet cable or disable Wi-Fi to prevent the malware from communicating with the attacker’s server.

Step 2: Boot in Safe Mode

1. Restart your computer.
2. Press F8 (or Shift + Restart) before Windows loads.
3. Choose Safe Mode with Networking.

Step 3: Identify and Terminate Malicious Processes

1. Press Ctrl + Shift + Esc to open Task Manager.
2. Look for suspicious processes (e.g., mshta.exe, unknown PowerShell scripts).
3. Right-click and select End Task.

Step 4: Remove Malicious Startup Entries

1. Open Task Manager → Startup tab.
2. Disable any unknown or suspicious startup applications.

Step 5: Delete Malicious Files

1. Press Win + R, type %temp%, and delete all temporary files.
2. Navigate to:
   • C:\Users\YourUsername\AppData\Local\
   • C:\ProgramData\
   • Delete any unfamiliar files related to forceCopy.

Step 6: Scan Your System with an Anti-Malware Tool

Using a reputable anti-malware tool such as SpyHunter can help detect and remove forceCopy.

Step 7: Check for RDP Exploits

1. Open Windows Settings → Remote Desktop Settings.
2. Disable Remote Desktop Access if not required.

---

Preventive Measures: How to Protect Yourself

1. Be Wary of Phishing Emails
   • Avoid opening unexpected email attachments, even if they appear to be from a trusted source.
   • Always verify sender authenticity before clicking on links.
2. Disable Windows Script Execution: Run the following PowerShell command to block mshta.exe execution:
   • Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings" -Name "Enabled" -Value 0
3. Use Multi-Factor Authentication (MFA): Enable MFA for email, banking, and corporate accounts to protect against credential theft.
4. Keep Your Software Updated: Regularly update Windows, browsers, and security tools to patch vulnerabilities.
5. Monitor RDP Activity
   • Disable RDP if unnecessary.
   • Use strong passwords and network-level authentication (NLA) for RDP access.

---

Conclusion

The forceCopy malware is the latest tool in Kimsuky’s expanding cyber espionage arsenal. By using sophisticated phishing techniques, exploiting legitimate Windows tools, and leveraging RDP for persistence, Kimsuky continues to pose a serious threat to businesses, government entities, and high-value targets worldwide.

Understanding the nature of these attacks, implementing strong cybersecurity measures, and regularly scanning your system for vulnerabilities can help protect against this evolving threat.