North Korean hackers steal Gmail emails from politicians and diplomats via infected Chrome extensions

The National Intelligence Service (NIS) of the Republic of Korea and Germany’s Federal Office for the Protection of the Constitution (BfV) have issued a joint advisory about a North Korean hacking campaign that uses malicious Chrome extensions to steal emails from Gmail.

These hackers are known as Kimsuky, although the group also goes by other names such as Thallium and Velvet Chollima. It is a group of malicious North Korean actors that uses ‘phishing’ – posing as a legitimate source – to carry out cyber espionage against diplomats, politicians, journalists, government agencies and even university professors.

Now the NIS and the BfV have issued a joint advisory to “raise awareness” of the group’s activity after identifying a new Kimsuky attack campaign which, although it mainly targets Korean victims, has also been detected in the United States and Europe.

In this case the group uses a malicious Google Chrome extension distributed through a fraudulent email sent to the potential victim. The email urges the recipient to install the extension in Chrome, although in reality it can be installed in any Chromium-based browser, such as Microsoft Edge or Brave.

Once installed, the extension, which appears under the name ‘AF’, is triggered without the user noticing when they open their Gmail account. At that moment the ‘malware’ begins intercepting the content of all messages, and the authorities have warned that it also has access to data stored in cloud services.

To steal the information, the ‘AF’ extension uses the DevTools API, a web developer toolkit built into the Google Chrome browser. With it, the attackers send the stolen data to their relay server, obtaining all of the data “secretly” while bypassing the email account’s security settings.
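For defenders who want to review the extensions actually present on a workstation, the following Python script is an added example and is not code from the advisory, the NIS/BfV or the article’s author. It walks the standard Chromium extension directories (Chrome, Chromium, Edge and Brave on their default profile paths, an assumption about the install layout), parses each extension’s manifest.json and flags traits that would let an extension behave like ‘AF’: a registered DevTools page, the ‘debugger’ or web-request permissions, host access to mail.google.com, and a display name of ‘AF’ as reported by the agencies. The exact DevTools mechanism the malware uses is not described on the page, so treating ‘devtools_page’ and ‘debugger’ as the manifest-level indicators is this example’s assumption; a hit is a lead for manual review, not proof of compromise.

```python
"""Review locally installed Chromium-family extensions for traits a Gmail-stealing
extension such as 'AF' would need.  Added example for this article; the profile
paths and the manifest heuristics are assumptions, not from the NIS/BfV advisory."""
import json
import sys
from pathlib import Path

# Permissions worth a second look when combined with Gmail host access.
SUSPICIOUS_PERMISSIONS = {"debugger", "webRequest", "webRequestBlocking"}
# Host-pattern fragments that grant access to Gmail pages.
MAIL_HOST_FRAGMENTS = ("mail.google.com", "<all_urls>")
# Display name of the extension reported by the agencies (from the article).
REPORTED_NAME = "AF"

# Default extension roots for common Chromium-based browsers (assumption: default
# install locations and the "Default" profile).  Missing directories are skipped.
DEFAULT_ROOTS = [
    Path.home() / ".config/google-chrome/Default/Extensions",
    Path.home() / ".config/chromium/Default/Extensions",
    Path.home() / "AppData/Local/Google/Chrome/User Data/Default/Extensions",
    Path.home() / "AppData/Local/Microsoft/Edge/User Data/Default/Extensions",
    Path.home() / "AppData/Local/BraveSoftware/Brave-Browser/User Data/Default/Extensions",
]

# Constructed sample manifest resembling what a mail-stealing extension would ask
# for; it is illustrative only and is not the real 'AF' manifest.
SAMPLE_MANIFEST = {
    "manifest_version": 3,
    "name": "AF",
    "version": "1.0",
    "devtools_page": "devtools.html",
    "permissions": ["debugger", "storage"],
    "host_permissions": ["https://mail.google.com/*"],
}


def _host_patterns(manifest):
    """Collect every host pattern the manifest requests (MV2 permissions,
    MV3 host_permissions and content-script match lists)."""
    patterns = []
    for key in ("permissions", "host_permissions"):
        for p in manifest.get(key, []):
            if isinstance(p, str) and ("://" in p or p == "<all_urls>"):
                patterns.append(p)
    for script in manifest.get("content_scripts", []):
        patterns.extend(m for m in script.get("matches", []) if isinstance(m, str))
    return patterns


def assess_manifest(manifest):
    """Return a list of human-readable findings for one parsed manifest dict.
    An empty list means none of the reviewed traits are present."""
    findings = []
    if "devtools_page" in manifest:
        findings.append("registers a devtools_page (DevTools API hook)")
    perms = {p for p in manifest.get("permissions", []) if isinstance(p, str)}
    for p in sorted(perms & SUSPICIOUS_PERMISSIONS):
        findings.append(f"requests '{p}' permission")
    hosts = _host_patterns(manifest)
    if any(frag in h for h in hosts for frag in MAIL_HOST_FRAGMENTS):
        findings.append("has host access to Gmail: " + ", ".join(hosts))
    if str(manifest.get("name", "")).strip() == REPORTED_NAME:
        findings.append("display name matches the reported 'AF' extension")
    return findings


def scan_extension_root(root):
    """Walk <root>/<extension id>/<version>/manifest.json and return
    {extension id: (name, findings)} for every extension with findings."""
    hits = {}
    root = Path(root)
    if not root.is_dir():
        return hits
    for manifest_path in root.glob("*/*/manifest.json"):
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip, do not crash the sweep
        findings = assess_manifest(manifest)
        if findings:
            ext_id = manifest_path.parent.parent.name
            hits[ext_id] = (manifest.get("name", "?"), findings)
    return hits


def main(argv):
    """Usage: python review_extensions.py [extension-root ...]
    With no arguments the default browser profile roots are scanned."""
    roots = argv[1:] or DEFAULT_ROOTS
    print("Constructed sample manifest:", assess_manifest(SAMPLE_MANIFEST))
    for root in roots:
        for ext_id, (name, findings) in scan_extension_root(root).items():
            print(f"[{root}] {ext_id} ({name!r}):")
            for f in findings:
                print("   -", f)


if __name__ == "__main__":
    main(sys.argv)
```

Run it on a suspect machine (or point it at an extension directory copied from one) and triage the hits against the organisation’s allow-list; extensions that were sideloaded from a link in an email rather than installed from the Web Store deserve the closest look.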

The Korean and German agencies warn that these attacks are aimed mainly at “experts” on the Korean peninsula and North Korea. However, they caution that “the target of attack can be extended to an unspecified number of people”.

The agencies have also registered a Kimsuky campaign in which the group uses a fraudulent app hosted on the Google Play Store, known since October 2022 as ‘FastViewer’, ‘Fastfire’ or ‘Fastspy DEX’, as BleepingComputer recalls.

This other mode of operation involves stealing the victims’ Gmail account credentials through fraudulent emails. The attackers then take advantage of the ‘smartphone’ synchronization feature with the application store to download and install the malicious ‘app’.

This ‘malware’ is actually a remote access trojan (RAT). With it, the cybercriminals can access the infected ‘smartphone’ and the information it contains, and take control of it to perform actions such as making calls, sending SMS or activating the camera.

Author: JJ Beat
