North Korean APT43 Uses PowerShell and Dropbox in Targeted South Korea Cyberattacks

A North Korean threat actor, Kimsuky, is targeting South Korean businesses, government, and cryptocurrency sectors with phishing emails that carry Korean-language decoy documents. The attack chain relies heavily on PowerShell scripts for payload delivery, reconnaissance, and execution, and uses Dropbox for payload distribution and data exfiltration. The campaign, active since September 2022, demonstrates sophisticated techniques to evade detection and complicate incident response.

*****
Written on