Theia

Chollima Hackers Use Stealth LNK Malware in Targeted Cyber-Espionage Campaign

DEFENSE

The Chollima advanced persistent threat group has launched a cyber-espionage campaign that uses malicious Windows shortcut (LNK) files to deliver multi-stage malware to activists and analysts who monitor North Korea. The weaponized LNK files were delivered inside compressed email attachments or behind cloud-hosted links, which let the emails slip past security filters.

Opening an LNK file triggered a hidden command sequence that ran PowerShell scripts to download further malware components from disguised sources. The malware focused on information theft and system reconnaissance: it harvested system metadata, browser credentials, and documents, then sent that data to command-and-control servers.
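Since the lure hinges on what a shortcut will actually run when opened, a defender's first move is to read the LNK binary itself rather than trust its icon. The following is an added example, not code from the article or from any vendor named in it: a minimal parser for the ShellLink header and StringData fields, plus a triage function that flags PowerShell launch arguments and a minimized start window. The sample shortcut it builds is constructed for the test and points at a non-routable placeholder host.

```python
import re
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_IDLIST, HAS_LINKINFO, HAS_NAME, HAS_RELPATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKDIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
SW_SHOWMINNOACTIVE = 7  # console starts minimized: the usual way a lure keeps its window out of sight
SUSPICIOUS = re.compile(r"powershell|pwsh|-enc\w*\b|-w(indowstyle)?\s+hidden|downloadstring|"
                        r"invoke-webrequest|\biwr\b|\biex\b|bitsadmin|mshta", re.I)

def _string(buf, off, unicode):
    """One StringData item: uint16 CountCharacters, then the characters (UTF-16LE if IsUnicode)."""
    (count,) = struct.unpack_from("<H", buf, off)
    width = 2 if unicode else 1
    raw = buf[off + 2:off + 2 + count * width]
    return raw.decode("utf-16-le" if unicode else "latin-1"), off + 2 + count * width

def parse_lnk(buf):
    """Pull ShowCommand and the StringData fields out of a ShellLink; raise ValueError on junk."""
    if len(buf) < 0x4C or struct.unpack_from("<I", buf, 0)[0] != 0x4C or buf[4:20] != LNK_CLSID:
        raise ValueError("not a ShellLink file")
    flags = struct.unpack_from("<I", buf, 0x14)[0]
    fields, off = {"show_command": struct.unpack_from("<I", buf, 0x3C)[0]}, 0x4C
    if flags & HAS_IDLIST:      # skip LinkTargetIDList: uint16 size, then the ID list
        off += 2 + struct.unpack_from("<H", buf, off)[0]
    if flags & HAS_LINKINFO:    # skip LinkInfo: its first uint32 is its total size
        off += struct.unpack_from("<I", buf, off)[0]
    for bit, name in ((HAS_NAME, "name"), (HAS_RELPATH, "relative_path"), (HAS_WORKDIR, "working_dir"),
                      (HAS_ARGS, "arguments"), (HAS_ICON, "icon")):
        if flags & bit:
            fields[name], off = _string(buf, off, flags & IS_UNICODE)
    return fields

def triage(buf):
    """Return the list of reasons a shortcut deserves analyst attention (empty means nothing seen)."""
    f = parse_lnk(buf)
    cmd = f.get("relative_path", "") + " " + f.get("arguments", "")
    reasons = []
    if SUSPICIOUS.search(cmd):
        reasons.append("script host / download keywords in target or arguments")
    if f["show_command"] == SW_SHOWMINNOACTIVE:
        reasons.append("window set to start minimized")
    return reasons

def build_sample(relpath, args, show=1):
    """Constructed test shortcut (not a real capture): header + RELATIVE_PATH + COMMAND_LINE_ARGUMENTS."""
    header = (struct.pack("<I", 0x4C) + LNK_CLSID + struct.pack("<I", HAS_RELPATH | HAS_ARGS | IS_UNICODE)
              + bytes(36) + struct.pack("<I", show) + bytes(12))  # zeroed attributes, times, size, icon, hotkey
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le") for s in (relpath, args))
    return header + body
```

Run `triage(open(path, "rb").read())` over quarantined attachments; a non-empty list is a reason to pull the full file into sandbox analysis rather than rely on the icon or the displayed Properties dialog.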

The campaign exploited trust networks by impersonating recognized experts, which made the lures more convincing. Security firms noted similarities to previous Chollima operations, pointing to incremental evolution of the group's methods and ongoing refinement of its tactics.

Feb 5, 2026, 6:30 AM