North Korea-linked Geumseong121 APT group is sending spear-phishing emails to target people interested in North Korean refugees

Fifty malicious domains belonging to the group were seized by Microsoft in December

The researchers from South Korea-based cyber security firm ESTsecurity claim to have uncovered a new cyber espionage campaign, which they believe is being carried out by North Korea-backed APT group Geumeong121.

The researchers said they discovered the new spear-phishing operation based on the indicators of compromised data and the evidence collected by threat intelligence multi-channel sensors.

The researchers have named the campaign as "Operation Spy Cloud" after finding that it used Google Drive and PickCloud service to target potential victims.

According to researchers, Geumeong121 APT group is sending spear-phising emails to potential victims and trying to lure them into clicking malicious links. These links appear to provide valuable information about Korean refugees, but they actually download malware on the device when clicked by a potential target.

After the malware is downloaded and installed on the system, it connects to the attackers' command and control (C&C) server and Google Drive and starts sharing the device information to PickCloud.

The hackers also attempt to install more backdoors on the target device, if possible.

"The spear-phishing email used in the attack contains a malicious link, which tricks users to click to download the file attaching the malicious MS Word DOC document," the researchers warn.

"Based on the samples we collected, the campaign's decoy documents used the file formats DOC, XLS, and HWP, the Korean government standard word processor format, targeting the users in South Korea."

The researchers said the new campaign by Geumeong121 suggests that the group is trying to make a comeback following a setback in December when Microsoft seized nearly 50 malicious domains used by the group in spear-phishing campaigns.

At that time, the software giant announced that a US District Court had granted it permission to seize dozens of malicious domains belonging to Thallium (Geumeong121, APT37, and Reaper). The group had been using these web domains to target government officials, human rights organisations and activists, nuclear scientists, peace workers, and university staff members, in efforts to steal sensitive data from their systems.

Microsoft also launched a case against the APT37 in the US District Court for the Eastern District of Virginia in efforts to stop their operations.

Last year, ESTsecurity researchers said in a report that they had detected a hacking group, most possibly Geumeong121, sending phishing emails disguised as a report from Youido Institute, a political research institution run by the main opposition Liberty Korea Party (LKP) in South Korea.

ESTsecurity warned that opening the attached document titled "North Korea's political manoeuvre against our party and our countermeasures" can infect the systems and exfiltrate data from them.