North Korean APT uses browser extension to steal content from victims’ webmail accounts
Kimsuky, a North Korean APT actor, has been observed using a browser extension to steal content from victims’ webmail accounts.
The extension, which has been active since at least 2012, allows data theft from both Gmail and AOL webmail.
It has been used in targeted attacks on individuals in the foreign policy and nuclear sectors, among others.
According to Volexity, which tracks the actor as SharpTongue and the extension as Sharpext, SharpTongue has been deploying Sharpext against targets for well over a year.
A dedicated folder containing the extension’s required files is created for the infected user.
The attackers can also dynamically update the extension’s code without having to reinstall it on the infected machine.