North Korean Hackers Refine Tactics in New "DEEP#DRIVE" Cyber Campaign
North Korea-linked threat actors are increasingly leveraging living-off-the-land (LotL) techniques and trusted cloud services to evade detection.

A recent cyber campaign by the Kimsuky group, tracked as "DEEP#DRIVE" by cybersecurity firm Securonix, demonstrates the use of PowerShell scripts, Dropbox for data storage, and enhanced operational security (OpSec).
How the Attack Works
Kimsuky attackers used fake documents—such as work logs, insurance forms, and cryptocurrency-related files—to trick victims into downloading a zipped shortcut file. Once executed, this file:
✔ Gathers system configuration details
✔ Executes malicious PowerShell and .NET scripts
✔ Uploads stolen data to Dropbox folders
✔ Retrieves additional attack commands
Although the attackers showed some interest in quick financial gains, particularly from cryptocurrency users, their primary focus remained espionage, targeting South Korean government agencies and businesses, says Tim Peck, senior threat researcher at Securonix.
"We observed both espionage and financial motivation, but primarily espionage, aligning with Kimsuky's history of targeting South Korean institutions," Peck noted.
Kimsuky: A Prolific Threat Group
Kimsuky is not a single entity but rather a network of five overlapping sub-groups, according to threat intelligence firm Recorded Future. Each group has distinct targets, ranging from government agencies to cryptocurrency firms and private businesses.
By mid-2023, Kimsuky had become the most active North Korean hacking group, surpassing others like Lazarus and Andariel, according to Recorded Future’s "North Korea's Cyber Strategy" report. Their strategy focuses on high-volume phishing campaigns, especially against South Korean organizations.
Key Trends in Kimsuky Operations:
✔ Widespread phishing attacks targeting government and financial institutions
✔ Increased use of cloud services (e.g., Dropbox) for data exfiltration
✔ Adoption of OAuth-based authentication to evade URL filtering
Thousands of Potential Victims
The DEEP#DRIVE campaign appears to have been highly successful, with evidence suggesting more than 8,000 configuration files were uploaded to Dropbox. While some files were duplicates, the volume indicates widespread infiltration.
Peck noted that some usernames were linked to multiple IP addresses, which suggests the attackers may have achieved lateral movement within compromised networks—infecting multiple machines in the same organization.
Enhanced Operational Security
Kimsuky has also improved its OpSec practices to reduce exposure:
✔ OAuth-based authentication on Dropbox folders prevents URL-blocking by security tools
✔ Attack infrastructure is quickly dismantled after security firms begin investigations
✔ Traditional network-based defenses are less effective against their evolving techniques
"This level of operational awareness is not always seen in phishing-driven malware campaigns," said Peck.
How Organizations Can Defend Themselves
To mitigate the risks posed by DEEP#DRIVE and similar campaigns, companies should:
✅ Disable hidden file extensions to prevent disguised malware execution
✅ Block shortcut files (LNK) from running in user directories
✅ Enforce PowerShell execution policies to allow only signed scripts
✅ Bolster email security with phishing protection and regular employee training
✅ Conduct phishing simulations to test employee awareness
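The following PowerShell script, an added example that is not part of the article and not Securonix's or Recorded Future's code, applies the first three mitigations above on a single Windows host and audits user profiles for shortcut files that launch PowerShell, the lure pattern this campaign relies on. It assumes an elevated session, a default C:\Users profile root, and illustrative regex patterns; it does not replace an AppLocker or Group Policy deployment.

```powershell
# Added example (not from the article): hardening and audit for the
# shortcut-to-PowerShell pattern described above. Run elevated.
# Assumed: profile root is C:\Users; detection patterns are illustrative.

# 1. Show file extensions so "report.pdf.lnk" cannot pose as "report.pdf".
Set-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced' `
    -Name 'HideFileExt' -Value 0 -Type DWord

# 2. Allow only signed PowerShell scripts for every user on this machine.
Set-ExecutionPolicy -ExecutionPolicy AllSigned -Scope LocalMachine -Force

# 3. Audit: list .lnk files under user profiles whose target runs PowerShell.
#    Shortcuts that hide their window or bypass execution policy are flagged
#    so an analyst can review and quarantine them.
function Find-SuspiciousShortcut {
    param([string]$Root = 'C:\Users')
    $shell = New-Object -ComObject WScript.Shell
    Get-ChildItem -Path $Root -Filter '*.lnk' -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $lnk = $shell.CreateShortcut($_.FullName)
            $cmd = "$($lnk.TargetPath) $($lnk.Arguments)"
            if ($cmd -match '(?i)powershell|pwsh') {
                [pscustomobject]@{
                    Path      = $_.FullName
                    Target    = $lnk.TargetPath
                    Arguments = $lnk.Arguments
                    Hidden    = [bool]($cmd -match '(?i)-w\w*\s+hidden')
                    Bypass    = [bool]($cmd -match '(?i)-e\w*\s+bypass|-enc')
                }
            }
        }
}

# Print findings; an empty table means no PowerShell-launching shortcuts were found.
Find-SuspiciousShortcut | Format-Table -AutoSize
```

Because the policy is set to AllSigned, save this script with a trusted code-signing signature (or run it interactively) so it is not itself blocked on the next run.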
Most North Korean cyberattacks still begin with social engineering and phishing, noted Mitch Haszard, senior threat intelligence analyst at Recorded Future. Organizations in high-risk industries—such as cryptocurrency exchanges and government agencies—must stay vigilant and proactively strengthen their security posture.