Security Experts:

Connect with us

Hi, what are you looking for?



N Korean APT Uses Browser Extension to Steal Emails From Foreign Policy, Nuclear Targets

Over the past year, North Korean advanced persistent threat (APT) actor Kimsuky has been observed using a browser extension to steal content from victims’ webmail accounts, threat intelligence and incident response company Volexity reports.

Over the past year, North Korean advanced persistent threat (APT) actor Kimsuky has been observed using a browser extension to steal content from victims’ webmail accounts, threat intelligence and incident response company Volexity reports.

Active since at least 2012 and also tracked as Black Banshee, Thallium, SharpTongue, and Velvet Chollima, Kimsuky is known for the targeting of entities in South Korea, but also some located in Europe and the United States.

For over a year, Volexity has been seeing the adversary using a malicious browser extension for Google Chrome, Microsoft Edge, and Naver Whale – a Chrome-based browser used in South Korea – to steal data directly from the victims’ email account.

Dubbed Sharpext, the extension supports the theft of data from both Gmail and AOL webmail, is actively developed, and has been used in targeted attacks on various individuals, including ones in the foreign policy and nuclear sectors, Volexity says.

According to Volexity, “the attacker was able to successfully steal thousands of emails from multiple victims through the malware’s deployment.”

The extension is deployed manually on previously compromised systems, and requires for the attacker to replace the browser’s legitimate preferences files with modified ones.

“Deployment of Sharpext is highly customized, as the attacker must first gain access to the victim’s original browser Security Preferences file. This file is then modified and used to deploy the malicious extension. Volexity has observed SharpTongue deploying Sharpext against targets for well over a year; and, in each case, a dedicated folder for the infected user is created containing the required files for the extension,” Volexity notes.

A PowerShell script is used to kill the browser process to enable the exfiltration of the required files. After the extension has been deployed, another PowerShell enables DevTools to inspect the contents of the tab the user is accessing, and to exfiltrate data of interest.

Because the extension itself does not include obviously malicious code, it is likely to evade detection by antimalware solutions, Volexity notes. The extension also allows the attackers to dynamically update its code without having to re-install it on the infected machine.

Sharpext maintains lists of email addresses to ignore, previously stolen emails and attachments, and monitored tabs, to avoid exfiltrating the same data multiple times. It also monitors domains that the victim visits.

“By stealing email data in the context of a user’s already-logged-in session, the attack is hidden from the email provider, making detection very challenging. Similarly, the way in which the extension works means suspicious activity would not be logged in a user’s email ‘account activity’ status page, were they to review it,” Volexity notes.

Related: US Offers $10 Million for Information on North Korean Hackers

Related: U.S. Shares Information on North Korean Threat Actor ‘Kimsuky’

Related: North Korean Hackers Targeting IT Supply Chain: Kaspersky

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet


The overall effect of current global geopolitical conditions is that nation states have a greater incentive to target the ICS/OT of critical industries, while...

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.