North Korean Threat Actor Using Chrome Extensions to Steal Gmail Data

This threat actor has run similar campaigns in the past, but these recent campaigns drew the attention of German government authorities because they targeted “experts on issues relating to the Korean Peninsula.” Government bodies publicly speaking out about phishing campaigns is a major step in raising awareness of such attacks, which reduces their effectiveness. This campaign is ongoing, and the malicious domains still appear to be active.

To check for evidence of this attack, open the browser's extensions page (chrome://extensions, edge://extensions, or brave://extensions, depending on the browser) and look for an extension named “AF.” If it is present, remove it, change passwords, and try to identify a phishing email that could be associated with this campaign.
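The manual check above does not scale across a fleet, so here is an added example (not from the original page or the advisory) that performs the same check from the command line: it walks each browser profile's Extensions folder, reads every extension's manifest.json, resolves localised names, and reports any extension named "AF". The profile locations are assumed standard install paths for Chrome, Edge and Brave, and only the "Default" profile is scanned; the fixture it builds for testing is constructed sample data.

```python
import json, os, tempfile
from pathlib import Path

PROFILE_ROOTS = {  # assumed standard install locations; only the "Default" profile is scanned
    "chrome": ["~/.config/google-chrome", "~/Library/Application Support/Google/Chrome",
               "%LOCALAPPDATA%/Google/Chrome/User Data"],
    "edge": ["~/.config/microsoft-edge", "~/Library/Application Support/Microsoft Edge",
             "%LOCALAPPDATA%/Microsoft/Edge/User Data"],
    "brave": ["~/.config/BraveSoftware/Brave-Browser", "~/Library/Application Support/BraveSoftware/Brave-Browser",
              "%LOCALAPPDATA%/BraveSoftware/Brave-Browser/User Data"],
}

def resolve_name(ext_dir: Path, manifest: dict) -> str:
    # Manifest names may be localised as __MSG_key__; look the key up in _locales/<default_locale>/messages.json
    name = manifest.get("name", "")
    if name.startswith("__MSG_") and name.endswith("__"):
        msgs = ext_dir / "_locales" / manifest.get("default_locale", "en") / "messages.json"
        if msgs.is_file():
            name = json.loads(msgs.read_text(encoding="utf-8")).get(name[6:-2], {}).get("message", name)
    return name

def scan_extensions_root(ext_root: Path, target: str = "AF") -> list:
    hits = []  # walk Extensions/<id>/<version>/manifest.json; one dict per extension named `target`
    for mf in sorted(ext_root.glob("*/*/manifest.json")):
        try:
            manifest = json.loads(mf.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip it rather than abort the sweep
        name = resolve_name(mf.parent, manifest)
        if name.strip().lower() == target.lower():
            hits.append({"id": mf.parent.parent.name, "name": name,
                         "version": manifest.get("version"), "path": str(mf.parent)})
    return hits

def build_constructed_fixture() -> Path:
    """CONSTRUCTED sample profile tree: one benign extension plus one whose localised name is 'AF'."""
    root = Path(tempfile.mkdtemp()) / "Extensions"
    benign = root / ("a" * 32) / "1.0_0"
    benign.mkdir(parents=True)
    (benign / "manifest.json").write_text(json.dumps({"name": "Tab Manager", "version": "1.0"}))
    sus = root / ("b" * 32) / "2.1_0"
    (sus / "_locales" / "en").mkdir(parents=True)
    (sus / "manifest.json").write_text(json.dumps({"name": "__MSG_appName__", "default_locale": "en", "version": "2.1"}))
    (sus / "_locales" / "en" / "messages.json").write_text(json.dumps({"appName": {"message": "AF"}}))
    return root

if __name__ == "__main__":
    for browser, roots in PROFILE_ROOTS.items():
        for r in roots:
            ext_dir = Path(os.path.expandvars(os.path.expanduser(r))) / "Default" / "Extensions"
            for h in (scan_extensions_root(ext_dir) if ext_dir.is_dir() else []):
                print(f"[{browser}] extension named 'AF': id={h['id']} v{h['version']} at {h['path']}")
```

A hit is a lead, not proof: confirm by inspecting the extension directory it reports, and treat a missing hit on a non-default profile as unverified.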

https://www.bleepingcomputer.com/news/security/north-korean-hackers-using-chrome-extensions-to-steal-gmail-emails/

https://www.verfassungsschutz.de/SharedDocs/publikationen/EN/prevention/2023-03-20-joint-cyber-security-advisory-korean.html;jsessionid=5F54A73439C826897C132E375AB684F2.intranet252