👤 AGONY
🗓️ 27 Apr 2026   🌍 Asia

Excel Deception: North Korean Hackers Infiltrate Drug Firms with Spreadsheet Snares

North Korean APT group Kimsuky is luring pharmaceutical companies into malware traps disguised as everyday Excel files, putting critical research at risk.

It starts with a simple email - one that looks like any other update about production schedules or research plans. But for pharmaceutical companies, clicking the attached “spreadsheet” could spell disaster. Behind the familiar Excel icon lies a sophisticated cyber-espionage campaign, masterminded by North Korea’s notorious Kimsuky group, targeting the heart of the global drug industry.

The Anatomy of an Attack

The operation unfolds in classic social engineering fashion. Employees at pharmaceutical companies receive emails referencing legitimate-sounding topics - ERP specifications, production plans, or research documentation. Attached is a ZIP archive containing a file that appears to be an innocent Excel spreadsheet, but is in fact a Windows shortcut (LNK) file named to blend in with daily business.

When a victim double-clicks the file, they unknowingly trigger a hidden sequence: instead of opening Excel, the shortcut launches a heavily obfuscated PowerShell command. This script - often masquerading as a system process - downloads and decodes additional malware. To maintain the illusion, it even opens a decoy Excel workbook filled with plausible tables, distracting the user as the infection takes root.

The malware’s next move is to quietly collect sensitive system information and upload it to Dropbox, a cloud service repurposed as a covert communication channel. Follow-up payloads, including JavaScript and scheduled tasks, ensure the attackers maintain persistence inside the network. These components are tucked away in system folders, set to run regularly, further evading detection.

Kimsuky’s focus on pharmaceutical and research organizations is no accident. By stealing intellectual property, drug formulas, and internal research, the group serves North Korean strategic interests - and undermines the integrity of global healthcare innovation. Their use of business-themed lures, common file formats, and legitimate cloud services makes their attacks particularly difficult to spot and stop.

Defending the Front Lines of Pharma

Security experts urge pharmaceutical organizations to treat any unsolicited Excel or ERP-related attachments - especially those inside ZIP archives - as high-risk. Recommended defenses include blocking shortcut attachments at the email gateway, monitoring for unusual PowerShell activity from LNK files, and scrutinizing Dropbox traffic on endpoints. Displaying full file extensions and ongoing staff awareness training can further reduce the risk of falling for such deceptions.
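The gateway-side check described above (block shortcut attachments, flag ones dressed up as spreadsheets) can be implemented by looking at archive contents rather than file names. This is an added example, not code from the article or from any vendor; the archive contents and the shortcut bytes are constructed here for illustration, and the `powershell` substring check is a simple heuristic, not a full MS-SHLLINK parser.

```python
import io
import zipfile

# Per MS-SHLLINK, every shortcut starts with HeaderSize 0x4C followed by the
# LinkCLSID 00021401-0000-0000-C000-000000000046, stored little-endian.
# Matching on this header catches a .lnk whatever it has been renamed to.
LNK_MAGIC = bytes.fromhex("4c000000" "0114020000000000c000000000000046")
SPREADSHEET_EXT = (".xls", ".xlsx", ".xlsm", ".csv")

def is_lnk(data: bytes) -> bool:
    """Identify a shortcut by its header bytes, not by its extension."""
    return data[: len(LNK_MAGIC)] == LNK_MAGIC

def looks_like_spreadsheet(name: str) -> bool:
    """True for lure names such as 'plan.xlsx.lnk' (Explorer hides '.lnk')."""
    base = name.lower().rsplit("/", 1)[-1]
    if base.endswith(".lnk"):
        base = base[:-4]
    return base.endswith(SPREADSHEET_EXT)

def invokes_powershell(data: bytes) -> bool:
    """Shortcut target/arguments live in UTF-16LE StringData; check both encodings."""
    lowered = data.lower()  # ASCII-only lowering leaves the UTF-16 NUL bytes intact
    return b"powershell" in lowered or "powershell".encode("utf-16-le") in lowered

def scan_zip(blob: bytes) -> list[dict]:
    """Return one finding per shortcut found inside a ZIP attachment."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info)
            if not is_lnk(data):
                continue
            findings.append({
                "name": info.filename,
                "spreadsheet_lure": looks_like_spreadsheet(info.filename),
                "powershell": invokes_powershell(data),
            })
    return findings

def build_sample_archive() -> bytes:
    """Constructed sample: a shortcut with a spreadsheet-style name next to a benign file."""
    fake_lnk = LNK_MAGIC + bytes(60) + "powershell.exe -NoProfile".encode("utf-16-le")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Production_Plan_2026.xlsx.lnk", fake_lnk)
        zf.writestr("readme.txt", "release notes")
    return buf.getvalue()
```

A gateway policy built on this would quarantine any archive where `scan_zip` returns a finding, and escalate when `spreadsheet_lure` and `powershell` are both set.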

Conclusion

In an industry where a single formula can be worth billions, North Korean hackers are betting on the element of surprise - and the power of a well-crafted spreadsheet. As cyber-espionage tactics evolve, so must the vigilance of those on the front lines, safeguarding not just proprietary data, but the future of global health itself.

WIKICROOK

  • APT (Advanced Persistent Threat): An Advanced Persistent Threat (APT) is a long-term, targeted cyberattack by skilled groups, often state-backed, aiming to steal data or disrupt operations.
  • LNK File: An LNK file is a Windows shortcut that links to a file or program. Attackers can exploit LNK files to run hidden commands or malware.
  • PowerShell: PowerShell is a Windows scripting tool used for automation, but attackers often exploit it to perform malicious actions stealthily.
  • Obfuscation: Obfuscation is the practice of disguising code or data to make it difficult for humans or security tools to understand, analyze, or detect.
  • Spear phishing: Spear phishing is a targeted cyberattack using personalized emails to trick specific individuals or organizations into revealing sensitive information.
Tags: North Korea, Cyber-espionage, Pharmaceutical industry
