Kimsuky and the TRANSLATEXT extension: when “Google Translate” is espionage tooling
How a North Korea–linked campaign reportedly used a Chrome extension masquerading as Google Translate to collect credentials, cookies, and screenshots—mostly as context for risk, not panic.
Zscaler ThreatLabz observed activity in early March 2024 tied to Kimsuky, a North Korea–linked group long associated with espionage against South Korean government, academic, and related targets. The component they named TRANSLATEXT was a malicious Chrome extension posing as Google Translate, built to collect sensitive browser data as part of that intelligence-gathering style of operation.
Reporting described focus on South Korean academia, especially people working on North Korean affairs. That audience detail matters: this was not pitched as a mass consumer threat like a viral store listing—it fits targeted access patterns where the hard part is often getting the extension onto the right machine, not tricking millions of random users.
Infection path (as described)
The first step in the published chain was not “install from the Web Store” for everyone. It started with a ZIP archive themed around Korean military history, containing a Hangul Word Processor document and an executable. Running the executable led to PowerShell retrieved from an attacker server, exfiltration of victim metadata to a GitHub repo, and more PowerShell delivered via a Windows shortcut (LNK).
Researchers noted a GitHub account (created February 13, 2024) that briefly hosted the extension as GoogleTranslate.crx. Files appeared around March 7, 2024 and were removed the next day—consistent with short-lived hosting to limit exposure while targeting specific people.
What TRANSLATEXT did in the browser
Coverage attributed to Zscaler and researcher Seongsu Park described capabilities such as:
- Credential and session theft: emails, usernames, passwords, cookies.
- Screenshots of browser activity.
- Bypass-style behavior aimed at services like Google, Kakao, and Naver (interpretation: weakening or working around in-browser protections, not “breaking crypto” in a headline sense).
- Commanding via an external channel: fetching instructions from a Blogger / Blogspot URL, including tasks like screenshotting newly opened tabs and wiping cookies.
The through-line is familiar for browser-focused espionage: stay resident, blend in with a useful icon, and exfiltrate what matters for follow-on access.
Why this matters to everyday Chrome users
Most readers are not the named target set—but the mechanics still apply:
- Malicious extensions do not have to come from the Chrome Web Store. Sideloaded .crx or unpacked installs after a trojanized downloader are a standard path for APT-style campaigns.
- Typosquatting and lookalike “Translate” tools are a recurring theme; verify publisher, install source, and permissions.
- Enterprise and academic accounts remain high-value; spear-phishing + bespoke tooling is cheaper at scale than many assume.
What to do
- Do not install browser extensions from email attachments, random ZIPs, or “required for this document” flows.
- Prefer extensions only from the official store, from known publishers, with narrow permissions—and remove what you do not use.
- If your role handles sensitive research or policy, treat unexpected HWP/ZIP + exe as a red flag and use IT reporting channels.
Practical next step
Audit Extensions in Chrome: anything named like Translate that you do not remember installing from a trusted flow should be removed and, on work devices, reported. eSafe can help you see permissions and risk signals in one place.
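The audit above can be scripted against the manifest.json of each installed extension. This is an added example, not eSafe's tooling or anything from the Zscaler report; the two manifests are constructed samples, the extension ids are placeholders, and the risk thresholds are an assumption. It flags the signals the article calls out: a Translate lookalike name, no Chrome Web Store update_url (sideloaded), all-sites host access, and permissions that expose cookies or tabs.

```python
import json
import re
from pathlib import Path

WEB_STORE_UPDATE_URL = "https://clients2.google.com/service/update2/crx"
# Permissions that let an extension read session material or watch every tab,
# i.e. the capability set described for TRANSLATEXT (cookies, credentials, screenshots).
SENSITIVE_PERMISSIONS = {"cookies", "tabs", "webRequest", "scripting", "history", "webNavigation"}
LOOKALIKE = re.compile(r"translat", re.IGNORECASE)

# Constructed sample manifests (placeholder ids, not real TRANSLATEXT artifacts):
# one sideloaded lookalike and one benign store-installed tool.
SAMPLE_MANIFESTS = {
    "hypothetical-sideloaded-id": {
        "name": "Google Translate", "version": "1.0", "manifest_version": 3,
        "permissions": ["cookies", "tabs", "storage", "scripting"],
        "host_permissions": ["<all_urls>"],  # no update_url: typical of an unpacked/.crx sideload
    },
    "hypothetical-store-id": {
        "name": "Word Counter", "version": "2.1", "manifest_version": 3,
        "permissions": ["activeTab"], "update_url": WEB_STORE_UPDATE_URL,
    },
}

def assess(manifest: dict) -> dict:
    """Return the risk signals for one extension manifest; 'review' is an assumed threshold of >= 2 signals."""
    name = manifest.get("name", "")
    perms = set(manifest.get("permissions", []))
    hosts = set(manifest.get("host_permissions", []))
    hosts |= {p for p in perms if "://" in p or p == "<all_urls>"}  # MV2 lists host patterns under permissions
    signals = []
    if LOOKALIKE.search(name):
        signals.append("name mimics a Translate utility")
    if manifest.get("update_url") != WEB_STORE_UPDATE_URL:
        signals.append("not updated from the Chrome Web Store (likely sideloaded)")
    if "<all_urls>" in hosts or any(h.startswith("*://*/") for h in hosts):
        signals.append("host access to every site")
    sensitive = sorted(perms & SENSITIVE_PERMISSIONS)
    if sensitive:
        signals.append("sensitive permissions: " + ", ".join(sensitive))
    return {"name": name, "signals": signals, "review": len(signals) >= 2}

def audit(manifests: dict) -> dict:
    return {ext_id: assess(m) for ext_id, m in manifests.items()}

def load_manifests(extensions_dir: str) -> dict:
    """Read every manifest.json under a Chrome profile's Extensions directory (path is caller-supplied)."""
    return {p.parent.parent.name: json.loads(p.read_text(encoding="utf-8"))
            for p in Path(extensions_dir).glob("*/*/manifest.json")}

if __name__ == "__main__":
    for ext_id, result in audit(SAMPLE_MANIFESTS).items():
        print(("REVIEW" if result["review"] else "ok    "), ext_id, result["name"], "->", "; ".join(result["signals"]) or "no signals")
```

On a real machine, pass the profile's Extensions directory to load_manifests and feed the result to audit; anything marked REVIEW is a candidate for removal and, on work devices, a report.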
Go deeper
Analyze an extension before you install: permissions, publisher signals, and update history.
Report: The Hacker News.
FAQ
- Should average consumers panic about this specific name?
- Reporting centered on government, academic, and related South Korean–focused targeting. The general lesson—fake popular utilities in the store—applies broadly; the named campaign is context for risk, not everyday noise.
- How do fake “Translate” extensions persist?
- They mimic trusted UI and request powerful permissions; victims install them willingly while the operator harvests session material from the browser.
- What is a simple verification step before installing?
- Confirm publisher identity matches the real vendor, read recent reviews critically, compare install counts with official channels, and prefer first-party apps or bookmark shortcuts when possible.