S1201: TRANSLATEXT
TRANSLATEXT is malware that is believed to be used by Kimsuky.[1] TRANSLATEXT masqueraded as a Google Translate extension for Google Chrome, but is actually a collection of four malicious JavaScript files that perform defense evasion, information collection and exfiltration.[1]
Analyst context for executives and security teams
TRANSLATEXT matters because it is described as Windows malware masquerading as a Google Translate Chrome extension while performing collection, evasion, command-and-control, and exfiltration behaviors. For leaders, the practical issue is not only malware on an endpoint; it is loss of trust in the browser as an identity and SaaS access point, with potential exposure of email, web sessions, screenshots, browser-stored credentials, and session cookies.
Executive priority
Prioritize this as a browser, identity, and endpoint governance problem. Executives should ask whether the organization can prove which browser extensions are allowed, whether suspicious extension activity is visible to the SOC, and whether incident responders can quickly invalidate web sessions and assess email or SaaS exposure. The relationship to Kimsuky is described by ATT&CK as believed use, so it should inform threat intelligence context without being treated as confirmed attribution in local incidents.
Technical view
ATT&CK provides no official detection text for TRANSLATEXT, so coverage should be validated through its related behaviors: Chrome/browser extension persistence, PowerShell execution, Registry query and modification, browser session hijacking, web cookie and browser credential access, screen capture, email collection, traffic signaling, web-protocol C2, dead-drop resolver use, bidirectional web-service communication, and exfiltration over C2. SOC and IR teams should confirm visibility on Windows endpoints where Chrome extensions can be installed and where browser identity artifacts may be accessed.
Likely telemetry
- Windows endpoint process telemetry, especially PowerShell execution and child processes from browser contexts
- Windows Registry query and modification events
- Chrome extension inventory, installation source, extension file changes, and policy state
- Browser file access telemetry for credential stores, cookies, session data, and extension directories
- Network telemetry for unusual HTTP/S or web-service communication from endpoints or browser processes
Detection direction
- Start with extension governance: identify unauthorized or locally installed Chrome extensions, especially those impersonating common productivity utilities such as translation tools.
- Tune detections for suspicious PowerShell use associated with browser, extension, or user-profile paths; account for administrative scripts to reduce false positives.
- Correlate Registry discovery/modification with browser extension installation, persistence, and suspicious network activity rather than alerting on Registry activity alone.
- Look for access to browser credential stores, cookies, and session artifacts followed by outbound web traffic or SaaS/email activity from the same user or host.
- Treat web-protocol C2 and legitimate web-service abuse as a blind spot: proxy allowlists and TLS encryption may hide command-and-control or dead-drop resolver behavior unless logs include destination, timing, process, and user context.
Mitigation priorities
- Enforce browser extension allowlisting or managed extension policy for Chrome on Windows endpoints.
- Reduce browser-stored credential and session risk through identity controls, session management, and rapid session revocation procedures after suspected compromise.
- Constrain and monitor PowerShell use according to administrative need, with logging sufficient for incident reconstruction.
- Harden endpoint controls around user-profile browser data, extension directories, and suspicious script execution.
- Maintain proxy, DNS, endpoint, and identity logging retention sufficient to investigate web-protocol C2, cookie/session theft, and exfiltration over existing channels.
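The following audit script is an added example for the extension-governance points above (identifying unauthorized or locally installed Chrome extensions, and enforcing a managed extension policy); it is not code from the ATT&CK object or the Zscaler report. It reads the `ExtensionInstallForcelist` policy key that ATT&CK records TRANSLATEXT modifying under HKCU, compares it with the machine-hive copy, and inventories each Chrome profile's extension manifests; the approved extension ID is a constructed placeholder that an organization would replace with its own allowlist.

```powershell
# Added example, not code from the ATT&CK object or the Zscaler report. It audits the
# Chrome ExtensionInstallForcelist policy (the key TRANSLATEXT is reported to write under
# HKCU) and each profile's Extensions folder against an allowlist of approved extension IDs.
# Assumption: the approved ID below is a constructed placeholder, not a real extension ID.
$ApprovedExtensionIds = @('PLACEHOLDER-approved-extension-id')
$ForcelistPaths = @(
    'HKCU:\Software\Policies\Google\Chrome\ExtensionInstallForcelist',  # user hive: abused by TRANSLATEXT
    'HKLM:\Software\Policies\Google\Chrome\ExtensionInstallForcelist'   # machine hive: normal GPO location
)

function Get-ForcelistFindings {
    param([string[]]$Paths, [string[]]$Approved)
    foreach ($path in $Paths) {
        if (-not (Test-Path $path)) { continue }
        $key = Get-Item -Path $path
        foreach ($name in $key.GetValueNames()) {
            # Value data is "<extension id>;<update url>"; the id is the part before ';'.
            $parts = ([string]$key.GetValue($name)) -split ';', 2
            [pscustomobject]@{
                Source      = $path
                ExtensionId = $parts[0].Trim()
                UpdateUrl   = [string]$parts[1]                  # '' when no update URL was given
                Approved    = $Approved -contains $parts[0].Trim()
                UserHive    = $path.StartsWith('HKCU:')          # policy set outside central management
            }
        }
    }
}

function Get-ProfileExtensionFindings {
    param([string[]]$Approved)
    # Each profile holds Extensions\<id>\<version>\manifest.json; read the declared name.
    $pattern = Join-Path $env:LOCALAPPDATA 'Google\Chrome\User Data\*\Extensions'
    foreach ($ext in (Get-ChildItem -Path $pattern -Directory -ErrorAction SilentlyContinue)) {
        $manifest = Get-ChildItem -Path $ext.FullName -Recurse -Filter manifest.json | Select-Object -First 1
        if (-not $manifest) { continue }
        $json = Get-Content -Path $manifest.FullName -Raw | ConvertFrom-Json
        [pscustomobject]@{
            Profile     = $ext.Parent.Parent.Name
            ExtensionId = $ext.Name
            Name        = $json.name
            Approved    = $Approved -contains $ext.Name
            Suspicious  = ($Approved -notcontains $ext.Name) -and ($json.name -match 'translat')  # impersonation cue
        }
    }
}

Get-ForcelistFindings -Paths $ForcelistPaths -Approved $ApprovedExtensionIds | Format-Table -AutoSize
Get-ProfileExtensionFindings -Approved $ApprovedExtensionIds | Where-Object { -not $_.Approved } | Format-Table -AutoSize
```

Any forcelist entry with `UserHive` true and `Approved` false is the condition to correlate with the PowerShell, Registry and network telemetry listed above; a clean result does not rule out an extension loaded from a non-default Chrome user data directory.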
Analyst notes and limits
The supplied ATT&CK object identifies TRANSLATEXT as malware believed to be used by Kimsuky and describes it as a malicious Chrome extension masquerading as Google Translate. The strongest defensive value is in validating controls around browser extension governance, browser credential/session protection, Windows endpoint telemetry, and web-based C2/exfiltration visibility.
Official ATT&CK detection guidance is not provided. Tactics are not specified on the malware object itself, so technical direction is inferred only from the supplied relationships to ATT&CK techniques. No claim is made that any environment is exposed or that activity is currently occurring.
TRANSLATEXT
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1071.001 | Web Protocols (sub-technique) | TRANSLATEXT has used HTTP to communicate with the C2 server.[1] |
| Enterprise | T1555.003 | Credentials from Web Browsers (sub-technique) | TRANSLATEXT has stolen credentials stored in Chrome.[1] |
| Enterprise | T1059.001 | PowerShell (sub-technique) | TRANSLATEXT has used PowerShell to collect system information and to upload the collected data to a GitHub repository.[1] |
| Enterprise | T1041 | Exfiltration Over C2 Channel | TRANSLATEXT has exfiltrated collected credentials to the C2 server.[1] |
| Enterprise | T1112 | Modify Registry | TRANSLATEXT has modified the following registry key to install itself as the value, granting permission to install specified extensions: `HKCU\Software\Policies\Google\Chrome\ExtensionInstallForcelist`.[1] |
| Enterprise | T1185 | Browser Session Hijacking | TRANSLATEXT has the ability to use form-grabbing and event-listening to extract data from web data forms.[1] |
| Enterprise | T1102.001 | Dead Drop Resolver (sub-technique) | TRANSLATEXT has used a dead drop resolver to retrieve configurations and commands from a public blog site.[1] |
| Enterprise | T1539 | Steal Web Session Cookie | TRANSLATEXT has exfiltrated updated cookies from Google, Naver, Kakao or Daum to the C2 server.[1] |
| Enterprise | T1113 | Screen Capture | TRANSLATEXT has the ability to capture screenshots of new browser tabs, based on the presence of the `Capture` flag.[1] |
| Enterprise | T1176.001 | Browser Extensions (sub-technique) | TRANSLATEXT has the ability to capture credentials, cookies, browser screenshots, etc. and to exfiltrate data.[1] |
| Enterprise | T1036.005 | Match Legitimate Resource Name or Location (sub-technique) | TRANSLATEXT has been named `GoogleTranslate.crx` to masquerade as a legitimate Chrome extension.[1] |
| Enterprise | T1114 | Email Collection | TRANSLATEXT has exfiltrated collected email addresses to the C2 server.[1] |
| Enterprise | T1102.002 | Bidirectional Communication (sub-technique) | TRANSLATEXT has used a GitHub repository for C2.[1] |
| Enterprise | T1012 | Query Registry | TRANSLATEXT has queried the following registry key to check for installed Chrome extensions: `HKCU\Software\Policies\Google\Chrome\ExtensionInstallForcelist`.[1] |
| Enterprise | T1205 | Traffic Signaling | TRANSLATEXT has redirected clients to legitimate Gmail, Naver or Kakao pages if the clients connect with no parameters.[1] |
Groups, software, and campaigns
G0094: Kimsuky
Kimsuky is a Democratic People's Republic of Korea (DPRK)-based cyber espionage group that has been active since at least 2012. The group initially targeted South Korean government agencies, think tanks, and subject-matter experts in various fields. Its operations expanded to include the United Nations and organizations in the government, education, business services, and manufacturing sectors across the United States, Japan, Russia, and Europe. Kimsuky has focused collection on foreign policy and national security issues tied to the Korean Peninsula, nuclear policy, and sanctions. Kimsuky operations have overlapped with those of other North Korean state-sponsored cyber espionage actors as a result of ad hoc collaborations or other limited resource sharing.[1][2][3][4][5][6]
Kimsuky was assessed to be responsible for the 2014 Korea Hydro & Nuclear Power Co. compromise; other notable campaigns include Operation STOLEN PENCIL (2018), Operation Kabar Cobra (2019), and Operation Smoke Screen (2019).[7][8][9] In 2023, Kimsuky was observed using commercial large language models (LLMs) to assist with vulnerability research, scripting, social engineering and reconnaissance.[10]
DPRK threat actor cluster boundaries overlap in open source reporting, with some security researchers consolidating all attributed North Korean state-sponsored cyber activity under Lazarus Group, rather than tracking operationally distinct subgroups.
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 401ba48159dc… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Zscaler Kimsuky TRANSLATEXT. Park, S. (2024, June 27). Kimsuky deploys TRANSLATEXT to target South Korean academia. Retrieved October 14, 2024.
[2] mitre-attack S1201 (MITRE ATT&CK software entry).
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.