The Genians Security Center (GSC) has published a detailed analysis of a new Advanced Persistent Threat (APT) campaign attributed to the North Korea–linked group Kimsuky. The operation, tied to the long-running AppleSeed malware family, demonstrates how the threat actor is evolving its infiltration methods to target defense, activist, and North Korea–related communities in South Korea.
According to the report, “GSC detected an APT campaign targeting users of Facebook, email, and Telegram in Korea between March and April 2025… the campaign was attributed to the Kimsuky group, a well-known North Korea-affiliated state-sponsored hacking organization.”
The attackers used a three-stage communication channel to establish trust and deliver malware:
- Facebook: Fake accounts, including one named “Transitional Justice Mission,” sent friend requests and messages. Victims were approached with themes such as volunteering to support North Korean defectors. Malicious files were shared as password-protected EGG archives, a format most mobile devices cannot open and many scanners do not unpack, which pushed victims onto a PC and hindered detection.
- Email: Once rapport was built, attackers asked for personal email addresses to deliver follow-up payloads. GSC notes, “the malicious files used in the attacks were structurally identical, and the shared theme of ‘volunteer support for North Korean defectors’ was consistently used to deceive the recipients.”
- Telegram: With access to victims’ mobile numbers, attackers extended conversations onto encrypted messaging apps, further diversifying their channels.
This persistence highlights what GSC describes as “coordinated multi-channel attacks” that exploit personal relationships and defector-themed narratives.

The malware analyzed in this campaign revolved around the AppleSeed backdoor, delivered as a script named “Defector Volunteer Support.jse” and disguised as a legitimate document.
When executed, the .jse script:
- Drops a decoy PDF document so the victim sees the expected content while the malicious activity runs.
- Decodes an embedded Base64-encoded DLL, writes it to disk and loads it with regsvr32.exe, a Microsoft-signed Windows binary, so the payload runs under a trusted process name.
- Establishes persistence with an entry named TripServiceUpdate (described by GSC as a scheduled registry entry) so that the DLL is reloaded after a reboot.
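The chain above (script host launching a .jse from a user-writable folder, regsvr32.exe loading a DLL from a user profile path, then a persistence entry named TripServiceUpdate) is what a detection engineer would hunt for in process-creation and registry telemetry. The following is an added example, not code from GSC or from the original report: it parses constructed Sysmon-style events (the user name, paths, SID and the benign fifth event are made up) and applies simple rules to that chain. Because the page only says the persistence is a “scheduled registry entry,” the example checks both a Run-key value set and a schtasks /create command; treating both as candidates is an assumption.

```python
import re
from typing import Dict, List, Tuple

# Constructed Sysmon-style events (simplified key=value form). Event 1 is
# process creation, event 13 is a registry value set. The user "jdoe", the
# DLL path, the SID and the benign msiexec event are invented for this example.
SAMPLE_EVENTS = [
    r'EventID=1 Image=C:\Windows\System32\wscript.exe '
    r'CommandLine="wscript.exe C:\Users\jdoe\Downloads\Defector Volunteer Support.jse" '
    r'ParentImage=C:\Windows\explorer.exe',
    r'EventID=1 Image=C:\Windows\System32\regsvr32.exe '
    r'CommandLine="regsvr32.exe /s C:\Users\jdoe\AppData\Roaming\svc\update.dll" '
    r'ParentImage=C:\Windows\System32\wscript.exe',
    r'EventID=13 Image=C:\Windows\System32\regsvr32.exe '
    r'TargetObject=HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\TripServiceUpdate '
    r'Details="regsvr32.exe /s C:\Users\jdoe\AppData\Roaming\svc\update.dll"',
    r'EventID=1 Image=C:\Windows\System32\schtasks.exe '
    r'CommandLine="schtasks.exe /create /sc onlogon /tn TripServiceUpdate /tr \"regsvr32.exe /s C:\Users\jdoe\AppData\Roaming\svc\update.dll\"" '
    r'ParentImage=C:\Windows\System32\regsvr32.exe',
    r'EventID=1 Image=C:\Windows\System32\regsvr32.exe '
    r'CommandLine="regsvr32.exe /s C:\Program Files\Vendor\plugin.dll" '
    r'ParentImage=C:\Windows\System32\msiexec.exe',
]

# key=value pairs; quoted values may contain spaces and \" escapes.
KV_RE = re.compile(r'(\w+)=("(?:\\.|[^"\\])*"|\S+)')

SCRIPT_HOSTS = {'wscript.exe', 'cscript.exe'}
SCRIPT_EXT = re.compile(r'\.(jse|js|vbe|vbs|wsf|hta)\b', re.I)
# Locations a non-admin user can write to; a DLL loaded from here by a
# signed system binary is suspicious.
USER_WRITABLE = re.compile(
    r'\\Users\\[^\\]+\\(AppData|Downloads|Desktop|Documents)\\|\\Temp\\|\\ProgramData\\', re.I)
RUN_KEY = re.compile(r'\\CurrentVersion\\Run(Once)?\\', re.I)
IOC_PERSIST_NAME = 'TripServiceUpdate'  # persistence name reported by GSC


def parse_event(line: str) -> Dict[str, str]:
    """Turn one key=value event line into a dict, unescaping quoted values."""
    event = {}
    for key, val in KV_RE.findall(line):
        if val.startswith('"'):
            val = val[1:-1].replace('\\"', '"')
        event[key] = val
    return event


def basename(path: str) -> str:
    return path.rsplit('\\', 1)[-1].lower()


def detect(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Apply the AppleSeed execution-chain rules; return (rule, evidence) pairs."""
    alerts = []
    for ev in events:
        image, parent = basename(ev.get('Image', '')), basename(ev.get('ParentImage', ''))
        cmd = ev.get('CommandLine', '')
        if ev.get('EventID') == '1':
            if image in SCRIPT_HOSTS and SCRIPT_EXT.search(cmd) and USER_WRITABLE.search(cmd):
                alerts.append(('script_host_from_user_path', cmd))
            elif image == 'regsvr32.exe' and USER_WRITABLE.search(cmd):
                # regsvr32 spawned directly by a script host is the dropper pattern.
                severity = 'high' if parent in SCRIPT_HOSTS else 'medium'
                alerts.append((f'regsvr32_user_path_{severity}', cmd))
            elif image == 'schtasks.exe' and '/create' in cmd.lower() and (
                    'regsvr32' in cmd.lower() or IOC_PERSIST_NAME.lower() in cmd.lower()):
                alerts.append(('schtasks_regsvr32_persistence', cmd))
        elif ev.get('EventID') == '13':
            target, details = ev.get('TargetObject', ''), ev.get('Details', '')
            if RUN_KEY.search(target) and (
                    'regsvr32' in details.lower() or target.endswith(IOC_PERSIST_NAME)):
                alerts.append(('run_key_regsvr32_persistence', target))
    return alerts


def run_detection(lines: List[str] = SAMPLE_EVENTS) -> List[Tuple[str, str]]:
    return detect([parse_event(line) for line in lines])


if __name__ == '__main__':
    for rule, evidence in run_detection():
        print(f'[{rule}] {evidence}')
```

The benign event (regsvr32.exe registering a DLL under Program Files, launched by msiexec.exe) produces no alert, which is the point of keying on user-writable paths rather than on regsvr32.exe alone; regsvr32 is used legitimately by installers all day.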
GSC explained, “This malware is a remote access trojan (RAT) executed through a DLL loaded via regsvr32, which collects system information using RC4 and RSA encryption, receives and executes commands from the C2 server, and sends results back.”
The command-and-control (C2) infrastructure was tied to the domain woana.n-e[.]kr (shown defanged), used for continuous data exchange between compromised systems and the operators.
Several notable techniques were observed:
- Korea-specific file formats: EGG archives (an ALZip format) were used to reduce detection by global antivirus tools and to force victims to open the files on a PC.
- Obfuscation: Scripts used randomized variable names and carried their payload as Base64-encoded data disguised within the script body.
- VMProtect packing: DLLs were packed to resist reverse engineering.
- PDF disguise: Stolen data was exfiltrated as files carrying a .pdf extension.
The attackers also chose archives that cannot be easily opened on mobile devices, reflecting a Windows-centric targeting approach.
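Two of the techniques above (a Base64 blob inside an obfuscated script that decodes to a DLL, and data or payloads carrying a .pdf extension that are not PDFs) can be caught by static triage that ignores names and looks at content. The following is an added example written for this page, not tooling from GSC or the report. The dropper script, the “PE” (only an MZ stub with e_lfanew pointing at a PE signature, not a loadable DLL) and the sample files are all constructed; the EGG archive signature used here is the four ASCII bytes EGGA (0x41474745 little-endian) from the ALZip EGG format, stated from my own knowledge rather than from the page.

```python
import base64
import binascii
import re
from typing import List, Optional, Tuple

# Constructed minimal PE image: 'MZ' stub, e_lfanew at 0x3c pointing to 'PE\0\0'.
# Enough for the signature check below; it is not a real DLL.
FAKE_PE = b'MZ' + b'\0' * 0x3a + (0x40).to_bytes(4, 'little') + b'PE\0\0'

# Constructed stand-in for an obfuscated dropper: random-looking variable names,
# one holding a Base64-encoded PE and one holding harmless Base64 text.
SAMPLE_SCRIPT = (
    'var q8Lk2 = "' + base64.b64encode(FAKE_PE).decode() + '";\n'
    'var z0Pw9 = "' + base64.b64encode(b'A' * 60).decode() + '";\n'
    'var sh = new ActiveXObject("WScript.Shell");\n'
)

# Long runs of Base64 alphabet characters; short strings are skipped as noise.
B64_BLOB = re.compile(r'[A-Za-z0-9+/]{64,}={0,2}')

# File signatures checked in order; extension -> expected type.
SIGNATURES = [('pe', b'MZ'), ('pdf', b'%PDF'), ('egg', b'EGGA'), ('zip', b'PK\x03\x04')]
EXT_TYPE = {'.exe': 'pe', '.dll': 'pe', '.pdf': 'pdf', '.egg': 'egg', '.zip': 'zip'}

# Constructed sample files: payload disguised as PDF, a real decoy PDF, an EGG
# archive and an unrelated text file.
SAMPLE_FILES = [
    ('report.pdf', FAKE_PE),
    ('decoy.pdf', b'%PDF-1.7\n%decoy\n'),
    ('support.egg', b'EGGA' + b'\0' * 12),
    ('notes.txt', b'hello'),
]


def looks_like_pe(data: bytes) -> bool:
    """True if data has an MZ header whose e_lfanew points at a PE signature."""
    if len(data) < 0x40 or data[:2] != b'MZ':
        return False
    e_lfanew = int.from_bytes(data[0x3c:0x40], 'little')
    return data[e_lfanew:e_lfanew + 4] == b'PE\0\0'


def find_embedded_pe(script_text: str) -> List[Tuple[int, int]]:
    """Return (offset, decoded_length) for every Base64 blob that decodes to a PE."""
    hits = []
    for match in B64_BLOB.finditer(script_text):
        try:
            blob = base64.b64decode(match.group(0), validate=True)
        except (binascii.Error, ValueError):
            continue  # not valid Base64 (e.g. a long identifier or hex run)
        if looks_like_pe(blob):
            hits.append((match.start(), len(blob)))
    return hits


def sniff(data: bytes) -> Optional[str]:
    for name, sig in SIGNATURES:
        if data.startswith(sig):
            return name
    return None


def classify(filename: str, data: bytes) -> Tuple[str, Optional[str]]:
    """Compare the type implied by the extension with the type implied by content."""
    ext = filename[filename.rfind('.'):].lower() if '.' in filename else ''
    actual, expected = sniff(data), EXT_TYPE.get(ext)
    if expected is None or actual is None:
        return ('unknown', actual)
    return ('ok' if actual == expected else 'mismatch', actual)


def triage(files=SAMPLE_FILES) -> List[Tuple[str, str, Optional[str]]]:
    return [(name,) + classify(name, data) for name, data in files]


if __name__ == '__main__':
    print('embedded PE blobs:', find_embedded_pe(SAMPLE_SCRIPT))
    for row in triage():
        print(row)
```

On a real sample the interesting step is the decoded blob itself: once it is confirmed as a PE, its export table (regsvr32 requires DllRegisterServer) and any VMProtect section names can be inspected with a PE parser, which this example deliberately stops short of.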
GSC warns, “users should always be wary of unexpected URLs or files, as these may contain threats. Maintaining a habit of vigilance is key to cybersecurity.”