The North Korean advanced persistent threat (APT) group Kimsuky has once again emerged with a new, JavaScript-driven espionage campaign, according to a recent analysis from Pulsedive Threat Research. The group, which has been active since 2012, continues to focus on government entities, think tanks, and policy experts in targeted intelligence operations.
This newly observed campaign demonstrates a multi-stage infection chain beginning with a JavaScript downloader and progressing through system reconnaissance, data exfiltration, and persistence mechanisms.
The initial file, titled Themes.js, serves as the entry point for the attack. The un-obfuscated script’s sole function is to download and execute content from an attacker-controlled domain.
“The first file observed within this intrusion chain is a JavaScript file called Themes.js. This file starts the intrusion chain by downloading an additional payload from the adversary-controlled infrastructure.”
The script issues a GET request to iuh234[.]medianewsonline[.]com/dwnkl.php, sending the compromised computer’s name (uid) and a hardcoded key (kx) as URI parameters. While the medianewsonline.com platform itself is legitimate, Kimsuky leverages user-generated subdomains on this service for malicious activity.
“While the medianewsonline website is not inherently malicious, threat actors can create subdomains on it that can be used for malicious activity.”
Once the connection is established, the JavaScript executes the server’s response, effectively triggering the second-stage payload.
The server responds with an additional JavaScript file containing five functions enclosed in a try-catch block. The code performs extensive host reconnaissance, including gathering system information, enumerating running processes, and listing user directory contents.
The collected data is archived into .cab (cabinet) files and encoded using the certutil living-off-the-land binary (LOLBIN) before being exfiltrated to the same adversary-controlled infrastructure via POST requests to /umprl.php?uid=. Each upload carries one category of stolen data: system information, the process list, or the user directory listings.
For every POST request, the command-and-control (C2) server returns another JavaScript file that executes two functions. One establishes persistence; the other deploys a decoy Word document.
The persistence function (MKSCHD) creates a scheduled task under the name Windows Theme Manager, which runs every minute using wscript.exe to execute the Themes.js file from the %APPDATA%\Microsoft\Windows\Themes\ directory.
“Once the file is written to disk, a scheduled task is created that runs every minute with the task name Windows Theme Manager, which calls wscript.exe to execute the file.”
Meanwhile, the second function (OPDOM) drops a base64-encoded file named E-CARD.docx into the %Public% directory, decodes it with certutil, and deletes the temporary file. When opened, the document appears empty — likely a lure document designed to distract victims while persistence mechanisms execute silently.
“Decoding the base64 data within the function reveals that it is a Word document. Running the Word document through a sandbox reveals an empty document.”
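As an added example (not code from the Pulsedive report or from this article), the following Python turns the behaviours described above into detection rules and runs them over constructed telemetry: the dwnkl.php beacon and umprl.php uploads, the certutil-encoded .cab archives and E-CARD.docx lure, and the Windows Theme Manager task that launches Themes.js. The sample paths, hostnames and the kx value are placeholders, and the assumption that the task is registered through schtasks.exe is mine.

```python
import re

# Indicators taken from the Pulsedive write-up summarised in the article above.
C2_HOST = "iuh234.medianewsonline.com"
TASK_NAME = "windows theme manager"
THEMES_JS = re.compile(r"\\microsoft\\windows\\themes\\themes\.js\b", re.I)
def check_process(image: str, cmdline: str) -> list[str]:
    """Rules for one process-creation record (image path plus command line)."""
    hits, cmd = [], cmdline.lower()
    exe = image.lower().rsplit("\\", 1)[-1]
    # MKSCHD persistence, assuming the task is registered through schtasks.exe
    if exe == "schtasks.exe" and TASK_NAME in cmd:
        hits.append("persist_task_windows_theme_manager")
    # The task firing: wscript.exe launching Themes.js from the Themes directory
    if exe in ("wscript.exe", "cscript.exe") and THEMES_JS.search(cmd):
        hits.append("wscript_themes_js")
    # certutil LOLBIN encoding the staged .cab archives or decoding the E-CARD.docx lure
    if exe == "certutil.exe" and re.search(r"-(en|de)code\b", cmd) and re.search(r"\.(cab|docx)\b", cmd):
        hits.append("certutil_encode_decode")
    return hits

def check_http(method: str, host: str, path: str) -> list[str]:
    """Rules for one proxy record; the URI patterns are checked independently of the host."""
    hits = ["known_c2_host"] if host.lower() == C2_HOST else []
    # Stage-1 downloader: GET dwnkl.php carrying uid (hostname) and kx (hardcoded key)
    if method == "GET" and "/dwnkl.php" in path and "uid=" in path and "kx=" in path:
        hits.append("stage1_beacon_dwnkl")
    # Exfiltration of the certutil-encoded .cab data: POST umprl.php?uid=
    if method == "POST" and "/umprl.php" in path and "uid=" in path:
        hits.append("exfil_post_umprl")
    return hits
def scan(processes, requests):
    """Return (source, index, rule_names) for every record matching at least one rule."""
    out = [("process", i, h) for i, (img, cmd) in enumerate(processes) if (h := check_process(img, cmd))]
    out += [("http", i, h) for i, (m, ho, p) in enumerate(requests) if (h := check_http(m, ho, p))]
    return out
# Constructed sample telemetry (not real logs); the first row of each list is benign.
THEMES_DIR = r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Themes"
SAMPLE_PROCESSES = [
    (r"C:\Windows\System32\notepad.exe", "notepad.exe notes.txt"),
    (r"C:\Windows\System32\schtasks.exe", f'schtasks /create /sc minute /tn "Windows Theme Manager" /tr "wscript.exe {THEMES_DIR}\\Themes.js"'),
    (r"C:\Windows\System32\wscript.exe", f"wscript.exe {THEMES_DIR}\\Themes.js"),
    (r"C:\Windows\System32\certutil.exe", r"certutil -encode C:\Users\alice\AppData\Local\Temp\sys.cab C:\Users\alice\AppData\Local\Temp\sys.txt"),
    (r"C:\Windows\System32\certutil.exe", r"certutil -decode C:\Users\Public\ecard.tmp C:\Users\Public\E-CARD.docx"),
]
SAMPLE_REQUESTS = [
    ("GET", "www.example.com", "/index.html"),
    ("GET", "iuh234.medianewsonline.com", "/dwnkl.php?uid=DESKTOP-ALICE&kx=KEY_PLACEHOLDER"),
    ("POST", "iuh234.medianewsonline.com", "/umprl.php?uid=DESKTOP-ALICE"),
]
```

Running `scan(SAMPLE_PROCESSES, SAMPLE_REQUESTS)` flags the four malicious process rows and both C2 requests while leaving the benign rows untouched; the URI rules fire even if the actor moves to a different subdomain.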

Although the initial infection vector for Themes.js remains unclear, the methodology aligns with Kimsuky’s established espionage tradecraft — using script-based implants and legitimate web services for covert data exfiltration and persistence.
Pulsedive’s analysis emphasizes the group’s adaptability and technical precision, particularly its use of multi-stage JavaScript loaders and legitimate cloud-based infrastructure to evade detection.