Malicious BAT script file | Image: ASEC
The notorious Kimsuky threat group is refining its arsenal, shifting toward more complex, multi-stage execution chains to slip past modern defenses. A recent analysis from the AhnLab SEcurity intelligence Center (ASEC) has identified a significant structural change in how the group distributes and executes its malicious LNK (shortcut) files.
Historically, Kimsuky’s distribution methods were relatively straightforward, often relying on a simple “LNK to PowerShell to BAT” sequence. However, the group has recently pivoted to a much more intricate flow designed to frustrate automated analysis and manual inspection.
As the ASEC researchers explain, “Compared to the past, the overall execution flow has become more complex and multi-stage with the addition of intermediate scripts”.
The new attack chain begins with a malicious LNK file that triggers a sequence of intermediate stages, moving from PowerShell to VBScript before finally reaching the core payload. This structural change adds layers of obfuscation that mask the malware’s ultimate intent.
Key characteristics of this updated approach include:
- Decoy Documents: To lower the victim’s guard, the LNK file generates and displays a legitimate-looking decoy document—such as a “Data Backup and Recovery Procedure Establishment Guide”—while the infection runs in the background.
- Legitimate Cloud Abuse: The group is increasingly exploiting trusted services like Dropbox to host and distribute their malicious ZIP archives.
- Python-Based Downloaders: The final stage of the attack typically involves executing a Python-based backdoor or downloader, a tactic specifically chosen to “evade diagnostics”.
To ensure their hold on a compromised system remains permanent, the malware registers itself in the Windows Task Scheduler. This ensures that even if the initial process is terminated, the malicious Python script will be re-executed, providing the attackers with a persistent “backdoor” into the organization’s network.
By breaking the execution flow into multiple, separate stages and using common scripting languages such as Python, the attackers make it harder for traditional antivirus tools to match a single “malicious” signature against any one component.
The ASEC report concludes that “Malware distribution methods that exploit legitimate cloud services such as Dropbox and attempts to evade diagnostics using Python are also characteristic” of this new phase.
Security teams are encouraged to monitor for unusual LNK file activity and the execution of PowerShell or Python scripts from temporary directories, as these remain the primary indicators of a Kimsuky intrusion.
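As an added illustration of the hunting advice above (example code written for this article, not from ASEC or its report), the following Python flags process-creation events in which a script host runs a script from a temp directory, or python.exe is reached through an explorer -> PowerShell -> VBScript ancestry, the multi-stage shape the report describes. The event records, field names and paths are constructed assumptions, not indicators from the report.

```python
import re

# Constructed Sysmon-style process-creation events (not from the ASEC report).
# Fields: pid, ppid, image (full path), cmdline.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -w hidden -ep bypass -f C:\Users\u\AppData\Local\Temp\stage1.ps1"},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript.exe //B C:\Users\u\AppData\Local\Temp\stage2.vbs"},
    {"pid": 400, "ppid": 300, "image": r"C:\Users\u\AppData\Local\Temp\py\python.exe",
     "cmdline": r"python.exe C:\Users\u\AppData\Local\Temp\py\main.py"},
    # Benign: a developer running python from a normal install on a project file.
    {"pid": 500, "ppid": 100, "image": r"C:\Program Files\Python312\python.exe",
     "cmdline": r"python.exe C:\Projects\build.py"},
]

SCRIPT_HOSTS = ("powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "python.exe", "cmd.exe")
# Matches the user and system temp directories on a Windows path.
TEMP_DIR = re.compile(r"\\(?:AppData\\Local|Windows)\\Temp\\", re.IGNORECASE)


def image_name(path):
    """Lower-cased file name of an image path."""
    return path.rsplit("\\", 1)[-1].lower()


def ancestry(pid, by_pid):
    """Image names from the given process up to the root, child first."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(image_name(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain


def find_suspicious(events):
    """Return (pid, reason) findings for the two indicators described above."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        name = image_name(e["image"])
        if name not in SCRIPT_HOSTS:
            continue
        # Indicator 1: a script host executing from, or given a script in, a temp directory.
        if TEMP_DIR.search(e["cmdline"]) or TEMP_DIR.search(e["image"]):
            findings.append((e["pid"], "script host launched from temp dir"))
        # Indicator 2: python reached via explorer.exe (LNK launch) -> PowerShell -> VBScript host.
        chain = ancestry(e["pid"], by_pid)
        if name == "python.exe" and "explorer.exe" in chain \
                and any(h in chain for h in ("powershell.exe", "pwsh.exe")) \
                and any(h in chain for h in ("wscript.exe", "cscript.exe")):
            findings.append((e["pid"], "multi-stage chain: " + " <- ".join(chain)))
    return findings
```

Run against real telemetry, the temp-directory rule will need an allowlist for installers and update agents that legitimately stage scripts there; the ancestry rule is the higher-fidelity signal.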