In its latest Advanced Persistent Threat (APT) campaign, Kimsuky, a North Korea-linked group, has returned with an evolved version of its long-running AppleSeed operation. According to the Genians Security Center (GSC), the operation targeted Korean Facebook users, email accounts, and Telegram contacts through coordinated multi-stage social engineering efforts.
The attack campaign from March to April 2025 used two Facebook accounts to initiate conversations with individuals involved in North Korean defector support. By posing as missionaries, church researchers, or alumni of military academies, attackers gained the victims' trust.
"The actor introduced themselves as either a missionary or a church-affiliated researcher, skillfully approaching the target through Facebook Messenger," GSC explains.
Attackers sent password-protected EGG-format archives embedded with a JScript file (탈북민지원봉사활동.jse, "Defector Volunteer Support.jse"), a tactic designed to bypass mobile-based scanning and force execution on Windows PCs.

Once opened, the .jse script triggered a chain of file drops and stealthy installations:
- Decoy PDF created and opened to deceive the user.
- Base64-encoded malicious DLL decoded using PowerShell + certutil.
- DLL file (vmZMXSx.eNwm) executed via regsvr32.exe with silent flags.
- Persistence achieved by adding a Run registry entry under HKCU.
"This malware is a remote access trojan (RAT)… collects system information using RC4 and RSA encryption… and sends the results back," GSC notes.
The payload is VMProtect-packed, obfuscated, and capable of evading reverse engineering by virtualizing malicious code logic.
The final-stage payload (tripservice.dll) collects a variety of host information, checks for admin privileges and UAC settings, then compresses and encrypts the data using RC4 and RSA hybrid encryption.
"The command registers the 'TripServiceUpdate' entry… to automatically execute the malicious DLL every time the system reboots."
Data is staged into fake PDF files and exfiltrated to the domain woana.n-e[.]kr using HTTP multipart/form-data requests. The same C2 server also returns further encrypted commands.
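The drop, decode, execute and persist chain described above lends itself to a simple host-side triage rule set. The following is an added example, not code from the article or from Genians: it runs a few pattern rules over constructed, Sysmon-style process, registry and network events. Only the indicator strings (the .jse file name, the DLL name, the Run value and the C2 host) come from the article; the event format, paths and user name are assumptions.

```python
import re

# Constructed sample events: (event_type, image, command line / target / destination).
# Paths and the user name are made up; indicator strings come from the article.
SAMPLE_EVENTS = [
    ("process", "wscript.exe", r'wscript.exe "C:\Users\kim\Downloads\탈북민지원봉사활동.jse"'),
    ("process", "certutil.exe", r"certutil -decode C:\Users\kim\AppData\Local\Temp\enc.txt C:\Users\kim\AppData\Local\Temp\vmZMXSx.eNwm"),
    ("process", "regsvr32.exe", r"regsvr32.exe /s C:\Users\kim\AppData\Local\Temp\vmZMXSx.eNwm"),
    ("registry", "reg.exe", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\TripServiceUpdate"),
    ("network", "regsvr32.exe", "POST http://woana.n-e.kr/ multipart/form-data"),
    ("process", "regsvr32.exe", r"regsvr32.exe /s C:\Windows\System32\legit.dll"),  # benign control
]

# (rule name, event type it applies to, pattern over the event detail string)
RULES = [
    ("jse_from_user_dir", "process", re.compile(r"(?i)\\(users|downloads)\\.*\.jse\b")),
    ("certutil_decode", "process", re.compile(r"(?i)certutil(\.exe)?\s.*-decode")),
    # regsvr32 silently loading a file whose extension is not .dll (vmZMXSx.eNwm)
    ("regsvr32_nonstandard_ext", "process", re.compile(r"(?i)regsvr32(\.exe)?\s+/s\s+.*\.(?!dll\b)[a-z0-9]+$")),
    ("hkcu_run_tripserviceupdate", "registry", re.compile(r"(?i)HKCU\\.*\\CurrentVersion\\Run\\TripServiceUpdate$")),
    ("c2_host_woana", "network", re.compile(r"(?i)\bwoana\.n-e\.kr\b")),
]


def triage(events):
    """Return (rule_name, event_index) for every event that matches a rule of its type."""
    hits = []
    for i, (etype, _image, detail) in enumerate(events):
        for name, rule_type, pattern in RULES:
            if etype == rule_type and pattern.search(detail):
                hits.append((name, i))
    return hits


def chain_detected(events, threshold=3):
    """True when at least `threshold` distinct stages of the chain fire on one host;
    a single stage (e.g. one certutil -decode) is too noisy to alert on by itself."""
    return len({name for name, _ in triage(events)}) >= threshold


if __name__ == "__main__":
    for name, idx in triage(SAMPLE_EVENTS):
        print(f"{name:28s} <- event {idx}: {SAMPLE_EVENTS[idx][2]}")
    print("chain detected:", chain_detected(SAMPLE_EVENTS))
```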
The AppleSeed campaign reveals a highly adaptive, multi-platform infiltration model:
- Facebook: initial contact and lure delivery.
- Email: follow-up spear phishing with EGG archives.
- Telegram: used once the target's phone number was obtained.
"This case shows how attackers leverage multiple platforms… to carry out coordinated multi-channel attacks."
Historical variants show similar strategies applied over LinkedIn, along with Bandizip decompression tactics, evidence of sustained evolution.
Based on script patterns, DLL similarities, and infrastructure reuse, Genians confidently attributes the campaign to Kimsuky, who previously used tools like BabyShark and GoldDragon.
By weaponizing familiar platforms like Messenger and Telegram, these attackers bypass traditional perimeter defenses. The use of customized Korean-language lures, obfuscated scripts, and encrypted payloads makes this campaign especially effective against socially oriented targets.