Kimsuky Delivers DocSwap Android Malware via QR Code Phishing Impersonating Delivery Services
The North Korean state-sponsored threat group Kimsuky has launched a sophisticated campaign distributing a new variant of the DocSwap Android malware. Attackers use phishing sites that impersonate legitimate delivery services, particularly Seoul-based CJ Logistics, to lure victims. The campaign leverages QR codes and notification pop-ups to trick users into installing a malicious APK, often named SecDelivery.apk, on their mobile devices. Victims are typically targeted through smishing messages or phishing emails containing links to these fake delivery tracking sites. When accessed from a desktop, the site displays a QR code, prompting users to scan it with their Android device, which then initiates the malware download. The malicious app decrypts an embedded encrypted APK and launches a service with remote access trojan (RAT) capabilities, requesting extensive permissions to access files, SMS, phone, and location data.
Security researchers have observed that the campaign employs advanced evasion techniques, such as device-type detection and server-side logic to serve different content based on the user's platform. The malware variant features improvements over previous DocSwap versions, including a new native decryption function and enhanced decoy behaviors. The infrastructure supporting the campaign is linked to a command and control server at 27.102.137[.]181, and the phishing lures are designed to bypass Android's default security warnings by impersonating official apps and security modules. This campaign highlights the evolving tactics of Kimsuky in targeting South Korean users and the growing threat of QR code-based phishing for mobile malware delivery.
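The desktop-to-mobile hand-off described above (a desktop browser loads the fake tracking page, an Android device then fetches the APK, and the implant calls home) leaves a recognisable sequence in web proxy logs. The script below is an added detection sketch, not code from the report or any of its sources. The log lines are constructed for illustration, the host `cjlogistics-track.invalid` is a placeholder, and the 15-minute pivot window is an assumption; only the C2 address 27.102.137[.]181 and the file name SecDelivery.apk come from the report.

```python
"""Added detection example (not from the original report or its sources).

Models the infection flow described above: a desktop user agent visits a fake
delivery-tracking page, an Android user agent then downloads an .apk from the
same host (the QR-code hand-off), and the device contacts the reported C2.
Log lines are constructed; host names are placeholders.
"""
from datetime import datetime, timedelta
from urllib.parse import urlparse

# From the report (written there defanged as 27.102.137[.]181).
C2_HOSTS = {"27.102.137.181"}
# Assumption: a victim usually scans the QR code within a few minutes.
PIVOT_WINDOW = timedelta(minutes=15)

# Constructed proxy log: timestamp, client IP, method, URL, user agent (tab-separated).
SAMPLE_LOG = "\n".join([
    "2025-01-10T09:00:01Z\t10.0.0.12\tGET\thttps://cjlogistics-track.invalid/track?no=4471\tMozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0",
    "2025-01-10T09:02:30Z\t10.0.0.77\tGET\thttps://cjlogistics-track.invalid/SecDelivery.apk\tMozilla/5.0 (Linux; Android 13; SM-S911N) Chrome/120.0 Mobile",
    "2025-01-10T09:05:12Z\t10.0.0.77\tPOST\thttp://27.102.137.181/api/register\tDalvik/2.1.0 (Linux; U; Android 13)",
    "2025-01-10T09:06:00Z\t10.0.0.31\tGET\thttps://intranet.example/wiki\tMozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/121.0",
    "2025-01-10T11:30:00Z\t10.0.0.90\tGET\thttps://vendor-cdn.example/app.apk\tMozilla/5.0 (Linux; Android 12) Chrome/119.0 Mobile",
])


def classify_ua(ua: str) -> str:
    """Coarse platform bucket: 'android', 'desktop' or 'other'."""
    if "Android" in ua or ua.startswith("Dalvik"):
        return "android"
    if any(tag in ua for tag in ("Windows NT", "Macintosh", "X11; Linux")):
        return "desktop"
    return "other"


def parse_log(text: str) -> list[dict]:
    """Parse the tab-separated sample format into records sorted by time."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, method, url, ua = line.split("\t", 4)
        parsed = urlparse(url)
        records.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "client": client,
            "method": method,
            "url": url,
            "host": parsed.hostname or "",
            "path": parsed.path,
            "platform": classify_ua(ua),
        })
    return sorted(records, key=lambda r: r["time"])


def find_qr_pivots(records: list[dict], window: timedelta = PIVOT_WINDOW) -> list[tuple[dict, dict]]:
    """Desktop page view followed within `window` by an Android .apk download from the same host."""
    pivots = []
    desktop_views = [r for r in records if r["platform"] == "desktop" and r["method"] == "GET"]
    for apk in records:
        if apk["platform"] != "android" or not apk["path"].lower().endswith(".apk"):
            continue
        for view in desktop_views:
            gap = apk["time"] - view["time"]
            if view["host"] == apk["host"] and timedelta(0) <= gap <= window:
                pivots.append((view, apk))
                break
    return pivots


def find_c2_contacts(records: list[dict]) -> list[dict]:
    """Any request whose host is a known C2 address."""
    return [r for r in records if r["host"] in C2_HOSTS]


def analyse(text: str) -> dict:
    """Run both detections and return compact, comparable alert tuples."""
    records = parse_log(text)
    return {
        "qr_pivots": [(v["host"], a["client"], a["path"]) for v, a in find_qr_pivots(records)],
        "c2_contacts": [(r["client"], r["url"]) for r in find_c2_contacts(records)],
    }


if __name__ == "__main__":
    for kind, hits in analyse(SAMPLE_LOG).items():
        for hit in hits:
            print(f"ALERT {kind}: {hit}")
```

The unrelated Android APK download at 11:30 is not flagged because no desktop view of that host precedes it; in practice the pivot rule should be paired with the C2 match and with the APK name and host reputation, since a legitimate mobile app download after a desktop visit to the vendor's site will trigger the same pattern.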
Related Stories

Kimsuky APT Quishing Attacks Targeting Microsoft 365 and Google Workspace
The FBI, CISA, and NSA have issued warnings about a surge in spear-phishing campaigns conducted by the North Korean state-sponsored threat group Kimsuky (APT43), which leverage malicious QR codes—known as quishing—to target high-value individuals in government, academia, think tanks, and foreign policy organizations. These attacks embed QR codes in phishing emails, which, when scanned, redirect victims to credential harvesting sites or initiate malware downloads, often bypassing traditional email security controls and exploiting the relative insecurity of mobile devices. Kimsuky’s campaigns are characterized by highly personalized lures, extensive reconnaissance, and a focus on intelligence gathering, with observed targeting of Microsoft 365 and Google Workspace accounts. Quishing attacks are effective because QR codes can evade standard email security measures such as URL inspection and sandboxing, and they obscure the true destination from the user. Once a victim scans the QR code, attackers can collect device and identity attributes, present mobile-optimized phishing pages impersonating legitimate portals (such as Microsoft 365 or Okta), and steal credentials or session tokens—sometimes bypassing multi-factor authentication. The campaigns have been observed globally and represent a significant evolution in Kimsuky’s social engineering and credential theft operations, prompting urgent mitigation guidance from U.S. federal agencies and security researchers.
2 months ago
Phishing and Smishing Campaigns Delivering Malware via Fake Apps and Trusted-Looking Lures
Multiple reports describe **social-engineering campaigns** that use trusted-looking lures (meeting invites, public-safety alerts, and official-looking documents) to drive victims to install malware or disclose credentials. Microsoft researchers reported a wave of **fake Zoom/Teams/Adobe update sites** reached via meeting-invite and document lures; the downloaded executables were signed with a **compromised EV code-signing certificate** (issued to *TrustConnect Software PTY LTD*) and acted as droppers for **remote monitoring and management (RMM) tools**, enabling persistent access. Separately, ClearSky described a suspected **Russian espionage** phishing operation targeting Ukraine that delivers a ZIP containing a Ukrainian-language border-crossing “permit” document, installing a loader (**BadPaw**) and a backdoor (**MeowMeow**) with file manipulation capabilities and sandbox/VM evasion; attribution was assessed as high confidence to a Russian state-aligned actor and low confidence to **APT28**. Mobile-focused lures were also reported: CloudSEK detailed **SMS phishing** targeting Israeli civilians with a trojanized **Red Alert** rocket-warning app, using a multi-stage loader chain to deploy spyware with **banking trojan** capabilities and exfiltrate **SMS, contacts, and location** to attacker infrastructure—raising concerns about surveillance and erosion of trust in official alerting. Other items in the set are either broader research or consumer-oriented scam advisories: a Zimperium write-up on the Android **“Massiv”** IPTV-app disguise highlights overlay-based banking fraud techniques, while Kaspersky’s mobile threat landscape report provides 2025 ecosystem statistics; two OnlineThreatAlerts posts describe generic **smishing** patterns (Amazon “refund” and flood-warning texts) without tying to a specific, evidenced campaign or new technical findings.
1 week ago
Recent Malware Campaigns Targeting Windows Users via Social Engineering and Fake Installers
Multiple malware campaigns have recently targeted Windows users through a variety of social engineering tactics and deceptive file distribution methods. In Korea, attackers leveraged popular webhard file-sharing services to distribute the xRAT (QuasarRAT) remote access trojan disguised as adult games. Victims were enticed to download compressed files that appeared to be legitimate games, but actually contained sophisticated malware components designed to evade detection and establish persistence on compromised systems. Meanwhile, a separate campaign in Brazil saw the Astaroth banking trojan propagate via WhatsApp, where a worm-like component harvested contact lists and automatically sent malicious ZIP files to spread the infection further. This campaign combined Python-based propagation with traditional credential-stealing modules focused on financial fraud. Other notable campaigns included the use of fake WinRAR installers distributed through Chinese websites, which employed multi-stage payloads to select and deploy the most effective malware for each victim. Additionally, phishing attacks impersonating DocuSign lured users into downloading stealthy malware through access code-protected web pages, using obfuscated PowerShell commands and in-memory payload decryption to bypass security controls. These incidents highlight the increasing sophistication of malware delivery mechanisms, the use of trusted brands and platforms for social engineering, and the global reach of threat actors targeting Windows environments through both email and messaging applications.
2 months ago