Analysis of a Kimsuky Spear-Phishing Case Disguised as an Inquiry About Suspected Personal Information Leakage

2026-06-09 | ESTSecurity | Analysis of a Kimsuky Spear-Phishing Case Disguised as an Inquiry About Suspected Personal Information Leakage

https://blog.alyac.co.kr/5761


Kimsuky-linked spear phishing targeted the information-security staff of a South Korean company by impersonating a customer asking about a suspected personal-data leak. The attacker built trust over several emails, then delivered malicious LNK files disguised as customer-status documents; after an initial link was blocked, the payload was resent in a password-protected ZIP. ESRC analyzed three samples that shared an LNK-based initial chain but diverged into two C2 frameworks: one exchanged commands through the Dropbox API, ran RC4-decrypted PowerShell and persisted via a scheduled task; the other used direct HTTPS C2 with a VBS in the startup folder plus a batch decoder loop. The campaign used Korean-language decoys, included anti-analysis and self-deletion features in one sample, and used infrastructure at toopel.shop for the Type B path.

