Analysis of a Kimsuky Spear-Phishing Case Disguised as an Inquiry About Suspected Personal Information Leakage
2026-06-09 • ESTSecurity
Kimsuky-linked spear phishing targeted the information-security staff of a South Korean company by impersonating a customer asking about a suspected personal-data leak. The attacker built rapport over several emails before delivering malicious LNK files disguised as customer-status documents; when the first download link was blocked, the payload was resent inside a password-protected ZIP, which also keeps mail-gateway scanners from inspecting the archive contents. ESRC analyzed three samples that share an LNK-based initial chain but diverge into two C2 designs: one exchanges commands through the Dropbox API, runs RC4-decrypted PowerShell, and persists through a scheduled task; the other (the path the report labels Type B) talks to an HTTPS C2 directly, persists through a VBS launched from the Startup folder, and uses a batch decoder loop. All samples used Korean-language decoys, one added anti-analysis checks and self-deletion, and the Type B infrastructure was hosted at toopel.shop.
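The chain above leaves a recognisable process-tree and network footprint: Explorer launching a hidden or encoded PowerShell (the LNK itself does not appear as a process, so its target is what you see), schtasks.exe creating a task from a script host, wscript.exe running a .vbs from the Startup folder, cmd.exe loops spawned by wscript.exe, and non-browser processes talking to the Dropbox API or to toopel.shop. The following is an added hunting example written for this page, not ESRC's code or tooling. The event records are constructed Sysmon-style process-creation and network events with assumed field names; the only indicator taken from the report is toopel.shop, and the Dropbox API hostnames are my assumption of what a Dropbox-API C2 would contact.

```python
"""Hunting rules for the LNK -> PowerShell / Startup-VBS + batch chain (added example)."""
import re
from dataclasses import dataclass

# toopel.shop comes from the report's IOC table; the Dropbox API hosts are an
# assumption about what Dropbox-API-based C2 would resolve, not report data.
REPORT_DOMAINS = {"toopel.shop"}
DROPBOX_API_HOSTS = {"api.dropboxapi.com", "content.dropboxapi.com"}
BROWSERS_AND_DROPBOX = {"dropbox.exe", "chrome.exe", "msedge.exe", "firefox.exe"}

# Flags an LNK-launched PowerShell stage typically carries: hidden window,
# no profile, non-interactive, bypassed execution policy, or a long -enc blob.
SUSPICIOUS_PS_FLAGS = re.compile(
    r"(?i)(?:^|\s)-(?:w(?:indowstyle)?\s+hidden|e(?:nc(?:odedcommand)?)?\s+[A-Za-z0-9+/=]{40,}"
    r"|nop\b|noni\b|ep\s+bypass)")
STARTUP_VBS = re.compile(r'(?i)\\start menu\\programs\\startup\\[^"]+\.vbs')
BATCH_LOOP = re.compile(r"(?i)(?:\bgoto\s+\w+|\bfor\s+/l\b|certutil(?:\.exe)?\s+-decode)")


@dataclass
class Event:
    pid: int
    image: str          # full path of the process
    parent_image: str   # full path of the parent process
    cmdline: str
    dest_host: str = ""  # set only on network-connection events


def _base(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def match_rules(ev: Event) -> list[str]:
    """Return the names of every rule the event satisfies (possibly none)."""
    hits = []
    img, par, cmd = _base(ev.image), _base(ev.parent_image), ev.cmdline
    if ev.dest_host:  # network event: only destination-based rules apply
        host = ev.dest_host.lower()
        if host in REPORT_DOMAINS:
            hits.append("ioc_domain")
        if host in DROPBOX_API_HOSTS and img not in BROWSERS_AND_DROPBOX:
            hits.append("dropbox_api_nonbrowser")  # worth a review, not a verdict
        return hits
    if par == "explorer.exe" and img in {"powershell.exe", "pwsh.exe"} and SUSPICIOUS_PS_FLAGS.search(cmd):
        hits.append("lnk_hidden_powershell")
    if img == "schtasks.exe" and "/create" in cmd.lower() and par in {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe"}:
        hits.append("schtask_persistence")
    if img in {"wscript.exe", "cscript.exe"} and STARTUP_VBS.search(cmd):
        hits.append("startup_vbs")
    if img == "cmd.exe" and par in {"wscript.exe", "cscript.exe"} and BATCH_LOOP.search(cmd):
        hits.append("batch_decoder_loop")
    return hits


def hunt(events: list[Event]) -> dict[str, list[int]]:
    """Map each fired rule to the PIDs that triggered it, preserving event order."""
    out: dict[str, list[int]] = {}
    for ev in events:
        for rule in match_rules(ev):
            out.setdefault(rule, []).append(ev.pid)
    return out


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EXPLORER = r"C:\Windows\explorer.exe"
WSCRIPT = r"C:\Windows\System32\wscript.exe"
CMD = r"C:\Windows\System32\cmd.exe"

# Constructed telemetry modelled on the chain described in the summary; not real logs.
SAMPLE_EVENTS = [
    Event(101, PS, EXPLORER, "powershell.exe -w hidden -nop -ep bypass -enc " + "A" * 80),
    Event(102, r"C:\Windows\System32\schtasks.exe", PS,
          'schtasks.exe /create /sc minute /mo 10 /tn "Updater" /tr "powershell -w hidden -f C:\\Users\\Public\\u.ps1"'),
    Event(103, WSCRIPT, EXPLORER,
          r'wscript.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svc.vbs"'),
    Event(104, CMD, WSCRIPT,
          'cmd.exe /c ":loop & certutil -decode C:\\Users\\Public\\d.txt C:\\Users\\Public\\d.bat & goto loop"'),
    Event(101, PS, EXPLORER, "", dest_host="api.dropboxapi.com"),
    Event(104, CMD, WSCRIPT, "", dest_host="toopel.shop"),
    Event(200, r"C:\Program Files\Dropbox\Client\Dropbox.exe", EXPLORER, "", dest_host="api.dropboxapi.com"),  # benign
    Event(201, PS, EXPLORER, "powershell.exe -NoLogo"),  # benign interactive shell
]

if __name__ == "__main__":
    for rule, pids in hunt(SAMPLE_EVENTS).items():
        print(f"{rule:<26} pids={pids}")
```

The Dropbox rule is deliberately a review signal rather than an alert: the legitimate Dropbox client and browsers are excluded, but any script host reaching the Dropbox API should be tied back to the process tree before it is acted on. Note also that none of these rules depends on the report's hashes, so they keep working when the attacker rebuilds the LNK.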
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| DOMAIN | toopel.shop | 2026-06-09 | 2026-06-09 |
| URL | https://toopel.shop/Pan/letgo.p… | 2026-06-09 | 2026-06-09 |
| HASH | 8bb537a52d2db7013ea24f59a3ee66e… | 2026-06-09 | 2026-06-09 |
| HASH | 1f3c29b23dcc530572ef73cdf8a2add… | 2026-06-09 | 2026-06-09 |
| HASH | d6b31850e1db191a6f9056dd5c4b55dd | 2026-06-09 | 2026-06-09 |
| HASH | 8828d46900610fc5889346e03bfa2d0… | 2026-06-09 | 2026-06-09 |
| HASH | 4603fbc4f3a6c72aec61805759677e3… | 2026-06-09 | 2026-06-09 |
| HASH | 2cc1a732d506b164f2d490a7a36f800… | 2026-06-09 | 2026-06-09 |
| HASH | ef2d2c5d9a668e57a367491d5eeacb6… | 2026-06-09 | 2026-06-09 |
| HASH | c919c0f3bf6768d471fb0bf5df3cc71… | 2026-06-09 | 2026-06-09 |
| HASH | 62fc3359c19f792c3b9d24b1ac3dd9d… | 2026-06-09 | 2026-06-09 |
| HASH | 7f9fe5839a2ffaa627685f673ee5d4b… | 2026-06-09 | 2026-06-09 |