Q1 DPRK Operation Kimsuky Analysis

2026-05-15 Logpresso Q1 DPRK Operation Kimsuky Analysis

https://logpresso.com/ko/blog/2026-05-15-1Q-Kimsuky-report


Logpresso analyzed four Kimsuky spear-phishing campaigns from early 2026 that used tailored lures against recruiters, business contacts, healthcare and insurance entities, cryptocurrency users and developers, defense-related personnel, and graduate-program stakeholders. The campaigns used LNK files disguised as PDFs or JSE files disguised as HWPX documents, then followed a common flow of lure display, payload drop, persistence, C2 communication, and remote control. Payloads included a PowerShell RAT, a PowerShell infostealer, VBE-to-PowerShell fileless execution, DLL-based reconnaissance, and VS Code tunnel abuse for remote access. The infrastructure mixed attacker-controlled servers with legitimate services such as GitHub raw content, Microsoft CDN delivery, GitHub OAuth, and VS Code tunnels to reduce the effectiveness of reputation-based blocking.

Indicators of Compromise

Type    Value                             First Seen  Last Seen
HASH    a2269df8913ae0ebc6396cccb6a83a0…  2026-05-15  2026-05-15
HASH    845d9049cb45ae1daf089d22fb78819…  2026-05-15  2026-05-15
HASH    aedd975e59ffe867bec9be9a33d438b…  2026-05-15  2026-05-15
HASH    169586b6eb36b17520ef5afd206da86…  2026-05-15  2026-05-15
HASH    21aeb6f9e509c26d909f10182589f8f…  2026-05-15  2026-05-15
HASH    dbabe32a48e1aaeaaa761ec09c8bc59…  2026-05-15  2026-05-15
HASH    02d9468af1e2a4be19f3a31549b808e…  2026-05-15  2026-05-15
HASH    a96a077d02d5fe3524e3416adc88f09…  2026-05-15  2026-05-15
HASH    7db1dfb77da7f4790df11e6b753e0a3…  2026-05-15  2026-05-15
HASH    d0e84b6bf4d810da9e177a54c397033…  2026-05-15  2026-05-15
HASH    e8879c41e383df2be62e3b5c6cb4c92…  2026-05-15  2026-05-15
HASH    60aa052dc1cad8a9f39983ffd6a21c9…  2026-05-15  2026-05-15
HASH    4af2b83387e6ab3f4ec461150e1c693…  2026-05-15  2026-05-15
HASH    e2caedcaabbcf467a714b62bf94ec70…  2026-05-15  2026-05-15
HASH    17fe715f3819baa851126d52af8b70c…  2026-05-15  2026-05-15
URL     https://raw.githubusercontent.c…  2026-05-15  2026-05-15
URL     https://raw.githubusercontent.c…  2026-05-15  2026-05-15
URL     https://nelark.icu/xftaswx/res/…  2026-05-15  2026-05-15
URL     https://nelark.icu/xftaswx/res/…  2026-05-15  2026-05-15
URL     https://nelark.icu/xftaswx/res/…  2026-05-15  2026-05-15
URL     https://nelark.icu/xftaswx/res/…  2026-05-15  2026-05-15
URL     https://nelark.icu/xftaswx/res/…  2026-05-15  2026-05-15
URL     http://yespp.co.kr/               2026-05-15  2026-05-15
URL     http://103.67.196.25/view1.php?…  2026-05-15  2026-05-15
URL     http://103.67.196.25/payload.dat  2026-05-15  2026-05-15
URL     http://103.67.196.25/conf.dat     2026-05-15  2026-05-15
DOMAIN  nelark.icu                        2026-05-15  2026-05-15
HASH    bb9e9c893b170b3774c150b1d0b93a73  2026-05-15  2026-05-15
HASH    bead7a8c1c2c624c2b76917462b36ae…  2026-05-15  2026-05-15
HASH    4b0358c7e4afa54bc489a6199cca132…  2026-05-15  2026-05-15
HASH    831d7c614ba32aa5d70ff9b0f259ee1d  2026-05-15  2026-05-15
HASH    016cc33b8ff5dd4c7ef1f585ca782db…  2026-05-15  2026-05-15
HASH    450774df6785e6eeb6ea906490905888  2026-05-15  2026-05-15
HASH    0331a83b58231cb0cd3bfe319003ed1a  2026-05-15  2026-05-15
DOMAIN  yespp.co.kr                       2026-05-15  2026-05-15
HASH    23420100260cc80055fbf02f4464212…  2026-05-14  2026-05-15
HASH    8b10ac9520a1ef24cf2269ec9ee4554…  2026-05-14  2026-05-15
HASH    59eb093c10f11f612b8dadab258285a…  2026-05-14  2026-05-15
URL     https://www.pyrotech.co.kr/comm…  2026-05-14  2026-05-15
DOMAIN  www.pyrotech.co.kr                2026-05-14  2026-05-15
DOMAIN  www.yespp.co.kr                   2026-05-14  2026-05-15
IPv4    103.67.196.25                     2026-04-07  2026-05-15
URL     https://www.yespp.co.kr/common/…  2026-01-21  2026-05-15
