Inside Kimsuky’s CHM Tradecraft: Multi-Stage Execution and Selective Payload Delivery
2026-06-29 • Synaptic Security
Kimsuky used a Korean-language CHM lure about North Korean food-crisis and right-to-food material to launch hidden PowerShell, decode a VBScript bootstrap, and retrieve staged payloads from DynV6-hosted infrastructure. The retrieved VBScript profiled the host with WMI, enumerated selected folders and running processes, uploaded a Base64 inventory as Info.txt, and installed a hidden hourly scheduled task named Edge Updater. A later loader requested a second VBScript stage that handed execution to PowerShell and contacted a final checkservice.php endpoint expected to define LogAction, but controlled replay returned an empty body, indicating selective final payload delivery. The report provides C2 domains, IPs, hashes, host artifacts, and behavioral detections for CHM-to-VBScript-to-PowerShell activity.
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| IPv4 | 152.32.138.15 | 2026-06-29 | 2026-06-29 |
| IPv4 | 176.111.220.168 | 2026-06-29 | 2026-06-29 |
| DOMAIN | aointerviews.com | 2026-06-29 | 2026-06-29 |
| HASH | 962e7a2a0b6ea9926f2198db06aa1d6… | 2026-06-29 | 2026-06-29 |
| HASH | 21781885f9d6ebc5f9e0f828aacbe3d… | 2026-06-29 | 2026-06-29 |
| URL | http://acnms.dmdoc.dynv6.net/sm… | 2026-06-29 | 2026-06-29 |
| URL | http://acnms.dmdoc.dynv6.net/sm… | 2026-06-29 | 2026-06-29 |
| URL | http://acnms.dmdoc.dynv6.net/sm… | 2026-06-29 | 2026-06-29 |
| IPv4 | 118.194.249.91 | 2026-06-29 | 2026-06-29 |
| DOMAIN | acnms.dmdoc.dynv6.net | 2026-06-29 | 2026-06-29 |
| HASH | 0efbd18c77479b458078521c18bdad8… | 2026-06-29 | 2026-06-29 |
| IPv4 | 51.79.185.184 | 2026-04-11 | 2026-06-29 |
| HASH | 26ba5b01f614a215b948a5700338575… | 2025-06-17 | 2026-06-29 |
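The chain summarised above (hh.exe launching a hidden or encoded PowerShell, PowerShell handing off to a VBScript host, a hidden hourly "Edge Updater" task, and DNS resolution of the DynV6 C2) maps onto a small set of behavioural rules. The following Python is an added illustration of those rules run over constructed telemetry; it is not the Synaptic Security report's own detection content. The sample records are constructed Sysmon-style process-creation (event 1) and DNS-query (event 22) records plus a Windows Security 4698 task-creation record; the field names (`image`, `parent_image`, `command_line`, `query`, `task_name`, `task_action`) are this example's assumptions, not a real log schema, and the rule names are invented here. The two domains are taken from the IOC table above and the task name from the summary.

```python
"""Behavioural rules for the CHM -> PowerShell -> VBScript -> scheduled-task chain.

Added example; not the report's detection content. Event dictionaries below are
constructed and their field names are assumptions for this illustration.
"""
import re

# Domains taken from the IOC table on this page.
C2_DOMAINS = {"acnms.dmdoc.dynv6.net", "aointerviews.com"}

# Script hosts that the CHM help viewer (hh.exe) has no legitimate reason to spawn.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "cmd.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}

# Hidden-window or encoded-command switches typical of a lure-launched PowerShell stub.
HIDDEN_PS = re.compile(r"-(?:w|win|windowstyle)\s+hidden|-e(?:nc(?:odedcommand)?)?\b", re.I)


def basename(path):
    """Lower-cased file name from a Windows path, a bare executable name or a quoted path."""
    return path.strip('"').rsplit("\\", 1)[-1].lower()


def check_process(ev):
    """Rules for a process-creation record (Sysmon event 1)."""
    image, parent = basename(ev["image"]), basename(ev["parent_image"])
    cmd = ev.get("command_line", "")
    rules = []
    if parent == "hh.exe" and image in SCRIPT_HOSTS:
        rules.append("chm_spawns_script_host")
    if image in POWERSHELL and HIDDEN_PS.search(cmd):
        rules.append("hidden_powershell")
    if parent in POWERSHELL and image in {"wscript.exe", "cscript.exe"}:
        rules.append("powershell_spawns_vbscript_host")
    return rules


def check_task(ev):
    """Rules for a scheduled-task creation record (Security event 4698)."""
    name = ev.get("task_name", "").strip("\\").lower()
    action_exe = basename(ev.get("task_action", "").split(" ", 1)[0])
    # The reported task name, or any task whose action is a script host rather than a binary.
    if name == "edge updater" or action_exe in SCRIPT_HOSTS:
        return ["suspicious_scheduled_task"]
    return []


def check_dns(ev):
    """Rule for a DNS-query record (Sysmon event 22)."""
    return ["c2_dns_query"] if ev.get("query", "").lower() in C2_DOMAINS else []


CHECKS = {1: check_process, 22: check_dns, 4698: check_task}


def detect(events):
    """Return one (rule, event) pair per matching rule across the event stream."""
    hits = []
    for ev in events:
        check = CHECKS.get(ev.get("event_id"))
        if check:
            for rule in check(ev):
                hits.append((rule, ev))
    return hits


# Constructed sample telemetry: five malicious records followed by two benign ones.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"event_id": 1, "image": r"C:\Windows\hh.exe", "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r'"C:\Windows\hh.exe" C:\Users\u\Downloads\lure.chm'},
    {"event_id": 1, "image": PS, "parent_image": r"C:\Windows\hh.exe",
     "command_line": "powershell.exe -w hidden -enc ZQBjAGgAbwA="},  # UTF-16LE "echo", constructed
    {"event_id": 1, "image": r"C:\Windows\System32\wscript.exe", "parent_image": PS,
     "command_line": r"wscript.exe //B C:\Users\u\AppData\Local\Temp\stage1.vbs"},
    {"event_id": 22, "image": r"C:\Windows\System32\wscript.exe", "query": "acnms.dmdoc.dynv6.net"},
    {"event_id": 4698, "task_name": r"\Edge Updater",
     "task_action": r"wscript.exe //B C:\Users\u\AppData\Roaming\stage2.vbs", "hidden": True},
    {"event_id": 1, "image": PS, "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r"powershell.exe -File C:\scripts\backup.ps1"},
    {"event_id": 22, "image": r"C:\Windows\System32\svchost.exe", "query": "www.microsoft.com"},
]

if __name__ == "__main__":
    for rule, ev in detect(SAMPLE_EVENTS):
        print(rule, ev.get("command_line") or ev.get("task_name") or ev.get("query"))
```

The hh.exe-to-script-host rule is the highest-signal one: CHM viewing should never produce a PowerShell or WScript child, so it needs no tuning. The hidden-PowerShell and task rules will fire on some legitimate administration, so in production they are better treated as enrichment that raises the severity of the parent-child match than as stand-alone alerts.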