Analysis of the Triple Combo Threat of the Kimsuky Group
Contents
◈ Executive Summary
- Deployed a covert infiltration strategy using a three-stage communication channel: Facebook, email, and Telegram
- Lured targets with seemingly credible content related to North Korean defector volunteer activities to initiate conversations and deliver malicious files
- Confirmed linkage to the state-sponsored hacking group 'Kimsuky,' which targets defense and North Korea-related activists
- Utilized Korea-specific compressed file formats and encoded malicious scripts, specifically designed to evade security detection patterns
- EDR-based threat hunting and triage can provide visibility
1. Overview
○ The Genians Security Center (GSC) detected an APT (Advanced Persistent Threat) campaign targeting users of Facebook, email, and Telegram in Korea between March and April 2025.
○ The threat actor conducted reconnaissance and selected attack targets through two Facebook accounts.
○ According to a joint investigation conducted by Genians threat analysts, the campaign was attributed to the Kimsuky group, a well-known North Korea-affiliated state-sponsored hacking organization. The incident was identified as part of the 'AppleSeed' …
IoC
http://onsungtong.n-e.kr
http://nocamoto.o-r.kr
http://download.uberlingen.com
http://dirwear.000webhostapp.com
http://hyper.cadorg.p-e.kr
http://peras1.n-e.kr
http://afcafe.kro.kr
http://update.screawear.ga
http://vamboo.n-e.kr
http://nomera.n-e.kr
http://nauji.n-e.kr
HKCU...\Run
http://woana.n-e.kr
http://jieun.dothome.co.kr
f14f332d4273de04ba77e38fd3dcff90
ca3926dc6c4b2a71832a03fba366cbcd
f4d59b1246e861a2a626cb56c55651f0
07015af18cf8561866bc5b07e6f70d9a
afadab22f770956712e9c47460911dad
30741e7e4cdd8ba9d3d074c42deac9b1
7a0c0a4c550a95809e93ab7e6bdcc290
2f6fe22be1ed2a6ba42689747c9e18a0
8346d90508b5d41d151b7098c7a3e868
7756b4230adfa16e18142d1dbe6934af
f960ce07c519d1e64a46c7f573eac39b
779f2f4839b9be4f0b8c96f117181334
b9c2111c753b09e4cc9d497f8fd314fc
b128c5db5d973be60f39862ba8bfb152
5a223c70b65c4d74fea98ba39bf5d127
46fd22acea614407bf11d92eb6736dc7
ec9dcef04c5c89d6107d23b0668cc1c1
568f7628e6b7bb7106a1a82aebfd348d
2a388f3428a6d44a66f5cb0b210379a0
537806c02659a12c5b21efa51b2322c1
bfb02dee62c38c3385df92b308499b31
1ae2e46aac55e7f92c72b56b387bc945
fb3c652e795f08cc2529ed33ec1dc114
fe8626e7c3f47a048c9f6c13c88a9463
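The executive summary notes that EDR-based threat hunting and triage can provide visibility into this campaign. The following Python is an added example (not code from the Genians report) that turns the IoC list above into typed indicators and matches them against endpoint telemetry. The indicator strings are copied from the report; everything else is an assumption: the event schema (`dns`, `file` and `registry` dicts), the sample events, and the decision to match the registry indicator on hive plus leaf key name only, because the page gives that path in elided form as `HKCU...\Run`.

```python
"""Added example (not from the Genians report): classify the report's IoC list
and hunt for the indicators in endpoint telemetry."""
import re
from typing import Dict, List, Set, Tuple

# Indicators copied verbatim from the report's IoC section (whitespace-separated
# so the list stays compact). The extracted page wraps the registry autorun key
# in a URL prefix ("http://HKCU...\Run"), so the scheme is stripped first.
IOC_TEXT = r"""
http://onsungtong.n-e.kr http://nocamoto.o-r.kr http://download.uberlingen.com
http://dirwear.000webhostapp.com http://hyper.cadorg.p-e.kr http://peras1.n-e.kr
http://afcafe.kro.kr http://update.screawear.ga http://vamboo.n-e.kr
http://nomera.n-e.kr http://nauji.n-e.kr http://HKCU...\Run
http://woana.n-e.kr http://jieun.dothome.co.kr
f14f332d4273de04ba77e38fd3dcff90 ca3926dc6c4b2a71832a03fba366cbcd
f4d59b1246e861a2a626cb56c55651f0 07015af18cf8561866bc5b07e6f70d9a
afadab22f770956712e9c47460911dad 30741e7e4cdd8ba9d3d074c42deac9b1
7a0c0a4c550a95809e93ab7e6bdcc290 2f6fe22be1ed2a6ba42689747c9e18a0
8346d90508b5d41d151b7098c7a3e868 7756b4230adfa16e18142d1dbe6934af
f960ce07c519d1e64a46c7f573eac39b 779f2f4839b9be4f0b8c96f117181334
b9c2111c753b09e4cc9d497f8fd314fc b128c5db5d973be60f39862ba8bfb152
5a223c70b65c4d74fea98ba39bf5d127 46fd22acea614407bf11d92eb6736dc7
ec9dcef04c5c89d6107d23b0668cc1c1 568f7628e6b7bb7106a1a82aebfd348d
2a388f3428a6d44a66f5cb0b210379a0 537806c02659a12c5b21efa51b2322c1
bfb02dee62c38c3385df92b308499b31 1ae2e46aac55e7f92c72b56b387bc945
fb3c652e795f08cc2529ed33ec1dc114 fe8626e7c3f47a048c9f6c13c88a9463
"""
IOC_LINES = IOC_TEXT.split()

MD5_RE = re.compile(r"^[0-9a-f]{32}$", re.I)
# hive, then either the page's "..." elision or a backslash, then the rest of the key
REG_RE = re.compile(r"^(HK[A-Z_]+)(?:\.\.\.|\\)(.*)$", re.I)


def classify_iocs(items: List[str]) -> Dict[str, Set]:
    """Bucket raw indicator strings into MD5 hashes, domains and registry keys."""
    iocs: Dict[str, Set] = {"md5": set(), "domains": set(), "registry": set(), "other": set()}
    for raw in items:
        item = raw.strip()
        if MD5_RE.match(item):
            iocs["md5"].add(item.lower())
            continue
        item = re.sub(r"^https?://", "", item, flags=re.I)
        reg = REG_RE.match(item)
        if reg:
            # Assumption: with the middle of the path elided, hive + leaf key
            # name ("HKCU", "run") is the best match key the page allows.
            hive = reg.group(1).upper()
            leaf = reg.group(2).strip("\\").rsplit("\\", 1)[-1].lower()
            iocs["registry"].add((hive, leaf))
        elif "." in item:
            iocs["domains"].add(item.lower().split("/")[0].rstrip("."))
        else:
            iocs["other"].add(item)
    return iocs


def hunt(events: List[Dict[str, str]], iocs: Dict[str, Set]) -> List[Tuple[str, str, str]]:
    """Return (host, telemetry type, matched artefact) for every event that hits an IoC."""
    hits: List[Tuple[str, str, str]] = []
    for ev in events:
        kind = ev.get("type")
        if kind == "dns":
            q = ev["query"].lower().rstrip(".")
            # exact domain or any subdomain of a listed domain
            if any(q == d or q.endswith("." + d) for d in iocs["domains"]):
                hits.append((ev["host"], "dns", ev["query"]))
        elif kind == "file":
            if ev["md5"].lower() in iocs["md5"]:
                hits.append((ev["host"], "file", ev["path"]))
        elif kind == "registry":
            key = ev["key"].rstrip("\\")
            hive = key.split("\\", 1)[0].upper()
            leaf = key.rsplit("\\", 1)[-1].lower()
            if (hive, leaf) in iocs["registry"]:
                hits.append((ev["host"], "registry", ev["key"]))
    return hits


# Constructed telemetry (hypothetical schema, not real data): one benign and one
# suspicious event per telemetry type.
SAMPLE_EVENTS = [
    {"type": "dns", "host": "ws01", "query": "nocamoto.o-r.kr"},
    {"type": "dns", "host": "ws01", "query": "update.example.org"},
    {"type": "file", "host": "ws02", "path": r"C:\Users\user\Downloads\attachment.alz",
     "md5": "F14F332D4273DE04BA77E38FD3DCFF90"},
    {"type": "file", "host": "ws02", "path": r"C:\Windows\System32\notepad.exe",
     "md5": "00000000000000000000000000000000"},
    {"type": "registry", "host": "ws03",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "value": "Updater"},
    {"type": "registry", "host": "ws03",
     "key": r"HKLM\SYSTEM\CurrentControlSet\Services\Spooler", "value": "Start"},
]

if __name__ == "__main__":
    for host, kind, what in hunt(SAMPLE_EVENTS, classify_iocs(IOC_LINES)):
        print(f"{host}: {kind} indicator matched -> {what}")
```

Because the page elides the full registry path, the registry match is deliberately coarse (any hive-matching key whose leaf is `Run`) and will flag benign autorun entries as well; treat such hits as triage leads to be reviewed alongside the file and DNS matches, and tighten the key once the full path is known. Domain matching includes subdomains on purpose, since the listed hosts are cheap dynamic-DNS and free-hosting names that an actor can prefix freely.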