Kimsuky Distributing Malicious Mobile App via QR Code
Executive Summary
ENKI analyzed multiple recent "DOCSWAP" distribution channels and several newly identified APK variants.
The malicious app decrypts an embedded encrypted APK and launches a malicious service that provides RAT capabilities.
The threat actor added a new native decryption function and diversified the decoy behavior.
We identified multiple indicators that attribute the activity to Kimsuky, including shared C&C infrastructure and Korean-language comments.
1. Overview
In September 2025, the ENKI WhiteHat Threat Research Team detected a malicious mobile application distributed via phishing websites. The threat actor leveraged QR codes and notification pop-ups to lure victims into installing and executing the malware on their mobile devices.
Our analysis confirms this sample as the latest iteration of "DOCSWAP," a malware strain originally named by S2W in March 2025. While this version retains the behavioral patterns of earlier variants, it implements a distinct internal APK decryption mechanism. Additionally, we uncovered multiple indicators connecting this activity to the DPRK-nexus threat actor, …
IoC
URLs
http://27.102.137.181/users2/[email protected]&m=uggcf%3N%2S%2Savq.anire.pbz%2Savqybtva.ybtva
http://27.102.137.106
http://27.102.137.181
http://27.102.137.106/tracking.php?id=[Email
https://27.102.137.181/store/SecDelivery.APK
https://27.102.137.181/store/delivery.html
http://27.102.137.214
http://27.102.138.163
https://delivery.cjlogistics.kro.kr/loing/tracking.php?id=dGVzdEBuYXZlci5jb20=
http://27.102.137.106/mobile.html
http://27.102.137.181:50005
https://27.102.137.181/store/tracking.php?id=[base64
http://27.102.137.93
http://27.102.138.181
http://27.102.137.180
IP addresses
27.102.138.163
27.102.137.181
27.102.137.106
27.102.138.181
27.102.137.180
27.102.137.93
27.102.137.214
Email address
[email protected]
File hashes
2a7dab4c0f6507bc5fd826f9a336d50c
3a2a9f205c79ee45a84e3d862884fd72
03a117c6cb86859623720e75f839260a
2b99603cd8e69f82c064856d6ff63996
86da5e00a9c73c9cb0855805cbc38c4a
27ea7ef88724c51bbe3ad42853bbc204
858588b7c5331c948fb3e84d9b4ddbb7
c90ee7d3b1226f73044e7ae635493d31
506e136336ca9d7246caf8c9011fe97e
436287ad0ea3a9e94cd4574d54d0dec5
36677d732da69b7a81a46f9a06c36260
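The following is an added defender-side example, not part of the ENKI report and not ENKI's tooling: it loads the indicators listed above, sweeps constructed proxy-log lines and a constructed file-hash inventory against them, and decodes the two encoded query parameters that appear in the report's URLs. The `m=` value on the first URL decodes as ROT13 applied to a percent-encoded URL, and the `id=` value is base64, as the report's `[base64` placeholder indicates; both decodings are observations made here, not statements from the report. The log format, file paths and function names are this example's own assumptions.

```python
"""Sweep logs and file hashes against the DOCSWAP indicators from this report.

The indicator values are copied from the report; the log lines, file inventory
and log format are constructed for this example (not ENKI's data or tooling).
"""
import base64
import binascii
import codecs
import re
from typing import Optional
from urllib.parse import parse_qs, unquote, urlsplit

# Network indicators from the report.
IOC_IPS = {
    "27.102.138.163", "27.102.137.181", "27.102.137.106", "27.102.138.181",
    "27.102.137.180", "27.102.137.93", "27.102.137.214",
}
IOC_HOSTS = IOC_IPS | {"delivery.cjlogistics.kro.kr"}
# URL path prefixes seen in the report's distribution and tracking URLs.
# A path-only match is weak evidence (e.g. /tracking.php is a generic name),
# so it is reported with low confidence unless the host also matches.
IOC_PATHS = ("/store/SecDelivery.APK", "/store/delivery.html", "/mobile.html",
             "/loing/tracking.php", "/tracking.php", "/users2/")
# File hashes (32-hex digests) from the report, kept lowercase for comparison.
IOC_HASHES = {
    "2a7dab4c0f6507bc5fd826f9a336d50c", "3a2a9f205c79ee45a84e3d862884fd72",
    "03a117c6cb86859623720e75f839260a", "2b99603cd8e69f82c064856d6ff63996",
    "86da5e00a9c73c9cb0855805cbc38c4a", "27ea7ef88724c51bbe3ad42853bbc204",
    "858588b7c5331c948fb3e84d9b4ddbb7", "c90ee7d3b1226f73044e7ae635493d31",
    "506e136336ca9d7246caf8c9011fe97e", "436287ad0ea3a9e94cd4574d54d0dec5",
    "36677d732da69b7a81a46f9a06c36260",
}


def decode_redirect_param(m_value: str) -> str:
    """Undo the encoding of the 'm=' value on the report's first URL.

    Observation of this example: the value is a percent-encoded URL that was
    then ROT13-rotated, so reverse ROT13 first and percent-decode second.
    """
    return unquote(codecs.decode(m_value, "rot13"))


def decode_tracking_id(url: str) -> Optional[str]:
    """Return the decoded 'id=' value of a tracking.php URL, or None if absent
    or not valid base64 (e.g. the report's '[base64' placeholder)."""
    raw = parse_qs(urlsplit(url).query).get("id", [None])[0]
    if raw is None:
        return None
    try:
        return base64.b64decode(raw, validate=True).decode("utf-8")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None


# Constructed log format: "<timestamp> <client-ip> <requested-url>".
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<url>\S+)$")


def scan_proxy_log(lines):
    """Return one hit per line whose URL host or path matches an indicator.

    confidence is 'high' when the host itself is listed, 'low' when only a
    path prefix matches (worth a look, but expect false positives).
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the expected format
        parts = urlsplit(m["url"])
        host = parts.hostname or ""
        host_hit = host in IOC_HOSTS
        path_hit = any(parts.path.startswith(p) for p in IOC_PATHS)
        if not (host_hit or path_hit):
            continue
        hits.append({
            "ts": m["ts"], "client": m["client"], "url": m["url"],
            "confidence": "high" if host_hit else "low",
            "tracking_id": decode_tracking_id(m["url"]),
        })
    return hits


def scan_hashes(inventory):
    """inventory maps file path -> hex digest; return paths with listed hashes."""
    return sorted(p for p, h in inventory.items() if h.lower() in IOC_HASHES)


# Constructed sample data (client IPs, paths and timestamps are invented).
SAMPLE_LOG = [
    "2025-09-12T10:01:22Z 10.0.0.5 https://27.102.137.181/store/delivery.html",
    "2025-09-12T10:01:30Z 10.0.0.5 https://27.102.137.181/store/SecDelivery.APK",
    "2025-09-12T10:02:01Z 10.0.0.9 https://delivery.cjlogistics.kro.kr/loing/tracking.php?id=dGVzdEBuYXZlci5jb20=",
    "2025-09-12T10:03:15Z 10.0.0.7 https://www.example.com/index.html",
    "2025-09-12T10:04:00Z 10.0.0.8 https://shop.example.net/tracking.php?id=42",
]
SAMPLE_INVENTORY = {  # first digest is a dummy; second is from the report
    "/sdcard/Download/app.apk": "00000000000000000000000000000000",
    "/sdcard/Download/SecDelivery.APK": "2A7DAB4C0F6507BC5FD826F9A336D50C",
}

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(hit["confidence"], hit["client"], hit["url"], hit["tracking_id"])
    print("hash matches:", scan_hashes(SAMPLE_INVENTORY))
    print("m= decodes to:",
          decode_redirect_param("uggcf%3N%2S%2Savq.anire.pbz%2Savqybtva.ybtva"))
```

Path prefixes are listed separately from hosts so that a host that changes while the phishing kit's paths stay the same is still caught; the confidence field keeps such path-only hits from being treated as confirmed sightings. The base64 `id=` value decodes to an e-mail address in the report's sample URL, which is useful for telling which recipient followed a lure.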