Analysis of a Kimsuky Spear-Phishing Case Disguised as an Inquiry About Suspected Personal Information Leakage
2026-06-09 • ESTSecurity • Analysis of a Kimsuky Spear-Phishing Case Disguised as an Inquiry About Suspected Personal Information Leakage
Kimsuky-linked spear phishing targeted a South Korean company's information-security staff by impersonating a customer asking about a suspected personal-data leak. The attacker built trust over multiple emails, then delivered malicious LNK files disguised as customer-status documents; after an initial link was blocked, the payload was resent in a password-protected ZIP. ESRC analyzed three samples that shared an LNK-based initial chain but diverged into two C2 frameworks: one exchanged commands through the Dropbox API, ran RC4-decrypted PowerShell and persisted via a scheduled task; the other used direct HTTPS C2 with a startup VBS plus a batch decoder loop. The campaign used Korean-language decoys, one sample included anti-analysis and self-deletion features, and the Type B path used infrastructure at toopel.shop.
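Added detection example, not code from the ESRC report: a small Python rule set that flags the behaviours the chain above combines (script host launched from Explorer as an LNK would, scheduled task pointing into a user-writable path, VBS dropped into the Startup folder, Dropbox API lookups from a script host), run over constructed Sysmon-style event lines. Field names, rule names and all sample values are assumptions.

```python
import re
from typing import Dict, List

SCRIPT_HOSTS = ("powershell.exe", "wscript.exe", "cscript.exe", "cmd.exe")
DROPBOX_API_HOSTS = {"api.dropboxapi.com", "content.dropboxapi.com"}
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Public|Downloads)\\", re.I)
STARTUP_VBS = re.compile(r"\\start menu\\programs\\startup\\[^\\]+\.vbs$")

# Constructed sample events in a simplified 'key=value|key=value' layout (not real telemetry).
SAMPLE_EVENTS = [
    "EventID=1|Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|ParentImage=C:\\Windows\\explorer.exe|CommandLine=powershell.exe -w hidden -enc SQBFAFgA",
    "EventID=1|Image=C:\\Windows\\System32\\schtasks.exe|ParentImage=C:\\Windows\\System32\\cmd.exe|CommandLine=schtasks /create /sc minute /mo 10 /tn Sync /tr C:\\Users\\u\\AppData\\Roaming\\run.bat",
    "EventID=11|Image=C:\\Windows\\System32\\cmd.exe|TargetFilename=C:\\Users\\u\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\sys.vbs",
    "EventID=22|Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|QueryName=api.dropboxapi.com",
    "EventID=1|Image=C:\\Windows\\System32\\notepad.exe|ParentImage=C:\\Windows\\explorer.exe|CommandLine=notepad.exe report.txt",
]

def parse_event(line: str) -> Dict[str, str]:
    """Split one constructed event line into a field dict (first '=' separates key and value)."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def detect(ev: Dict[str, str]) -> List[str]:
    """Return the names of every rule the event matches (empty list if benign)."""
    hits = []
    eid, image = ev.get("EventID"), basename(ev.get("Image", ""))
    cmd = ev.get("CommandLine", "")
    parent = basename(ev.get("ParentImage", ""))
    # Rule 1: hidden/encoded script host spawned by Explorer, the shape of an LNK double-click.
    if eid == "1" and image in SCRIPT_HOSTS and parent == "explorer.exe" and \
            any(flag in cmd.lower() for flag in ("-enc", "hidden", "-e ")):
        hits.append("lnk_style_script_host_launch")
    # Rule 2: scheduled task whose action lives in a user-writable directory.
    if eid == "1" and image == "schtasks.exe" and "/create" in cmd.lower() and USER_WRITABLE.search(cmd):
        hits.append("scheduled_task_from_user_writable_path")
    # Rule 3: a .vbs written into the per-user Startup folder.
    if eid == "11" and STARTUP_VBS.search(ev.get("TargetFilename", "").lower()):
        hits.append("startup_vbs_drop")
    # Rule 4: a script host resolving Dropbox API hosts (cloud-storage C2 channel).
    if eid == "22" and image in SCRIPT_HOSTS and ev.get("QueryName", "").lower() in DROPBOX_API_HOSTS:
        hits.append("dropbox_api_from_script_host")
    return hits

def scan(lines: List[str]) -> Dict[int, List[str]]:
    """Map line index -> matched rules for every line that triggers at least one rule."""
    return {i: h for i, line in enumerate(lines) if (h := detect(parse_event(line)))}
```

Each rule alone is noisy in a large fleet; the value is in correlating several of them on one host within a short window, as this chain would produce.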
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| DOMAIN | toopel.shop | 2026-06-09 | 2026-06-09 |
| URL | https://toopel.shop/Pan/letgo.p… | 2026-06-09 | 2026-06-09 |