Analysis of LNK-Based Malicious Files Related to North Korea-Origin Threat Actors: Analysis of Konni and Kimsuky Attack Mechanisms Using LNK

2025-05-19 Igloo Analysis of LNK-Based Malicious Files Related to North Korea-Origin Threat Actors: Konni and Kimsuky Attack Mechanisms Using LNK

https://www.igloopedia.com/1edf216a-760c-8003-bb0a-c065e469a3c2


IGLOO analyzes four LNK-based malware samples believed to be distributed by North Korea-linked Konni and Kimsuky activity. The samples are grouped into three types based on C2, code structure, and obfuscation: modular batch-file use, copied legitimate processes, and batch files disguised as .db files. Konni-associated samples use compromised domains and more complex logic, including time-derived encryption for parts of communication URLs and host-based targeting using %COMPUTERNAME%. Kimsuky-associated samples are linked to PebbleDash and RAT-style follow-on activity for remote control and additional malicious actions.

Indicators of Compromise

Type Value First Seen Last Seen
HASH 75375c22c72f1beb76bea39c22a1ed68 2023-09-26 2026-01-14
HASH a523bf5dca0f2a4ace0cf766d9225343 2025-05-19 2025-07-01
HASH 12bfe00206b2e83c7ff79b657d3c56df 2025-05-19 2025-07-01
HASH 913fe4236ca5e34879d2a3228da6b9c6 2025-05-19 2025-07-01
HASH 89a725b08ab0e8885fc03b543638be96 2025-04-18 2025-07-01
IPv4 103.149.98.247 2025-04-18 2025-07-01
HASH cd826967aff6618d6e25f4101a2cc12f 2025-05-19 2025-05-19
HASH 8ba7ce929702a5423eb0ffd5763ab895 2025-05-19 2025-05-19
HASH 217ee812138da82ff8d19af26c164187 2025-05-19 2025-05-19
HASH 83117b531e84c16ef0e65f08a882d6f8 2025-05-19 2025-05-19
HASH fce7a980ec6a93525524fa7ac8e4a94b 2025-05-19 2025-05-19
HASH 40e77deae9d81d0924bf7c1d6afbb3f7 2025-05-19 2025-05-19
HASH 9a038a0d861d88c97efcc8503e002708 2025-05-19 2025-05-19
HASH 9d7802069d563b1e909f2c636bb55deb 2025-05-19 2025-05-19
URL https://ausbildungsbuddy.de/mod… 2025-05-19 2025-05-19
URL https://ausbildungsbuddy.de/mod… 2025-05-19 2025-05-19
URL http://osbrankoradicevickm.com/… 2025-05-19 2025-05-19
URL https://www.holosformations.fr/… 2025-05-19 2025-05-19
URL https://www.holosformations.fr/… 2025-05-19 2025-05-19
URL https://ausbildungsbuddy.de/mod… 2025-05-19 2025-05-19
HASH 777b6a02f7a44582c40ddadb82e60ddb 2025-04-24 2025-05-19
URL https://ausbildungsbuddy.de/mod… 2025-04-23 2025-05-19
URL https://ausbildungsbuddy.de/mod… 2025-04-23 2025-05-19
URL https://ausbildungsbuddy.de/mod… 2025-04-23 2025-05-19
DOMAIN ausbildungsbuddy.de 2025-04-23 2025-05-19
HASH a9b1c04438930c0c7cff3fe8e8520317 2025-04-18 2025-05-19
DOMAIN holosformations.fr 2025-04-18 2025-05-19
DOMAIN osbrankoradicevickm.com 2025-04-01 2025-05-19
IPv4 103.149.98.231 2025-03-07 2025-05-19
URL https://thevintagegarage.com/pl… 2024-07-25 2025-05-19
DOMAIN thevintagegarage.com 2024-07-25 2025-05-19
