North Korean Kimsuky Malware Using a U.S.-South Korea Military Alliance Theme: Update Schedule_INVITATION - 250625 UNC Ambassador's Roundtable.zip (2025.6.11)
2025-08-29 • Sakai
The sample is a password-protected ZIP containing a shortcut with a double extension, Update Schedule_INVITATION - 250625 UNC Ambassador's Roundtable.pdf.lnk, dressed up as a PDF. The lure impersonated a United Nations Command ambassador roundtable invitation and was reportedly sent from a Gmail account to a target at a southern European foreign ministry. Opening the LNK decodes Base64-encoded PowerShell embedded in the shortcut, downloads a decoy PDF and further scripts from raw.githubusercontent.com/landjhon/tokula, and writes components such as chrome.ps1, temp.ps1, and system_first.ps1 under temporary and AppData paths. Persistence is a hidden scheduled task that first runs after a five-minute delay and then repeats every 30 minutes, launching PowerShell with the hidden-window, no-profile, non-interactive, and execution-policy-bypass switches. Because the stages are fetched from raw.githubusercontent.com, the downloads blend in with legitimate GitHub traffic; the dropped script names and the scheduled-task definition are the clearer host-side hunting points.
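The task described above can be hunted for directly in Task Scheduler XML, which is the same format found under C:\Windows\System32\Tasks, returned by Export-ScheduledTask, and carried in the TaskContent field of Security event 4698. The following triage script is an added example written for this write-up, not code from the original report or from the actors' tooling. It assumes the task uses a RegistrationTrigger with a Delay and a Repetition/Interval (the report only states "after five minutes" and "every 30 minutes"), and the two task definitions, the task names, the victim path and the backup script are constructed for the example; the script name system_first.ps1 is the one the report lists.

```python
"""Triage Task Scheduler XML for a hidden, short-interval PowerShell task.

Added example; trigger form, task names and paths are assumptions.
"""
import re
import xml.etree.ElementTree as ET
from datetime import timedelta

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# powershell.exe accepts any unambiguous prefix of a switch name, so match
# prefixes (-w hidden, -nop, -noni, -ep bypass) rather than full names only.
FLAG_PATTERNS = {
    "hidden_window":   re.compile(r"-w\w*\s+hidden", re.I),
    "no_profile":      re.compile(r"-nop\w*", re.I),
    "non_interactive": re.compile(r"-noni\w*", re.I),
    "bypass_policy":   re.compile(r"-e\w*\s+bypass", re.I),
}


def parse_duration(text):
    """Parse the ISO 8601 duration subset Task Scheduler emits (PT5M, P1DT2H)."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", text.strip())
    if not m:
        raise ValueError(f"unsupported duration: {text!r}")
    days, hours, minutes, seconds = (int(g) if g else 0 for g in m.groups())
    return timedelta(days=days, hours=hours, minutes=minutes, seconds=seconds)


def analyze_task(xml_doc):
    """Return the observable properties of one task plus a 0-3 suspicion score."""
    root = ET.fromstring(xml_doc)  # accepts str or bytes (UTF-16 task files)
    hidden = root.findtext("t:Settings/t:Hidden", default="false", namespaces=NS)
    f = {"hidden": hidden.strip().lower() == "true",
         "delay_minutes": None, "repeat_minutes": None,
         "powershell": False, "flags": []}

    # Delay and repetition interval from any trigger type.
    triggers = root.find("t:Triggers", NS)
    for trig in (list(triggers) if triggers is not None else []):
        delay = trig.findtext("t:Delay", namespaces=NS)
        interval = trig.findtext("t:Repetition/t:Interval", namespaces=NS)
        if delay:
            f["delay_minutes"] = parse_duration(delay).total_seconds() / 60
        if interval:
            f["repeat_minutes"] = parse_duration(interval).total_seconds() / 60

    # PowerShell actions and which evasion switches their arguments carry.
    flags = set()
    for ex in root.iterfind("t:Actions/t:Exec", NS):
        command = ex.findtext("t:Command", default="", namespaces=NS).strip().lower()
        args = ex.findtext("t:Arguments", default="", namespaces=NS)
        if "powershell" in command or command.endswith("pwsh.exe"):
            f["powershell"] = True
            flags.update(n for n, rx in FLAG_PATTERNS.items() if rx.search(args))
    f["flags"] = sorted(flags)

    score = 0
    score += int(f["hidden"])
    score += int(f["powershell"] and len(f["flags"]) >= 3)
    score += int(f["repeat_minutes"] is not None and f["repeat_minutes"] <= 60)
    f["score"] = score
    f["matches_pattern"] = score == 3  # all three traits the report describes
    return f


# Constructed task resembling the reported persistence (user and path assumed).
MALICIOUS_TASK = r"""<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <RegistrationTrigger>
      <Repetition><Interval>PT30M</Interval></Repetition>
      <Delay>PT5M</Delay>
    </RegistrationTrigger>
  </Triggers>
  <Settings><Hidden>true</Hidden></Settings>
  <Actions Context="Author">
    <Exec>
      <Command>powershell.exe</Command>
      <Arguments>-WindowStyle Hidden -NoProfile -NonInteractive -ExecutionPolicy Bypass -File "C:\Users\victim\AppData\Roaming\system_first.ps1"</Arguments>
    </Exec>
  </Actions>
</Task>"""

# Constructed benign admin task: visible, daily, no evasion switches.
BENIGN_TASK = r"""<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <CalendarTrigger>
      <StartBoundary>2025-06-11T02:00:00</StartBoundary>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Settings><Hidden>false</Hidden></Settings>
  <Actions Context="Author">
    <Exec>
      <Command>powershell.exe</Command>
      <Arguments>-ExecutionPolicy RemoteSigned -File C:\Scripts\nightly-backup.ps1</Arguments>
    </Exec>
  </Actions>
</Task>"""


def triage(tasks):
    """Map task name -> analysis for a batch of exported task definitions."""
    return {name: analyze_task(doc) for name, doc in tasks.items()}


if __name__ == "__main__":
    for name, r in triage({"SuspectTask": MALICIOUS_TASK, "NightlyBackup": BENIGN_TASK}).items():
        print(f"{name}: score={r['score']} hidden={r['hidden']} delay={r['delay_minutes']}m "
              f"repeat={r['repeat_minutes']}m flags={r['flags']}")
```

When running this against real task files, read them as bytes so the UTF-16 declaration in the file is honoured; a score of 3 reproduces the exact combination the report describes, while a lower score still surfaces tasks worth a look (for example a hidden task with a short interval but a non-PowerShell action).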
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| HASH | 96ad2f7ad615d80fc37678ba3e4193c… | 2025-08-29 | 2025-08-29 |
| HASH | 5648d0e3c8baa6ae955fa5441ab8fdb… | 2025-08-29 | 2025-08-29 |
| DOMAIN | bas2.su | 2025-08-29 | 2025-08-29 |
| HASH | 9f5460850a3b5b53568cd450e834069… | 2025-08-18 | 2025-08-29 |
| HASH | 488570af25f908e907c9732aae632b0f | 2025-08-18 | 2025-08-29 |
| HASH | bca4cac80c436e813d93eba1b25257d0 | 2025-08-18 | 2025-08-29 |
| HASH | 9c5964753f8092a98f414a97cfb02cb… | 2025-08-18 | 2025-08-29 |
| EMAIL | (address obfuscated on the source page; not recoverable) | 2025-08-18 | 2025-08-29 |

Hashes shown with a trailing … are truncated on the source page and cannot be used for matching as listed; the two full 32-hex-character values (488570af25f908e907c9732aae632b0f and bca4cac80c436e813d93eba1b25257d0) are MD5-length digests.