Q1 DPRK Operation Kimsuky Analysis

2026-05-15 Logpresso Q1 DPRK Operation Kimsuky Analysis

https://logpresso.com/ko/blog/2026-05-15-1Q-Kimsuky-report


Logpresso analyzed four Kimsuky spear-phishing campaigns from early 2026 whose lures were tailored to recruiters, business contacts, healthcare and insurance entities, cryptocurrency users and developers, defense-related personnel, and graduate-program stakeholders. The initial droppers were LNK files disguised as PDFs or JSE (encoded JScript) files disguised as HWPX documents, the XML-based Hancom Office format widely used in Korea. All four campaigns then followed the same flow: display the decoy, drop the payload, establish persistence, beacon to C2, and hand over remote control. Payloads included a PowerShell RAT, a PowerShell infostealer, VBE-to-PowerShell fileless execution, DLL-based reconnaissance, and abuse of VS Code tunnels for remote access. The infrastructure mixed attacker-controlled servers with legitimate services (GitHub raw content, Microsoft CDN delivery, GitHub OAuth, and VS Code tunnels), so reputation-based blocking alone is not sufficient: hosts that contact the indicators below, or that start VS Code tunnels outside sanctioned use, warrant investigation.

Indicators of Compromise

Type    Value                               First Seen   Last Seen
IPv4    103.67.196.25                       2026-04-07   2026-05-19
HASH    bb5040d54135b0999cc491b41a0a45e2    2026-05-15   2026-05-15
HASH    cbb059bd691d846e8279d617134d3129    2026-05-15   2026-05-15
HASH    0dd1cf2d9a72fdbef19e77af59ba9d1f    2026-05-15   2026-05-15
HASH    b3c90f52e4b86a94ec637fee4354bb84    2026-05-15   2026-05-15
HASH    8301fc2c740f6309864e68b6e429d0f0    2026-05-15   2026-05-15
HASH    471faa43f4811a0250648d586cb3eebf    2026-05-15   2026-05-15
HASH    a3363e0c22c0356fdbcdc37f502bbcde    2026-05-15   2026-05-15
HASH    3fdce08723365d5c06e1183585164118    2026-05-15   2026-05-15
HASH    6869766741b40825e31fd8bbff688bd3    2026-05-15   2026-05-15
HASH    552ca91696fedd387e1ea47f50f18344    2026-05-15   2026-05-15
HASH    2689f58b803364bbfba2edb423a3b572    2026-05-15   2026-05-15
HASH    c57a8b40d2ca402656ff3d778f42708c    2026-05-15   2026-05-15
HASH    806fb7876b63ba89d2432cb831be01ba    2026-05-15   2026-05-15
HASH    c499e415f7e07f513d8319013a8b2e86    2026-05-15   2026-05-15
HASH    80088af673b0117dbd5cf528021dd970    2026-05-15   2026-05-15
URL     https://www.pyrotech.co.kr/comm…    2026-05-15   2026-05-15
URL     https://raw.githubusercontent.c…    2026-05-15   2026-05-15
URL     https://raw.githubusercontent.c…    2026-05-15   2026-05-15
URL     https://nelark.icu/xftaswx/res/…    2026-05-15   2026-05-15
URL     https://nelark.icu/xftaswx/res/…    2026-05-15   2026-05-15
URL     https://nelark.icu/xftaswx/res/…    2026-05-15   2026-05-15
URL     https://nelark.icu/xftaswx/res/…    2026-05-15   2026-05-15
URL     https://nelark.icu/xftaswx/res/…    2026-05-15   2026-05-15
URL     http://yespp.co.kr/                 2026-05-15   2026-05-15
URL     http://103.67.196.25/view1.php?…    2026-05-15   2026-05-15
URL     http://103.67.196.25/payload.dat    2026-05-15   2026-05-15
URL     http://103.67.196.25/conf.dat       2026-05-15   2026-05-15
DOMAIN  www.pyrotech.co.kr                  2026-05-15   2026-05-15
DOMAIN  nelark.icu                          2026-05-15   2026-05-15
HASH    bb9e9c893b170b3774c150b1d0b93a73    2026-05-15   2026-05-15
HASH    af7330af68a8f79b5a28fcc242e54a7e    2026-05-15   2026-05-15
HASH    aa9d5dd632bb90addca480eaa5ff4382    2026-05-15   2026-05-15
HASH    831d7c614ba32aa5d70ff9b0f259ee1d    2026-05-15   2026-05-15
HASH    5c2857913efc6007b3ee7028a132baa4    2026-05-15   2026-05-15
HASH    450774df6785e6eeb6ea906490905888    2026-05-15   2026-05-15
HASH    0331a83b58231cb0cd3bfe319003ed1a    2026-05-15   2026-05-15
DOMAIN  yespp.co.kr                         2026-01-21   2026-05-15
DOMAIN  www.yespp.co.kr                     2026-01-21   2026-05-15
URL     https://www.yespp.co.kr/common/…    2026-01-21   2026-05-15
HASH    08160acf08fccecde7b34090db18b321    2026-05-14   2026-05-14
HASH    9fe43e08c8f446554340f972dac8a68c    2026-05-14   2026-05-14
HASH    52f1ff082e981cbdfd1f045c6021c63f    2026-05-14   2026-05-14

HASH values are 32-hex-character digests (MD5 length). URL values ending in … are truncated on this page and are not reconstructed here; match those on the host or IP instead. raw.githubusercontent.com is shared, legitimate hosting that the actor abused, so treat hits on it as a review item rather than a block.
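One way to put the summary and the IOC table above to work, as an added example that is not Logpresso's code: a Python triage script that matches the complete indicator values from the table against proxy and process logs and flags the tradecraft the summary describes (double-extension lures such as .pdf.lnk, a VBE run by wscript, and a VS Code tunnel). The tab-separated log layout, the sample lines, and the command-line patterns behind the three heuristics are assumptions made for the demo; the report names the techniques without quoting the commands. Truncated URLs are deliberately not reconstructed; their hosts are matched instead.

```python
"""Hunt for this page's Kimsuky indicators in proxy and process logs.

Added example, not Logpresso's code. Indicator values are copied from the
IOC table above (complete values only); the log layout, the sample lines
and the heuristic command-line shapes are assumptions for the demo.
"""
import re
from urllib.parse import urlparse

IOC_IPS = {"103.67.196.25"}
IOC_DOMAINS = {"pyrotech.co.kr", "www.pyrotech.co.kr", "nelark.icu",
               "yespp.co.kr", "www.yespp.co.kr"}
# Only URLs that are complete on the page; truncated ones are covered by host/IP.
IOC_URLS = {"http://103.67.196.25/payload.dat", "http://103.67.196.25/conf.dat",
            "http://yespp.co.kr/"}
# Subset of the table's MD5 digests; paste the full column in practice.
IOC_MD5 = {"bb5040d54135b0999cc491b41a0a45e2", "08160acf08fccecde7b34090db18b321",
           "0331a83b58231cb0cd3bfe319003ed1a"}
# Legitimate hosting the actor abused per the summary: review, never a hard block.
REVIEW_DOMAINS = {"raw.githubusercontent.com"}

# Tradecraft heuristics (assumed shapes; the report names the techniques only).
MASQ_EXT = re.compile(r'[^\s"]*\.(?:pdf|hwpx?|docx?)\.(?:lnk|jse|vbe|js)\b', re.I)
VSCODE_TUNNEL = re.compile(r'\bcode(?:\.exe)?"?\s+tunnel\b', re.I)   # `code tunnel` CLI
VBE_EXEC = re.compile(r'[wc]script(?:\.exe)?\b.*\.vbe\b', re.I)       # encoded VBScript


def match_host(host):
    """Return the indicator covering host: exact IP, or the domain or any parent."""
    host = host.lower().rstrip(".")
    if host in IOC_IPS:
        return host
    labels = host.split(".")
    for i in range(len(labels) - 1):
        cand = ".".join(labels[i:])
        if cand in IOC_DOMAINS:
            return cand
    return None


def check_network(line):
    """Proxy line 'ts<TAB>src<TAB>url' -> list of (kind, value) findings."""
    _ts, _src, url = line.rstrip("\n").split("\t")
    host = (urlparse(url).hostname or "").lower()
    findings = []
    if url in IOC_URLS:
        findings.append(("ioc_url", url))
    ind = match_host(host)
    if ind:
        findings.append(("ioc_host", ind))
    elif host in REVIEW_DOMAINS:
        findings.append(("review_host", host))
    return findings


def check_process(line):
    """Process line 'ts<TAB>user<TAB>image<TAB>cmdline<TAB>md5' -> findings.

    The md5 column is the digest of the launched file (the LNK in the first
    sample), a layout chosen for the demo.
    """
    _ts, _user, _image, cmdline, md5 = line.rstrip("\n").split("\t")
    findings = []
    if md5.lower() in IOC_MD5:
        findings.append(("ioc_md5", md5.lower()))
    for m in MASQ_EXT.finditer(cmdline):
        findings.append(("double_extension", m.group(0)))
    if VSCODE_TUNNEL.search(cmdline):
        findings.append(("vscode_tunnel", cmdline))
    if VBE_EXEC.search(cmdline):
        findings.append(("vbe_execution", cmdline))
    return findings


def hunt(network_lines, process_lines):
    """Run both checks; return (timestamp, kind, value) tuples in log order."""
    hits = []
    for line in network_lines:
        hits += [(line.split("\t")[0], k, v) for k, v in check_network(line)]
    for line in process_lines:
        hits += [(line.split("\t")[0], k, v) for k, v in check_process(line)]
    return hits


# Constructed sample logs (not from the report); placeholder digests are
# the MD5 of "" and of "a".
NET_LOG = [
    "2026-05-16T09:12:01Z\t10.0.0.14\thttp://103.67.196.25/payload.dat",
    "2026-05-16T09:12:02Z\t10.0.0.14\thttps://nelark.icu/",
    "2026-05-16T09:12:30Z\t10.0.0.14\thttps://raw.githubusercontent.com/",
    "2026-05-16T09:13:00Z\t10.0.0.22\thttps://www.example.com/",
]
PROC_LOG = [
    "2026-05-16T09:11:55Z\tjlee\tC:\\Windows\\explorer.exe\t"
    "\"C:\\Users\\jlee\\Downloads\\interview_schedule.pdf.lnk\"\t"
    "bb5040d54135b0999cc491b41a0a45e2",
    "2026-05-16T09:11:58Z\tjlee\tC:\\Windows\\System32\\wscript.exe\t"
    "\"C:\\Windows\\System32\\wscript.exe\" //B \"C:\\Users\\jlee\\AppData\\Local\\Temp\\upd.vbe\"\t"
    "d41d8cd98f00b204e9800998ecf8427e",
    "2026-05-16T09:20:10Z\tjlee\tC:\\Program Files\\Microsoft VS Code\\code.exe\t"
    "\"C:\\Program Files\\Microsoft VS Code\\code.exe\" tunnel --accept-server-license-terms\t"
    "0cc175b9c0f1b6a831c399e269772661",
]

if __name__ == "__main__":
    for ts, kind, value in hunt(NET_LOG, PROC_LOG):
        print(f"{ts}  {kind:<16} {value}")
```

The domain matcher walks parent labels so a subdomain of nelark.icu is caught without also matching an unrelated name that merely contains it. The VS Code tunnel and VBE rules will fire on legitimate developer and admin activity; they are meant to be reviewed next to the hard indicator hits, not alerted on alone.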
