2023 Sep - Threat Trend Report on Kimsuky Group
2023-11-13 • AhnLab
AhnLab's September 2023 Kimsuky trend report says the group's activity shifted strongly toward RandomQuery, while FlowerPower was not observed and AppleSeed/BabyShark activity remained comparatively low. The report counted 11 RandomQuery, 4 AppleSeed, and 6 BabyShark FQDN instances, and describes changes to RandomQuery including fragmented VBScript/PowerShell delivery, new URL parameter formats such as qu and ix, scheduled-task persistence, PBKDF2-based decryption, data collection, and keylogging under the Windows Themes path. ASEC interprets the script fragmentation and obfuscation as an effort to hinder analysis and evade existing URL-based detections.