The excerpt attributes a phishing email impersonating a Korean National Tax Service electronic document notice about 2024 comprehensive income tax surcharges to Kimsuky. The lure is image-based and hides recipient-specific link data inside Base64-encoded …
Logpresso attributes a July 2025 LNK-based intrusion to North Korea-linked Kimsuky, using decoy archives themed around sex offender notification and tax notice documents. The infection chain launches mshta.exe from a disguised shortcut, retrieves encrypte…
TmaxTibero discovered a compromise of its customer support site only after notification from the Gyeonggi Nambu Provincial Police Agency’s security cyber investigation unit. Attackers reportedly replaced the Tibero 7 installer with a malicious file, creat…
GitLab Threat Intelligence linked infrastructure active since at least May 2025 to North Korean operators distributing BeaverTail and InvisibleFerret variants associated with Contagious Interview and Famous Chollima activity. The campaign used a fake hiri…
A Kimsuky-attributed LNK masquerades as a Samsung Electronics meeting-related PDF and launches hidden PowerShell to decode and run a temporary script. The infection chain downloads a decoy PDF and additional scripts from raw.githubusercontent.com under th…
The excerpt attributes an OFX text-stage script from the “Update Schedule_INVITATION - 250625 UNC Ambassador's Roundtable” archive to Kimsuky activity using a diplomatic-themed lure. The PowerShell collects host profiling data, including the first network…
Genians describes a Kimsuky spear-phishing campaign that impersonated a South Korean defense-related institution and used generative AI-created military employee ID card imagery as a lure. The campaign connects earlier ClickFix activity targeting North Ko…
Genians reports a Kimsuky-attributed spear-phishing campaign that abused ChatGPT-generated deepfake imagery of South Korean military government employee ID cards to make a defense-sector lure appear like an ID issuance review task. The activity is tied to…
Intel 471 reviews the Phrack 72 leak of a threat actor workstation and VPS that Saber and cyb0rg claimed belonged to a Kimsuky/Emerald Sleet-linked operator, exposing about 9 GB of malware, credentials, tooling, browser histories, and backdoor documentati…
AhnLab’s August 2025 domestic APT telemetry shows spearphishing remained the dominant intrusion method in South Korea, with LNK files making up the largest share of observed cases. The excerpt describes LNK payloads that extract embedded CAB archives and …
The Korean analysis attributes a large malicious LNK file themed around Hyundai data recovery and procedure establishment to Kimsuky, while noting uncertainty about how the lure content was obtained. The shortcut contains PowerShell that searches for an o…
AhnLab’s August 2025 APT trend report highlights North Korea-linked campaigns against South Korean policy, media, finance, technology, and diplomatic targets. One Kimsuky case used a journalist impersonation lure against a policy institute, delivering an …
Lazarus Group activity in 2025 combines fake North Korean IT-worker placement, fraudulent recruiting and interview lures, and malicious open-source packages aimed at technology and cryptocurrency organizations. The excerpt links Operation 99/Contagious In…
S2W TALON identified ongoing Kimsuky activity abusing private GitHub repositories to deliver and manage PowerShell malware. The infection begins with a ZIP containing an LNK file disguised as an electronic tax invoice, which launches PowerShell to downloa…
S2W TALON reported Kimsuky activity in which the North Korea-backed group abused private GitHub repositories for malware delivery, script management, and data exfiltration. The attack starts with a ZIP archive containing an LNK file disguised as an electr…