Analysis of the Triple Combo Threat of the Kimsuky Group
2025-06-09 • Genians
https://www.genians.co.kr/en/blog/threat_intelligence/triple-combo
Genians analyzed a March-April 2025 AppleSeed campaign attributed in the report to Kimsuky, a North Korea-linked state-sponsored group active against defense, military, cryptocurrency, vaccine, and North Korea-related activist targets. The operators used a multi-channel approach across Facebook, email, and Telegram, including hijacked or deceptive Facebook accounts, Korean-language social engineering, and lures about volunteer support for North Korean defectors. Malicious payloads were delivered in password-protected EGG archives and included obfuscated JSE scripts that created a decoy PDF while decoding and launching malicious DLL components through PowerShell, certutil, and regsvr32. The report links the activity to historical AppleSeed artifacts through PDB paths and describes evasion choices such as Korea-specific archive formats, Base64-encoded scripts, and Windows-focused execution flows. It matters because the campaign shows Kimsuky combining trusted social relationships, multiple messaging platforms, and tailored lures to reach sensitive Korean targets.
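The execution chain described above (a .jse script host whose descendants decode a Base64 file with certutil and then load the resulting DLL through regsvr32) lends itself to a process-lineage detection rather than a single-command rule. The Python below is an added example, not code from the Genians report: the process events, pids, paths and filenames are constructed, and the stage names are the author's own.

```python
import re
from collections import namedtuple

Proc = namedtuple("Proc", "pid ppid image cmdline")  # one process-creation record
# Constructed sample telemetry (not from the report): a .jse script host whose
# descendants certutil-decode a DLL and load it with regsvr32, plus benign noise.
SAMPLE_EVENTS = [
    Proc(200, 1, r"C:\Windows\System32\wscript.exe",
         r'wscript.exe "C:\Users\u\Downloads\support_list.jse"'),
    Proc(300, 200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
         "powershell.exe -w hidden -enc SQBFAFgA"),
    Proc(400, 300, r"C:\Windows\System32\certutil.exe",
         r"certutil -decode C:\Users\u\AppData\Local\Temp\a.txt C:\Users\u\AppData\Local\Temp\a.dll"),
    Proc(500, 300, r"C:\Windows\System32\regsvr32.exe", r"regsvr32 /s C:\Users\u\AppData\Local\Temp\a.dll"),
    Proc(600, 1, r"C:\Windows\System32\certutil.exe", "certutil -verify cert.cer"),
]

USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads|Users\\Public)\\", re.I)

def stage(ev):
    """Map one event to a stage of the described chain, or None if it looks benign."""
    img, cmd = ev.image.rsplit("\\", 1)[-1].lower(), ev.cmdline.lower()
    if img in ("wscript.exe", "cscript.exe") and ".jse" in cmd:
        return "jse_script_host"
    if img == "certutil.exe" and re.search(r"[-/]decode", cmd):
        return "certutil_decode"
    if img == "regsvr32.exe" and ".dll" in cmd and USER_WRITABLE.search(cmd):
        return "regsvr32_user_dll"
    return None

def descends_from(ev, root_pid, by_pid):
    """True if root_pid is an ancestor of ev (parent-chain walk, cycle-safe)."""
    seen = set()
    while ev.ppid in by_pid and ev.ppid not in seen:
        if ev.ppid == root_pid:
            return True
        seen.add(ev.ppid)
        ev = by_pid[ev.ppid]
    return False

def find_chains(events):
    """{script_host_pid: sorted stages} for each .jse host whose descendants both
    certutil-decode a file and regsvr32-load a DLL from a user-writable path."""
    by_pid, findings = {e.pid: e for e in events}, {}
    for root in [e for e in events if stage(e) == "jse_script_host"]:
        stages = {stage(d) for d in events if stage(d) and descends_from(d, root.pid, by_pid)}
        stages.add("jse_script_host")
        if {"certutil_decode", "regsvr32_user_dll"} <= stages:
            findings[root.pid] = sorted(stages)
    return findings
```

Legitimate installers also call regsvr32 on DLLs under %APPDATA%, which is why the rule keys on the .jse host lineage rather than on any one stage; the intermediate PowerShell hop is crossed by the ancestor walk without needing its own signature.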
Indicators of Compromise: the file hashes and domains are listed in the full Genians report linked above.