From Surveillance to Espionage: Unraveling the Latest Strategies of the Kimsuky Group

2024-08-24 Zscaler

https://hitcon.org/2024/CMT/slides/From_Surveillance_to_Espionage_Unraveling_the_Latest_Strategies_of_the_Kimsuky_Group.pdf

Attachments

From_Surveillance_to_Espionage_Unraveling_the_Latest_Strategies_of_uU7IQCT.pdf (5 MB)


Zscaler ThreatLabZ research tracks Kimsuky activity against government, diplomatic, defense, think-tank, NGO, journalist, defector, academic, cryptocurrency, and e-commerce targets in South Korea, Japan, the United States, and other regions.

The slides describe a malicious Chrome extension that abuses broad host permissions to harvest email addresses and the values of password fields, with the login pages of Naver, Kakao, Google, and Daum as its targets. The extension locates its C2 through a dead-drop resolver and derives a C2 URL that ends in /log.php.

Other activity covered in the talk includes screenshot capture every five seconds, repeated injection of ms-powerpoint:// links, use of the b374k webshell, infrastructure under r-e.kr, and an httpSpy backdoor whose functions include command execution, file transfer, screenshot capture, configuration updates, and timestomping.

The research also highlights overlaps among DPRK actors, including a November 2023 case in which Kimsuky-like malware spread through an enterprise software update program and installed DurianBeacon, a backdoor previously identified in Andariel attacks.
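The extension profile above (broad host access combined with content scripts on the four login domains) is the kind of thing an analyst can check mechanically in a manifest. The following Node.js script is an added example written for this page; it is not code from the slides or from Zscaler. The manifest, its name and script file names are constructed, and the login hostnames (nid.naver.com, accounts.kakao.com, accounts.google.com, logins.daum.net) are assumptions about where those sites sign in, used only as sample input.

```javascript
// Added example, not code from the slides or from Zscaler: triage a Chrome
// extension manifest for the two traits the summary attributes to the Kimsuky
// extension, broad host access plus content scripts aimed at the login
// domains of Naver, Kakao, Google and Daum. Run with: node triage.js
// The manifest, its name and its script file names are constructed for this
// example; the login hostnames are assumptions about where those sites sign in.
const LOGIN_BRANDS = ["naver.com", "kakao.com", "google.com", "daum.net"];

const SAMPLE_MANIFEST = JSON.stringify({
  manifest_version: 3,
  name: "Secure Document Viewer",            // constructed
  version: "1.0.2",
  permissions: ["storage", "tabs", "scripting"],
  host_permissions: ["<all_urls>"],          // broad host access
  content_scripts: [{
    matches: ["*://nid.naver.com/*", "*://accounts.kakao.com/*",
              "*://accounts.google.com/*", "*://logins.daum.net/*"],
    js: ["content.js"],
    run_at: "document_idle"
  }],
  background: { service_worker: "bg.js" }
});

// Split a Chrome match pattern into scheme, host and path. Returns null for
// strings that are not match patterns (API permissions such as "tabs").
function parseMatchPattern(pattern) {
  if (pattern === "<all_urls>") return { scheme: "*", host: "*", path: "/*" };
  const m = /^(\*|https?|file|ftp):\/\/([^/]*)(\/.*)$/.exec(pattern);
  return m ? { scheme: m[1], host: m[2], path: m[3] } : null;
}

// A pattern whose host component is "*" reaches every site.
function isBroadPattern(pattern) {
  const p = parseMatchPattern(pattern);
  return p !== null && p.host === "*";
}

// True when a pattern host is the brand's registrable domain or any host under it.
function hostMatchesBrand(host, brand) {
  const h = host.replace(/^\*\./, "").toLowerCase();
  return h === brand || h.endsWith("." + brand);
}

function triageManifest(jsonText) {
  const manifest = JSON.parse(jsonText);
  // MV3 keeps host patterns in host_permissions; MV2 mixes them into permissions.
  const hostPatterns = [...(manifest.host_permissions || []), ...(manifest.permissions || [])]
    .filter((p) => typeof p === "string" && parseMatchPattern(p) !== null);
  const broadHosts = hostPatterns.filter(isBroadPattern);

  const loginTargets = [];
  for (const cs of manifest.content_scripts || []) {
    for (const pattern of cs.matches || []) {
      const p = parseMatchPattern(pattern);
      if (!p) continue;
      for (const brand of LOGIN_BRANDS) {
        if (hostMatchesBrand(p.host, brand)) {
          loginTargets.push({ pattern, brand, scripts: cs.js || [] });
        }
      }
    }
  }

  const findings = [];
  if (broadHosts.length > 0) findings.push(`broad host access: ${broadHosts.join(", ")}`);
  if (loginTargets.length > 0) {
    const brands = [...new Set(loginTargets.map((t) => t.brand))];
    findings.push(`content scripts on login domains: ${brands.join(", ")}`);
  }
  // Both traits together match the profile in the talk; either alone needs review.
  let verdict = "low";
  if (broadHosts.length > 0 && loginTargets.length > 0) verdict = "high";
  else if (findings.length > 0) verdict = "medium";
  return { verdict, findings, broadHosts, loginTargets };
}

console.log(JSON.stringify(triageManifest(SAMPLE_MANIFEST), null, 2));
```

The check only reads the manifest; a content script can still be benign on a login page, and an extension can request broad hosts for legitimate reasons, so the verdict is a triage priority, not a conviction. Reviewing content.js for reads of password inputs and for the outbound request path would be the next step.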

Indicators of Compromise

Type     Value                              First Seen   Last Seen
DOMAIN   r-e.kr                             2023-03-23   2026-06-01
DOMAIN   download.uberlingen.com            2024-06-07   2025-06-09
HASH     0315e137a6e2d658f07af454c63a0af2   2024-08-24   2025-05-24
DOMAIN   online.viewers.r-e.kr              2024-06-07   2024-08-24
DOMAIN   share.dihl-defence.o-r.kr          2024-06-07   2024-08-24
DOMAIN   cloud.adoubleu.de                  2024-06-07   2024-08-24
DOMAIN   ecloud.uberlingen.n-e.kr           2024-06-07   2024-08-24
DOMAIN   share-defence.verymad.net          2024-06-07   2024-08-24
DOMAIN   share-defence.ohbah.com            2024-06-07   2024-08-24
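One caveat when operationalising this list: r-e.kr is a parent zone that other listed hosts sit under (online.viewers.r-e.kr), and the sibling zones o-r.kr and n-e.kr appear the same way, so a plain suffix match on the two-label entry will fire on unrelated hosts under that zone. The following Node.js script is an added example for this page, not code from the slides or from Zscaler; it matches log hostnames against the table above, reports exact FQDN hits with high confidence and apex-only suffix hits as low confidence, and also checks the listed hash. The log lines and client addresses are constructed.

```javascript
// Added example, not from the slides or from Zscaler: match hostnames seen in
// proxy or DNS logs against the IOC table above. Exact FQDN hits are reported
// with high confidence. r-e.kr is a parent zone that other listed hosts sit
// under (online.viewers.r-e.kr), so a hit that is only a suffix match on a
// two-label entry is reported as low confidence for analyst review rather
// than as a detection. Log lines and addresses below are constructed.
const IOC_DOMAINS = [
  "r-e.kr",
  "download.uberlingen.com",
  "online.viewers.r-e.kr",
  "share.dihl-defence.o-r.kr",
  "cloud.adoubleu.de",
  "ecloud.uberlingen.n-e.kr",
  "share-defence.verymad.net",
  "share-defence.ohbah.com",
];
const IOC_HASHES = new Set(["0315e137a6e2d658f07af454c63a0af2"]);

// Lower-case, trim, and drop a trailing dot so "FOO.r-e.kr." compares equal to "foo.r-e.kr".
function normalizeHost(host) {
  return host.trim().toLowerCase().replace(/\.$/, "");
}

function matchHost(host) {
  const h = normalizeHost(host);
  const exact = IOC_DOMAINS.find((ioc) => ioc === h);
  if (exact) return { ioc: exact, kind: "exact", confidence: "high" };
  // Longest suffix first so foo.online.viewers.r-e.kr attributes to the FQDN, not the apex.
  const suffix = IOC_DOMAINS
    .filter((ioc) => h.endsWith("." + ioc))
    .sort((a, b) => b.length - a.length)[0];
  if (!suffix) return null;
  const isSharedZone = suffix.split(".").length === 2;  // apex entry such as r-e.kr
  return { ioc: suffix, kind: "suffix", confidence: isSharedZone ? "low" : "medium" };
}

// The listed hash is 32 hex characters; normalise case and whitespace before lookup.
function matchHash(hex) {
  const h = hex.trim().toLowerCase();
  return /^[0-9a-f]{32}$/.test(h) && IOC_HASHES.has(h);
}

// Constructed log format: "<timestamp> <client-ip> <hostname>"
const SAMPLE_LOG = `
2024-06-10T08:12:03Z 10.0.0.15 online.viewers.r-e.kr
2024-06-10T08:12:09Z 10.0.0.15 SHARE-DEFENCE.verymad.net.
2024-06-10T08:13:41Z 10.0.0.22 myblog.r-e.kr
2024-06-10T08:14:00Z 10.0.0.22 www.example.com
2024-06-10T08:15:27Z 10.0.0.31 cloud.adoubleu.de
`;

function scanLog(text) {
  const hits = [];
  for (const line of text.split("\n")) {
    const fields = line.trim().split(/\s+/);
    if (fields.length < 3) continue;
    const m = matchHost(fields[2]);
    if (m) hits.push({ ts: fields[0], client: fields[1], host: normalizeHost(fields[2]), ...m });
  }
  return hits;
}

for (const hit of scanLog(SAMPLE_LOG)) {
  console.log(`${hit.confidence.padEnd(6)} ${hit.kind.padEnd(6)} ${hit.client} ${hit.host} -> ${hit.ioc}`);
}
```

Three of the five constructed lines are exact hits; myblog.r-e.kr is reported as a low-confidence suffix hit on the apex, which is the case an analyst should review rather than alert on. The hash check takes the listed value verbatim; it does not assert which hash algorithm produced it.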
