Kimsuky Group's Watering-Hole Attack: Beware of Malicious Files Disguised as a Unification Education Application
2025-03-07 • ESTSecurity • Kimsuky Watering-Hole Attack Distributes Malware Disguised as a Unification Education Application
ESRC reports a Kimsuky watering-hole attack that abused an application document for a university-hosted unification education program. Visitors seeking the application could download a malicious HWP file whose visible link text triggered an embedded OLE object, document.bat, rather than an external URL. The batch file opened a decoy document, renamed dropped files under temporary and public music paths, configured persistence through scheduled execution, and prepared additional C2 download activity, making the campaign a targeted lure against people interested in inter-Korean or unification topics.
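As an added detection example (not ESRC's or ESTSecurity's code), the following Python correlates the chain described above over constructed Sysmon-style process-creation events: a scheduled-task creation whose ancestry runs through a .bat launched under the HWP word processor and whose task points at a temp or public Music path. The image name `Hwp.exe`, the field layout and all sample paths are assumptions.

```python
from dataclasses import dataclass

# Hancom Office word-processor image name (assumption; adjust to your fleet).
HWP_IMAGES = ("\\hwp.exe",)
# Staging locations named in the report: a temp directory and the public Music folder.
STAGING_DIRS = ("\\appdata\\local\\temp\\", "\\users\\public\\music\\")

@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str

def ancestors(ev, by_pid, max_depth=32):
    """Yield the parent chain of ev, nearest parent first (bounded to avoid cycles)."""
    cur = ev
    for _ in range(max_depth):
        if cur.ppid not in by_pid:
            return
        cur = by_pid[cur.ppid]
        yield cur

def detect_chain(events):
    """Return pids of 'schtasks /create' events that (1) descend from a .bat,
    (2) descend from an HWP process, and (3) register a task in a staging dir."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for ev in events:
        cmd = ev.cmdline.lower()
        if not (ev.image.lower().endswith("\\schtasks.exe") and "/create" in cmd):
            continue
        chain = list(ancestors(ev, by_pid))
        from_bat = any(".bat" in a.cmdline.lower() for a in chain)
        from_hwp = any(a.image.lower().endswith(HWP_IMAGES) for a in chain)
        staged = any(d in cmd for d in STAGING_DIRS)
        if from_bat and from_hwp and staged:
            hits.append(ev.pid)
    return hits

# Constructed sample telemetry (not from the report): one suspicious chain, one benign task.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Program Files\Hnc\Office\Hwp.exe", "Hwp.exe application.hwp"),
    ProcEvent(200, 100, r"C:\Windows\System32\cmd.exe", r'cmd.exe /c "C:\Users\u\AppData\Local\Temp\document.bat"'),
    ProcEvent(300, 200, r"C:\Windows\System32\schtasks.exe", r"schtasks /create /tn Update /tr C:\Users\Public\Music\x.dat /sc minute"),
    ProcEvent(400, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(500, 400, r"C:\Windows\System32\schtasks.exe", r"schtasks /create /tn Backup /tr C:\Program Files\Backup\run.exe /sc daily"),
]

if __name__ == "__main__":
    print(detect_chain(SAMPLE_EVENTS))  # [300]
```

Only the task created under the HWP-spawned batch file is reported; the explorer-launched task with a Program Files target is left alone, which keeps the rule from firing on ordinary administrative task creation.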
Indicators of Compromise