Kimsuky 4
2024-04-10 • somedieyoung ZZ
Kimsuky targeted the Embassy of the Republic of Korea in China with a malicious Windows shortcut disguised as a familiar document. The LNK runs hidden PowerShell, locates a hardcoded shortcut size, extracts embedded bytes, launches the dropped payload, and deletes the original shortcut. The script uses Dropbox OAuth credentials to request additional staged content and includes AES decryption with the password "pa55w0rd", giving defenders concrete behaviors for shortcut, PowerShell, cloud API, and payload extraction detections.
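As an added defender-side example (not from the report or this page), the Python below walks the MS-SHLLINK structure to find where a shortcut legitimately ends and carves anything appended after it, so a triage script can recover an embedded payload without knowing the hardcoded size the attacker's PowerShell relies on. The sample shortcut and its "payload" are constructed inline; no real sample is used.

```python
import struct

LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000C000000000000046")
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
# StringData fields, in file order, each present only if its LinkFlags bit is set
STRING_DATA_FLAGS = (0x04, 0x08, 0x10, 0x20, 0x40)

def lnk_structural_end(data: bytes) -> int:
    """Return the offset where the ShellLink structure ends (MS-SHLLINK 2.1-2.5).
    Bytes past this offset are not part of a valid shortcut."""
    if (len(data) < LNK_HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != LNK_HEADER_SIZE
            or data[4:20] != LNK_CLSID):
        raise ValueError("not a ShellLink file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:          # IDListSize (2 bytes) + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                    # LinkInfoSize includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    char_size = 2 if flags & IS_UNICODE else 1
    for bit in STRING_DATA_FLAGS:                # CountCharacters (2 bytes) + chars
        if flags & bit:
            pos += 2 + struct.unpack_from("<H", data, pos)[0] * char_size
    while pos + 4 <= len(data):                  # ExtraData blocks, terminated by size < 4
        block_size = struct.unpack_from("<I", data, pos)[0]
        if block_size < 4:
            pos += 4
            break
        if pos + block_size > len(data):         # malformed block: stop, treat rest as foreign
            break
        pos += block_size
    return pos

def find_appended_payload(data: bytes):
    """Return (offset, bytes) of data trailing the shortcut, or None if there is none."""
    end = lnk_structural_end(data)
    return None if end >= len(data) else (end, data[end:])

def build_sample_lnk(payload: bytes) -> bytes:
    """Constructed minimal shortcut: empty IDList, one Unicode argument string,
    terminal ExtraData block, then the given bytes appended (hypothetical sample)."""
    flags = HAS_LINK_TARGET_ID_LIST | 0x20 | IS_UNICODE   # 0x20 = HasArguments
    header = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID + struct.pack("<I", flags)
    header += b"\x00" * (LNK_HEADER_SIZE - len(header))
    id_list = struct.pack("<H", 2) + b"\x00\x00"           # only the TerminalID
    args = "-w hidden".encode("utf-16-le")
    string_data = struct.pack("<H", len(args) // 2) + args
    return header + id_list + string_data + b"\x00\x00\x00\x00" + payload

if __name__ == "__main__":
    hit = find_appended_payload(build_sample_lnk(b"MZ-constructed-payload"))
    print("appended data at offset %d: %r" % hit if hit else "no appended data")
```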
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| URL | https://api.dropboxapi.com/oaut… | 2023-12-29 | 2025-09-03 |
| URL | https://content.dropboxapi.com/… | 2020-03-25 | 2025-09-03 |
| HASH | a4bd6d00abbd79ab00161ff538cfe703 | 2024-04-03 | 2024-04-17 |
| URL | https://api.dropboxapi.com/oaut… | 2024-04-10 | 2024-04-10 |
| HASH | 075d7249d09f14cbf0a4ffcb077c775… | 2024-04-03 | 2024-04-10 |
| HASH | fe156159a26f8b7c140db61dd8b136e… | 2024-04-03 | 2024-04-10 |
Related Reports
2024-03-18 • Securonix • 80% match: Analysis of New DEEP#GOSU Attack Campaign Likely Associated with North Korean Kimsuky Targeting Victims with Stealthy Malware