Kimsuky Wanna Be Your Social Network Friend

2025-01-21 NSHC

https://jsac.jpcert.or.jp/archive/2025/pdf/JSAC2025_1_8_hankuk_sangyoon_jeonghee_en.pdf

Attachments

JSAC2025_1_8_hankuk_sangyoon_jeonghee_en.pdf (2 MB)

NSHC's JSAC presentation describes a June 2024 Kimsuky social-engineering operation that used LinkedIn reconnaissance against Republic of Korea Navy-related personnel and then moved into spear phishing. The actors prepared VPS/VDS infrastructure, sent mail that passed SPF, DKIM, ARC, and DMARC checks, and delivered Google Drive links to EGG archives to reduce attachment-scanning friction. Execution led to PE malware, with separate PowerShell commands for the EXE and DLL delivery paths, and regsvr32 was used to trigger a DLL payload placed under ProgramData. The deck also notes RC4-encrypted data, fake PDF headers, and checks on attacker infrastructure registration as part of the campaign's defense-evasion and resource-development tradecraft.
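A defender-side detection over constructed process-creation events, added here as an example and not taken from the NSHC deck: it flags regsvr32 loading a DLL from ProgramData and PowerShell launching an executable from ProgramData, the two execution paths summarised above. The flat key=value event format, field names and sample paths are assumptions.

```python
"""Added detection example (not from NSHC's report): flag the regsvr32-from-ProgramData
and PowerShell-launches-EXE execution paths over constructed process-creation events."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample events in an assumed Sysmon-like flat "Key=Value" format.
SAMPLE_EVENTS = [
    "EventID=1 Image=C:\\Windows\\System32\\regsvr32.exe "
    "ParentImage=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "
    "CommandLine=regsvr32.exe /s C:\\ProgramData\\update\\svc.dll",
    "EventID=1 Image=C:\\Windows\\System32\\regsvr32.exe ParentImage=C:\\Windows\\explorer.exe "
    "CommandLine=regsvr32.exe /s C:\\Program Files\\Vendor\\vendor.dll",
    "EventID=1 Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "
    "ParentImage=C:\\Windows\\explorer.exe "
    "CommandLine=powershell -w hidden Start-Process C:\\ProgramData\\update\\setup.exe",
    "EventID=1 Image=C:\\Windows\\System32\\notepad.exe ParentImage=C:\\Windows\\explorer.exe "
    "CommandLine=notepad.exe",
]

# Lazy value match that stops at the next " Key=" so values may contain spaces.
KV_RE = re.compile(r"(\w+)=(.*?)(?= \w+=|$)")
PROGRAMDATA_DLL = re.compile(r"[A-Z]:\\ProgramData\\[^ ]*?\.dll", re.IGNORECASE)
PROGRAMDATA_EXE = re.compile(r"[A-Z]:\\ProgramData\\[^ ]*?\.exe", re.IGNORECASE)


def parse_event(line: str) -> Dict[str, str]:
    """Split one flat event line into a field dictionary."""
    return {key: value for key, value in KV_RE.findall(line)}


def classify(event: Dict[str, str]) -> Optional[str]:
    """Return a rule name when the event matches one of the two execution paths."""
    image = event.get("Image", "").lower()
    parent = event.get("ParentImage", "").lower()
    cmd = event.get("CommandLine", "")
    if image.endswith("\\regsvr32.exe") and PROGRAMDATA_DLL.search(cmd):
        # A PowerShell parent matches the delivery chain described above, so rank it higher.
        if parent.endswith("\\powershell.exe"):
            return "regsvr32_programdata_dll_from_powershell"
        return "regsvr32_programdata_dll"
    if image.endswith("\\powershell.exe") and PROGRAMDATA_EXE.search(cmd):
        return "powershell_launches_programdata_exe"
    return None


def scan(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (rule, command line) pairs for every matching event."""
    hits = []
    for line in lines:
        event = parse_event(line)
        rule = classify(event)
        if rule:
            hits.append((rule, event.get("CommandLine", "")))
    return hits
```

Signed DLLs registered from Program Files (the second sample) are deliberately not flagged; tune the path patterns to the environment's legitimate installers before deploying.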

Indicators of Compromise