Looking into Initial Access Payloads by APT Groups
2025-02-21 • Priya Patel
https://prii308.github.io/Looking-into-Initial-Access-Payloads-by-APT-Groups/
The DPRK-relevant section analyzes a Kimsuky malicious LNK sample used for initial access and payload staging. The shortcut points to mshta.exe, a legitimate Windows utility (a LOLBin), and uses obfuscated JavaScript to run PowerShell with an execution policy bypass. The PowerShell stage searches for a specific LNK file by size, extracts hidden data appended to it after a fixed offset, writes a new script to ProgramData, and launches the staged content. The author reports that the extracted d.ps1 script is obfuscated and downloads a ZIP archive named gs.zip containing the final payload. The blog also compares other APT initial-access examples, but the Kimsuky evidence is specifically centered on LNK abuse, LOLBin execution, PowerShell staging, and simple YARA detection strings.
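The staging step described above depends on data hidden past the end of the shortcut's own structure. The following Python, added here and not taken from the blog post, walks the MS-SHLLINK layout to find where the legitimate Shell Link structure ends and reports any overlay; it generalizes the sample's fixed-offset trick into a triage check that works on any LNK. The LNK samples and the hidden bytes are constructed for the demonstration.

```python
import struct

# LinkCLSID {00021401-0000-0000-C000-000000000046} as stored on disk (MS-SHLLINK 2.1)
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_TARGET_IDLIST, HAS_LINK_INFO, HAS_ARGUMENTS, IS_UNICODE = 0x01, 0x02, 0x20, 0x80
# StringData entries appear in this flag order: Name, RelativePath, WorkingDir, Arguments, IconLocation
STRING_DATA_FLAGS = (0x04, 0x08, 0x10, 0x20, 0x40)


def shell_link_end(data: bytes) -> int:
    """Walk the MS-SHLLINK structure and return the offset where it ends.
    Bytes after that offset are an overlay Explorer never reads: the hiding spot for a staged script."""
    if len(data) < 0x4C or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    try:
        pos = 0x4C
        if flags & HAS_TARGET_IDLIST:                     # IDListSize + IDList
            pos += 2 + struct.unpack_from("<H", data, pos)[0]
        if flags & HAS_LINK_INFO:                         # LinkInfoSize counts itself
            pos += struct.unpack_from("<I", data, pos)[0]
        width = 2 if flags & IS_UNICODE else 1
        for bit in STRING_DATA_FLAGS:                     # CountCharacters + characters
            if flags & bit:
                pos += 2 + width * struct.unpack_from("<H", data, pos)[0]
        while True:                                       # ExtraData ends with a block whose size is < 4
            size = struct.unpack_from("<I", data, pos)[0]
            pos += 4 if size < 4 else size
            if size < 4:
                break
    except struct.error:
        raise ValueError("truncated Shell Link structure") from None
    return pos


def overlay(data: bytes) -> bytes:
    """Return the bytes appended past the end of the Shell Link structure (empty if none)."""
    return data[shell_link_end(data):]


def build_lnk(arguments: str) -> bytes:
    """Build a minimal valid LNK (header, Unicode Arguments, TerminalBlock); constructed sample only."""
    header = struct.pack("<I16sI", 0x4C, LNK_CLSID, HAS_ARGUMENTS | IS_UNICODE) + bytes(0x4C - 24)
    return header + struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le") + struct.pack("<I", 0)


# Constructed samples: a clean shortcut, and one with fake second-stage bytes glued on after the structure.
CLEAN_LNK = build_lnk("/c notepad.exe")
STAGER_LNK = build_lnk("/c notepad.exe") + b"CONSTRUCTED-HIDDEN-SCRIPT-BYTES"
```

Run `overlay()` over every .lnk in a mail attachment or download folder; a non-empty result is the cheap signal that the file carries more than a shortcut, and the structure offset tells you where the carving should start.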
Indicators of Compromise