Security researchers have confirmed that KimJongRAT, a sophisticated remote access Trojan attributed to the Kimsuky group and believed to be backed by North Korea, is being actively distributed via weaponized .hta files targeting Windows users.
The discovery reveals a carefully orchestrated attack chain designed to harvest sensitive credentials and system information from compromised machines.
The malicious payload is being distributed under the deceptive filename National Tax Notice.pdf as a compressed archive named tax_notice.zip, with initial delivery occurring through phishing emails.
This social engineering tactic leverages the trust placed in official government tax notices to increase the likelihood of user interaction, particularly targeting individuals in regions where such communications are expected.
Once a user extracts the archive, they encounter an Ink file disguised as a legitimate Tax Notice.pdf document.
This obfuscation technique attempts to deceive users into executing the malicious payload. When executed, the Ink file decodes a Base64-encoded URL value using mshta, Microsoft’s HTML Application host utility, to download an additional payload.
Credential Theft Through Social Engineering
The compromised system then redirects to and executes the tax.hta file, progressing the infection chain.
The tax hta loader is implemented in VBScript and serves as the primary execution mechanism for the attack. Upon activation, it downloads malicious files alongside decoy documents while attempting to bypass security protections using Google Drive URLs.
This multi-stage approach allows attackers to evade detection by traditional security solutions that may flag direct server connections as suspicious.
A critical characteristic of this attack is its adaptive payload delivery mechanism. The malware checks the status of Windows Defender on the infected system and drops different payloads based on whether the security software is running or disabled.
If Windows Defender is disabled, the v3.log file is downloaded, ultimately downloading and executing an n64.log file.
This file collects various compromised data including system information, browser storage data, encryption keys, cryptocurrency wallet information, Telegram accounts, Discord credentials, and browser encryption keys.
Conversely, if Windows Defender is enabled, the PC.log file is downloaded instead.
This variant performs similar data collection operations but with additional persistence mechanisms through registry modifications to ensure ongoing credential harvesting and user information transmission.
How Users Can Detect and Prevent the Threat
The malware exhibits strong targeting characteristics specific to the domestic market, suggesting precise creation for regional threat actors.
Organizations are advised to maintain updated Windows and Windows Defender installations, enable file extension view functions in File Explorer, and exercise caution when processing files and extensions, particularly those received through email communications.
The use of localized tax notice templates and Korean-language interface elements indicate that this campaign was engineered explicitly for a particular geographic audience, making it a highly targeted operation rather than opportunistic malware distribution.
Recent activity confirms that HTA-based attacks continue as an effective methodology. The file extension enables direct execution from the internet using mshta, bypassing Windows Secure Boot warnings and avoiding the execution from file extension prompts typically shown before running files.
This technique remains one of the most effective attack methods frequently deployed by threat actors globally.
Microsoft continues strengthening security implementations to counter such threats.
Security experts warn that related malicious files associated with this campaign are currently detected as Trojan.Agent.LlhK.Gen, Trojan.Downloader.VBS.Agent, and related variants across security platforms, enabling defenders to identify and block these threats within enterprise environments.
Follow us on Google News, LinkedIn, and X to Get Instant Updates and Set GBH as a Preferred Source in Google.