North Korean state-sponsored cyber-espionage group Kimsuky has launched a sophisticated new campaign targeting South Korean entities through malicious Windows shortcut (LNK) files, demonstrating the group’s continued evolution in stealth and precision.
The campaign combines tailored social engineering with advanced malware frameworks designed to systematically infiltrate government agencies, defense contractors, and research organizations while evading traditional security measures.
The operation begins with carefully crafted phishing emails containing malicious LNK files embedded within ZIP archives to bypass email filtering systems.
These files execute obfuscated scripts through trusted Windows utilities, using decoy documents based on publicly available South Korean government materials as psychological lures.
Once activated, the malware performs extensive system profiling, credential theft, and comprehensive data exfiltration while maintaining persistent command-and-control communication channels.
Aryaka Threat Research Labs identified this cyber-espionage campaign specifically targeting South Korean entities, attributing the sophisticated operation to Kimsuky through analysis of the group’s characteristic tactics, techniques, and procedures.
The researchers noted the campaign’s strategic focus on region-specific targeting and its abuse of legitimate system processes to maintain operational security.
The attack leverages deceptive lure documents, including official-looking government notices about nearby sex offenders and tax penalty notifications, designed to create urgency and prompt immediate user engagement.
These documents are automatically downloaded and opened after initial infection, serving as effective social engineering components that mask the underlying malicious activity occurring simultaneously on the victim’s system.
Advanced Infection Chain and Reflective Loading Mechanisms
The malware’s technical sophistication becomes evident in its multi-stage infection process that begins with LNK file execution.
When activated, the shortcut launches an HTA file hosted on a remote content delivery network (CDN) using the legitimate Windows utility mshta.exe.
This HTA file contains heavily obfuscated VBScript that constructs strings through complex arithmetic operations involving hexadecimal-to-decimal conversions and Chr() calls.
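The mshta.exe stage described above leaves a process-creation trail that defenders can hunt for. The following added example (not from the Aryaka report) runs a simple rule over constructed Sysmon-style process-creation records: it flags mshta.exe loading an HTA from a remote URL, notes when the parent is explorer.exe (consistent with a double-clicked LNK), and flags script hosts spawned by mshta.exe, while leaving a locally hosted HTA unflagged.

```python
import re

# Constructed Sysmon-style (Event ID 1, process creation) records for illustration.
# Paths, hostnames and the encoded command are made up, not indicators from the report.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r'"C:\Windows\System32\mshta.exe" https://cdn.example.invalid/notice.hta'},
    {"ParentImage": r"C:\Windows\System32\mshta.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -w hidden -enc QQBCAEMA"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r'"C:\Windows\System32\mshta.exe" C:\Tools\intranet-dashboard.hta'},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": r'"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" /n report.docx'},
]

REMOTE_URL = re.compile(r"\bhttps?://\S+", re.IGNORECASE)
# Script hosts and proxy-execution binaries worth noticing as children of mshta.exe.
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe", "powershell.exe",
                "cmd.exe", "rundll32.exe", "regsvr32.exe"}


def image_name(path):
    """Return the lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return the reasons an event matches the LNK -> mshta.exe -> remote HTA pattern."""
    reasons = []
    image = image_name(event["Image"])
    parent = image_name(event["ParentImage"])
    if image == "mshta.exe":
        urls = REMOTE_URL.findall(event["CommandLine"])
        if urls:  # a local .hta path produces no match and is not flagged
            reasons.append(f"mshta.exe loading remote HTA: {urls[0]}")
            if parent == "explorer.exe":
                reasons.append("parent is explorer.exe, consistent with a double-clicked LNK")
    if parent == "mshta.exe" and image in SCRIPT_HOSTS:
        reasons.append(f"mshta.exe spawned script host {image}")
    return reasons


def detect(events):
    """Return (index, reasons) for every event that matches at least one indicator."""
    return [(i, r) for i, ev in enumerate(events) if (r := classify(ev))]
```

Run against real telemetry, the same logic applies to any process-creation source that records image, parent image and command line; tune SCRIPT_HOSTS and the URL pattern to the environment.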
The malware implements advanced anti-analysis measures, including virtual machine detection that examines system manufacturers for VMware, Microsoft, or VirtualBox environments.
Upon detection of virtualized systems, the malware triggers a cleanup routine that systematically removes payload files before terminating execution, effectively avoiding sandbox analysis.
Perhaps most notably, the campaign employs reflective DLL injection techniques that represent a significant advancement in evasion capabilities.
The malware downloads and decodes Base64-encoded executables that serve as custom loaders, subsequently retrieving RC4-encrypted payloads from CDN servers.
Rather than writing malicious DLLs to disk, the loader decrypts the content directly in memory and uses the VirtualAllocEx(), WriteProcessMemory(), and CreateRemoteThread() functions to inject code into running processes.
This reflective loading approach ensures the payload operates entirely in memory, substantially reducing detection probability by traditional antivirus solutions that monitor disk-based activities.
The campaign maintains persistent access through registry modifications and establishes robust command-and-control channels that enable real-time remote command execution, additional payload delivery, and systematic data exfiltration in discreet 1MB chunks disguised as standard web traffic.