A North Korean threat group known as Kimsuky has been caught running a cyberattack campaign that uses malicious Windows shortcut files, known as LNK files, to quietly install a Python-based backdoor on victim systems.
The attack stays hidden across multiple stages, making it harder for security tools to detect before the final payload reaches the target machine.
Kimsuky has been active for many years, well-known for targeting government agencies, research institutions, and individuals in South Korea and beyond.
In this latest campaign, the group changed how it delivers malware compared to earlier attacks.
While the overall goal remains the same — getting a Python backdoor running on a victim’s machine — the group added more steps in the middle of the attack chain.
These steps make detection harder and give attackers more control over how the infection unfolds.
Researchers at ASEC identified this shift and noted that the Kimsuky group made a clear structural change in how its malicious LNK files are executed.
In the past, the attack flow moved from an LNK file to PowerShell and directly to a BAT file. In the recent version, the intermediate stage now runs through an XML file, a VBS file, a PS1 file, and finally a BAT file before reaching the payload.
This expanded chain adds layers between each step, giving the malware more room to avoid detection.
The LNK files in this campaign were disguised as everyday documents, with names like “Resume (Sungmin Park).hwp.lnk” and “Guide to Establishing Data Backup and Recovery Procedures (Reference).lnk”.
These names are crafted to look convincing so users click on them without suspicion. Once opened, the LNK file triggers a hidden PowerShell script that creates a concealed folder at C:windirr with hidden and system attributes, keeping it out of normal file browsing views.
The decoy HWP document displayed to the victim after LNK execution, designed to mask malicious activity running in the background.
The impact of this campaign is serious. Once the backdoor is fully installed, the attacker gains remote command access over the infected machine.
The threat actor can run shell commands, browse directories, upload and download files, delete files, and execute other programs. This level of access allows the attacker to silently monitor and extract sensitive data from the victim’s system for as long as the infection goes unnoticed.
Multi-Stage Infection Mechanism
The infection process is built across several connected stages, each designed to quietly move to the next without raising security alarms.
After the LNK file is opened, the PowerShell script creates the hidden folder and drops three files: an XML task scheduler file (sch_ha.db), a VBS script (11.vbs), and a PowerShell script (pp.ps1).
The task named GoogleUpdateTaskMachineCGI__{56C6A980-91A1-4DB2-9812-5158E7E97388} registered on the victim system to maintain persistent execution every 17 minutes.
The XML file registers a scheduled task named GoogleUpdateTaskMachineCGI, set to run every 17 minutes. This keeps the malware active even after a restart. When the VBS file runs, it launches pp.ps1, which collects system details including the username, running processes, OS version, public IP address, and antivirus information. The stolen data is then sent to the attacker through Dropbox, a legitimate cloud service used here to blend into normal network traffic and avoid detection.
The PowerShell script responsible for harvesting victim system information and uploading it to the attacker’s Dropbox account.
The pp.ps1 script also downloads a BAT file (hh.bat) from the attacker’s Dropbox account and executes it. This BAT file pulls two ZIP fragments from remote servers, merges them, and extracts the final payload to C:winii.
The archive holds a Python backdoor named beauty.py, which is registered as a scheduled task called GoogleExtension through another XML task definition.
The batch script responsible for downloading, merging ZIP fragments, and deploying the final Python backdoor onto the infected system.
The backdoor connects to C2 server 45.95.186[.]232 port 8080, sends a “HAPPY” packet to confirm infection, and waits for commands.
Users should avoid opening LNK files received through email or messaging apps, especially files disguised as documents. Organizations should monitor Windows Task Scheduler for suspicious entries with Google-themed names.
Keeping endpoint security tools updated and blocking unauthorized outbound connections to unknown services can reduce the risk of a successful intrusion.
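One way to act on the Task Scheduler advice above is to parse each task definition and flag the traits this campaign exhibits: a Google-themed name whose action does not run a Google binary, an action that launches a script host such as wscript or PowerShell, and a short repetition interval. The script below is an added example, not code from ASEC or the article; the task XML is constructed to mirror the described task, and the path in its arguments is a placeholder.

```python
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}  # Task Scheduler schema
SCRIPT_HOSTS = ("wscript", "cscript", "powershell", "pwsh", "cmd", "mshta")

def iso_minutes(duration):
    """Convert a Task Scheduler duration such as PT17M or P1DT2H to minutes (days and below only)."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", duration)
    if not m:
        return None
    d, h, mi, s = (int(x) if x else 0 for x in m.groups())
    return d * 1440 + h * 60 + mi + s / 60

def assess_task(task_xml):
    """Return the reasons a task definition looks suspicious; an empty list means nothing flagged."""
    root = ET.fromstring(task_xml)
    uri = root.findtext("t:RegistrationInfo/t:URI", default="", namespaces=NS)
    name = uri.rsplit("\\", 1)[-1]  # strip the task folder, keep the task name
    reasons = []
    commands = []
    for exec_node in root.findall("t:Actions/t:Exec", NS):
        cmd = exec_node.findtext("t:Command", default="", namespaces=NS)
        args = exec_node.findtext("t:Arguments", default="", namespaces=NS)
        commands.append(cmd)
        exe = cmd.rsplit("\\", 1)[-1].lower()
        if exe.startswith(SCRIPT_HOSTS):  # str.startswith accepts a tuple of prefixes
            reasons.append(f"action launches script host {exe} with arguments: {args}")
    if "google" in name.lower() and not any("google" in c.lower() for c in commands):
        reasons.append(f"Google-themed task name '{name}' but no action runs a Google binary")
    for interval in root.iterfind(".//t:Repetition/t:Interval", NS):
        mins = iso_minutes(interval.text or "")
        if mins is not None and mins <= 30:
            reasons.append(f"repeats every {mins:g} minutes")
    return reasons

# Constructed sample modelled on the task described in the article; the VBS path is a placeholder.
SAMPLE_TASK = """<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\\GoogleUpdateTaskMachineCGI__{56C6A980-91A1-4DB2-9812-5158E7E97388}</URI></RegistrationInfo>
  <Triggers><CalendarTrigger>
    <StartBoundary>2024-01-01T00:00:00</StartBoundary>
    <Repetition><Interval>PT17M</Interval></Repetition>
  </CalendarTrigger></Triggers>
  <Actions><Exec>
    <Command>wscript.exe</Command>
    <Arguments>//B C:\\PLACEHOLDER_DIR\\11.vbs</Arguments>
  </Exec></Actions>
</Task>"""
```

On a live host, feed `assess_task` the contents of each file under `%SystemRoot%\System32\Tasks` (read with UTF-16 encoding) instead of the sample.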