Kimsuky Hackers Attacking Users via Weaponized QR Code to Deliver Malicious Mobile App

The North Korean state-linked threat group Kimsuky has expanded its attack methods by distributing mobile malware through weaponized QR codes, targeting users through phishing sites that imitate package delivery services.

Security researchers discovered the malicious campaign in September 2025, when victims received smishing messages with links that redirected them to fake delivery tracking websites hosting QR codes designed to trick users into downloading infected Android applications on their smartphones.

QR-based mobile redirection (Source - Enki)

The malware represents the latest version of “DOCSWAP,” a threat first documented earlier in 2025.

This new variant shows several improvements over earlier versions, including a new native decryption function and more varied decoy behaviors.

Attack Flow (Source - Enki)

Enki analysts identified the malicious application being distributed from a command and control server located at 27.102.137[.]181, where it impersonated legitimate services like CJ Logistics, auction platforms, VPN apps, and cryptocurrency airdrop authentication systems to deceive victims.

When users access the phishing links from a computer, they see a message stating “For security reasons, you cannot view this page from a PC” along with a QR code.

Scanning this code with a mobile device initiates the download of what appears to be a security app. However, accessing the same link from an Android device directly displays fake security scanning screens and prompts users to install a “security app” to complete authentication.

The malicious application uses Base64-encoded URLs and server-side logic that serves different content based on the user’s device type, making detection more difficult.

Once installed, the malware operates in multiple stages. The application first requests extensive permissions including file access, phone, SMS, and location data.

The downloaded APK file, named “SecDelivery.apk,” contains an encrypted second-stage APK stored as “security.dat” in its resources. Unlike previous versions, which used Java-based XOR decryption, this variant uses a native library called “libnative-lib.so” to decrypt the embedded APK.

The decryption process involves three steps per byte: inverting the bits of the byte value, applying a 5-bit left rotation, and XORing the result with a 4-byte key (541161FE in hex).
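The three-step transform above is simple enough to reimplement for static analysis, so an analyst can recover the embedded APK from “security.dat” without running the sample. The following Python is an added example written for this article, not code from Enki or from the malware; it assumes the steps are applied in the order the report lists them (invert, rotate left by 5, XOR) and that the 4-byte key is applied in big-endian byte order, cycling every four bytes. Both are assumptions to verify against libnative-lib.so in a disassembler. The inverse routine exists only to build a test sample offline.

```python
# Added example: decrypt a DOCSWAP "security.dat" blob as described in the report.
# Assumptions (not confirmed by the article): step order invert -> rol5 -> xor,
# and the key 54 11 61 FE is applied in that byte order, repeating every 4 bytes.
import sys

KEY = bytes.fromhex("541161FE")  # 4-byte XOR key named in the report


def rol8(b: int, n: int) -> int:
    """Rotate an 8-bit value left by n bits."""
    return ((b << n) | (b >> (8 - n))) & 0xFF


def ror8(b: int, n: int) -> int:
    """Rotate an 8-bit value right by n bits (used only by the inverse)."""
    return ((b >> n) | (b << (8 - n))) & 0xFF


def docswap_decrypt(data: bytes, key: bytes = KEY) -> bytes:
    """Apply invert -> rotate-left-5 -> XOR-with-key to every byte."""
    out = bytearray(len(data))
    for i, b in enumerate(data):
        b = (~b) & 0xFF            # step 1: invert all bits
        b = rol8(b, 5)             # step 2: 5-bit left rotation
        b ^= key[i % len(key)]     # step 3: XOR with the cycling 4-byte key
        out[i] = b
    return bytes(out)


def docswap_encrypt(data: bytes, key: bytes = KEY) -> bytes:
    """Exact inverse of docswap_decrypt; used here to construct test input."""
    out = bytearray(len(data))
    for i, b in enumerate(data):
        b ^= key[i % len(key)]     # undo step 3
        b = ror8(b, 5)             # undo step 2
        b = (~b) & 0xFF            # undo step 1
        out[i] = b
    return bytes(out)


def looks_like_apk(data: bytes) -> bool:
    """An APK is a ZIP archive, so a correct decrypt starts with the PK signature."""
    return data[:4] == b"PK\x03\x04"


if __name__ == "__main__":
    # Usage: python docswap_decrypt.py security.dat out.apk
    src, dst = sys.argv[1], sys.argv[2]
    with open(src, "rb") as f:
        plain = docswap_decrypt(f.read())
    if not looks_like_apk(plain):
        print("warning: output lacks ZIP magic; check step order / key byte order")
    with open(dst, "wb") as f:
        f.write(plain)
```

The ZIP-magic check is the cheap way to validate the byte-order assumptions: if the recovered file does not begin with `PK\x03\x04`, try the other key byte order or a different step order before concluding the sample is a new variant.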

Infection Mechanism and Persistence

The malware establishes persistence through a sophisticated service registration process.

After decryption, the application launches SplashActivity, which loads the encrypted resources, requests necessary permissions, and registers a malicious service called MainService.

To maintain continuous operation, the malware configures intent filters that automatically execute MainService when the device reboots or connects to power.

The AndroidManifest.xml file defines these triggers as “android.intent.action.BOOT_COMPLETED,” “android.intent.action.ACTION_POWER_CONNECTED,” and “android.intent.action.ACTION_POWER_DISCONNECTED.”
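The persistence triggers and the broad permission set described above are both declared statically in the manifest, which makes them a good first triage check for a suspicious APK. The script below is an added example for this article, not Enki’s tooling; it parses a decoded (text) AndroidManifest.xml and flags components whose intent filters name the three actions from the report, plus the SMS, phone, location and storage permissions the report says the app requests. The sample manifest embedded in it is constructed for illustration (the package name and permission list are not taken from the real sample); a real APK’s manifest must first be decoded from binary AXML with a tool such as apktool before this parser can read it.

```python
# Added example: triage a decoded AndroidManifest.xml for the persistence triggers
# and sensitive permissions described in the DOCSWAP report.
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# The three intent actions the report says MainService is wired to.
PERSISTENCE_ACTIONS = {
    "android.intent.action.BOOT_COMPLETED",
    "android.intent.action.ACTION_POWER_CONNECTED",
    "android.intent.action.ACTION_POWER_DISCONNECTED",
}

# Permission families the report lists (file, phone, SMS, location) plus the
# capabilities the RAT commands imply (audio, contacts, call logs).
SENSITIVE_PERMISSIONS = {
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_PHONE_STATE",
    "android.permission.READ_CALL_LOG",
    "android.permission.READ_CONTACTS",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.RECORD_AUDIO",
}

# Constructed sample manifest (hypothetical package name; not the real sample).
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.secdelivery">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <application android:label="SecDelivery">
    <activity android:name=".SplashActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
      </intent-filter>
    </activity>
    <service android:name=".MainService">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
        <action android:name="android.intent.action.ACTION_POWER_CONNECTED"/>
        <action android:name="android.intent.action.ACTION_POWER_DISCONNECTED"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""


def triage_manifest(xml_text: str) -> dict:
    """Return sensitive permissions and (component, name, action) persistence hooks."""
    root = ET.fromstring(xml_text)
    requested = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    findings = {
        "package": root.get("package"),
        "sensitive_permissions": sorted(requested & SENSITIVE_PERMISSIONS),
        "persistence": [],
    }
    # Services and receivers are the component types that can be started by
    # broadcasts; activities are included so MAIN/LAUNCHER entries are visible.
    for comp in root.iter():
        if comp.tag not in ("service", "receiver", "activity"):
            continue
        for action in comp.iter("action"):
            name = action.get(ANDROID_NS + "name")
            if name in PERSISTENCE_ACTIONS:
                findings["persistence"].append(
                    (comp.tag, comp.get(ANDROID_NS + "name"), name)
                )
    return findings


def is_suspicious(findings: dict) -> bool:
    """Heuristic: reboot/power persistence combined with any sensitive permission."""
    return bool(findings["persistence"]) and bool(findings["sensitive_permissions"])


if __name__ == "__main__":
    result = triage_manifest(SAMPLE_MANIFEST)
    for hook in result["persistence"]:
        print("persistence: %s %s <- %s" % hook)
    print("sensitive permissions:", ", ".join(result["sensitive_permissions"]))
    print("suspicious:", is_suspicious(result))
```

The heuristic is deliberately coarse: plenty of legitimate apps listen for BOOT_COMPLETED, so the signal worth escalating is the combination of boot/power triggers on a service with SMS, call-log or location permissions in an app that presents itself as a delivery tracker.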

The application displays a convincing fake authentication screen that asks users to enter a delivery tracking number and verification code. The hardcoded delivery number “742938128549” is included with the initial phishing message.

Fake authentication screen (Source - Enki)

After authentication, the app shows the official delivery tracking website through a webview, making users believe they have installed a legitimate application while the malicious service operates silently in the background.

The embedded RAT supports 57 commands that enable comprehensive device control. It communicates with the command and control server using a message format that includes length headers, null bytes, and Gzip-compressed payloads.

The command parsing logic uses “10249” as a delimiter, allowing the malware to perform actions such as audio and video recording, file management, location tracking, call log collection, contact list theft, SMS interception, remote command execution, and live keylogging.

The keylogger operates through Android’s Accessibility Service, capturing app icons, package names, event text, and timestamps, which are then compressed and Base64-encoded before transmission.

// JavaScript from the phishing page: reports a button click back to the server.
// `btn` and `decodedUrl` (the Base64-decoded target URL) are defined elsewhere on the page.
// Original comment, translated from Korean: "Leave log when button is clicked"
btn.addEventListener("click", () => {
    fetch("downcat.php", {
        method: "POST",
        headers: { "Content-Type": "application/json" },
        body: JSON.stringify({
            time: new Date().toISOString(),
            url: decodedUrl
        })
    }).catch(err => console.error("Log transmission failed:", err));
});

Researchers connected this campaign to previous Kimsuky operations through shared infrastructure, including the distinctive “Million OK !!!!” string served from the root directory of the command and control servers.

Korean-language comments throughout the HTML code and error messages provide additional evidence linking the activity to North Korean threat actors.

The campaign demonstrates Kimsuky’s continued evolution in mobile threats, targeting smartphones that contain sensitive financial and personal information.
