GBHackers

Kimsuky Uses Malicious LNK Files to Drop Python Backdoor


Kimsuky is using multi-stage malicious LNK files to deploy a Python-based backdoor, adding new intermediate scripts while keeping the final payload logic largely unchanged.

The campaign abuses Windows Task Scheduler, Dropbox, and bundled Python runtimes to evade detection and maintain persistence on infected systems.

ASEC reports that older Kimsuky LNK chains followed a relatively simple flow: LNK → PowerShell → BAT, with the BAT script downloading a ZIP archive and a decoy document from qugesr[.]online.

The ZIP contained a Python script (can.py), a standalone Python interpreter, and an XML Task Scheduler file (sch.db), which registered a task named Microsoft_Upgrade{10-9903-09-821392134} to execute the Python script and ultimately fetch and run the final Python backdoor.

In the recent activity, the group retains the LNK → PowerShell starting point but replaces the simple BAT-centric middle stage with a more complex XML → VBS → PS1 → BAT chain.

This redesign splits execution responsibilities across multiple scripts, making static detection and behavior correlation more difficult while preserving the final Python backdoor delivery.

Kimsuky Uses Malicious LNK Files

Recent lure filenames such as “Resume (Sungmin Park).hwp.lnk” and “Guide to Establishing Data Backup and Recovery Procedures (Reference).lnk” still execute embedded PowerShell, but now first create a stealth folder at C:\windirr with hidden and system attributes to hide subsequent artifacts from casual browsing.

Malicious BAT script file (Source: ASEC).

The LNK payload then drops a decoy HWP document plus three components: sch_ha.db (XML for Task Scheduler), 11.vbs, and pp.ps1.

The XML task GoogleUpdateTaskMachineCGI__{56C6A980-91A1-4DB2-9812-5158E7E97388} is configured to run wscript.exe /b “C:\windirr\11.vbs” every 17 minutes starting from a fixed timestamp, providing scheduled, noiseless execution.

When triggered, 11.vbs launches pp.ps1, which collects host data (domain, username, running processes, OS version, public IP, antivirus info) and writes it to tmp.ini.

Registered Task Scheduler (Source: ASEC).

The script then uses Dropbox as a command-and-control and exfiltration channel, uploading the stolen data under a filename pattern __info.ini and retrieving an additional script package (zzz09_test.db_sent) that is saved as C:\Users\Public\Music\hh.bat and executed.

The hh.bat stage downloads two ZIP fragments from quickcon[.]store, merges them into %TEMP%\G9081234.zip, and extracts them to C:\winii.

The archive contains another XML Task Scheduler file (norton.db) and the Python backdoor beauty.py; a new task named GoogleExtension{02-2032121-098} is registered to execute beauty.py on a schedule, giving Kimsuky durable Python-based access.

ASEC identifies two Python payload types in this campaign: a downloader and a more feature-complete backdoor.

Part of the hh.bat code (Source: ASEC).

The backdoor first signals successful infection by sending packets containing the string “HAPPY” to its C2 at 45.95.186[.]232:8080, then switches to a custom 4096‑byte protocol framed by magic bytes 0x99 0x0A 0xBD 0x99.

Based on command codes, the backdoor can enumerate drives, run arbitrary shell commands, list directories, upload and download files, securely delete files by overwriting with random data, and execute EXE, BAT, or VBS files.

Persistent Kimsuky tradecraft

Observed operator activity includes querying disk capacity, running ipconfig, listing processes with tasklist, and recursively listing C: to map the environment shortly after initial infection.

The accompanying Python downloader variant pulls additional VBS and BAT files to %TEMP% from attacker infrastructure, runs them with the CREATE_NO_WINDOW flag so no console appears, waits 180 seconds, and then deletes both files to reduce forensic artifacts.

Normal decoy file used by the Kimsuky group in the past (Source: ASEC).

The campaign reuses long-standing Kimsuky tradecraft while incrementally evolving the chain.

XML-based Task Scheduler registration with GoogleUpdateTaskMachine*-style names and sch_*.db filenames matches earlier Kimsuky activity documented by ASEC, as does reuse of the same decoy documents across multiple LNK waves.

The key change is the move from a simple LNK → PowerShell → BAT path to a more fragmented LNK → PowerShell → (XML → VBS → PS1 → BAT) model, combined with cloud service abuse and Python to sidestep traditional Windows malware signatures.

For defenders, this underscores the need to monitor Task Scheduler XML imports, suspicious folders like C:\windirr and C:\winii, Dropbox-based traffic from endpoints, and the presence of bundled Python interpreters in user directories.
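As an added defender-side example (not code from the article or from ASEC), the following Python parses a Task Scheduler XML definition like the sch_ha.db task described above and flags the indicators the article names: updater-style task names, a script host such as wscript.exe run with /b against C:\windirr or C:\winii, and a short repetition interval. The two task definitions, the start timestamp and the benign comparison task are constructed here, not taken from the samples.

```python
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Indicators taken from the article; the regexes themselves are constructed here.
SUSPICIOUS_DIRS = re.compile(r"c:\\(windirr|winii)\b", re.IGNORECASE)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "python.exe"}
UPDATER_NAMES = re.compile(r"^\\?(GoogleUpdateTaskMachine|GoogleExtension|Microsoft_Upgrade)", re.IGNORECASE)

# Constructed sample mirroring the task the article describes; the StartBoundary
# is a placeholder because the article does not give the real timestamp.
SAMPLE_TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\\GoogleUpdateTaskMachineCGI__{56C6A980-91A1-4DB2-9812-5158E7E97388}</URI></RegistrationInfo>
  <Triggers><TimeTrigger><Repetition><Interval>PT17M</Interval></Repetition>
    <StartBoundary>2000-01-01T00:00:00</StartBoundary><Enabled>true</Enabled></TimeTrigger></Triggers>
  <Actions Context="Author"><Exec><Command>wscript.exe</Command>
    <Arguments>/b "C:\\windirr\\11.vbs"</Arguments></Exec></Actions>
</Task>"""

# Constructed benign task for comparison.
BENIGN_TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\\Backup\\Nightly</URI></RegistrationInfo>
  <Actions Context="Author"><Exec><Command>C:\\Program Files\\BackupTool\\backup.exe</Command></Exec></Actions>
</Task>"""


def analyze_task_xml(xml_text):
    """Return task URI, repetition interval and indicator findings (real exported task files are UTF-16: pass bytes)."""
    root = ET.fromstring(xml_text)
    uri = root.findtext("t:RegistrationInfo/t:URI", default="", namespaces=NS)
    interval = root.findtext(".//t:Repetition/t:Interval", default="", namespaces=NS)
    findings = []
    if UPDATER_NAMES.match(uri):
        findings.append(f"task name mimics an updater: {uri}")
    for exec_node in root.findall("t:Actions/t:Exec", NS):
        cmd = exec_node.findtext("t:Command", default="", namespaces=NS).strip()
        args = exec_node.findtext("t:Arguments", default="", namespaces=NS).strip()
        host = cmd.replace("/", "\\").rsplit("\\", 1)[-1].lower()  # executable basename
        if host in SCRIPT_HOSTS:
            findings.append(f"script host action: {host} {args}")
        if SUSPICIOUS_DIRS.search(cmd) or SUSPICIOUS_DIRS.search(args):
            findings.append("action references C:\\windirr or C:\\winii")
        if host == "wscript.exe" and "/b" in args.lower().split():
            findings.append("wscript.exe runs silently with /b")
    if interval:  # a short repetition such as PT17M is a beaconing hint
        findings.append(f"repeats every {interval}")
    return {"uri": uri, "interval": interval, "findings": findings, "suspicious": len(findings) >= 2}
```

Run it over the XML files the LNK drops (or over `schtasks /query /xml` output) and triage any task that reaches two or more findings.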
