Kimsuky Attack Disguised as Sex Offender Notification Information

Sept. 24, 2025, 12:03 p.m.

Description

In late July 2025, an organized APT attack using shortcut files was discovered and attributed to the North Korean Kimsuky group. The attackers distribute decoy zip files containing password-protected documents and a disguised shortcut file. When the shortcut is executed, it connects to a command-and-control (C2) server, downloads encrypted payloads, and performs various malicious activities, including collecting sensitive information from browsers, cryptocurrency wallets, messaging apps, and system files. The collected data is encrypted and sent to the C2 server, which can issue additional commands for remote execution. The attack employs anti-VM techniques and establishes persistence through registry modifications. The campaign also includes a separate malicious DLL used for browser process injection.

Date

  • Created: Sept. 24, 2025, 10:38 a.m.
  • Published: Sept. 24, 2025, 10:38 a.m.
  • Modified: Sept. 24, 2025, 12:03 p.m.

Indicators

  • c24353e61826eb7187d1acabbd857ddb694ddfe130eb1f5195aadd39701565ca
  • 6730d86c8e24e0c2ae0bb1fb65d15b5c303855927719d5f572fdc0ff1f623de3
  • 1d01eab612da7d635e6b92395ead126e3e07b7987b3a38c8831e25cbcd5456b7
  • https://yfews.mailhubsec.com/comm/vpwepi.hta
  • https://yajxu.mailhubsec.com/
  • yfews.mailhubsec.com
  • yajxu.mailhubsec.com
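The indicators above mix file hashes, URLs, and bare hostnames. The following Python script is an added example, not part of the report: it classifies each indicator by type, derives a hostname set from the URL indicators so that DNS or CONNECT records still match, and scans constructed proxy-log lines and file digests against the result. The log lines and the sample bytes are constructed for illustration and are not real traffic.

```python
import hashlib
import re
from urllib.parse import urlparse

# Indicators copied verbatim from the report's "Indicators" list.
INDICATORS = [
    "c24353e61826eb7187d1acabbd857ddb694ddfe130eb1f5195aadd39701565ca",
    "6730d86c8e24e0c2ae0bb1fb65d15b5c303855927719d5f572fdc0ff1f623de3",
    "1d01eab612da7d635e6b92395ead126e3e07b7987b3a38c8831e25cbcd5456b7",
    "https://yfews.mailhubsec.com/comm/vpwepi.hta",
    "https://yajxu.mailhubsec.com/",
    "yfews.mailhubsec.com",
    "yajxu.mailhubsec.com",
]

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
DOMAIN_RE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$")


def classify(ioc: str) -> str:
    """Return 'sha256', 'url', 'domain' or 'unknown' for one indicator string."""
    ioc = ioc.strip().lower()
    if SHA256_RE.match(ioc):
        return "sha256"
    if ioc.startswith(("http://", "https://")):
        return "url"
    if DOMAIN_RE.match(ioc):
        return "domain"
    return "unknown"


def build_index(indicators):
    """Group indicators by type; URL indicators also contribute their hostname."""
    index = {"sha256": set(), "url": set(), "domain": set()}
    for ioc in indicators:
        kind = classify(ioc)
        if kind in index:
            index[kind].add(ioc.strip().lower())
    for url in list(index["url"]):
        host = urlparse(url).hostname
        if host:
            index["domain"].add(host)
    return index


def host_matches(host: str, domains) -> bool:
    """True when host equals an indicator domain or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def scan_proxy_log(lines, index):
    """Return (line_number, matched_value) for each line hitting a URL or domain indicator.

    Tokens that look like URLs are checked for an exact URL match first, then by
    hostname; any other dotted token (e.g. a CONNECT host:port) is checked by hostname.
    """
    hits = []
    for n, line in enumerate(lines, 1):
        for token in line.split():
            t = token.strip('"').lower()
            if t.startswith(("http://", "https://")):
                if t in index["url"]:
                    hits.append((n, t))
                    continue
                host = urlparse(t).hostname
                if host and host_matches(host, index["domain"]):
                    hits.append((n, host))
            elif "." in t:
                host = t.split(":")[0]  # drop a trailing :port
                if host_matches(host, index["domain"]):
                    hits.append((n, host))
    return hits


def sha256_of_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hash_matches(digest: str, index) -> bool:
    """True when a SHA-256 digest (any case) is one of the file-hash indicators."""
    return digest.strip().lower() in index["sha256"]


# Constructed sample proxy log, not real traffic.
SAMPLE_PROXY_LOG = [
    "2025-07-29T09:12:41Z 10.0.0.15 GET https://yfews.mailhubsec.com/comm/vpwepi.hta 200",
    "2025-07-29T09:12:42Z 10.0.0.15 GET https://www.example.com/ 200",
    "2025-07-29T09:13:05Z 10.0.0.15 CONNECT yajxu.mailhubsec.com:443 200",
    "2025-07-29T09:14:00Z 10.0.0.22 GET https://cdn.yajxu.mailhubsec.com/u.bin 200",
]

if __name__ == "__main__":
    idx = build_index(INDICATORS)
    for line_no, value in scan_proxy_log(SAMPLE_PROXY_LOG, idx):
        print(f"line {line_no}: matched {value}")
    print("sample bytes flagged:", hash_matches(sha256_of_bytes(b"constructed benign bytes"), idx))
```

Matching on the hostname rather than only the exact URL is deliberate: the same infrastructure is visible in DNS and CONNECT records that carry no path, and a subdomain of a listed host is still worth a triage ticket.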