Kimsuky Distributing Malicious Mobile App via QR Code

Dec. 21, 2025, 7:32 p.m.

Description

A new campaign by Kimsuky involves distributing malicious mobile apps through QR codes and phishing websites. The apps, masquerading as delivery services, VPNs, and cryptocurrency tools, decrypt an embedded APK to deploy a RAT with extensive capabilities. The malware uses a native decryption function and diverse decoy behaviors. Infrastructure overlaps and Korean language comments link this activity to Kimsuky. The threat actor employs sophisticated phishing techniques and leverages QR codes to redirect victims to malicious downloads. The malware requests extensive permissions and implements keylogging, audio recording, and data exfiltration. Multiple C&C servers were identified, some hosting Naver and Kakao phishing sites.

External References

https://otx.alienvault.com/pulse/694173582a3c2e9751091e7b
https://www.enki.co.kr/en/media-center/blog/kimsuky-distributing-malicious-mobile-app-via-qr-code
Tags
rat
phishing
keylogging
apk
dprk
mobile malware
decryption
qr code
docswap
2025-12-16

Date

  • Created: Dec. 16, 2025, 2:57 p.m.
  • Published: Dec. 16, 2025, 2:57 p.m.
  • Modified: Dec. 21, 2025, 7:32 p.m.

Indicators

  • 4fad161414fca5000f6e2d8d1a5623d0ccea3a3d39bc2cb8119d0dc2d70d0bcb
  • 79aa53f47197592f240a8af5030d15ccb06b098acedfa15c6dd1cc3e3e0badb1
  • e9e2d2f41f9f630125199938c1a9c201d6870e14a23488948d2008089319d525
  • 01a0a74bd585ec52d3df8aece76cb8feea91d3c9150a3ee5f3f53f602302a2c5
  • f1808e596e65f31a3fe3e3abfb86e9103fdf635f9708dafaf96b92684ba414b2
  • 27.102.138.181
  • 27.102.138.163
  • 27.102.137.181
  • 27.102.137.180
  • 27.102.137.214
  • 27.102.137.106
  • 27.102.137.93
Download all indicators here!

Attack Patterns

  • DOCSWAP
  • Kimsuky

Additional Informations

  • delivery.cjlogistics.kro.kr
  • hunt.io