Kimsuky's Ongoing Evolution of KimJongRAT and Expanding Threats

Nov. 24, 2025, 12:49 p.m.

Description

This analysis examines the latest attack flow of the KimJongRAT variant, attributed to the North Korean threat actor Kimsuky. The malware has evolved to include both PE-based and PowerShell-based attack chains, which have been merged into a single workflow. The attackers use phishing emails for initial access, leveraging GitHub and Google Drive for malware distribution. The malware exfiltrates sensitive data including browser credentials, system information, and keystrokes. Additional activities by the same actor include credential theft through phishing sites and spear-phishing campaigns targeting South Korean users. The analysis provides evidence supporting the attribution to Kimsuky and highlights the ongoing development of variants and infrastructure, indicating successful attacks.

Date

  • Created: Nov. 24, 2025, 11:59 a.m.
  • Published: Nov. 24, 2025, 11:59 a.m.
  • Modified: Nov. 24, 2025, 12:49 p.m.

Indicators


Attack Patterns

Additional Information

  • Finance
  • Government