Kimsuky APT Runs Four Simultaneous Spear-Phishing Campaigns Targeting Recruiters, Crypto Users, and Defense Officials

dark6 20 May 2026

North Korea-linked threat group Kimsuky has been running four simultaneous spear-phishing campaigns targeting corporate recruiters, cryptocurrency investors and developers, defense sector officials, and graduate school administrators. Detailed analysis published by LogPresso researchers and shared with Cyber Security News reveals a consistently sophisticated attack chain across all four operations, with a focus on defense evasion, abuse of trusted cloud services, and rapid persistence establishment.

Four Campaigns, One Playbook

Despite targeting four distinct victim profiles, all campaigns followed the same core attack methodology: display a convincing decoy document to keep the victim unsuspecting while simultaneously deploying a malicious payload in the background, establish persistence, and open a remote control channel back to attacker-controlled infrastructure.

The campaigns were distinguished by their lure content and delivery methods:

  • Recruiters: Received fake resumes and professional business cards crafted to appear legitimate
  • Crypto investors and developers: Lured with content themed around Solana meme coin investments and developer tooling
  • Defense officials: Targeted with documents referencing the K-ICTC International Scientific Combat Management Competition
  • Graduate school staff: Received what appeared to be enrollment and registration documents

In each case, the immediate objective was identical: establish a silent foothold on the victim’s machine without raising suspicion.

LNK and JSE Lures: Delivery Mechanisms

Three of the four campaigns relied on LNK files disguised to appear as PDF documents. When a victim opened the file, two hidden payloads were activated simultaneously. One payload displayed a convincing decoy document to maintain the victim’s trust, while the other silently dropped a secondary LNK file into the Windows startup folder to ensure persistence across reboots. A PowerShell script was then downloaded and executed from the attacker’s remote server, completing the initial compromise in under five minutes.

The fourth campaign took a different technical approach, using a JSE file with a double extension formatted as .hwpx.jse. Since Windows hides file extensions by default, victims saw what appeared to be a standard Korean HWP document. Once opened, the script decoded a hidden DLL using the legitimate Windows certutil tool and executed it via rundll32.exe — a standard Windows binary — to avoid triggering security tools.

This campaign went further by establishing persistent remote access through a VSCode tunnel, using GitHub OAuth authentication to maintain a covert connection that blended entirely with legitimate developer traffic.

Abuse of Trusted Platforms for Command and Control

One of the most notable aspects of all four campaigns was Kimsuky’s heavy reliance on legitimate, trusted platforms for command-and-control (C2) operations. Rather than relying on dedicated attacker-controlled servers that could be easily blocked by reputation-based security tools, the group routed communications through:

  • GitHub raw APIs — used to store payloads and collect victim-specific telemetry
  • Microsoft CDN — used to deliver files without triggering network-level alerts
  • VSCode tunnels — used to maintain persistent remote access via GitHub OAuth

In some campaigns, a private server at nelark.icu served as the primary C2, while another funneled stolen data through the Korean website yespp.co.kr. Victim tracking was personalized, with targets identified through unique IDs, IP addresses, and MAC addresses, indicating a level of operational sophistication consistent with a state-sponsored threat actor.

Aggressive Defense Evasion From the First Five Minutes

LogPresso’s analysis found that Kimsuky’s malware began disabling defensive controls almost immediately upon execution. Within five minutes of a victim opening the lure file, the malware was already:

  • Disabling Windows User Account Control (UAC)
  • Registering Defender exclusions to prevent endpoint detection
  • Embedding itself in the Task Scheduler, disguised as legitimate OneDrive or Intel services

This rapid evasion sequence leaves a very narrow window for human or automated detection, and the group’s consistent rotation of infrastructure means that blocking based on static indicators such as domain names or file hashes is largely ineffective.

Detection and Defense Recommendations

LogPresso researchers emphasized that organizations cannot rely solely on IoC-based detection to defend against Kimsuky campaigns. Given the group’s use of trusted platforms and rapid infrastructure rotation, behavior-based detection covering the full attack chain is essential. Key indicators to monitor include:

  • LNK or JSE files with double extensions (e.g., .pdf.lnk, .hwpx.jse) arriving via email
  • Unexpected Task Scheduler entries, particularly those mimicking OneDrive, Intel, or Microsoft services
  • UAC being disabled outside of normal administrative workflows
  • Unusual PowerShell execution originating from startup folder contents
  • Outbound connections to GitHub raw API endpoints or VSCode tunnel infrastructure from non-developer machines
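The five indicators above expressed as behaviour-based triage rules and run over constructed sample endpoint telemetry, correlated per host so that one machine tripping several stages stands out as the chain described in the report. This is an added example, not code from LogPresso or the article; the event format, the host allow-list and the two VS Code tunnel domains are assumptions.

```python
import re
DEV_HOSTS = {"dev-ws-07"}  # hypothetical allow-list: hosts where GitHub/VSCode traffic is expected
# Document-looking name followed by a shortcut/script extension (.pdf.lnk, .hwpx.jse, ...).
DOUBLE_EXT = re.compile(r"\.(pdf|hwpx?|docx?|xlsx?)\.(lnk|jse|js|vbs|wsf)$", re.I)
MIMIC_TASK = re.compile(r"onedrive|intel|microsoft", re.I)
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Public)\\", re.I)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
# raw.githubusercontent.com is GitHub's raw-content host; the two tunnel domains are assumed.
TRUSTED_C2 = ("raw.githubusercontent.com", "devtunnels.ms", "tunnels.api.visualstudio.com")

def triage(kind: str, host: str, d: str) -> list[str]:
    """Names of the behavioural rules that fire for one event (empty list = nothing suspicious)."""
    hits = []
    if kind == "file" and DOUBLE_EXT.search(d):
        hits.append("double_extension_lure")
    if kind == "task":
        name, _, action = d.partition(";")       # detail is "task name;action path"
        if MIMIC_TASK.search(name) and USER_WRITABLE.search(action):
            hits.append("mimic_scheduled_task")  # vendor-looking name, payload in a user-writable dir
    if kind == "registry":
        if d.endswith(r"\Policies\System\EnableLUA=0"):
            hits.append("uac_disabled")
        if r"\Windows Defender\Exclusions" in d:
            hits.append("defender_exclusion_added")
    if kind == "process" and d.lower().startswith("powershell") and STARTUP_DIR.search(d):
        hits.append("powershell_from_startup")
    if kind == "netconn" and host not in DEV_HOSTS and d.rsplit(":", 1)[0].lower().endswith(TRUSTED_C2):
        hits.append("trusted_platform_c2_from_nondev")
    return hits

def correlate(lines: list[str]) -> dict[str, list[str]]:
    """Rules fired per host; one host tripping several stages is the chain described above."""
    chain: dict[str, list[str]] = {}
    for line in lines:
        kind, host, detail = (p.strip() for p in line.split("|", 2))  # "kind | host | detail"
        for rule in triage(kind, host, detail):
            chain.setdefault(host, []).append(rule)
    return chain

# Constructed sample telemetry (not real IoCs) mirroring the reported chain on one HR laptop.
SAMPLE_EVENTS = r"""
file | hr-laptop-03 | C:\Users\hr\Downloads\resume_kim_jiho.pdf.lnk
task | hr-laptop-03 | OneDrive Sync Service;C:\Users\hr\AppData\Roaming\sync.ps1
task | dev-ws-07 | OneDrive Standalone Update Task;C:\Program Files\Microsoft OneDrive\OneDriveStandaloneUpdater.exe
registry | hr-laptop-03 | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA=0
registry | hr-laptop-03 | HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\hr\AppData=0
process | hr-laptop-03 | powershell.exe -w hidden;parent=C:\Users\hr\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk
netconn | hr-laptop-03 | raw.githubusercontent.com:443
netconn | dev-ws-07 | raw.githubusercontent.com:443
""".strip().splitlines()
```

Running `correlate(SAMPLE_EVENTS)` returns six rule hits for hr-laptop-03 and nothing for the developer workstation, whose legitimate OneDrive task and GitHub traffic are both expected.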

The Kimsuky group’s multi-campaign operation demonstrates that North Korean cyber espionage units continue to refine their techniques rapidly. Organizations in the defense, financial, academic, and cryptocurrency sectors should treat these campaigns as a persistent and evolving threat requiring layered defenses, continuous monitoring, and regular security awareness training for employees in targeted roles.
