FortiGuard Labs has uncovered a multi-stage cyberattack campaign by North Korea-linked group Kimsuky targeting South Korean organizations. The attack begins with phishing emails containing obfuscated LNK files that silently execute PowerShell scripts while displaying decoy PDFs. The scripts perform anti-analysis checks, establish persistence via scheduled tasks, and exfiltrate data to attacker-controlled GitHub repositories, which also serve as C2 infrastructure. The campaign is linked to previous Xeno RAT and MoonPeak malware distribution, and a related variant uses Dropbox as interim C2 before deploying a Python-based backdoor. Recommendations include enhanced email security, monitoring cloud repository access from endpoints, PowerShell logging, and application whitelisting.
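A defender-side illustration of the recommendations above, as an added Python example that is not from FortiGuard's report: it scores constructed endpoint telemetry for the three stages of the chain the summary describes (hidden PowerShell launched when an LNK is opened from Explorer, scheduled-task persistence, and PowerShell reaching a GitHub or Dropbox domain) and flags hosts where more than one stage is seen. The event shape, field names, domains and commands are assumptions.

```python
import re

# Constructed sample telemetry (not from the report): process-creation records
# shaped loosely like Sysmon Event ID 1, plus the destination host of any
# outbound connection the process made. Domains and commands are illustrative.
SAMPLE_EVENTS = [
    {"host": "ws-01", "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -WindowStyle Hidden -ep bypass -enc SQBFAFgA", "dest": ""},
    {"host": "ws-01", "parent": "powershell.exe", "image": "schtasks.exe",
     "cmdline": "schtasks /create /sc minute /mo 30 /tn SysUpdate /tr powershell.exe", "dest": ""},
    {"host": "ws-01", "parent": "powershell.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -c Invoke-RestMethod https://api.github.com/repos/x/y/contents",
     "dest": "api.github.com"},
    {"host": "ws-02", "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -File C:\\scripts\\backup.ps1", "dest": ""},
]

# One pattern per stage of the chain described in the summary.
HIDDEN_PS = re.compile(r"-w(indowstyle)?\s+hidden|-e(nc|ncodedcommand)?\s", re.I)
SCHTASK = re.compile(r"schtasks(\.exe)?\s+/create|Register-ScheduledTask", re.I)
CLOUD_REPO = re.compile(r"(api\.|raw\.)?github(usercontent)?\.com|dropbox(api)?\.com", re.I)

def classify(ev):
    """Return the set of chain stages a single event matches."""
    stages = set()
    img, parent, cmd = ev["image"].lower(), ev["parent"].lower(), ev["cmdline"]
    # An LNK opened from the desktop or a mail attachment folder typically shows
    # up as explorer.exe spawning powershell.exe with a hidden/encoded command.
    if img == "powershell.exe" and parent == "explorer.exe" and HIDDEN_PS.search(cmd):
        stages.add("hidden_powershell")
    if parent == "powershell.exe" and SCHTASK.search(cmd):
        stages.add("schtask_persistence")
    if img == "powershell.exe" and (CLOUD_REPO.search(cmd) or CLOUD_REPO.search(ev["dest"])):
        stages.add("cloud_repo_c2")
    return stages

def stage_hits(events):
    """Aggregate the matched stages per host."""
    hits = {}
    for ev in events:
        hits.setdefault(ev["host"], set()).update(classify(ev))
    return hits

def flag_hosts(events, min_stages=2):
    """Hosts on which at least min_stages distinct stages of the chain were seen."""
    return sorted(h for h, s in stage_hits(events).items() if len(s) >= min_stages)

if __name__ == "__main__":
    for host in flag_hosts(SAMPLE_EVENTS):
        print(host, sorted(stage_hits(SAMPLE_EVENTS)[host]))
```

A single stage on its own (an administrator's hidden PowerShell window, or a script that legitimately pulls from GitHub) is common, which is why the host-level correlation across stages, rather than any one pattern, is what makes the alert worth a look.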