Kimsuky Distributing Malicious Mobile App via QR Code
Essential information
- Published
- 16/12/2025 14:57
- Modified
- 21/12/2025 19:32
- Tags
- 2025-12-16 apk decryption docswap dprk keylogging mobile malware phishing qr code rat
- Related entities
- 12 observables, 1 intrusion sets (apt), 2 techniques (mitre), 1 malware, 2 others
Description
A new campaign by Kimsuky involves distributing malicious mobile apps through QR codes and phishing websites. The apps, masquerading as delivery services, VPNs, and cryptocurrency tools, decrypt an embedded APK to deploy a RAT with extensive capabilities. The malware uses a native decryption function and diverse decoy behaviors. Infrastructure overlaps and Korean language comments link this activity to Kimsuky. The threat actor employs sophisticated phishing techniques and leverages QR codes to redirect victims to malicious downloads. The malware requests extensive permissions and implements keylogging, audio recording, and data exfiltration. Multiple C&C servers were identified, some hosting Naver and Kakao phishing sites.