Kimsuky Attack Disguised as Sex Offender Notification Information
Essential information
- Published: 24/09/2025 10:38
- Modified: 24/09/2025 12:03
- Tags: 2025-09-24, anti-vm, apt, browser hijacking, cryptocurrency theft, data exfiltration, north korea, spear-phishing
- Related entities: 7 observables, 1 intrusion set (apt), 25 techniques (mitre)
Description
In late July 2025, an organized APT attack using shortcut files was discovered and attributed to the North Korean Kimsuky group. The attackers distribute decoy zip files containing password-protected documents and a disguised shortcut file. When the shortcut is executed, it connects to a C2 server, downloads encrypted payloads, and performs various malicious activities, including collecting sensitive information from browsers, cryptocurrency wallets, messaging apps, and system files. The collected data is encrypted and sent to the C2 server, which can issue additional commands for remote execution. The attack employs anti-VM techniques and establishes persistence through registry modifications. It also includes a separate malicious DLL for browser process injection.
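The lure structure described above (an archive pairing password-protected documents with an unencrypted shortcut) can be triaged at the mail gateway or sandbox intake before any payload runs. The following is an added example, not code from the report or from the analysts who produced it: it builds a constructed stand-in archive (the entry names are invented, not indicators from this campaign) and flags the combination of encrypted entries plus a shortcut identified by the MS-SHLLINK header rather than by name alone.

```python
import io
import zipfile

# MS-SHLLINK header: HeaderSize 0x4C followed by the ShellLink CLSID.
LNK_MAGIC = bytes.fromhex("4c000000011402000000000000c000000000000046")


def _flag_as_encrypted(blob: bytes, name: str) -> bytes:
    """Set bit 0 (encrypted) on one entry; zipfile cannot write encrypted entries."""
    raw, fname = bytearray(blob), name.encode()
    # (signature, fixed header length, flag offset, filename-length offset)
    for sig, hdr, flag_off, len_off in ((b"PK\x03\x04", 30, 6, 26),
                                         (b"PK\x01\x02", 46, 8, 28)):
        pos = raw.find(sig)
        while pos != -1:
            n = int.from_bytes(raw[pos + len_off:pos + len_off + 2], "little")
            if n == len(fname) and raw[pos + hdr:pos + hdr + n] == fname:
                raw[pos + flag_off] |= 0x01
            pos = raw.find(sig, pos + 1)
    return bytes(raw)


def build_sample(include_shortcut: bool = True) -> bytes:
    """Constructed stand-in for the lure archive; not a real Kimsuky sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("notice.hwp", b"decoy document body")
        if include_shortcut:
            # Explorer hides the .lnk suffix, so this displays as a PDF.
            zf.writestr("notice_details.pdf.lnk", LNK_MAGIC + b"\x00" * 56)
    return _flag_as_encrypted(buf.getvalue(), "notice.hwp")


def triage_archive(blob: bytes) -> dict:
    """Flag the lure pattern: encrypted document(s) plus an unencrypted shortcut."""
    found = {"encrypted_docs": [], "shortcuts": [], "double_ext": []}
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.flag_bits & 0x01:          # password-protected entry
                found["encrypted_docs"].append(info.filename)
                continue                       # unreadable without the password
            with zf.open(info) as fh:
                head = fh.read(len(LNK_MAGIC))
            base = info.filename.rsplit("/", 1)[-1].lower()
            # Match on content as well as name, so renamed shortcuts still hit.
            if head == LNK_MAGIC or base.endswith(".lnk"):
                found["shortcuts"].append(info.filename)
                if base.endswith(".lnk") and "." in base[:-4]:
                    found["double_ext"].append(info.filename)
    found["matches_lure_pattern"] = bool(found["encrypted_docs"] and found["shortcuts"])
    return found
```

A hit on `matches_lure_pattern` is a triage signal, not proof of this campaign; the archive should still be detonated to observe the C2 contact, registry persistence and injected DLL the report describes.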