Kimsuky Attack Disguised as Sex Offender Notification Information

· Published 24/09/2025 10:38 · Modified 24/09/2025 12:03

Essential information

Tags
2025-09-24, anti-vm, apt, browser hijacking, cryptocurrency theft, data exfiltration, north korea, spear-phishing
Related entities
7 observables, 1 intrusion set (APT), 25 techniques (MITRE)

Description

In late July 2025, an organized attack using shortcut files was discovered and attributed to the North Korean Kimsuky group. The attackers distribute decoy zip archives containing password-protected documents together with a disguised shortcut file. When the shortcut is executed, it connects to a C2 server, downloads encrypted payloads, and performs a range of malicious activities, including collecting sensitive information from browsers, cryptocurrency wallets, messaging apps, and system files. The collected data is encrypted and sent to the C2 server, which can issue additional commands for remote execution. The attack employs anti-VM evasion techniques and establishes persistence through registry modifications. It also includes a separate malicious DLL used for browser process injection.