Skip to content

Kimusky evolves to a new advanced LNK-based malware tactics

  • by
  • 3 min read
What is code-signed Malware and ways to protect your device

Kimusky threat group, suspected to be backed by North Korea, has evolved tactics, raising security experts’ concerns. Recent developments indicate a shift in their attack strategy as they increasingly employ LNK shortcut-type malware instead of traditional Hangul Word Processor (HWP) or MS Office document formats.

Since its inception in 2013, the group has primarily targeted South Korea, focusing on research institutes and energy corporations. However, cases of attacks against other countries have surfaced since 2017.

Kimusky’s modus operandi involves spear phishing attacks against various sectors, including national defence, industries, the press, diplomatic organisations, and academia. They aim to pilfer internal information and technology.

Cybersecurity researchers from ASEC have traced the group’s recent evolution. The group follows a pattern of enticing users to download compressed files through email attachments or links within phishing emails. Once downloaded, these files reveal a legitimate document and a concealed malicious LNK file.

Upon gaining initial access, the Kimusky group installs remote control malware, including custom-made threats like AppleSeed and PebbleDash, as well as utilising open-source or commercial malware like XRat, HVNC, Amadey, and Metasploit Meterpreter.

The threat actor often resorts to remote desktop protocols (RDP) or installs Google’s Chrome Remote Desktop to exfiltrate information from compromised systems.

However, in 2023, Kimusky began to deploy Amadey and RftRAT. Unlike previous attacks, these instances revealed the deployment of AutoIt, a scripting language, indicating a continuous evolution in their techniques.

Malware in LNK files. | Source: ASEC

The Amadey malware used by Kimusky is different from other versions. Kimusky uses Domain Generation Algorithms (DGA) that scan the system for antivirus and product names. DGA allows the data to be sent to the subsidiary command and control server if the connection to the primary C&C server is disrupted.

Amadey also supports download in the exe format, DLL, PowerShell, vbs and js.

RftRAT is installed via the ‘d015700.dll’ dropper that eventually creates an Infostealer after being installed into svshost.exe. After that, another malware, Appleseed, is installed on the system.

Amadey and RftRAT have similar AutoIt scripts, with the only difference being RftRAT acts as an injector. Kimusky group ports AutoIt and uses it to inject RftRAT. This tactic switch complicates detection as it introduces a new layer of obfuscation.

In their pursuit of information exfiltration, the Kimsusky group deploys keyloggers, Infostealers, and tools for extracting account details and cookies from web browsers. Notably, the group leverages RDP Wrapper for multiple sessions, and recent discoveries highlight their focus on monitoring user login records to exploit idle times.

“Users must carefully check the senders of emails and refrain from opening files from unknown sources. It is also recommended to apply the latest patch for OS and programs such as Internet browsers and update V3 to the latest version to prevent such malware infection in advance,” advised researchers.

In November, it was discovered that Kimusky was targeting South Korean institutes with malicious JSK files.

In the News: SLAM attack targets AMD CPUs; future Intel CPUs are at risk

Kumar Hemant

Kumar Hemant

Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations. You can contact him here: