Kimsuky Uses Malicious LNK Files for Python Backdoor in Multi-Stage Attack
Key Takeaways
- The North Korean state-sponsored hacking group Kimsuky is employing a sophisticated multi-stage attack using malicious LNK files.
- The campaign aims to deploy a Python-based backdoor, granting attackers comprehensive remote control over compromised systems.
- The attack chain now incorporates additional intermediate steps, including XML and VBS files, designed to evade detection by traditional security solutions.
- Targets typically include government entities, research institutions, and individuals, primarily in South Korea.
Kimsuky Group Enhances Evasion Tactics with Multi-Stage Python Backdoor Delivery
The notorious North Korean advanced persistent threat (APT) group Kimsuky has launched a new cyberattack campaign, leveraging an intricate multi-stage process involving weaponized Windows shortcut (LNK) files to implant a Python-based backdoor on victim systems. This refined attack methodology, designed for enhanced stealth, has been thoroughly analyzed by security researchers.
This latest campaign demonstrates a significant evolution in Kimsuky’s operational tactics. The threat actor, known for its persistent targeting of government agencies, research institutions, and individuals, particularly within South Korea, has introduced additional layers of obfuscation to its malware delivery chain. This makes detection considerably more challenging for security tools before the final malicious payload establishes itself on the target machine. A recent analysis provides a detailed breakdown of these new techniques.
Evolving Attack Chain for Enhanced Stealth
While Kimsuky’s ultimate objective remains consistent—to achieve persistent remote access via a Python backdoor—the group has substantially modified its delivery mechanism. Previous attack flows typically progressed from an LNK file directly to PowerShell and then a batch (.BAT) file. In this updated version, the execution path now includes an XML file, a VBScript (.VBS) file, and a PowerShell (.PS1) script before reaching the final .BAT file that deploys the payload. This expanded sequence creates multiple intermediate stages, providing greater control over the infection process and increasing the difficulty for security solutions to flag the malicious activity.
Researchers at ASEC were instrumental in identifying this strategic shift by the Kimsuky group, noting a distinct structural change in how their malicious LNK files are executed. The added layers between each step are a clear indication of the group’s efforts to enhance evasion capabilities.
Initial Infection Vector and Persistence
The LNK files used in this campaign are meticulously crafted to appear legitimate, often using filenames such as “Resume (Sungmin Park).hwp.lnk” and “Guide to Establishing Data Backup and Recovery Procedures (Reference).lnk”. These names are chosen to deceive users into clicking them, believing they are opening a standard document.
Upon execution, the LNK file initiates a hidden PowerShell script. This script then creates a concealed folder at C:\windirr, configured with hidden and system attributes to prevent it from appearing in typical file browsers. A decoy HWP document is simultaneously displayed to the victim, masking the malicious operations occurring in the background.
Backdoor Capabilities and Data Exfiltration
The successful deployment of the Python backdoor grants attackers extensive remote command and control (C2) capabilities. This includes the ability to execute arbitrary shell commands, navigate file systems, upload and download files, delete data, and launch other programs. Such a high level of access enables the threat actor to covertly monitor victim systems and exfiltrate sensitive information for extended periods, often without detection.
Multi-Stage Infection Mechanism
The infection process is a carefully orchestrated sequence of stages, each designed to progress silently to the next while circumventing security alerts. After the initial LNK file execution, the PowerShell script establishes the hidden directory and drops three critical files: an XML task scheduler file (sch_ha.db), a VBScript (11.vbs), and a PowerShell script (pp.ps1).
The XML file registers a task scheduler entry named GoogleUpdateTaskMachineCGI__{56C6A980-91A1-4DB2-9812-5158E7E97388}, configured to execute every 17 minutes. This mechanism ensures the malware maintains persistence across system reboots. The VBS file then launches pp.ps1, which is responsible for collecting a wide array of system information, including the username, active processes, operating system version, public IP address, and installed antivirus software details. This stolen data is subsequently exfiltrated to the attacker’s Dropbox account. The use of a legitimate cloud service like Dropbox helps the attackers blend their malicious network traffic with normal activity, further aiding evasion.
The pp.ps1 script also downloads and executes a batch file, hh.bat, from the attacker’s Dropbox. This batch file retrieves two fragmented ZIP archives from remote servers, merges them, and then extracts the final payload to C:\winii. The extracted archive contains the core Python backdoor, named beauty.py. This backdoor is then registered as a task called GoogleExtension and launched via another XML scheduler entry.
Once active, the beauty.py backdoor establishes a connection to the C2 server at 45.95.186[.]232 on port 8080. It sends a “HAPPY” packet to confirm a successful infection and then awaits further commands from the attackers.
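The persistence described above (a Google-themed task name, a 17-minute repetition trigger, and an action that runs a VBS file out of the hidden staging folder) is easy to check for once a task is exported as XML. The following checker is an added example, not code from ASEC or HackersRadar; the two task definitions are constructed to mirror the description and are not the real sch_ha.db, and the legitimate Google Update install paths are an assumption about a typical installation.

```python
import re
import xml.etree.ElementTree as ET

# Every element in a Task Scheduler XML definition lives in this namespace.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Names from the campaign; real Google Update tasks also start with "GoogleUpdateTaskMachine".
SUSPICIOUS_NAME = re.compile(r"^Google(UpdateTaskMachine|Extension)", re.I)
STAGING_DIRS = (r"c:\windirr", r"c:\winii")            # hidden folders used by the chain
LEGIT_GOOGLE_DIRS = (r"c:\program files (x86)\google",  # assumed install paths of the
                     r"c:\program files\google")        # genuine Google Update tasks


def iso8601_minutes(interval: str) -> float:
    """Convert a Task Scheduler duration such as 'PT17M' or 'P1DT2H' to minutes."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", interval)
    if not m:
        raise ValueError(f"unsupported duration: {interval}")
    d, h, mi, s = (int(x) if x else 0 for x in m.groups())
    return d * 1440 + h * 60 + mi + s / 60


def assess_task(name: str, task_xml: str) -> list[str]:
    """Return the reasons a task resembles the persistence mechanism described above."""
    root = ET.fromstring(task_xml)
    actions = " ".join(
        (e.findtext("t:Command", default="", namespaces=NS) + " "
         + e.findtext("t:Arguments", default="", namespaces=NS)).lower()
        for e in root.findall(".//t:Actions/t:Exec", NS))
    reasons = []
    if SUSPICIOUS_NAME.match(name) and not any(p in actions for p in LEGIT_GOOGLE_DIRS):
        reasons.append("Google-themed task name but action does not run from a Google install path")
    if any(p in actions for p in STAGING_DIRS):
        reasons.append("action references a hidden staging folder used by the campaign")
    for rep in root.findall(".//t:Triggers//t:Repetition/t:Interval", NS):
        if iso8601_minutes(rep.text) <= 20:
            reasons.append(f"short repetition interval {rep.text}")
    if any(h in actions for h in ("wscript", "cscript", "powershell")) and ".vbs" in actions:
        reasons.append("script host launching a VBS file")
    return reasons


# Constructed task definitions: one mirroring the described entry, one a normal Google Update task.
SAMPLE_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><TimeTrigger><Repetition><Interval>PT17M</Interval></Repetition>
    <StartBoundary>2024-01-01T00:00:00</StartBoundary><Enabled>true</Enabled></TimeTrigger></Triggers>
  <Actions Context="Author"><Exec><Command>wscript.exe</Command>
    <Arguments>C:\\windirr\\11.vbs</Arguments></Exec></Actions></Task>"""
LEGIT_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author"><Exec>
    <Command>C:\\Program Files (x86)\\Google\\Update\\GoogleUpdate.exe</Command>
    <Arguments>/c</Arguments></Exec></Actions></Task>"""
```

On a live host the XML for a task can be exported with `schtasks /Query /TN <name> /XML` and fed to assess_task together with the task name.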
What You Should Do
- Exercise Caution with LNK Files: Users should be highly suspicious of LNK files received via email, messaging platforms, or untrusted sources, even if they appear to be legitimate documents.
- Monitor Task Scheduler: Organizations should actively monitor Windows Task Scheduler for newly created or modified entries, especially those with suspicious names or Google-themed disguises like GoogleUpdateTaskMachineCGI or GoogleExtension.
- Maintain Endpoint Security: Ensure all endpoint detection and response (EDR) and antivirus solutions are up-to-date with the latest threat intelligence and signatures.
- Implement Network Segmentation and Filtering: Restrict unauthorized outbound connections to known malicious IP addresses and suspicious cloud services (like Dropbox, if not used for legitimate business purposes) to prevent data exfiltration and C2 communications.
- User Awareness Training: Conduct regular cybersecurity awareness training for employees to educate them about phishing, social engineering tactics, and the dangers of opening unexpected attachments or files.