North Korean Hackers Target Pharma with Weaponized Excel Malware

Sarah Simpson
April 27, 2026, 4 min read

Key Takeaways

  • The North Korean Kimsuky hacking group is actively targeting pharmaceutical companies with a sophisticated malware campaign.
  • Attackers are deploying a weaponized Windows shortcut (.lnk) file disguised as an Excel document to gain initial access.
  • The malware establishes persistence through a scheduled task and uses Dropbox for command-and-control, exfiltrating system information.
  • The campaign specifically targets the pharmaceutical sector, risking sensitive research data and patient records.

North Korean Kimsuky Group Deploys Weaponized Excel Malware Against Pharma Sector

The Kimsuky hacking collective, known to be state-sponsored by North Korea, has launched a new campaign specifically targeting prescription pharmaceutical companies. This operation utilizes a custom malware file, “White Life Science ERP Specification,” crafted to infiltrate these high-value organizations.

The attack vector relies on social engineering: a counterfeit Excel document tricks employees into unknowingly executing malicious code, which gives the attackers covert access to the victim’s system. That even an advanced threat actor leans on such a simple lure shows how effective deception remains.

Intricate Deception and Multi-Payload Delivery

The malware initially arrives as a file named White Life Science ERP Specification.lnk. This Windows shortcut file is meticulously disguised to appear identical to a legitimate Excel spreadsheet. When a user opens what they believe is a standard business document, a complex chain of hidden scripts is silently initiated in the background, leaving no immediate visible signs of compromise.

Analysts at Wezard4u meticulously analyzed this malware, uncovering that the .lnk file functions as a multi-payload container. It bundles a decoy Excel file, a PowerShell script, a JavaScript file, and a Windows Task Scheduler XML, all compressed within a single 23,079-byte shortcut. The attackers appear to be impersonating a legitimate prescription drug manufacturer, enhancing the credibility of the bait document for the intended targets.

Upon execution, PowerShell discreetly extracts and runs each component sequentially, effectively concealing the infection from the user. The complete execution flow progresses from the LNK file to an XML definition, then to a JavaScript file, and finally to a PowerShell script, making detection at any individual stage particularly challenging.

Strategic Targeting of Life Sciences

The broader implications of this campaign are significant due to its direct focus on the pharmaceutical sector—an industry rich in sensitive research data, confidential patient records, and proprietary drug formulations. Kimsuky has a documented history of targeting academic, government, and research institutions, and this latest campaign signals a clear expansion of their operational scope into the life sciences.

Should these attackers successfully establish a foothold, they could exfiltrate critical clinical trial data, intellectual property, or maintain long-term surveillance over internal communications. Security teams can use the following file identifiers for immediate detection: White Life Science ERP Specification.lnk with an MD5 hash of 5c3bf036ab8aadddb2428d27f3917b86, SHA-1 of e9c16aa2e322a65fc2621679ca8e7414ebcf89c0, and SHA-256 of d4c184f4389d710c8aefe296486d4d3e430da609d86fa6289a8cea9fde4a1166.

Inside the Infection and Persistence Chain

The technical sophistication of this attack lies in its methods for concealing payloads and maintaining persistent access without triggering common security defenses. When the victim opens the shortcut posing as an Excel file, a lengthy command is executed via cmd.exe, invoking PowerShell through the SysWOW64 path. This launches the 32-bit version of PowerShell on a 64-bit Windows system, a known technique for evading security monitoring tools that only observe 64-bit processes.

The PowerShell script then decodes the embedded payloads, which are obfuscated by XOR-ing each byte with 0xC7. The decoded payloads are dropped into a hidden directory named C:\sysconfigs, chosen to resemble a legitimate Windows system directory. Two primary files are saved: opakib.ps1, the main PowerShell payload, and copa08o.js, a JavaScript launcher.

To ensure persistence, the JavaScript file is registered as a scheduled task, cleverly named “Avast Secure Browser VPS Differential Update Ex.” This naming convention is designed to make the malicious task appear as a benign and trusted browser update process, further aiding its stealth.

Once active, opakib.ps1 connects to Dropbox through its official API, effectively turning the cloud storage service into a command-and-control (C2) server. The malware gathers victim information, including the domain name, username, operating system version, public IP address, and a list of running processes. This data is encrypted with RC4 and then Base64-encoded before being uploaded to Dropbox. The attacker can subsequently place custom command files in Dropbox, which the malware downloads and silently executes on the compromised machine.

What You Should Do

  • Enable File Extension Visibility: Ensure that Windows settings are configured to always show file extensions, making it harder for .lnk files to be mistaken for legitimate Excel documents.
  • Monitor PowerShell Execution: Implement robust monitoring and, where possible, restrictions on PowerShell execution, particularly through SysWOW64 paths, which can indicate attempts to bypass security controls.
  • Audit Scheduled Tasks: Regularly review and audit Windows scheduled tasks for any unfamiliar or suspicious entries, especially those impersonating legitimate software updates.
  • Flag Unusual Dropbox API Connections: Monitor corporate networks for unusual or unauthorized Dropbox API connections, which could indicate C2 activity.
  • Deploy Indicator of Compromise (IoC) Hashes: Add the provided MD5, SHA-1, and SHA-256 file hashes to endpoint detection and response (EDR) platforms and other security tools to identify and quarantine infected systems promptly.
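To turn the infection chain described above and the checks in this list into something a SOC can actually run, here is a small Python hunting script. It is an added example, not code from the article or from Wezard4u’s analysis; the event shape and the sample telemetry are constructed assumptions loosely modelled on Sysmon fields. It flags the SysWOW64 PowerShell launch from cmd.exe, a scheduled task handing a .js in C:\sysconfigs to a script host, Dropbox API traffic originating from PowerShell, and files matching the published hashes.

```python
import re
# File hashes the article lists for "White Life Science ERP Specification.lnk" (MD5, SHA-1, SHA-256).
LNK_HASHES = {"5c3bf036ab8aadddb2428d27f3917b86", "e9c16aa2e322a65fc2621679ca8e7414ebcf89c0",
              "d4c184f4389d710c8aefe296486d4d3e430da609d86fa6289a8cea9fde4a1166"}
# 32-bit PowerShell on a 64-bit host, i.e. the SysWOW64 path the infection chain uses.
WOW64_PS = re.compile(r"\\syswow64\\windowspowershell\\v1\.0\\powershell\.exe$", re.I)
# A script host handed a .js/.ps1 file, as the scheduled task does with copa08o.js.
SCRIPT_HOST = re.compile(r"\\(wscript|cscript|powershell)\.exe\b.*\.(js|ps1)\b", re.I)
# The drop directory named in the article.
DROP_DIR = re.compile(r"c:\\sysconfigs\\", re.I)

def check_event(ev: dict) -> list[str]:
    """Return the names of the rules one telemetry event trips ([] if clean)."""
    hits, kind = [], ev.get("type")
    if kind == "process":
        if WOW64_PS.search(ev["image"]) and ev["parent"].lower().endswith("\\cmd.exe"):
            hits.append("wow64-powershell-from-cmd")
        if DROP_DIR.search(ev.get("cmdline", "")):
            hits.append("script-from-sysconfigs")
    elif kind == "task":
        if SCRIPT_HOST.search(ev["action"]):
            hits.append("task-runs-script")
        if DROP_DIR.search(ev["action"]):
            hits.append("script-from-sysconfigs")
    elif kind == "network":
        if ev["dest"].lower().endswith("dropboxapi.com") and "powershell" in ev["image"].lower():
            hits.append("dropbox-api-from-powershell")
    elif kind == "file" and ev["hash"].lower() in LNK_HASHES:
        hits.append("known-lnk-hash")
    return hits

def hunt(events: list[dict]) -> dict[int, list[str]]:
    """Map the index of every event that trips a rule to the rules it tripped."""
    return {i: h for i, ev in enumerate(events) if (h := check_event(ev))}

# Constructed sample telemetry (not real logs): events 0-3 mirror the article's chain, 4-5 are benign.
SAMPLE_EVENTS = [
    {"type": "process", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe <long command carried by the .lnk>"},
    {"type": "task", "name": "Avast Secure Browser VPS Differential Update Ex",
     "action": r"C:\Windows\System32\wscript.exe C:\sysconfigs\copa08o.js"},
    {"type": "network", "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "dest": "api.dropboxapi.com"},
    {"type": "file", "path": r"C:\Users\alice\Downloads\White Life Science ERP Specification.lnk",
     "hash": "D4C184F4389D710C8AEFE296486D4D3E430DA609D86FA6289A8CEA9FDE4A1166"},
    {"type": "process", "parent": r"C:\Windows\explorer.exe", "cmdline": "powershell Get-Date",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"type": "network", "image": r"C:\Program Files\Dropbox\Client\Dropbox.exe", "dest": "api.dropboxapi.com"},
]
```

The "task-runs-script" rule is a triage signal rather than proof of compromise, since some legitimate software registers script-based tasks; pair it with the task name and the script's location before acting.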

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.
