Kimsuky Hackers Use LNK and JSE Lures to Target Recruiters, Crypto

Marcus Rodriguez
May 19, 2026 4 Min Read

The North Korea-linked Kimsuky threat group significantly broadened its targeting in the first half of 2025, launching four distinct spear-phishing campaigns. This well-known cyber espionage unit, identified by its ties to the Democratic People’s Republic of Korea (DPRK), focused its operations on corporate recruiters, cryptocurrency investors and developers, defense sector

Each campaign used a different disguise but followed the same basic playbook: trick someone into opening a file and quietly take over their computer.

What makes these attacks stand out is the variety of people they went after. Recruiters received fake resumes and business cards.

Crypto users were lured with content themed around Solana meme coins. Defense officials were sent documents tied to the K-ICTC International Scientific Combat Management Competition.

Campaigns (Source – LogPresso)

Graduate school staff were handed what appeared to be enrollment documents. In every case, the goal was identical: get a foothold without raising any flags.

Analysts at LogPresso said in a report shared with Cyber Security News that all four campaigns followed a consistent attack flow that started with displaying a decoy document while silently dropping a malicious payload, then securing persistence, and finally establishing a remote control channel.

The campaigns were distinguished mainly by their lure topics, entry methods, and command-and-control infrastructure.

The attackers showed clear signs of sophistication. Instead of using obviously suspicious servers, they routed communications through trusted platforms like GitHub raw APIs, Microsoft CDN, and VSCode tunnels.

This made their traffic blend in with normal activity, making it harder for reputation-based security tools to catch them.

Target identification was also personalized, with victims tracked through unique IDs, IP addresses, and MAC addresses.

One of the most consistent findings across all four campaigns was aggressive defense evasion from the very start.

Within five minutes of a victim opening the bait file, the malware was already disabling Windows UAC, registering Defender exceptions, and embedding itself in the Task Scheduler to survive reboots.

LogPresso noted that blocking based on individual IoCs has clear limitations, and that defenders need behavior-based detection covering the full attack chain.

Kimsuky Hackers Use LNK and JSE Lures

Three of the four campaigns relied on LNK files disguised to look like PDFs. When a victim opened one, two hidden payloads embedded in the file were split out. One part quietly displayed a convincing decoy document to keep the victim unsuspecting.

The other saved a secondary LNK file to the Windows startup folder, establishing persistence before downloading and running PowerShell scripts from the attacker’s server.

The entire process completed in under five minutes, leaving very little room for human detection.

The fourth campaign took a different approach, using a JSE file with a double extension formatted as .hwpx.jse. Since Windows hides extensions by default, the victim saw what looked like a Korean HWP document.

Once opened, the script decoded a hidden DLL using the built-in certutil tool and loaded it using rundll32.exe, a legitimate Windows component.

This campaign went further by using a VSCode tunnel to maintain persistent remote access, riding on Microsoft’s own signed binaries to stay undetected.

Abuse of Legitimate Services for C2

A thread that ran through every campaign was Kimsuky’s heavy use of legitimate services for command-and-control operations. GitHub repositories stored payloads and collected victim data.

Microsoft CDN helped deliver files without triggering network alerts. VSCode tunnels created persistent remote access through GitHub OAuth authentication.

In one case, a private server at nelark.icu acted as the C2, while another campaign funneled data through the Korean site yespp.co.kr.

LogPresso’s analysis makes clear that defenders cannot rely on blocking domains or file hashes alone.

Since Kimsuky rotates its infrastructure quickly, organizations should watch for LNK or JSE files with double extensions, monitor unexpected Task Scheduler entries disguised as OneDrive or Intel services, and flag any instance of UAC being disabled outside normal administrative activity.

Building detection around behaviors rather than static indicators is the only reliable way to stay ahead of a group this adaptive.
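As an added illustration (not code from LogPresso or from this article), the Python sketch below turns the behaviours described in the chain above and in the recommendations into a small rule set and runs it over constructed sample telemetry; the event format, the paths and the three-stage alert threshold are assumptions. It flags the double-extension lure, the Startup-folder LNK, the OneDrive/Intel lookalike task, the UAC and Defender changes and the certutil/rundll32 pair, and raises an alert only when hits span several stages of the chain.

```python
import re
# Constructed sample telemetry (not data from the LogPresso report). Event =
# (source, detail): file = path written, proc = process command line,
# task = "name => action", reg = "path = value".
SAMPLE_EVENTS = [
    ("file", r"C:\Users\hr\Downloads\candidate_resume.pdf.lnk"),
    ("file", r"C:\Users\hr\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneDrive.lnk"),
    ("proc", r"powershell.exe -w hidden -c Add-MpPreference -ExclusionPath C:\Users\hr\AppData"),
    ("reg", r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = 0"),
    ("task", r"OneDrive Update => wscript.exe C:\Users\hr\AppData\Local\Temp\update.vbs"),
    ("proc", r"certutil.exe -decode C:\Users\hr\AppData\Local\Temp\blob.txt C:\Users\hr\AppData\Local\Temp\x.dll"),
    ("proc", r"rundll32.exe C:\Users\hr\AppData\Local\Temp\x.dll,Run"),
    ("task", r"OneDrive Standalone Update Task => C:\Program Files\Microsoft OneDrive\OneDriveStandaloneUpdater.exe"),
    ("file", r"C:\Users\hr\Downloads\quarterly_report.pdf"),
]

# Paths an unprivileged user can write to; genuine OneDrive/Intel tasks run from Program Files.
USER_WRITABLE = re.compile(r"\\Users\\|\\Temp\\|\\AppData\\", re.I)

# Each rule: (name, chain stage, event source it applies to, predicate on the detail).
RULES = [
    ("double-extension lure (e.g. .pdf.lnk, .hwpx.jse)", "lure", "file",
     lambda d: re.search(r"\.(pdf|hwpx?|docx?)\.(lnk|jse|js|vbs)$", d, re.I)),
    ("LNK dropped in the Startup folder", "persistence", "file",
     lambda d: re.search(r"\\Startup\\[^\\]+\.lnk$", d, re.I)),
    ("OneDrive/Intel lookalike task running from a user-writable path", "persistence", "task",
     lambda d: re.match(r"(onedrive|intel)", d, re.I)
               and USER_WRITABLE.search(d.split("=>", 1)[-1])),
    ("UAC disabled (EnableLUA set to 0)", "evasion", "reg",
     lambda d: re.search(r"\\EnableLUA\s*=\s*0$", d, re.I)),
    ("Defender exclusion added", "evasion", "proc",
     lambda d: re.search(r"Add-MpPreference.*-Exclusion", d, re.I)),
    ("certutil used to decode a payload", "execution", "proc",
     lambda d: re.match(r"certutil(\.exe)?\s.*-decode", d, re.I)),
    ("rundll32 loading a DLL from a user-writable path", "execution", "proc",
     lambda d: re.match(r"rundll32(\.exe)?\s", d, re.I) and USER_WRITABLE.search(d)),
]

def find_hits(events):
    """Return (rule name, stage, detail) for every event some rule matches."""
    return [(name, stage, detail)
            for src, detail in events
            for name, stage, rule_src, pred in RULES
            if src == rule_src and pred(detail)]

def chain_detected(events, min_stages=3):
    """Alert only when hits span several chain stages, so a lone OneDrive.lnk does not page anyone."""
    stages = sorted({stage for _, stage, _ in find_hits(events)})
    return len(stages) >= min_stages, stages
```

The benign OneDrive task and the plain PDF in the sample produce no hits, which is the point of tying each rule to a user-writable path or a second extension rather than to a name alone.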

Indicators of Compromise (IoCs)

