Malware & Ransomware · HIGH

Kimsuky - Malicious LNK Files Deliver Python-Based Backdoor

Cyber Security News
Tags: Kimsuky · Python backdoor · LNK files · PowerShell · malware campaign
🎯 Basically, a North Korean hacker group is using fake shortcut files to secretly install harmful software on computers.

Quick Summary

Kimsuky, a North Korean hacker group, is using malicious LNK files to deploy a Python backdoor on victim systems. This multi-stage attack complicates detection efforts, posing serious risks to sensitive data. Stay alert and avoid opening suspicious files to protect your systems.

What Happened

A North Korean threat group known as Kimsuky has been caught running a sophisticated cyberattack campaign. This campaign utilizes malicious Windows shortcut files, or LNK files, to quietly install a Python-based backdoor on victim systems. The attack unfolds in multiple stages, making it increasingly difficult for security tools to detect the malicious activity before the final payload is executed.

Who's Affected

Kimsuky has a history of targeting government agencies, research institutions, and individuals, particularly in South Korea and beyond. This latest campaign showcases a shift in their tactics, indicating that they are evolving to bypass traditional security measures.

How It Works

The attack starts when a user opens an LNK file disguised as a common document, such as a resume or a guide. Once executed, this file triggers a hidden PowerShell script that creates a concealed folder on the victim's machine. This folder is designed to remain undetected, as it has hidden and system attributes.

The infection process involves a series of steps:

  1. LNK file → triggers a PowerShell script.
  2. PowerShell script creates a hidden folder and drops three files:
    • An XML task scheduler file (sch_ha.db)
    • A VBS script (11.vbs)
    • A PowerShell script (pp.ps1)
  3. The XML file registers a scheduled task that runs every 17 minutes, ensuring the malware remains active even after system reboots.

Signs of Infection

Victims may notice unusual activity, such as the creation of hidden folders or unexpected scheduled tasks. The backdoor allows attackers to execute commands, browse directories, and extract sensitive data without raising alarms.

How to Protect Yourself

To mitigate the risk of infection from this campaign, users should:

  • Avoid opening LNK files received via email or messaging apps, especially those disguised as legitimate documents.
  • Monitor Windows Task Scheduler for suspicious entries, particularly those with Google-themed names.
  • Keep endpoint security tools updated and block unauthorized outbound connections to unknown services.
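The persistence step above (an XML task definition with a 17-minute repetition trigger that launches a VBS script) and the advice to watch Task Scheduler for Google-themed entries can be turned into a triage check over exported task XML. This is an added example, not code from the article or from the campaign; the task name and folder path in the sample are placeholders, and the only real structure assumed is the standard Task Scheduler XML schema.

```python
import re
import xml.etree.ElementTree as ET

# Namespace used by Windows Task Scheduler task definitions (schtasks /Query /XML, Export-ScheduledTask).
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Constructed sample shaped like the persistence described in the article:
# 17-minute repetition, script-host action pointing at a .vbs file.
# Task name and directory are placeholders, not indicators from the article.
SAMPLE_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\GoogleUpdatePlaceholderTask</URI></RegistrationInfo>
  <Triggers>
    <TimeTrigger>
      <Repetition><Interval>PT17M</Interval></Repetition>
      <StartBoundary>2024-01-01T00:00:00</StartBoundary>
      <Enabled>true</Enabled>
    </TimeTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>wscript.exe</Command>
      <Arguments>//B C:\Users\Public\PLACEHOLDER_HIDDEN_DIR\11.vbs</Arguments>
    </Exec>
  </Actions>
</Task>"""

def iso_minutes(interval):
    """Convert a Task Scheduler duration (e.g. PT17M, PT1H, P1D) to minutes; None if unparsable."""
    m = re.fullmatch(r"P(?:(\d+)D)?T?(?:(\d+)H)?(?:(\d+)M)?", interval or "")
    if not m:
        return None
    days, hours, mins = (int(x) if x else 0 for x in m.groups())
    return days * 1440 + hours * 60 + mins

def triage_task_xml(xml_text):
    """Return the reasons a task definition matches the traits described in the article."""
    root = ET.fromstring(xml_text)
    reasons = []
    uri = root.findtext("t:RegistrationInfo/t:URI", default="", namespaces=NS)
    if "google" in uri.lower():
        reasons.append("google-themed task name: " + uri)
    for iv in root.iterfind(".//t:Repetition/t:Interval", NS):
        if iso_minutes(iv.text) == 17:
            reasons.append("17-minute repetition trigger")
    for ex in root.iterfind(".//t:Actions/t:Exec", NS):
        cmd = (ex.findtext("t:Command", default="", namespaces=NS) or "").lower()
        args = ex.findtext("t:Arguments", default="", namespaces=NS) or ""
        script_host = any(k in cmd for k in ("wscript", "cscript", "powershell"))
        if script_host and re.search(r"\.(vbs|ps1)\b", args, re.I):
            reasons.append("script-host action: " + cmd + " " + args)
    return reasons

if __name__ == "__main__":
    for reason in triage_task_xml(SAMPLE_TASK_XML):
        print("suspicious:", reason)
```

Run it over the XML of every task exported from a host to surface candidates; a match on all three traits is a strong reason to inspect the referenced folder and script.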

By remaining vigilant and implementing these protective measures, individuals and organizations can reduce their risk of falling victim to Kimsuky's evolving tactics.

🔒 Pro insight: Kimsuky's multi-stage approach highlights the need for advanced detection mechanisms that can identify layered malware delivery methods.

Original article from Cyber Security News · Tushar Subhra Dutta
