Threat Trend Report on APT Groups – June 2025
Major APT Group Trends
Purpose and Scope
This report covers nation-led threat groups, presumed to conduct cyber espionage or sabotage supported by certain governments. These groups are referred to as advanced persistent threat (APT) groups for the sake of convenience. Therefore, this report does not contain information on cybercriminal groups aiming to gain financial profits.
This report compiles analyses of APT groups published during the previous month by security companies and institutions, including AhnLab; some APT groups may not be covered.
Group names and classification criteria vary between security companies and researchers; this report uses the well-known threat actor names from the AhnLab Threat Intelligence Platform (ATIP).
Major APT Group Trends by Country
1) North Korea
North Korean APT groups used GitHub personal access tokens (PATs) to turn private repositories into attack infrastructure, and they continue to pose as remote IT workers to join companies and steal information for financial gain. The US government has also prosecuted North Korean IT workers and those who assist them.
Jasper Sleet
North Korean threat actors such as Jasper Sleet have been found posing as remote IT workers, creating fake identity documents with AI and using RMM tools to try to infiltrate companies and steal information for financial profit.
| Case 1. | |
| --- | --- |
| Time | 2018 – October 2024 |
| Attack Target | · US technology, critical manufacturing, and transportation companies · Global companies hiring for technology-related positions in various industries · Some government agencies (at least two in the US) |
| Initial Breach | · Used fake resumes and IDs to infiltrate the remote IT hiring process · Created fake portfolios and accounts on LinkedIn, GitHub, and freelance sites · Contacted recruiters or intermediaries on Facebook, Telegram, and other platforms when necessary |
| Vulnerability Used | None |
| Malware and Tools | · Faceswap and other AI image generation and editing tools · Voice changer software · RMM tools (TinyPilot, Rust Desk, TeamViewer, AnyViewer, Anydesk, etc.) · VPN/Astrill VPN · VPS/Proxy · IP-based KVM devices (PiKVM, TinyPilot) |
| Technique | · Infiltrates the hiring process using fake identities and profiles · Makes ID and profile photos and changes voices with AI · After being hired, delivers company hardware to an accomplice and uses it for remote access · Hides location and activities with RMM and VPN · Avoids video interviews with false excuses or having an accomplice attend instead |
| Damage | · Exfiltration of confidential information, such as source code, IP, and trade secrets · Infiltrated at least 64 US companies and obtained more than $860,000 |
| Description | · North Korean IT workers used Chinese or Russian IP addresses or stolen foreign identities to apply for US and global IT jobs, and used AI to forge identity documents to gain trust. · After being hired, they sent company hardware to North Korea or an accomplice, or connected to an accomplice’s laptop farm to work remotely. · Then, they installed RMM software, used a VPN to hide their location, and had an accomplice handle video or in-person interviews if necessary. |
| Source | Jasper Sleet: North Korean remote IT workers’ evolving tactics to infiltrate organizations[1] |
Kimsuky
The Kimsuky group used Facebook, email, and Telegram in a spear phishing campaign against activists in North Korea and the defense sector, spreading AppleSeed malware and stealing confidential information in a three-step combo attack.
| Case 1. | |
| --- | --- |
| Period | March – April 2025 |
| Attack Target | South Korea’s defense industry and defense sector |
| Initial Breach | · Sent friend requests on Facebook Messenger to start a conversation and deliver a malicious file · Sent a malicious compressed file by email · Sent a malicious file via Telegram message |
| Vulnerability Used | None |
| Malware and Tools | AppleSeed |
| Technique | · Multi-step approach through Facebook, email, and Telegram (three-step combo) · Pretends to support North Korean defectors to gain trust, then sends a malicious file · Evades detection by using the EGG compressed file format · Runs a JSE script via Windows Script Host, loads a DLL with regsvr32, and establishes persistence · Hides collected information with RC4 and RSA encryption, and sends it disguised as a PDF · Continuous command and control communication with the C2 server |
| Damage | · Exfiltration of confidential information from infected systems · Executing commands received from the C2 server and sending results back |
| Description | · The Kimsuky group uses three channels (Facebook, email, and Telegram) to try to communicate with their targets. They pretend to be volunteers for North Korean defectors and send an EGG archive file that contains a malicious JSE file. · Compared to previous cases, there is a high similarity in the use of JSE and DLL files and in the attack patterns. They also use the Korean EGG compression format and try to avoid detection by prompting users to use a decompression program. |
| Source | Analysis of the Kimsuky group’s three-step combo threat[2] |
The Kimsuky group used a hard-coded GitHub PAT to turn private repositories into attack infrastructure, carrying out a sophisticated spear phishing attack that spread XenoRAT and uploaded victim information to those repositories.
| Case 2. | |
| --- | --- |
| Period | March – May 2025 |
| Attack Target | Individuals in South Korea facing financial, legal, or cryptocurrency-related situations |
| Initial Breach | · Sent spear phishing emails impersonating a Korean law firm · The attached malicious compressed file contains an LNK and a PowerShell-based downloader that leads to the initial infection |
| Vulnerability Used | None |
| Malware and Tools | · XenoRAT · onf.txt · ofx.txt · GitHub PAT (Personal Access Token) · PowerShell script |
| Technique | · Uses GitHub private repositories and a hard-coded PAT for command and control and data exfiltration · Malware distribution using Dropbox · Uses tailored decoy documents (such as debt collection notices, power of attorney documents, etc.) · Maintains persistence through the Task Scheduler and regular log uploads · Uses XenoRAT to control infected systems, perform keylogging, and steal information |
| Damage | · Stole the victim’s personal and system information · Continuous collection of information, including keylogging and clipboard data |
| Description | · The Kimsuky group operates multiple private repositories on GitHub dedicated to attacks, and manages decoy documents, infostealers, and log files in each repository. · Many collected XenoRAT variants had the same build environment (GUID) and encryption method. The reuse of test IPs from previous MoonPeak cases linked to Kimsuky and the same C2 server used for Naver phishing sites also indicate a link to Kimsuky. |
| Source | Analysis of Kimsuky’s latest attacks in South Korea using GitHub as attack infrastructure[3] |
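As an added defender-side example (not from this report or its cited sources), the following Python script turns the behaviors described in the two Kimsuky cases above into simple process-chain checks: a JSE script launched by Windows Script Host that spawns regsvr32 to load a DLL (Case 1), and a PowerShell downloader that carries a hard-coded GitHub PAT and registers a scheduled task (Case 2). The event schema, file paths and token value are constructed assumptions for the example; only the GitHub token prefixes (ghp_ and github_pat_) are real formats.

```python
import re

# Constructed sample process-creation events (assumed simplified EDR schema; not from the report).
CONSTRUCTED_PAT = "ghp_" + "A" * 36  # placeholder shaped like a classic GitHub PAT
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": "C:\\Windows\\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 101, "ppid": 100, "image": "C:\\Windows\\System32\\wscript.exe",
     "cmdline": 'wscript.exe "C:\\Users\\u\\Downloads\\volunteer_guide\\guide.jse"'},
    {"pid": 102, "ppid": 101, "image": "C:\\Windows\\System32\\regsvr32.exe",
     "cmdline": "regsvr32.exe /s C:\\Users\\u\\AppData\\Local\\Temp\\svc.dll"},
    {"pid": 103, "ppid": 100, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe -w hidden -c \"$h=@{Authorization='token " + CONSTRUCTED_PAT
                + "'}; iwr https://api.github.com/repos/x/y/contents/onf.txt -Headers $h\""},
    {"pid": 104, "ppid": 103, "image": "C:\\Windows\\System32\\schtasks.exe",
     "cmdline": "schtasks.exe /create /sc minute /mo 10 /tn Updater /tr powershell.exe"},
    {"pid": 105, "ppid": 100, "image": "C:\\Windows\\System32\\notepad.exe", "cmdline": "notepad.exe"},
]

WSH_HOSTS = ("wscript.exe", "cscript.exe")
# Classic GitHub PATs start with ghp_; fine-grained tokens start with github_pat_.
PAT_RE = re.compile(r"\b(?:ghp_[A-Za-z0-9]{36}|github_pat_[A-Za-z0-9_]{22,})\b")


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (pid, rule_name) pairs for events matching the described behaviors."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        name = basename(e["image"])
        parent = by_pid.get(e["ppid"])
        pname = basename(parent["image"]) if parent else ""
        cmd = e["cmdline"].lower()
        # Case 1: JSE run by Windows Script Host, then regsvr32 loading a DLL as its child
        if name in WSH_HOSTS and ".jse" in cmd:
            alerts.append((e["pid"], "wsh_runs_jse"))
        if name == "regsvr32.exe" and pname in WSH_HOSTS and ".dll" in cmd:
            alerts.append((e["pid"], "regsvr32_child_of_wsh"))
        # Case 2: PowerShell using a hard-coded PAT against the GitHub API, then schtasks persistence
        if name == "powershell.exe" and "api.github.com" in cmd and PAT_RE.search(e["cmdline"]):
            alerts.append((e["pid"], "github_pat_in_powershell"))
        if name == "schtasks.exe" and "/create" in cmd and pname == "powershell.exe":
            alerts.append((e["pid"], "schtasks_persistence_from_powershell"))
    return alerts


if __name__ == "__main__":
    for pid, rule in detect(SAMPLE_EVENTS):
        print(f"pid {pid}: {rule}")
```

The parent-child checks are what separate these events from benign regsvr32 or schtasks use, so keep them when porting the logic to a SIEM rule.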
[1] https://www.microsoft.com/en-us/security/blog/2025/06/30/jasper-sleet-north-korean-remote-it-workers-evolving-tactics-to-infiltrate-organizations/
[2] https://www.genians.co.kr/blog/threat_intelligence/triple-combo
[3] https://www.enki.co.kr/media-center/blog/dissecting-kimsuky-s-attacks-on-south-korea-in-depth-analysis-of-github-based-malicious-infrastructure
※ For more information, please refer to the attachment.