September 2025 APT Group Trends

Trends of Key APT Groups by Region

 

1)   North Korea

 

North Korea-linked APT groups have been intensively carrying out advanced spear-phishing and remote access attacks against the defense, military, and cryptocurrency sectors in South Korea. They have also introduced a new psychological deception technique using generative AI and deepfake technology.

 

Kimsuky

 

The Kimsuky group targeted specialized researchers in Korea’s national defense and defense industry by sending spear phishing emails with MSC files attached. The shellcode within the MSC file downloaded the payload from an external C&C and installed it.

 

Case 1

Time of Attack

·         Unknown

Targeted Victims

·         Specialized researchers in the defense and related industries

Initial Access

·         Spear phishing email disguised as a consultation: “[Consultation] New North Korean Suicide Drone.msc”

·         The MSC file (Windows MMC file) was disguised as a Word document, and the user was prompted to open it

·         Upon opening the document, the user was shown the contents of a “New North Korean Suicide Drone.docx” file from Google Docs (cloud), establishing trust

Exploited Vulnerability

·         None

Malware and Tools

·         [Consultation] New North Korean Suicide Drone.msc

Techniques

·         Social engineering lure: Disguising an MMC (.msc) file as a Word document

·         Hardcoded shellcode executed within the MSC file to download the external payload

·         Establishing trust through the Google Docs display and prompting the user to open the document

·         Registering the downloaded XML/VBS files in the Task Scheduler to ensure persistence

·         Communicating with the C&C and attempting to receive and execute remote commands (backdoor features)

Damage

·         The malware infected the system and performed backdoor functions, receiving commands from the C&C for long-term APT attacks

Details

·         The analyzed file is an MSC file disguised as a Word document: “[Consultation] New North Korean Suicide Drone.msc”

·         The file contains hardcoded shellcode that connects to a specified C&C server and downloads and saves four files (XML/VBS). It then registers these files in the Task Scheduler to ensure persistence

·         The file ultimately operates as a payload with backdoor features, executing remote commands

Source

·         Malicious MSC document disguised as “New North Korean Suicide Drone”[1]
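The persistence step in this case (downloaded XML/VBS files registered in the Task Scheduler) leaves a concrete artifact a defender can audit: the task definition XML. The script below is an added example, not code from the original report or from HAURI; it parses exported task XML with the standard library and flags the traits that case describes (a script host as the action, a script file under a user-writable path, a hidden task, a very short repetition interval). The two task definitions, the vendor path and the file names in them are constructed samples, and the findings thresholds (300 seconds) are this example's own choice.

```python
import re
import xml.etree.ElementTree as ET

# XML namespace of Task Scheduler task definitions (as exported by "schtasks /Query /TN <name> /XML").
TASK_NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"

# Interpreters that a persistence task rarely needs to run directly.
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe",
                "pwsh.exe", "cmd.exe", "rundll32.exe", "regsvr32.exe")
SCRIPT_EXTENSIONS = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta", ".ps1", ".bat", ".cmd")
# Lower-case path fragments (with surrounding backslashes) that any local user can write to.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\", "\\downloads\\")


def _text(elem, path):
    node = elem.find(path)
    return (node.text or "").strip() if node is not None else ""


def _duration_seconds(value):
    """Parse the ISO-8601 subset Task Scheduler uses (e.g. P1DT2H3M4S); None if unparseable."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", value)
    if not m:
        return None
    days, hours, minutes, seconds = (int(x) if x else 0 for x in m.groups())
    return days * 86400 + hours * 3600 + minutes * 60 + seconds


def audit_task(task_xml: str) -> list:
    """Return human-readable findings for one task definition (empty list = nothing unusual)."""
    root = ET.fromstring(task_xml)
    findings = []
    for exec_node in root.iter(TASK_NS + "Exec"):
        command = _text(exec_node, TASK_NS + "Command").lower()
        arguments = _text(exec_node, TASK_NS + "Arguments").lower()
        line = command + " " + arguments
        if command.endswith(SCRIPT_HOSTS):
            findings.append("action runs a script host: " + command)
        if any(ext in line for ext in SCRIPT_EXTENSIONS):
            findings.append("action references a script file")
        if any(frag in line for frag in USER_WRITABLE):
            findings.append("action references a user-writable path")
    if _text(root, TASK_NS + "Settings/" + TASK_NS + "Hidden").lower() == "true":
        findings.append("task is hidden from the Task Scheduler UI")
    for interval in root.iter(TASK_NS + "Interval"):
        secs = _duration_seconds((interval.text or "").strip())
        if secs is not None and secs <= 300:  # example threshold: anything at 5 minutes or below
            findings.append("trigger repeats every %ds" % secs)
    return findings


# Constructed sample: a task of the kind described above, re-running a dropped VBS file every minute.
SUSPICIOUS_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <TimeTrigger>
      <Repetition><Interval>PT1M</Interval></Repetition>
      <StartBoundary>2025-09-01T00:00:00</StartBoundary>
      <Enabled>true</Enabled>
    </TimeTrigger>
  </Triggers>
  <Settings><Hidden>true</Hidden></Settings>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Windows\System32\wscript.exe</Command>
      <Arguments>//B //E:vbscript C:\Users\victim\AppData\Local\Temp\update.vbs</Arguments>
    </Exec>
  </Actions>
</Task>"""

# Constructed sample: an ordinary hourly vendor updater (hypothetical vendor path).
BENIGN_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <TimeTrigger>
      <Repetition><Interval>PT1H</Interval></Repetition>
      <StartBoundary>2025-09-01T00:00:00</StartBoundary>
    </TimeTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Program Files\ExampleVendor\Updater.exe</Command>
      <Arguments>/silent</Arguments>
    </Exec>
  </Actions>
</Task>"""

if __name__ == "__main__":
    for label, xml_text in (("suspicious", SUSPICIOUS_TASK_XML), ("benign", BENIGN_TASK_XML)):
        print(label, audit_task(xml_text) or "no findings")
```

To apply this to a live host, export each task with schtasks /Query /TN <name> /XML and feed the output to audit_task; task definitions are also stored as XML under the Windows\System32\Tasks folder. The script-host and user-writable-path checks are the ones that separate this persistence pattern from ordinary software updaters.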

 

The Kimsuky group impersonated a Korean defense-related organization by using generative AI to create a deepfake military ID card, which it then used in a spear phishing attack.

 

Case 2

Time

·         February to July 2025

Target

·         Korean defense-related institutions and departments that issue military officer IDs

·         Private researchers on North Korea, North Korean human rights activists, journalists, etc.

Initial Access

·         Spear-phishing emails (disguised as a draft of a military ID card for public officials and a request for article submission)

·         Phishing email (disguised as a portal security alert with an HWP document attachment)

·         Encouraging users to click on malicious links (connecting to C2 server)

Vulnerability

·         None

Malware and Tool

·         HncUpdateTray.exe (actually AutoIt3.exe): Runs AutoIt script

·         config.bin: Compiled AutoIt script

·         LhUdPC3G.bat: Obfuscated batch file

·         Batch files such as ms3360.bat, zarokey291.bat, and tempprivate0082.bat

Technique

·         Deepfake image created to forge a military officer credential

·         Spear-phishing emails using military agencies, research institutes, and portal security warnings as bait

·         Executing obfuscated PowerShell/Batch scripts

·         Attacks based on AutoIt scripts

·         Process Hollowing technique

·         AI theme (e.g., email account management, ID issuance)

·         Comment and padding-based Python code obfuscation

Damage

·         Potential account credential theft

·         Potential internal data exfiltration and remote control

Details

·         The Kimsuky group impersonated defense-related organizations by using a deepfake image of a military officer created by ChatGPT in a spear-phishing attack

·         They employed the ClickFix technique (disguising as a security alert from a portal site)

·         They employed the LNK file, batch script, AutoIt script, and Pythonw.exe-based obfuscation techniques

·         Launching attack campaigns using Korean defense, reunification, and political and social issues as bait

Source

·         Kimsuky APT Campaign Leveraging AI Deepfake to Forge Military IDs[2]

 

Lazarus

 

The Lazarus group used the ClickFix technique and a malicious repository to distribute BeaverTail and InvisibleFerret variants, launching attacks targeting the cryptocurrency and retail industries.

 

Case 1

Timeline

·         Infrastructure activity identified after May 2025

Targeted Industries

·         Cryptocurrency (Web3) traders and marketing support staff

·         Employees of a U.S. e-commerce (retail) company

Initial Access

·         ClickFix social engineering (fake employment platform, fake error/troubleshooting guidelines)

·         Distribution through a package repository

Vulnerability Exploited

·         None

Malware and Tools

·         BeaverTail: JavaScript-based information exfiltration and secondary payload loader

·         InvisibleFerret: Python-based information exfiltration and remote access tool

·         ClickFix: Using fake CAPTCHAs and error messages to prompt command executions

Tactics

·         ClickFix prompts (displaying fake error messages and executing commands specific to OS)

·         Impersonating a job search platform and investment company

·         Using a malicious repository (GitHub upload and GitLab integration)

·         Distributing in compiled executable format (using pkg and PyInstaller)

·         Delivery of payloads through password-protected compressed files

Affected Asset

·         Possibility of data theft including cryptocurrency wallet-related data and browser credentials

Description

·         Expanding the target from developers to marketing and trading professionals

·         Utilizing infection chains tailored to each environment (macOS, Windows, and Linux)

·         Using VPN/proxy IP for verification

·         Appears to be in a low-risk testing stage, but indicates a willingness to try new tactics

Source

·         Tech Note – BeaverTail variant distributed via malicious repositories and ClickFix lure[3]
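Two traits recur across the Kimsuky case above (HncUpdateTray.exe that is really AutoIt3.exe) and this Lazarus case (ClickFix prompts that make the user paste an OS-specific command): a script host launched from the Windows shell with hide-and-fetch switches, and an interpreter running under a different file name. The triage script below is an added example written for this page, not code from the original report or from GitLab or Genians; it runs both checks over process-creation events in JSON-lines form, assuming Sysmon Event ID 1 field names (Image, ParentImage, CommandLine, OriginalFileName). The four events, the RecordId field and all paths in them are constructed samples.

```python
import json
import ntpath

# Script hosts that a ClickFix-style lure asks the user to paste a command into.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe",
                "wscript.exe", "cscript.exe", "curl.exe", "certutil.exe"}
# PE OriginalFileName values (Sysmon reads them from the version resource) of interpreters
# that are commonly shipped under another name, e.g. AutoIt3.exe as HncUpdateTray.exe.
INTERPRETER_ORIGINALS = {"autoit3.exe", "powershell.exe", "pwsh.exe", "python.exe",
                         "pythonw.exe", "node.exe", "mshta.exe", "wscript.exe", "cscript.exe"}
# Switches typical of pasted one-liners: hide the window, skip policy, fetch and run.
CLICKFIX_TOKENS = ("-w hidden", "-windowstyle hidden", "-enc ", "-encodedcommand",
                   "-ep bypass", "-executionpolicy bypass", "iex", "invoke-expression",
                   "irm ", "invoke-webrequest", "downloadstring", "mshta http")


def _basename(path):
    # ntpath handles Windows separators regardless of the OS the triage runs on.
    return ntpath.basename(path or "").lower()


def triage_process_event(event: dict) -> list:
    """Apply both rules to one process-creation event; return the names of the rules that fired."""
    findings = []
    image = _basename(event.get("Image"))
    parent = _basename(event.get("ParentImage"))
    cmdline = (event.get("CommandLine") or "").lower()
    original = (event.get("OriginalFileName") or "").lower()

    # Rule 1: explorer.exe is the parent of the Run dialog and the Start-menu search box,
    # which is where a ClickFix lure tells the victim to paste. A script host spawned there
    # with hidden-window, policy-bypass or download switches is rarely legitimate.
    if parent == "explorer.exe" and image in SCRIPT_HOSTS and any(t in cmdline for t in CLICKFIX_TOKENS):
        findings.append("clickfix_shell_to_script_host")

    # Rule 2: the file name on disk differs from the interpreter's compiled-in OriginalFileName.
    if original in INTERPRETER_ORIGINALS and original != image:
        findings.append("renamed_interpreter:%s->%s" % (original, image))
    return findings


def triage_log(lines) -> dict:
    """Triage JSON-lines process events; map RecordId -> findings for the events that fired."""
    results = {}
    for line in lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        findings = triage_process_event(event)
        if findings:
            results[event["RecordId"]] = findings
    return results


# Constructed sample log: two events matching the cases above and two benign ones.
SAMPLE_LOG = r"""
{"RecordId": 101, "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "OriginalFileName": "PowerShell.EXE", "CommandLine": "powershell -w hidden -ep bypass -c 'Write-Host constructed-clickfix-sample'"}
{"RecordId": 102, "ParentImage": "C:\\Windows\\System32\\cmd.exe", "Image": "C:\\Users\\victim\\AppData\\Local\\Temp\\HncUpdateTray.exe", "OriginalFileName": "AutoIt3.exe", "CommandLine": "HncUpdateTray.exe config.bin"}
{"RecordId": 103, "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "OriginalFileName": "WinWord.exe", "CommandLine": "WINWORD.EXE /n"}
{"RecordId": 104, "ParentImage": "C:\\Program Files\\WindowsApps\\WindowsTerminal.exe", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "OriginalFileName": "PowerShell.EXE", "CommandLine": "powershell.exe -NoProfile -Command Get-Process"}
"""

if __name__ == "__main__":
    for record_id, findings in sorted(triage_log(SAMPLE_LOG.splitlines()).items()):
        print(record_id, ", ".join(findings))
```

Rule 2 is the cheaper and more robust of the two: it does not depend on command-line keywords at all, only on the mismatch between the on-disk name and the version-resource name, so it also catches the renamed-AutoIt3 pattern when the script argument (config.bin here) looks harmless.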

 

TA-RedAnt

 

The TA-RedAnt group attacked North Korea-related professionals in South Korea using the Rustonotto and Chinotto malware strains and the data-stealing tool FadeStealer.

 

Case 1

Time

·         June 2025

Target

·         Individuals in South Korea working in North Korea-related fields such as international relations, political science, academia, and research

Initial Access

·         Execute LNK (shortcut) → PowerShell (Chinotto)

·         CHM (Windows Help) → HTA / PowerShell

·         Download and execute remote CAB/RAR files

Exploited Vulnerability

·         None

Malware and Tools

·         Rustonotto: Rust-compiled HTTP backdoor (Base64-encoded commands and responses)

·         Chinotto: PowerShell Backdoor (File Transfer, Command Execution, Registry and Scheduled Tasks)

·         FadeStealer: Collects keylogging, screenshot, audio, device, and file data and packs it into encrypted RAR archives for exfiltration

Tactics

·         Social engineering with disguised political and diplomatic documents

·         Concealed execution with TxF-based Process Doppelgänging (transaction file creation, section maintenance, and mapping after rollback)

·         Ensuring persistence with a scheduler and registry

Damage

·         Collection and exfiltration of sensitive data

·         Continuous monitoring through keylogging, 30-second interval screenshots, microphone recording, and USB/MTP device content collection

Description

·         Conducted multi-stage infiltration and information collection using the Rustonotto backdoor developed in the Rust language and a Python-based loader

·         C2 infrastructure uses a single PHP-based structure to integrate Chinotto, FadeStealer, and Rustonotto

·         FadeStealer performs comprehensive monitoring, including keylogging, screenshots, and the collection of audio, USB, and smartphone data

Source

·         APT37 Targets Windows with Rust Backdoor and Python Loader[4]
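The initial access in this case starts with a shortcut (LNK) that runs PowerShell, so the LNK file itself is the first artifact a defender can inspect. The script below is an added example written for this page, not code from the original report or from Zscaler; it implements a minimal reader for the Shell Link format (MS-SHLLINK: fixed 76-byte header, optional LinkTargetIDList and LinkInfo blocks which are skipped, then the StringData fields) and scores the traits that make a shortcut lure stand out: a script-host target, hide-and-fetch arguments, a document icon on a script target, arguments longer than the 260 characters the Properties dialog displays, and a minimized ShowCommand. It does not parse the trailing ExtraData blocks. The build_lnk helper and both sample shortcuts are constructed for this example; the paths in them are illustrative.

```python
import struct

# Constants from MS-SHLLINK (Shell Link binary file format).
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_RELATIVE_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
SW_SHOWMINNOACTIVE = 7
# StringData sections appear in this fixed order, each present only when its flag is set.
STRING_FIELDS = [(HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"), (HAS_WORKING_DIR, "working_dir"),
                 (HAS_ARGUMENTS, "arguments"), (HAS_ICON_LOCATION, "icon_location")]

SCRIPT_HOSTS = ("powershell", "pwsh", "cmd.exe", "mshta", "wscript", "cscript", "rundll32", "regsvr32", "hh.exe")
ARG_TOKENS = ("-w hidden", "windowstyle hidden", "-enc", "encodedcommand", "bypass", "iex",
              "downloadstring", "invoke-webrequest", "expand ", ".cab")
DOC_ICONS = ("winword", "hwp", "acrord", "excel", ".docx", ".hwp", ".pdf")


def parse_lnk(data: bytes) -> dict:
    """Validate the header, skip IDList/LinkInfo, and return ShowCommand plus the StringData fields."""
    if len(data) < LNK_HEADER_SIZE:
        raise ValueError("file shorter than a shell link header")
    header_size, clsid = struct.unpack_from("<I16s", data, 0)
    if header_size != LNK_HEADER_SIZE or clsid != LNK_CLSID:
        raise ValueError("not a shell link file")
    link_flags = struct.unpack_from("<I", data, 20)[0]
    show_command = struct.unpack_from("<I", data, 60)[0]
    pos = LNK_HEADER_SIZE
    if link_flags & HAS_LINK_TARGET_ID_LIST:
        pos += 2 + struct.unpack_from("<H", data, pos)[0]      # IDListSize + IDList
    if link_flags & HAS_LINK_INFO:
        pos += struct.unpack_from("<I", data, pos)[0]          # LinkInfoSize counts itself
    info = {"show_command": show_command}
    unicode = bool(link_flags & IS_UNICODE)
    for flag, name in STRING_FIELDS:
        if not link_flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]         # CountCharacters, no terminator
        pos += 2
        size = count * 2 if unicode else count
        raw = data[pos:pos + size]
        pos += size
        info[name] = raw.decode("utf-16-le") if unicode else raw.decode("cp1252")
    return info


def assess_lnk(info: dict) -> list:
    """Return the lure traits found in a parsed shortcut (empty list = looks like an ordinary link)."""
    findings = []
    args = info.get("arguments", "").lower()
    target = (info.get("relative_path", "") + " " + args).lower()
    icon = info.get("icon_location", "").lower()
    if any(h in target for h in SCRIPT_HOSTS):
        findings.append("target is a script host")
        if any(i in icon for i in DOC_ICONS):
            findings.append("document icon on a script-host target")
    if any(t in args for t in ARG_TOKENS):
        findings.append("hidden-window / download switches in arguments")
    if len(args) > 260:
        findings.append("arguments exceed 260 chars (truncated in the Properties dialog)")
    if info["show_command"] == SW_SHOWMINNOACTIVE:
        findings.append("ShowCommand=SW_SHOWMINNOACTIVE (window starts minimized)")
    return findings


def build_lnk(*, relative_path="", working_dir="", arguments="", icon_location="", show_command=1) -> bytes:
    """Construct a minimal Unicode shell link (sample builder for this example; no IDList/LinkInfo)."""
    values = {"relative_path": relative_path, "working_dir": working_dir,
              "arguments": arguments, "icon_location": icon_location}
    flags = IS_UNICODE
    for flag, name in STRING_FIELDS:
        if values.get(name):
            flags |= flag
    header = struct.pack("<I16sIIQQQIIIHHII", LNK_HEADER_SIZE, LNK_CLSID, flags, 0x20,
                         0, 0, 0, 0, 0, show_command, 0, 0, 0, 0)
    body = b"".join(struct.pack("<H", len(values[name])) + values[name].encode("utf-16-le")
                    for flag, name in STRING_FIELDS if values.get(name))
    return header + body


# Constructed samples: a shortcut lure of the kind described above, and an ordinary document link.
SUSPICIOUS_LNK = build_lnk(
    relative_path=r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    working_dir=r"%TEMP%",
    arguments="-WindowStyle Hidden -ExecutionPolicy Bypass -Command 'Write-Host constructed-sample'",
    icon_location=r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
    show_command=SW_SHOWMINNOACTIVE)
BENIGN_LNK = build_lnk(relative_path=r"..\Documents\Quarterly report.docx")

if __name__ == "__main__":
    for label, blob in (("suspicious", SUSPICIOUS_LNK), ("benign", BENIGN_LNK)):
        print(label, assess_lnk(parse_lnk(blob)) or "no findings")
```

When triaging real mail attachments, read the file bytes and pass them to parse_lnk; a shortcut whose icon says document but whose target says PowerShell, combined with a minimized window, is the combination this case relies on, and it is visible before anything is executed.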

 

[1] https://www.hauri.co.kr/security/issue_view.html?intSeq=456&page=1&article_num=338

[2] https://www.genians.co.kr/blog/threat_intelligence/deepfake

[3] https://gitlab-com.gitlab.io/gl-security/security-tech-notes/threat-intelligence-tech-notes/north-korean-malware-sept-2025/

[4] https://www.zscaler.com/blogs/security-research/apt37-targets-windows-rust-backdoor-and-python-loader