A malicious LNK that spreads a Python-based backdoor and how it’s spreading (Kimsuky group)
Overview
AhnLab SEcurity intelligence Center (ASEC) recently identified a change in the way the Kimsuky group distributes malicious LNK files. The overall attack flow remains the same as before: a malicious LNK ultimately executes a Python-based backdoor or downloader. However, a structural change was observed in the intermediate execution stage.
| Distinction | Historical Distribution Method | Recent Distribution Method |
|---|---|---|
| Initial execution | LNK → PowerShell → BAT | LNK → PowerShell → Generate decoy, XML, PS1, VBS |
| Intermediate stage | Run BAT alone | XML → VBS → PS1 → BAT |
| Downloaded files | Download ZIP file and decoy file | Download ZIP file |
| ZIP internal contents | Python script, Python interpreter, XML Task Scheduler file | Python script, Python interpreter, XML Task Scheduler file |
| Final execution | Execute a Python script via XML → Download and execute the Python backdoor | Execute the Python backdoor via XML |
| Features | Relatively simple execution structure | Multiple intermediate stages and separation of execution flows |
[Table 1] Historical and recent changes in distribution methods
1. Past LNK Distribution Methods
1.1 Initial Execution
In the initial execution stage of the LNK files distributed in the past, the PowerShell script launched by the LNK file downloaded a BAT file from the URL below.
- URL : hxxps://qugesr[.]online/m/bDw

[Figure 1] Malicious BAT script file
1.2 Intermediate Steps
When the BAT file is executed, it downloads a ZIP file and a decoy file. The decoy file and two split fragments of the ZIP file are downloaded from the URLs below, and the two fragments are merged into a single ZIP file. The ZIP file contains a Python script (can.py), a Python interpreter, and an XML Task Scheduler file (sch.db). Based on the contents of the XML file, a scheduled task named Microsoft_Upgrade{10-9903-09-821392134} is registered, and the Python script is executed by that task. During this process, the final Python backdoor file is downloaded and executed. A detailed analysis of this backdoor is covered in Section 3.
| URL | Type |
|---|---|
| hxxps://qugesr.online/dwparts_view/view.php?in=comm.part000 | ZIP_1 |
| hxxps://qugesr.online/dwparts_view/view.php?in=comm.part001 | ZIP_2 |
| hxxps://qugesr.online/dwparts_view/view.php?in=normal | Decoy file |
[Table 2] Additional file downloads

[Figure 2] Normal decoy file
2. Recent LNK Distribution Methods
2.1 Initial Execution
The recently distributed LNK files, “Resume (Sungmin Park).hwp.lnk” and “Guide to Establishing Data Backup and Recovery Procedures (Reference).lnk”, execute a PowerShell script just as in previous cases and create a folder with the hidden and system file attributes at the C:\windirr path. This is believed to be for stealth, so that the path is not exposed during the user's normal file browsing. The LNK then creates and executes files in that folder. The generated files include a legitimate decoy file and an HWP document that uses the LNK file's name.
[Figure 3] Normal decoy files: the decoy file of Resume (Sungmin Park).hwp.lnk (left) and the decoy file of Guide to Establishing Data Backup and Recovery Procedures (Reference).lnk (right)
| Generated file | Function |
|---|---|
| sch_ha.db | XML Task Scheduler file |
| 11.vbs | Executes pp.ps1 |
| pp.ps1 | Downloads additional files |
[Table 3] File-specific features
2.2 Intermediate Steps
A scheduled task is created through the XML file, with the task name GoogleUpdateTaskMachineCGI__{56C6A980-91A1-4DB2-9812-5158E7E97388}. Inside the XML file, the task is defined to run the command wscript.exe /b “C:\windirr\11.vbs” starting from 2025-08-26 15:17 and repeating every 17 minutes. When 11.vbs is executed by the scheduled task, it runs the C:\windirr\pp.ps1 file.

[Figure 4] Registered Task Scheduler
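A defender who recovers the XML task file can triage it offline. The script below is an added example, not code from the report or the campaign: it parses a Task Scheduler XML (a constructed sample mirroring the task described above, not the real sch_ha.db), extracts the command and trigger, and flags the indicators this section names (wscript.exe /b launching a .vbs, the hidden C:\windirr and C:\winii folders, and the Google-Update-style task name discussed in Section 4). The task-name regex and the weak/strong split are my assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Namespace used by Windows Task Scheduler XML task definitions.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Task-name scheme seen in the report (GoogleUpdateTaskMachineCGI__{GUID}, GoogleExtension{...}).
# Legitimate Google Update tasks use the same scheme, so a name match alone is a WEAK signal.
TASK_NAME_RE = re.compile(r"^Google(UpdateTaskMachine|Extension)[A-Za-z]*_*\{[0-9A-Fa-f-]+\}$")
# Hidden staging folders named in the report.
STAGING_DIRS = (r"c:\windirr", r"c:\winii")

# Constructed sample mirroring the task described in Section 2.2 (not the actual sch_ha.db).
SAMPLE_TASK_XML = """<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <CalendarTrigger>
      <StartBoundary>2025-08-26T15:17:00</StartBoundary>
      <Repetition><Interval>PT17M</Interval></Repetition>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec><Command>wscript.exe</Command><Arguments>/b "C:\\windirr\\11.vbs"</Arguments></Exec>
  </Actions>
</Task>"""


def triage_task(task_name: str, xml_text: str) -> dict:
    """Pull the Exec action and trigger out of a task XML and flag the report's indicators."""
    root = ET.fromstring(xml_text)
    exec_node = root.find(".//t:Actions/t:Exec", NS)
    command = arguments = ""
    if exec_node is not None:
        command = (exec_node.findtext("t:Command", "", NS) or "").strip()
        arguments = (exec_node.findtext("t:Arguments", "", NS) or "").strip()
    start = root.findtext(".//t:StartBoundary", "", NS)
    interval = root.findtext(".//t:Repetition/t:Interval", "", NS)
    cmdline = f"{command} {arguments}".lower()

    weak, strong = [], []
    if TASK_NAME_RE.match(task_name):
        weak.append("task name imitates the Google Update naming scheme")
    if "wscript" in cmdline and "/b" in arguments.lower() and ".vbs" in cmdline:
        strong.append("wscript.exe /b launching a .vbs without a visible window")
    if any(d in cmdline for d in STAGING_DIRS):
        strong.append("script lives under the hidden staging folder C:\\windirr or C:\\winii")
    return {"command": command, "arguments": arguments, "start": start, "interval": interval,
            "suspicious": bool(strong), "reasons": strong + weak}
```

Real task files exported by schtasks are UTF-16 with an XML declaration; read them as bytes before passing them to the parser.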
The pp.ps1 file creates the file C:\Users\Public\Documents\tmp.ini and stores the information listed in Table 4 in it. The threat actor used the Dropbox service as the C2 channel for transmitting this information, and the stolen data is uploaded with a file name in the format <userdomain>_<date>_info.ini. In addition, pp.ps1 downloads the zzz09_test.db_sent file stored in the threat actor's Dropbox account, saves it to C:\Users\Public\Music\hh.bat, and executes it with the command cmd.exe /c C:\Users\Public\Music\hh.bat.
| Stolen information |
|---|
| userdomain, username, list of currently running processes, OSVersion, public IP information, and antivirus information |
[Table 4] Stolen information

[Figure 5] Part of the pp.ps1 code
The hh.bat file downloads two split ZIP fragments from the URLs below and merges them into a single ZIP file at %TEMP%\G9081234.zip. It then extracts the ZIP file to C:\winii. The archive contains an XML Task Scheduler file (norton.db) and a Python backdoor file (beauty.py).
| URL | Save path |
|---|---|
| hxxps://quickcon.store/man/logo.php?au=beauty.part000 | C:\winii\part000 |
| hxxps://quickcon.store/man/logo.php?au=beauty.part001 | C:\winii\part001 |
[Table 5] Additional file downloads

[Figure 6] Part of the hh.bat code
The final Python backdoor is executed through the XML Task Scheduler file. The hh.bat file registers a task named GoogleExtension{02-2032121-098} that runs C:\winii\beauty.py, which is how the Python backdoor is launched. Below, we summarize how this backdoor is configured and how it works.
3. Python Malware
There are two types of Python-based malware. One is a downloader that downloads additional payloads from an external server, and the other is a backdoor that executes commands sent remotely by the threat actor.
3.1 Backdoor
The backdoor first sends a packet containing the string “HAPPY” to the C2 server at 45.95.186[.]232:8080, presumably to signal that a host has been infected. It then communicates over a custom protocol of fixed-size (4096-byte) packets that begin with the magic bytes 0x99 0x0A 0xBD 0x99 and, depending on the command code, performs functions such as shell command execution, drive list inquiry, file upload/download, file deletion (overwriting with random data before deleting), and file execution (.exe, .bat, .vbs).

[Figure 7] Functional branching based on threat actor commands
| Command | Function |
|---|---|
| 0100 | Get drive capacity |
| 0010 | Shell command execution |
| 0110 | Get directory list |
| 0120/0121 | Upload a file |
| 0130/0131 | Download a file |
| 0140 | Delete a file |
| 0150 | Run BAT, VBS, EXE |
| 1110 | Exit |
[Table 6] Command-specific functions
Threat actor command observation
We observed the threat actor issuing commands to the infected system. The threat actor first queried the drive capacity, then checked the network configuration with ipconfig and examined the running processes with tasklist.
| Time | Command | Meaning |
|---|---|---|
| 2026-02-12 13:00 | | Infected |
| 2026-02-12 13:08 | 0100 | Drive capacity inquiry |
| 2026-02-12 13:09 | 0010 | ipconfig |
| 2026-02-12 13:10 | 0100 | Get drive capacity |
| 2026-02-12 13:10 | 0010 | tasklist |
| 2026-02-12 13:11 | 0010 | ipconfig |
| 2026-02-12 13:11 | 0010 | dir /s C:\ |
[Table 7] Commands passed by the threat actor
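The protocol details in Section 3.1 and the command sequence in Table 7 are enough to build a small decoder for captured traffic. The parser below is an added example, not the report's or the malware's code: it splits a byte stream into the HAPPY beacon and 4096-byte frames, checks the magic bytes, maps the command codes with Table 6, and renders a timeline like Table 7. The in-frame layout (4 magic bytes, 4 ASCII code bytes, zero-padded argument) and the sample stream are assumptions I constructed; the report only gives the magic bytes and the codes.

```python
# Values taken from the report: beacon string, magic bytes, frame size and the Table 6 command codes.
BEACON = b"HAPPY"
MAGIC = bytes([0x99, 0x0A, 0xBD, 0x99])
FRAME_SIZE = 4096
COMMANDS = {"0100": "get drive capacity", "0010": "shell command execution",
            "0110": "get directory list", "0120": "upload a file", "0121": "upload a file",
            "0130": "download a file", "0131": "download a file", "0140": "delete a file",
            "0150": "run BAT/VBS/EXE", "1110": "exit"}
# ASSUMED frame layout (the report only gives the magic bytes and the command codes):
# 4 magic bytes, 4 ASCII command-code bytes, then the argument, zero-padded to 4096 bytes.
CODE_OFFSET, ARG_OFFSET = 4, 8

def parse_c2_stream(data: bytes) -> list:
    """Walk a captured byte stream and return one event per beacon / frame / leftover."""
    events, pos = [], 0
    if data.startswith(BEACON):            # first packet sent after infection
        events.append({"type": "beacon"})
        pos = len(BEACON)
    while pos + FRAME_SIZE <= len(data):
        frame = data[pos:pos + FRAME_SIZE]
        pos += FRAME_SIZE
        if frame[:CODE_OFFSET] != MAGIC:   # not this protocol: record and keep scanning
            events.append({"type": "unknown", "head": frame[:8].hex()})
            continue
        code = frame[CODE_OFFSET:ARG_OFFSET].decode("ascii", "replace")
        arg = frame[ARG_OFFSET:].rstrip(b"\x00").decode("utf-8", "replace")
        events.append({"type": "command", "code": code, "arg": arg,
                       "name": COMMANDS.get(code, "unrecognised code")})
    if pos != len(data):                   # trailing bytes shorter than one frame
        events.append({"type": "partial", "bytes": len(data) - pos})
    return events

def timeline(data: bytes) -> list:
    """Render the command events as 'code name: arg' lines, the form an analyst would log."""
    lines = []
    for e in parse_c2_stream(data):
        if e["type"] == "command":
            lines.append(f"{e['code']} {e['name']}" + (f": {e['arg']}" if e["arg"] else ""))
    return lines

def make_frame(code: str, arg: bytes = b"") -> bytes:
    """Build a CONSTRUCTED test frame in the assumed layout; sample data, not captured traffic."""
    return (MAGIC + code.encode("ascii") + arg).ljust(FRAME_SIZE, b"\x00")

# Constructed sample reproducing the Table 7 sequence: beacon, drive query, ipconfig, tasklist,
# followed by two stray bytes to exercise the partial-frame branch.
SAMPLE_STREAM = (BEACON + make_frame("0100") + make_frame("0010", b"ipconfig")
                 + make_frame("0010", b"tasklist") + b"\x99\x0a")
```

The same constants (beacon string, magic bytes, fixed frame length, port 8080) are what a network signature for this backdoor would key on.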
3.2 Downloader
The downloader connects to a server operated by the threat actor, saves VBS and BAT files to the %TEMP% path, and runs them with the CREATE_NO_WINDOW (0x08000000) flag so that no console window appears. It then waits 180 seconds and deletes the two files to remove traces.

[Figure 8] Part of the Python download code
4. Kimsuky Threat Group Features
1. XML file-based Task Scheduler registration and similarity in task names
We observed similarities between the scheduled task names used by the Kimsuky group in past RAT malware distributions and the task names used in this backdoor distribution. The past practice was disclosed in our TI content.
| Case | Task name |
|---|---|
| Task name used by the Kimsuky group in the past | GoogleUpdateTaskMachineUA{1C791230-CA8D-6D04-AC55-F706378A30E} |
| Task name used by the Kimsuky group in this case | GoogleUpdateTaskMachineCGI__{56C6A980-91A1-4DB2-9812-5158E7E97388} |
[Table 8] Similarity of task names in Task Scheduler

[Figure 9] Internal TI content
2. Similarity of XML file names used for Task Scheduler registration
In the past, the Kimsuky group was confirmed to have used XML files named in the form sch_*.db for scheduled task registration. Those cases were disclosed on the ASEC blog [1].
| Case | XML file name |
|---|---|
| XML file name used by the Kimsuky group in the past | sch_0514.db |
| XML file names used by the Kimsuky group in this case | sch.db, sch_ha.db |
[Table 9] Similarity of XML file names
3. Using the same decoy file
The decoy file used by the Kimsuky group in the past was reused in the LNK file in this case. The previous case was published in our TI content.

[Figure 10] Normal decoy file used by the Kimsuky group in the past
5. Conclusion
In this analysis, we identified a change in the execution structure of the malicious LNK distribution method recently used by the Kimsuky group. Compared to the past, the overall execution flow has become more complex and multi-staged with the addition of intermediate scripts. Distribution that abuses legitimate cloud services such as Dropbox, and the use of Python to evade detection, are also characteristic. These changes show a threat actor that keeps the broad outline of the attack flow while continuously modifying the detailed implementation to bypass detection.
Because an LNK file disguised as a document cannot be judged malicious from its appearance alone, users should be especially cautious about executing files of unknown origin.
6. References
[1] https://asec.ahnlab.com/ko/88419/

