Kimsuky: A Continuous Threat to South Korea with Deceptive Tactics
ID: 379dfb03-7792-5fe9-aa66-d4b3946264b2
STIX ID: report--379dfb03-7792-5fe9-aa66-d4b3946264b2
Feed Name: Seqrite Blog
Seqrite Labs analyzed two Kimsuky campaigns targeting South Korean entities that use malicious .lnk attachments to fetch obfuscated VBScript which decodes embedded PDF/ZIP payloads; the resulting VBScript and PowerShell components implement persistence, browser and cryptocurrency-wallet data theft, keylogging, VM checks, and chunked exfiltration to C2 servers. The report provides technical disassembly of each stage, IoCs (hashes and C2 domains), and MITRE ATT&CK mappings for detection and mitigation.
