Dissecting the Infection Chain: Technical Analysis of the Kimsuky JavaScript Dropper
ID: 1b2132be-e890-5f94-9df0-9cdc95f9b6bd
STIX ID: report--1b2132be-e890-5f94-9df0-9cdc95f9b6bd
Feed Name: Pulsedive Blog
This report analyzes a Kimsuky JavaScript dropper (Themes.js) that fetches additional JavaScript stages from an adversary-controlled subdomain of medianewsonline.com. The dropper collects system and process information and directory listings, encodes the data with certutil (used as a LOLBIN), packages it in .cab files, and exfiltrates it via POST requests. It persists by writing Themes.js to %APPDATA% and creating a scheduled task that launches it. The report includes sample hashes, network IOCs, decoded payload details, and recommended mitigations.
