A malicious LNK that spreads a Python-based backdoor and how it’s spreading (Kimsuky group)
ID: 5a8203e2-d854-59e3-8a55-9c2e810ffb30
STIX ID: report--5a8203e2-d854-59e3-8a55-9c2e810ffb30
Feed Name: ASEC
This report analyzes a Kimsuky campaign that altered its LNK-based delivery to a multi-stage chain (LNK → PowerShell → generated XML/VBS/PS1/BAT), ultimately executing Python downloaders/backdoors; it documents task scheduler XML usage, Dropbox as a C2/exfiltration channel, file hashes, URLs/domains, a C2 IP (45.95.186.232:8080), and observed attacker commands used to enumerate drives, run shell commands, and transfer files.
