Attack Activities by Kimsuky Targeting Japanese Organizations
ID: 2c486925-bfa3-5459-ba1a-be0d9a854e2b
STIX ID: report--2c486925-bfa3-5459-ba1a-be0d9a854e2b
Feed Name: JPCERT Blog
JPCERT/CC confirmed spearphishing attacks attributed to Kimsuky against Japanese organizations in March 2024. The attacks used ZIP attachments whose filenames contained long runs of spaces and double extensions to hide an EXE. Executing the EXE downloads and runs a VBS script, which fetches PowerShell functions (PokDoc and InfoKey) that fingerprint hosts, maintain persistence via Run registry keys and C:\Users\Public\*\desktop.ini.bak files, exfiltrate system, process, and network information together with user file listings, and capture keystrokes and clipboard data, sending the results to attacker-controlled URLs. Decoy DOCX files were used, and similar TTPs have been observed in related targeting of South Korean organizations.
