Kimsuky Hackers Use LNK and JSE Lures to Target Recruiters, Crypto Users, and Defense Officials

May 19, 2026

North Korea-linked hackers are at it again, and this time they are casting a wide net. The Kimsuky threat group, a well-known cyber espionage unit with ties to the DPRK, ran four separate spear-phishing campaigns in the first half of 2025 targeting corporate recruiters, cryptocurrency investors and developers, defense sector officials, and graduate school administrators.

Each campaign used a different disguise but followed the same basic playbook: trick someone into opening a file and quietly take over their computer.

What makes these attacks stand out is the variety of people they went after. Recruiters received fake resumes and business cards.

Crypto users were lured with content themed around Solana meme coins. Defense officials were sent documents tied to the K-ICTC International Scientific Combat Management Competition.

Campaigns (Source - LogPresso)

Graduate school staff were handed what appeared to be enrollment documents. In every case, the goal was identical: get a foothold without raising any flags.

Analysts at LogPresso said in a report shared with Cyber Security News that all four campaigns followed a consistent attack flow that started with displaying a decoy document while silently dropping a malicious payload, then securing persistence, and finally establishing a remote control channel.

The campaigns were distinguished mainly by their lure topics, entry methods, and command-and-control infrastructure.

The attackers showed clear signs of sophistication. Instead of using obviously suspicious servers, they routed communications through trusted platforms like GitHub raw APIs, Microsoft CDN, and VSCode tunnels.

This made their traffic blend in with normal activity, making it harder for reputation-based security tools to catch them.

Target identification was also personalized, with victims tracked through unique IDs, IP addresses, and MAC addresses.

One of the most consistent findings across all four campaigns was aggressive defense evasion from the very start.

Within five minutes of a victim opening the bait file, the malware was already disabling Windows UAC, registering Defender exceptions, and embedding itself in the Task Scheduler to survive reboots.

LogPresso noted that blocking based on individual IoCs has clear limitations, and that defenders need behavior-based detection covering the full attack chain.

Kimsuky Hackers Use LNK and JSE Lures

Three of the four campaigns relied on LNK files disguised to look like PDFs. When a victim opened one, the shortcut split off two hidden payloads. One part quietly displayed a convincing decoy document to keep the victim unsuspecting.

The other saved a secondary LNK file to the Windows startup folder, establishing persistence before downloading and running PowerShell scripts from the attacker’s server.

The entire process completed in under five minutes, leaving very little room for human detection.

The fourth campaign took a different approach, using a JSE (JScript Encoded) script carrying the double extension .hwpx.jse. Since Windows hides known extensions by default, the victim saw what looked like a Korean Hangul (HWPX) document.

Once opened, the script decoded a hidden DLL using the built-in certutil tool and loaded it using rundll32.exe, a legitimate Windows component.

This campaign went further by using a VSCode tunnel to maintain persistent remote access, riding on Microsoft’s own signed binaries to stay undetected.

Abuse of Legitimate Services for C2

A thread that ran through every campaign was Kimsuky’s heavy use of legitimate services for command-and-control operations. GitHub repositories stored payloads and collected victim data.

Microsoft CDN helped deliver files without triggering network alerts. VSCode tunnels created persistent remote access through GitHub OAuth authentication.

In one case, a private server at nelark.icu acted as the C2, while another campaign funneled data through the Korean site yespp.co.kr.

LogPresso’s analysis makes clear that defenders cannot rely on blocking domains or file hashes alone.

Since Kimsuky rotates its infrastructure quickly, organizations should watch for LNK or JSE files with double extensions, monitor unexpected Task Scheduler entries disguised as OneDrive or Intel services, and flag any instance of UAC being disabled outside normal administrative activity.

Building detection around behaviors rather than static indicators is the only reliable way to stay ahead of a group this adaptive.
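The behaviour-based detection the report calls for can be sketched as rules over process-creation command lines, scored per host so that a single noisy match does not alert on its own. This is an added example written for this article, not LogPresso's detection content; the regexes and the sample events are assumed/constructed, and the stages they cover are the ones described above (double-extension lure, UAC disabled, Defender exclusion, disguised OneDrive/Intel task, certutil decode plus rundll32, VSCode tunnel).

```python
import re
from collections import defaultdict

# Stage rules for the chain described in the report. The patterns are my own
# approximations (assumed), not LogPresso's rules; tune them to local telemetry.
RULES = {
    "double_extension": re.compile(r"\.(pdf|hwpx?|docx?)\.(lnk|jse|js|vbs|hta)\b", re.I),
    "uac_disabled": re.compile(r"EnableLUA\b.*?(/d\s*0\b|-Value\s*0\b)", re.I),
    "defender_exclusion": re.compile(r"Add-MpPreference\s+-Exclusion", re.I),
    "disguised_task": re.compile(  # OneDrive/Intel task name whose action is a script host
        r"schtasks.*?/create.*?/tn\s+\"?[^\"/]*(OneDrive|Intel).*?/tr\s+\"?.*?"
        r"(powershell|wscript|cscript|rundll32|mshta)", re.I),
    "certutil_decode": re.compile(r"certutil(\.exe)?\s+.*-decode\b", re.I),
    "rundll32_userpath": re.compile(  # DLL loaded from a user-writable directory
        r"rundll32(\.exe)?\s+\"?[A-Z]:\\Users\\[^\"\s,]*(AppData|Temp|Public)", re.I),
    "vscode_tunnel": re.compile(r"\bcode(\.exe)?\b.*\btunnel\b", re.I),
}

def match_rules(cmdline):
    """Names of every rule a single process command line triggers."""
    return [name for name, rx in RULES.items() if rx.search(cmdline)]

def score_hosts(events, min_stages=3):
    """events: iterable of (host, cmdline). Returns {host: sorted stage names}
    for hosts whose activity covers at least min_stages distinct stages."""
    seen = defaultdict(set)
    for host, cmdline in events:
        seen[host].update(match_rules(cmdline))
    return {h: sorted(s) for h, s in seen.items() if len(s) >= min_stages}

# Constructed process-creation events (host, command line); not real telemetry.
SAMPLE_EVENTS = [
    ("WS01", r'explorer.exe "C:\Users\kim\Downloads\Resume.pdf.lnk"'),
    ("WS01", r"reg.exe add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f"),
    ("WS01", r"powershell.exe -c Add-MpPreference -ExclusionPath C:\Users\kim\AppData\Roaming"),
    ("WS01", r'schtasks.exe /create /tn "OneDrive Update" /tr "powershell.exe -w hidden -f C:\Users\kim\AppData\Roaming\a.ps1" /sc minute /mo 5'),
    ("WS02", r'wscript.exe "C:\Users\park\Downloads\Enrollment.hwpx.jse"'),
    ("WS02", r"certutil.exe -decode C:\Users\park\AppData\Local\Temp\blob.txt C:\Users\park\AppData\Local\Temp\blob.dat"),
    ("WS02", r"rundll32.exe C:\Users\park\AppData\Local\Temp\blob.dat,Run"),
    ("WS02", r"code.exe tunnel --accept-server-license-terms"),
    # Legitimate-looking Intel task: the name matches, but the action is a vendor binary.
    ("WS03", r'schtasks.exe /create /tn "Intel Graphics Update" /tr "C:\Program Files\Intel\update.exe" /sc daily'),
]

if __name__ == "__main__":
    for host, stages in score_hosts(SAMPLE_EVENTS).items():
        print(host, "->", ", ".join(stages))
```

WS01 and WS02 each cover four stages and alert; WS03 matches nothing because the task name alone is not enough.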

Indicators of Compromise (IoCs):


