Kimsuky Hacker Group Employs New Phishing Tactics & Malware Infections

North Korean-linked advanced persistent threat (APT) group Kimsuky has deployed sophisticated new phishing tactics and malware payloads in targeted attacks observed in March 2025.

The group, known for targeting government entities, think tanks, and individuals related to foreign policy and national security, has enhanced its technical capabilities with multi-stage attack chains designed to evade detection while extracting sensitive information from compromised systems.

The latest campaign begins with victims receiving a compressed ZIP file containing malicious scripts that initiate a complex infection chain.


Upon execution, the malware deploys multiple obfuscated components that work together to establish persistence, gather system information, and exfiltrate sensitive data to attacker-controlled servers.

The payload specifically targets cryptocurrency wallets and browser credentials, and it also implements keylogging to capture user input across the system.

K7 Security Labs researchers identified the attack after analyzing indicators of compromise shared through security community channels.

Their investigation revealed that Kimsuky has refined its techniques to include enhanced anti-analysis capabilities, sophisticated data exfiltration methods, and specialized targeting of cryptocurrency assets – representing a significant evolution in the group’s operational tactics.

The infection begins with a small VBScript file that relies on character-level obfuscation to avoid detection.

The script uses the Chr() and CLng() functions to build the next-stage command at runtime: each CLng() call converts a numeric expression (decimal or &H hexadecimal) to a Long, Chr() turns that code into a single character, and the characters are concatenated with & to form the PowerShell command that launches the next stage.

This obfuscation helps bypass signature-based detection because the PowerShell command string never appears in the file on disk; it exists only in memory after the script reassembles it.

The VBScript ultimately launches a PowerShell script that decodes and executes Base64-encoded payloads contained in accompanying log files.
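To show how such a loader is unpacked, here is an added Python deobfuscator written for this article (it is not code from K7 Security Labs or from the malware). It resolves each Chr(CLng(...)) term without calling eval(), folds the & concatenations into the final string a variable holds, and then carves long Base64 runs out of a "log file" and decodes them. The VBScript fragment and the log file are constructed samples in the described style, not the actual Kimsuky artefacts; the variable name cmd, the file names stage2.ps1 and stage3.log, and the payload text are assumptions.

```python
import base64
import re

# Constructed sample, NOT the real Kimsuky script: a VBScript fragment in the
# style the article describes, assembling a PowerShell command from Chr(CLng(...))
# calls so that the word "powershell" never appears in the file.
SAMPLE_VBS = '''
Dim cmd
cmd = Chr(CLng("&H70")) & Chr(CLng(111)) & Chr(CLng(100+19)) & Chr(CLng(&H65)) _
    & Chr(CLng(114)) & Chr(CLng(115)) & Chr(CLng(104)) & Chr(CLng(101))
cmd = cmd & Chr(CLng(108)) & Chr(CLng(108)) & " -ep bypass -File stage2.ps1"
'''

# One term of a VBScript concatenation: Chr(CLng(arg)), a string literal, or a variable.
TERM = re.compile(
    r'Chr\s*\(\s*CLng\s*\(\s*(?P<arg>"[^"]*"|[^()]+?)\s*\)\s*\)'
    r'|(?P<str>"[^"]*")'
    r'|(?P<var>[A-Za-z_]\w*)',
    re.IGNORECASE,
)


def vb_clng(arg: str) -> int:
    """Evaluate the CLng() arguments these loaders use without eval():
    decimal or &H hex literals, optionally quoted, joined by + or -."""
    total, sign = 0, 1
    for tok in re.findall(r'[+-]|&H[0-9A-Fa-f]+|\d+', arg.strip().strip('"')):
        if tok in '+-':
            sign = 1 if tok == '+' else -1
            continue
        total += sign * (int(tok[2:], 16) if tok.upper().startswith('&H') else int(tok))
        sign = 1
    return total


def recover_strings(vbs: str) -> dict:
    """Walk `name = term & term & ...` assignments, resolve every term to text and
    return the final value of each string variable the script builds."""
    env = {}
    vbs = re.sub(r'\s_\s*\r?\n', ' ', vbs)  # fold VBScript "_" line continuations
    for line in vbs.splitlines():
        m = re.match(r'\s*([A-Za-z_]\w*)\s*=\s*(.+)$', line)
        if not m:
            continue
        name, expr = m.groups()
        pieces = []
        for t in TERM.finditer(expr):
            if t.group('arg') is not None:
                pieces.append(chr(vb_clng(t.group('arg'))))
            elif t.group('str') is not None:
                pieces.append(t.group('str')[1:-1])
            else:
                pieces.append(env.get(t.group('var'), ''))  # unknown names resolve to ''
        env[name] = ''.join(pieces)
    return env


# Constructed "log file": the next stage sits as a single Base64 line among noise.
STAGE2_PS1 = ("IEX ([Text.Encoding]::UTF8.GetString("
              "[Convert]::FromBase64String((Get-Content stage3.log))))")
SAMPLE_LOG = "\n".join([
    "2025-03-04 09:12:01 INFO service started",
    base64.b64encode(STAGE2_PS1.encode()).decode(),
    "2025-03-04 09:12:07 INFO heartbeat ok",
])

# A run of at least 40 Base64 characters with optional padding, bounded by non-Base64 text.
B64_RUN = re.compile(r'(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{40,}={0,2}(?![A-Za-z0-9+/])')


def carve_base64(text: str) -> list:
    """Return every long Base64 run in `text` that decodes to printable text,
    trying UTF-8 first and then the UTF-16LE used by PowerShell -EncodedCommand."""
    found = []
    for m in B64_RUN.finditer(text):
        try:
            raw = base64.b64decode(m.group(0), validate=True)
        except ValueError:  # binascii.Error is a ValueError
            continue
        for enc in ('utf-8', 'utf-16-le'):
            try:
                decoded = raw.decode(enc)
            except UnicodeDecodeError:
                continue
            if decoded.isprintable():
                found.append(decoded)
                break
    return found


if __name__ == '__main__':
    print(recover_strings(SAMPLE_VBS)['cmd'])
    print(carve_base64(SAMPLE_LOG))
```

The variable-tracking approach matters because these loaders often split the command across several assignments; decoding each Chr() in isolation yields characters but not the command. In triage, run recover_strings over the .vbs, then carve_base64 over every companion file the recovered command references.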

The PowerShell component first reads the system's BIOS serial number and uses it as a unique identifier for the compromised machine. It then runs anti-VM checks and terminates if it detects a virtualized environment, a common technique for evading sandbox analysis by security researchers.

What makes this attack particularly concerning is how systematically the second stage harvests data once it is running.

The decoded PowerShell payload contains eleven specialized functions that systematically harvest sensitive data from the victim’s machine.

These functions include capabilities for uploading exfiltrated data, extracting browser information, targeting cryptocurrency wallets, and establishing persistence through scheduled tasks.

The malware specifically targets major browsers including Edge, Firefox, Chrome, and Naver Whale, extracting login credentials, cookies, and browsing history.

Most notably, it carries a hard-coded list of more than 30 cryptocurrency wallet browser extensions to look for, including MetaMask, Trust Wallet and Tron.

For each wallet extension it finds, the malware copies the extension's local database files, which likely contain access keys and transaction information.

After gathering the targeted information, the malware compresses all collected data into a ZIP file, renames it to “init.dat” to appear benign, and transmits it to a command-and-control server at “http://srvdown[.]ddns[.]net/service3/”.

Inside the ZIP file (Source – K7 Security Labs)

The server can issue additional commands to the infected system, establishing persistent remote access for the attackers.
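As an added example (not from the K7 report), the following Python hunting logic encodes the observable steps of the chain described above as detection rules and runs them over constructed Sysmon-style process events and proxy records. The only indicators taken from the article are the C2 host srvdown.ddns.net with its /service3/ path, the upload name init.dat, the VBScript-to-PowerShell hand-off, and persistence via scheduled tasks; the event fields, file paths and command lines are invented for the sample.

```python
# Constructed telemetry, NOT logs from the K7 investigation: process-creation
# events and proxy records shaped like the chain the article describes.
EVENTS = [
    {"id": 1, "type": "process",
     "parent": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell -ep bypass -w hidden -File C:\Users\u\AppData\Local\Temp\stage2.ps1"},
    {"id": 2, "type": "process",
     "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Git\usr\bin\bash.exe",
     "cmdline": "bash"},
    {"id": 3, "type": "http", "method": "POST", "host": "srvdown.ddns.net",
     "path": "/service3/", "upload_name": "init.dat", "bytes_out": 1_839_204},
    {"id": 4, "type": "http", "method": "GET", "host": "update.microsoft.com",
     "path": "/", "upload_name": None, "bytes_out": 0},
    {"id": 5, "type": "process",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /sc minute /mo 30 /tn "Update" /tr "powershell -w hidden -File stage2.ps1"'},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}   # default hosts for .vbs files on Windows
C2_HOSTS = {"srvdown.ddns.net"}                  # the article's IOC, defanged there as srvdown[.]ddns[.]net
C2_PATH_PREFIX = "/service3/"
EXFIL_NAME = "init.dat"


def basename(path: str) -> str:
    """Last component of a Windows path, lower-cased for comparison."""
    return path.rsplit("\\", 1)[-1].lower()


def rule_script_host_spawns_powershell(e: dict) -> bool:
    """Stage 1 -> stage 2: a script host launching PowerShell."""
    return (e["type"] == "process"
            and basename(e["parent"]) in SCRIPT_HOSTS
            and basename(e["image"]) == "powershell.exe")


def rule_powershell_creates_scheduled_task(e: dict) -> bool:
    """Persistence: PowerShell invoking schtasks.exe to create a task."""
    return (e["type"] == "process"
            and basename(e["parent"]) == "powershell.exe"
            and basename(e["image"]) == "schtasks.exe"
            and "/create" in e["cmdline"].lower())


def rule_upload_to_c2(e: dict) -> bool:
    """Exfiltration: any traffic to the known C2 host, or a POST of init.dat to
    a /service3/ path on any host (the path and name outlive a single domain)."""
    if e["type"] != "http":
        return False
    if e["host"].lower() in C2_HOSTS:
        return True
    return (e["method"] == "POST"
            and e["path"].startswith(C2_PATH_PREFIX)
            and (e.get("upload_name") or "").lower() == EXFIL_NAME)


RULES = (
    ("script_host_spawns_powershell", rule_script_host_spawns_powershell),
    ("powershell_creates_scheduled_task", rule_powershell_creates_scheduled_task),
    ("upload_to_c2", rule_upload_to_c2),
)


def detect(events) -> list:
    """Return (rule_name, event_id) for every event that matches a rule."""
    hits = []
    for e in events:
        for name, rule in RULES:
            if rule(e):
                hits.append((name, e["id"]))
    return hits


if __name__ == "__main__":
    for name, event_id in detect(EVENTS):
        print(f"{name}: event {event_id}")
```

The process-lineage rules are the durable part of this logic: the C2 host can change between campaigns, whereas a script host spawning PowerShell and PowerShell registering a scheduled task are behaviours the chain cannot easily avoid. Tune the first rule against legitimate logon scripts in your environment before alerting on it.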

This evolving threat demonstrates Kimsuky’s continued investment in sophisticated malware development and highlights the growing risk to individuals and organizations holding cryptocurrency assets or sensitive information.

Security professionals are advised to alert on script hosts (wscript.exe, cscript.exe) spawning PowerShell, to block or monitor outbound connections to the command-and-control domain above, and to educate users about the phishing lures carrying the ZIP archives that serve as the initial vector for these attacks.


Tushar Subhra Dutta