A recent investigation by Genians Security Center (GSC) has uncovered a highly sophisticated, multi-channel cyber espionage campaign attributed to the North Korea-aligned advanced persistent threat (APT) group known as Kimsuky.
Between March and April 2025, the group leveraged Facebook, email, and Telegram to infiltrate targets primarily within the defense sector, North Korea-related activists, and cryptocurrency exchanges.
The campaign, codenamed ‘AppleSeed,’ is notable for its use of Korea-specific compressed file formats, encoded malicious scripts, and persistent multi-stage infection chains.
Kimsuky, also known as Thallium, Black Banshee, and Velvet Chollima, has been active since at least 2013, focusing on government entities in South Korea while also targeting organizations in the U.S. and Japan.
The group’s latest operations employ a blend of social engineering and technical subterfuge, distributing the AppleSeed backdoor—a modular malware capable of remote command execution, data exfiltration, and additional payload delivery.
Triple Combo Threat Analysis
The campaign unfolded through three distinct yet interconnected channels:
- Facebook-Based Attacks: The threat actor used hijacked or impersonated Facebook accounts, such as ‘Transitional Justice Mission,’ to send friend requests and direct messages to individuals involved in North Korea-related activities. Posing as missionaries or researchers, the attackers shared password-protected EGG archives containing malicious files. The archives required specific Korean decompression tools, a tactic designed to ensure execution on Windows PCs rather than mobile devices.
- Email-Based Spear Phishing: After establishing contact via Facebook, the attackers requested the target’s email address and followed up with spear-phishing emails. These emails contained large attachments or embedded URLs, again using EGG archives. Recipients were instructed to use a particular decompression tool, reinforcing the Windows-centric infection vector.
- Telegram and Multi-Stage Delivery: If the attacker obtained the target’s mobile number, they escalated the attack via Telegram, delivering structurally identical malicious files under the guise of ‘volunteer support for North Korean defectors.’ The multi-stage approach ensured persistent access and minimized detection.
Malware Payload and Command-and-Control
According to the report, the core of the campaign centered on a malicious JavaScript file named ‘탈북민지원봉사활동.jse’ (Defector Volunteer Support.jse).
Upon execution via Windows Script Host (WSH), the script creates two files: a benign-looking PDF decoy and a malicious DLL named ‘vmZMXSx.eNwm.’

The PDF is generated from Base64-encoded data stored in the script, while the DLL is encoded twice—first in Base64, then using PowerShell and certutil for decoding.
The DLL, protected by VMProtect, is loaded silently using:
regsvr32.exe /s /n /i:tgvyh!@#12 vmZMXSx.eNwm
The DllInstall function is called with the parameter ‘tgvyh!@#12’; mismatched parameters trigger self-deletion.
The DLL’s payload is decoded using an XOR key (0x5E) and relocated in memory.
For persistence, the malware registers a ‘TripServiceUpdate’ entry in the Windows registry (HKCU\Software\Microsoft\Windows\CurrentVersion\Run) and stores additional payloads in ‘C:\Users\[Username]\AppData\Roaming\trip\service\’.
Once operational, the malware collects system information, checks for UAC and administrative privileges, and compresses the data into a ZIP file.
The ZIP is encrypted with RC4, and the session key is further encrypted with RSA.
The encrypted data is transmitted to a command-and-control (C2) server at ‘woana.n-e[.]kr’ via HTTP POST requests, using unique identifiers derived from the infected system’s volume serial number and username.
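As an added, constructed example (not code from the GSC report or from Genian EDR), the following Python checks simplified Sysmon-style process and registry events for the host artifacts described above: a script host launching a .jse file, regsvr32 invoked with /i: on a module that is not named like a DLL, and a Run-key entry named TripServiceUpdate or pointing into the trip\service staging directory. The event field names and sample values are assumptions.

```python
import re
from typing import Dict, List, Tuple

RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
STAGING_DIR = "\\appdata\\roaming\\trip\\service"  # staging path from the report, lowercased for matching
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")       # Windows Script Host binaries

def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def check_process(ev: Dict) -> List[str]:
    # Process-creation patterns that match the reported infection chain
    hits, image = [], _basename(ev.get("image", ""))
    cmd, parent = ev.get("cmd", ""), _basename(ev.get("parent", ""))
    if image in SCRIPT_HOSTS and re.search(r"\.jse?\b", cmd, re.I):
        hits.append("script host executing .js/.jse file")
    if image == "regsvr32.exe":
        module = cmd.split()[-1].strip('"').lower() if cmd.split() else ""
        # DllInstall entry point requested (/i:) for a module without a DLL/OCX extension
        if re.search(r"/i:\S+", cmd, re.I) and not module.endswith((".dll", ".ocx")):
            hits.append("regsvr32 /i: on module without .dll/.ocx extension")
        if parent in SCRIPT_HOSTS:
            hits.append("regsvr32 spawned by Windows Script Host")
    return hits

def check_registry(ev: Dict) -> List[str]:
    # Run-key persistence matching the reported value name or staging directory
    hits, key, data = [], ev.get("key", ""), ev.get("data", "").lower()
    if key.lower().startswith(RUN_KEY.lower()):
        if key.rsplit("\\", 1)[-1].lower() == "tripserviceupdate":
            hits.append("Run-key value named TripServiceUpdate")
        if STAGING_DIR in data:
            hits.append("Run-key data points into AppData\\Roaming\\trip\\service")
    return hits

def scan(events: List[Dict]) -> List[Tuple[int, str]]:
    # (event index, rule description) for every rule that fires on an event
    return [(i, h) for i, ev in enumerate(events)
            for h in (check_process if ev.get("type") == "process" else check_registry)(ev)]

# Constructed sample events (not real telemetry); index 3 is a benign control case.
EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\wscript.exe", "parent": r"C:\Windows\explorer.exe",
     "cmd": r'wscript.exe "C:\Users\victim\Downloads\탈북민지원봉사활동.jse"'},
    {"type": "process", "image": r"C:\Windows\System32\regsvr32.exe", "parent": r"C:\Windows\System32\wscript.exe",
     "cmd": r"regsvr32.exe /s /n /i:tgvyh!@#12 vmZMXSx.eNwm"},
    {"type": "registry", "key": RUN_KEY + r"\TripServiceUpdate",
     "data": r"C:\Users\victim\AppData\Roaming\trip\service\constructed_payload"},  # file name is constructed
    {"type": "process", "image": r"C:\Windows\System32\regsvr32.exe", "parent": r"C:\Windows\System32\msiexec.exe",
     "cmd": r'regsvr32.exe /s "C:\Program Files\Vendor\plugin.dll"'},
]
```

Running scan(EVENTS) flags the first three events and leaves the benign regsvr32 registration untouched; in production the same rules would be fed from Sysmon event IDs 1 (process creation) and 13 (registry value set).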
Ongoing Threat and Detection Challenges
Kimsuky’s campaign highlights the evolving sophistication of North Korean cyber operations.
The group’s use of automated script generation, multi-stage infection, and evasion techniques—such as VMProtect and double-encoded payloads—poses significant challenges for traditional signature-based security products.

However, endpoint detection and response (EDR) solutions like Genian EDR can provide enhanced visibility by mapping process relationships, decoding Base64-encoded scripts, and leveraging machine learning for threat detection.
Security teams are advised to remain vigilant against unexpected files, especially those requiring specific decompression tools, and to monitor for suspicious registry modifications and network traffic.
As Kimsuky continues to innovate, organizations must adopt layered defenses, including behavior-based detection, regular patching, and user education, to mitigate the risk of similar APT campaigns.