Kimsuky Hackers Use New Custom RDP Wrapper For Remote Access
Summary: The North Korean hacking group Kimsuky has been observed using custom-built remote access tools in a recent campaign, marking a shift from older methods like PebbleDash. Their new tactics involve spear-phishing emails with malicious attachments that enable stealthy access to compromised machines. These evolving techniques highlight Kimsuky’s persistence and adaptability in cyber-espionage activities.

Affected: Organizations targeted by Kimsuky

Key points:

  • Kimsuky is employing a modified version of RDP Wrapper for persistent access and to bypass security measures.
  • The group now relies on customized remote access tools instead of traditional backdoors, allowing for stealthier operations.
  • Infection chains begin with spear-phishing emails carrying manipulated .LNK files, indicating prior reconnaissance on the victims.
  • Secondary payloads deployed include keyloggers, credential stealers, and in-memory execution tools to enhance their foothold.
  • Kimsuky’s tactics suggest a focus on prolonged dwell times to gather intelligence without detection.

Source: https://www.bleepingcomputer.com/news/security/kimsuky-hackers-use-new-custom-rdp-wrapper-for-remote-access/