{
	"id": "24b29cfc-e582-4945-8a25-f55b466eacf9",
	"created_at": "2026-04-06T00:10:56.469428Z",
	"updated_at": "2026-04-10T13:11:58.926001Z",
	"deleted_at": null,
	"sha1_hash": "0c64582643fe90dacdb8ed76a4724a523907621e",
	"title": "Inside Kimsuky’s Latest Cyberattack: Analyzing Malicious Scripts and Payloads",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 492256,
	"plain_text": "Inside Kimsuky’s Latest Cyberattack: Analyzing Malicious Scripts\r\nand Payloads\r\nPublished: 2025-03-25 · Archived: 2026-04-05 20:23:29 UTC\r\nKimsuky, also known as “Black Banshee,” is a North Korean APT group active since at least 2012 and believed to be\r\nstate-sponsored. Its cyber espionage targets countries such as South Korea, Japan, and the U.S. Its tactics\r\ninclude phishing, malware infections (RATs, backdoors, wiper malware), supply chain attacks, lateral movement\r\nwithin networks and data exfiltration.\r\nRecently, we came across IOCs of this APT’s latest attack shared in a tweet, which pointed to a ZIP file\r\ncontaining the actual payloads. In this blog, we analyse the infection chain and take a deep dive into the\r\npayloads: how the malware operates, its behaviour, and the techniques used to execute the attack.\r\nFig.1. Tweet.\r\nInside the ZIP file there are four files: a VBScript, a PowerShell script, and two encoded text files. The encoded\r\ntext files contain obfuscated data which, with further analysis, provides crucial insight into the malware’s\r\nbehaviour and objectives. The figures below show the encoded content of the two text files, which we will\r\ndecode and analyse to uncover the next steps in the attack chain.\r\nFig.2. Inside Zip file.\r\nhttps://labs.k7computing.com/index.php/inside-kimsukys-latest-cyberattack-analyzing-malicious-scripts-and-payloads/\r\nPage 1 of 12\n\nFig.3. Encoded data of “1.log”.\r\nFig.4. Encoded data of “2.log”.\r\nIn the 1.vbs file, the obfuscated script uses the Chr() and CLng() functions to generate each character of its\r\ncommand at run time, so the command string never appears literally in the file. This obfuscation helps the script\r\nevade signature-based detection, since a static scanner sees only arithmetic and function calls; the concatenated\r\ncommand still has to be handed to whatever executes it, so process-creation or script-host logging records it in\r\nthe clear.\r\nAt the end of the script, the generated characters are concatenated into a command that is then executed. 
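Recovering the command from such a script by hand is tedious, so the following is an added example (our own Python, not code from the post or from the sample) of a small decoder for this pattern. It finds every chr(CLng(...)) term, evaluates the expression inside CLng (plain integers, &H hexadecimal literals, quoted numeric strings and + - * / arithmetic) with a restricted AST walker rather than eval(), so that a hostile sample cannot smuggle code into the analyst’s session, and joins the characters per assignment after undoing VBScript line continuations. The script it runs on is a constructed sample shaped like the pattern described above; it encodes a placeholder string and is not the contents of the real 1.vbs, whose exact expression forms may differ.

```python
import ast
import operator
import re

# Constructed sample in the shape the post describes: characters produced by
# chr() around CLng() and glued together with the VBScript & operator. It is
# NOT the real 1.vbs; it only encodes the placeholder string
# 'powershell -File 1.ps1 1.log' so the decoder has something to work on.
SAMPLE_VBS = '''
Dim cmd
cmd = chr(CLng(\"&H70\")) & chr(CLng(111)) & chr(CLng(100+19)) & chr(CLng(&H65)) _
    & chr(CLng(57*2)) & chr(CLng(\"&H73\")) & chr(CLng(208/2)) & chr(CLng(101)) _
    & chr(CLng(108)) & chr(CLng(\"&H6C\")) & chr(CLng(32)) & chr(CLng(50-5)) _
    & chr(CLng(70)) & chr(CLng(&H69)) & chr(CLng(108)) & chr(CLng(101)) _
    & chr(CLng(32)) & chr(CLng(49)) & chr(CLng(46)) & chr(CLng(112)) _
    & chr(CLng(115)) & chr(CLng(49)) & chr(CLng(32)) & chr(CLng(49)) _
    & chr(CLng(46)) & chr(CLng(108)) & chr(CLng(111)) & chr(CLng(103))
'''

# One chr(CLng(<expr>)) term; <expr> is kept free of nested parentheses.
CHR_CLNG = re.compile(r'chr[ ]*[(][ ]*clng[ ]*[(]([^()]*)[)][ ]*[)]', re.I)
# VBScript hexadecimal literal &H.. (quoted or not), rewritten as Python 0x..
HEX_LIT = re.compile(r'&h([0-9a-f]+)', re.I)
# A simple 'name = expression' assignment.
ASSIGN = re.compile(r'^[ ]*([A-Za-z_][A-Za-z0-9_]*)[ ]*=[ ]*(.+)$')

_OPS = {ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul,
        ast.Div: operator.truediv, ast.USub: operator.neg}

def _safe_eval(node):
    # Accept only numeric constants and + - * / arithmetic. Using eval() here
    # would let a hostile sample run Python on the analyst's machine.
    if isinstance(node, ast.Expression):
        return _safe_eval(node.body)
    if isinstance(node, ast.Constant) and isinstance(node.value, (int, float)):
        return node.value
    if isinstance(node, ast.BinOp) and type(node.op) in _OPS:
        return _OPS[type(node.op)](_safe_eval(node.left), _safe_eval(node.right))
    if isinstance(node, ast.UnaryOp) and type(node.op) in _OPS:
        return _OPS[type(node.op)](_safe_eval(node.operand))
    raise ValueError('unsupported expression: ' + ast.dump(node))

def clng(arg):
    # CLng takes a numeric expression or a numeric string and rounds to a long.
    arg = HEX_LIT.sub(lambda m: '0x' + m.group(1), arg.strip().strip('\"'))
    return int(round(_safe_eval(ast.parse(arg, mode='eval'))))

def deobfuscate(vbs_source):
    # First undo VBScript line continuations (a trailing underscore), then
    # rebuild the string each assignment produces. Returns {variable: string}.
    joined = []
    for line in vbs_source.splitlines():
        if joined and joined[-1].rstrip().endswith('_'):
            joined[-1] = joined[-1].rstrip()[:-1] + ' ' + line.strip()
        else:
            joined.append(line)
    recovered = {}
    for line in joined:
        m = ASSIGN.match(line)
        if m and CHR_CLNG.search(m.group(2)):
            recovered[m.group(1)] = ''.join(
                chr(clng(t.group(1))) for t in CHR_CLNG.finditer(m.group(2)))
    return recovered

if __name__ == '__main__':
    for name, value in deobfuscate(SAMPLE_VBS).items():
        print(name, '=', repr(value))
```

Running it prints cmd = 'powershell -File 1.ps1 1.log'. When a sample spreads the string over several variables or nests CLng expressions, the regular expression needs widening and the per-variable tracking becomes the important part; the restricted evaluator stays the same.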
The deobfuscated command (Fig.6) likely runs the 1.ps1 PowerShell script, passing 1.log to it as an argument.\r\nFig.5. Script in “1.vbs” file to generate characters.\r\nFig.6. Deobfuscated command to run “1.ps1”.\r\nThe 1.ps1 script contains a function that base64-decodes the data in the 1.log file and executes the result as a\r\nscript, so 1.log is a PowerShell payload disguised by its extension rather than a log file.\r\nFig.7. Script in “1.ps1” file.\r\nFig.8. “1.log” file after decoding.\r\nThe decoded script (Fig.8) then collects the BIOS serial number, a unique identifier of the compromised system, and\r\nuses it to create a new directory within the system’s temp folder, so that the attack-related files are stored in a\r\nmachine-specific location.\r\nThe sample is VM-aware: the script checks whether it is running in a virtual machine and, if so, deletes all the files\r\ninvolved in the attack (1.vbs, 1.ps1, 1.log, and any payload files stored in the serial-number-named directory),\r\naborting its execution (Fig.8). Analysts should therefore detonate it on bare metal or with the VM check patched out.\r\nThe script contains 11 functions that carry out the rest of the operation: system and browser data collection,\r\ncryptocurrency wallet information stealing, data exfiltration and Command-and-Control (C2) communication. These\r\nfunctions are the core of the attack, allowing the malware to achieve its objectives and keep a connection to the\r\nattacker.\r\n1. UploadFile ()\r\nThe upload function sends the exfiltrated data to the server as a file, in chunks of 1 MB so that large files can be\r\nhandled. It waits for the server’s response after each chunk; if it gets a “200” status it proceeds,\r\notherwise it terminates the execution. 
Each chunk goes out in its own HTTP POST request, and the status check is repeated on every iteration of the\r\nloop.\r\nFig.9. UploadFile function.\r\n2. Unprotect-Data ()\r\nThe Unprotect-Data function takes the encrypted data from the profile paths of Edge, Firefox, Chrome, and\r\nNaver Whale, decrypts it and stores the result in a file.\r\nFig.10. Unprotect-Data function.\r\n3. GetExWFile ()\r\nThe GetExWFile function checks for the cryptocurrency wallet browser extensions listed in the following three hash\r\ntables. For every wallet it finds, it takes the extension’s “.ldb” and “.log” files (the LevelDB store in which the\r\nextension keeps its data) for exfiltration and copies them to the destination folder specified by “$Storepath”.\r\nFig.11. GetExWFile function.\r\nFig.12. Hash Table 1.\r\nFig.13. Hash Table 2.\r\nFig.14. Hash Table 3.\r\n4. GetBrowserData ()\r\nThe GetBrowserData function checks whether any of Edge, Firefox, Chrome, or Naver Whale is currently\r\nrunning and extracts user profile data such as cookies, login info, bookmarks, and web data. It stops the\r\nbrowser before collecting information about the installed extensions and cache data, such as WebCacheV01.dat,\r\nfor each browser; a running browser keeps these database files locked, which is why the malware kills it first.\r\nFor some of the browsers it also decrypts the stored encryption key and uses it to retrieve sensitive data,\r\nwhich is then stored along with the decrypted master key.\r\nFig.15. Content inside GetBrowserData ().\r\n5. 
Init ()\r\nThe Init function collects detailed information about the system hardware, disk and volume details, network\r\nadapter status, and a list of all installed programs with their version, publisher, and installation date. These\r\ndetails are saved into a text file called “info.txt”.\r\nFig.16. Init function.\r\n6. Download file ()\r\nThe download file function downloads any file the C2 command names.\r\nFig.17. Download file function.\r\n7. CreateFileList ()\r\nThe CreateFileList function checks all the drives in the system for specific extensions and file-name patterns, and\r\nstores the results in the path “$storepath/filelist.txt”.\r\nFig.18. CreateFileList function.\r\nFig.19. Extensions searched for on the drives.\r\nFig.20. File-name patterns searched for.\r\n8. RegisterTask ()\r\nIt creates persistence for the files “1.log” and “1.vbs”.\r\nFig.21. Persistence.\r\n9. Send ()\r\nThe Send function compresses all the collected information into a ZIP file named “init.zip” and uploads it to the\r\nserver. It then renames the ZIP file to “init.dat” and, once the upload is done, deletes the local copies of the\r\ncollected files.\r\nFig.22. Send function.\r\n10. Get-ShortcutTargetPath () and RecentFiles ()\r\nRecentFiles checks all the “.lnk” files in the user’s Recent folder and resolves each shortcut’s target path with\r\nthe Get-ShortcutTargetPath function; the resulting list of recently opened documents is saved to the text file\r\n“recent.txt”.\r\nFig.23. Get-ShortcutTargetPath function.\r\nFig.24. RecentFiles function.\r\n11. Work ()\r\nThe Work function handles the execution of C2 commands along with uploading files and writing files to the\r\nsystem. 
It enters an infinite loop that sleeps for 600 seconds (10 minutes) and then uploads the “k.log” file, which\r\nis produced by the execution of the “2.log” payload; after each upload it deletes the file from the system.\r\nFig.25. Work function.\r\nFig.26. C2 command execution.\r\nThis is the flow of execution of the functions above in this attack, which also executes another PowerShell command\r\nthat invokes the “2.log” file, which performs keylogging.\r\nFig.27. Flow of execution of functions and command to execute “2.log”.\r\nFig.28. “2.log” after decoding.\r\nFig.28 above shows the “2.log” file after decoding. It imports the Windows API functions required for detecting\r\nkey presses, getting window titles, and managing keyboard states, and uses them for clipboard monitoring,\r\nkeystroke monitoring, and window title logging.\r\nFig.29. Code for clipboard monitoring.\r\nFig.30. Window title logging.\r\nFig.31. Keystroke monitoring.\r\nThe malicious activities of the stealer discussed here can be considered groundwork for understanding the victim;\r\nfurther C2 commands from the attacker could cause further damage.\r\nAs we can see, threat actors are employing time-consuming, interlinked, multi-component techniques in order to\r\nbecome more evasive. Compared to other stealers, this one is mainly focused on network-related\r\ninformation that could be used for active reconnaissance. 
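The chain described above leaves telemetry that does not depend on the obfuscation: a script host (wscript.exe or cscript.exe) starting PowerShell with a .log file on its command line, a scheduled task that re-launches a script from a Temp directory, and an HTTP POST to the same host every 600 seconds. The following is an added example (our own Python, not code from the post) that runs these three checks over constructed process-creation events and a constructed request log. The PIDs, paths, task name, C2 host name and the schtasks.exe form of the persistence are assumptions made for the sample, not values observed in the campaign, and the rules are starting points to tune rather than a finished signature.

```python
import re
from collections import defaultdict

SCRIPT_HOSTS = {'wscript.exe', 'cscript.exe'}
POWERSHELL = {'powershell.exe', 'pwsh.exe'}
# Split a command line on spaces while keeping quoted arguments together.
TOKEN_RE = re.compile(r'\"[^\"]*\"|[^ \"]+')

# Constructed process-creation events (Sysmon Event ID 1 style). They model
# only what the post describes: 1.vbs starting PowerShell with 1.ps1 and a
# .log file as argument, and persistence that re-runs 1.vbs from Temp. PIDs,
# paths, the task name and the schtasks.exe form are assumptions, not data.
EVENTS = [
    {'pid': 100, 'ppid': 1, 'image': 'C:\\Windows\\explorer.exe',
     'cmdline': 'explorer.exe'},
    {'pid': 200, 'ppid': 100, 'image': 'C:\\Windows\\System32\\wscript.exe',
     'cmdline': 'wscript.exe \"C:\\Users\\u\\Downloads\\1.vbs\"'},
    {'pid': 300, 'ppid': 200,
     'image': 'C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe',
     'cmdline': 'powershell.exe -File 1.ps1 1.log'},
    {'pid': 400, 'ppid': 300, 'image': 'C:\\Windows\\System32\\schtasks.exe',
     'cmdline': 'schtasks.exe /Create /TN Sync /TR '
                '\"wscript.exe C:\\Users\\u\\AppData\\Local\\Temp\\1.vbs\" /SC MINUTE /MO 10'},
    # Benign control: an admin running a script from Explorer must not fire.
    {'pid': 500, 'ppid': 100,
     'image': 'C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe',
     'cmdline': 'powershell.exe -File C:\\scripts\\backup.ps1 -Verbose'},
]

# Constructed request log: (epoch seconds, destination host, method). The C2
# host name is invented; only the 600-second cadence comes from the post.
REQUESTS = [
    (0, 'c2.example.invalid', 'POST'), (600, 'c2.example.invalid', 'POST'),
    (1201, 'c2.example.invalid', 'POST'), (1799, 'c2.example.invalid', 'POST'),
    (2400, 'c2.example.invalid', 'POST'),
    (30, 'update.example.invalid', 'GET'), (45, 'update.example.invalid', 'GET'),
    (900, 'update.example.invalid', 'GET'), (1500, 'update.example.invalid', 'GET'),
]

def basename(path):
    return path.replace('/', '\\').rsplit('\\', 1)[-1].lower()

def tokens(cmdline):
    return [t.strip('\"') for t in TOKEN_RE.findall(cmdline)]

def ancestors(event, by_pid):
    # Walk the parent chain; the seen-set guards against PID reuse loops.
    seen, cur = set(), by_pid.get(event['ppid'])
    while cur is not None and cur['pid'] not in seen:
        seen.add(cur['pid'])
        yield cur
        cur = by_pid.get(cur['ppid'])

def detect_process_chain(events):
    by_pid = {e['pid']: e for e in events}
    hits = []
    for e in events:
        img, toks, low = basename(e['image']), tokens(e['cmdline']), e['cmdline'].lower()
        # Rule 1: PowerShell under a script host with a .log file passed as an
        # argument mirrors 1.vbs launching 1.ps1 with 1.log.
        under_script_host = any(basename(a['image']) in SCRIPT_HOSTS
                                for a in ancestors(e, by_pid))
        if (img in POWERSHELL and under_script_host
                and any(t.lower().endswith('.log') for t in toks[1:])):
            hits.append((e['pid'], 'script_host_to_powershell_with_log_arg'))
        # Rule 2: a scheduled task whose action runs a .vbs or .log-backed
        # script out of a Temp directory mirrors the RegisterTask persistence.
        creates_task = (('schtasks' in img and '/create' in low)
                        or 'register-scheduledtask' in low)
        if (creates_task and '\\temp\\' in low
                and any(t.lower().endswith(('.vbs', '.log')) for t in toks)):
            hits.append((e['pid'], 'scheduled_task_runs_script_from_temp'))
    return hits

def find_beacons(requests, period=600, tolerance=10, min_intervals=3):
    # Flag (host, method) pairs contacted at a near-constant period, the
    # cadence the Work() loop produces with its fixed 600-second sleep.
    by_key = defaultdict(list)
    for ts, host, method in requests:
        by_key[(host, method)].append(ts)
    found = []
    for (host, method), times in by_key.items():
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        regular = sum(1 for g in gaps if abs(g - period) <= tolerance)
        if regular >= min_intervals:
            found.append((host, method, regular))
    return sorted(found)

if __name__ == '__main__':
    for hit in detect_process_chain(EVENTS) + find_beacons(REQUESTS):
        print(hit)
```

Rule 1 walks the whole parent chain rather than checking only the direct parent, so an intermediate cmd.exe would not hide the script host. The beacon check tolerates ten seconds of jitter, which is enough for the fixed sleep the Work() loop uses but should be widened for implants that randomise their interval.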
As the stealer targets the user’s sensitive information, protecting yourself with a reputable security product such\r\nas K7 Antivirus is necessary in today’s world. We at K7 Labs provide detection for such stealers at different\r\nstages of infection, and for all the latest threats.\r\nIOCs\r\nName Hash (MD5) Detection Name\r\n1.vbs CE4549607E46E656D8E019624D5036C1 Trojan ( 0001140e1 )\r\n1.ps1 1119A977A925CA17B554DCED2CBABD85 Trojan ( 0001140e1 )\r\n1.log 64677CAE14A2EC4D393A81548417B61B Trojan ( 0001140e1 )\r\nSource: https://labs.k7computing.com/index.php/inside-kimsukys-latest-cyberattack-analyzing-malicious-scripts-and-payloads/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://labs.k7computing.com/index.php/inside-kimsukys-latest-cyberattack-analyzing-malicious-scripts-and-payloads/"
	],
	"report_names": [
		"inside-kimsukys-latest-cyberattack-analyzing-malicious-scripts-and-payloads"
	],
	"threat_actors": [
		{
			"id": "191d7f9a-8c3c-442a-9f13-debe259d4cc2",
			"created_at": "2022-10-25T15:50:23.280374Z",
			"updated_at": "2026-04-10T02:00:05.305572Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"Kimsuky",
				"Black Banshee",
				"Velvet Chollima",
				"Emerald Sleet",
				"THALLIUM",
				"APT43",
				"TA427",
				"Springtail"
			],
			"source_name": "MITRE:Kimsuky",
			"tools": [
				"Troll Stealer",
				"schtasks",
				"Amadey",
				"GoBear",
				"Brave Prince",
				"CSPY Downloader",
				"gh0st RAT",
				"AppleSeed",
				"Gomir",
				"NOKKI",
				"QuasarRAT",
				"Gold Dragon",
				"PsExec",
				"KGH_SPY",
				"Mimikatz",
				"BabyShark",
				"TRANSLATEXT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "760f2827-1718-4eed-8234-4027c1346145",
			"created_at": "2023-01-06T13:46:38.670947Z",
			"updated_at": "2026-04-10T02:00:03.062424Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"G0086",
				"Emerald Sleet",
				"THALLIUM",
				"Springtail",
				"Sparkling Pisces",
				"Thallium",
				"Operation Stolen Pencil",
				"APT43",
				"Velvet Chollima",
				"Black Banshee"
			],
			"source_name": "MISPGALAXY:Kimsuky",
			"tools": [
				"xrat",
				"QUASARRAT",
				"RDP Wrapper",
				"TightVNC",
				"BabyShark",
				"RevClient"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c8bf82a7-6887-4d46-ad70-4498b67d4c1d",
			"created_at": "2025-08-07T02:03:25.101147Z",
			"updated_at": "2026-04-10T02:00:03.846812Z",
			"deleted_at": null,
			"main_name": "NICKEL KIMBALL",
			"aliases": [
				"APT43 ",
				"ARCHIPELAGO ",
				"Black Banshee ",
				"Crooked Pisces ",
				"Emerald Sleet ",
				"ITG16 ",
				"Kimsuky ",
				"Larva-24005 ",
				"Opal Sleet ",
				"Ruby Sleet ",
				"SharpTongue ",
				"Sparking Pisces ",
				"Springtail ",
				"TA406 ",
				"TA427 ",
				"THALLIUM ",
				"UAT-5394 ",
				"Velvet Chollima "
			],
			"source_name": "Secureworks:NICKEL KIMBALL",
			"tools": [
				"BabyShark",
				"FastFire",
				"FastSpy",
				"FireViewer",
				"Konni"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "71a1e16c-3ba6-4193-be62-be53527817bc",
			"created_at": "2022-10-25T16:07:23.753455Z",
			"updated_at": "2026-04-10T02:00:04.73769Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"APT 43",
				"Black Banshee",
				"Emerald Sleet",
				"G0086",
				"G0094",
				"ITG16",
				"KTA082",
				"Kimsuky",
				"Larva-24005",
				"Larva-25004",
				"Operation Baby Coin",
				"Operation Covert Stalker",
				"Operation DEEP#DRIVE",
				"Operation DEEP#GOSU",
				"Operation Kabar Cobra",
				"Operation Mystery Baby",
				"Operation Red Salt",
				"Operation Smoke Screen",
				"Operation Stealth Power",
				"Operation Stolen Pencil",
				"SharpTongue",
				"Sparkling Pisces",
				"Springtail",
				"TA406",
				"TA427",
				"Thallium",
				"UAT-5394",
				"Velvet Chollima"
			],
			"source_name": "ETDA:Kimsuky",
			"tools": [
				"AngryRebel",
				"AppleSeed",
				"BITTERSWEET",
				"BabyShark",
				"BoBoStealer",
				"CSPY Downloader",
				"Farfli",
				"FlowerPower",
				"Gh0st RAT",
				"Ghost RAT",
				"Gold Dragon",
				"GoldDragon",
				"GoldStamp",
				"JamBog",
				"KGH Spyware Suite",
				"KGH_SPY",
				"KPortScan",
				"KimJongRAT",
				"Kimsuky",
				"LATEOP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Lovexxx",
				"MailPassView",
				"Mechanical",
				"Mimikatz",
				"MoonPeak",
				"Moudour",
				"MyDogs",
				"Mydoor",
				"Network Password Recovery",
				"PCRat",
				"ProcDump",
				"PsExec",
				"ReconShark",
				"Remote Desktop PassView",
				"SHARPEXT",
				"SWEETDROP",
				"SmallTiger",
				"SniffPass",
				"TODDLERSHARK",
				"TRANSLATEXT",
				"Troll Stealer",
				"TrollAgent",
				"VENOMBITE",
				"WebBrowserPassView",
				"xRAT"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434256,
	"ts_updated_at": 1775826718,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0c64582643fe90dacdb8ed76a4724a523907621e.pdf",
		"text": "https://archive.orkl.eu/0c64582643fe90dacdb8ed76a4724a523907621e.txt",
		"img": "https://archive.orkl.eu/0c64582643fe90dacdb8ed76a4724a523907621e.jpg"
	}
}