Analysis of the Triple Combo Threat of the Kimsuky Group

A North Korean state-sponsored group identified as Kimsuky conducted a covert multi-stage campaign using Facebook, email, and Telegram to target defense and North Korea–related activists, delivering password-protected EGG archives containing obfuscated JSE scripts and VMProtect-packed DLLs that establish persistent RATs. The campaign used Korea-specific compressed formats, double Base64-encoded payloads, and Telegram-based C2 communications (woana.n-e[.]kr) to evade detection and maintain long-term access. #Kimsuky #AppleSeed #woana.n-e.kr

Keypoints

  • Kimsuky used a coordinated three-stage access chain (Facebook → email → Telegram) to socially engineer targets involved with North Korean defector activities.
  • Malicious payloads were delivered as password-protected EGG archives and instructed targets to use Korean decompression tools to force Windows execution.
  • Obfuscated JSE scripts created decoy PDF files and dropped VMProtect-packed DLLs (vmZMXSx.eNwm) that unpacked and installed a persistent RAT (tripservice.dll).
  • The malware used double Base64 decoding, certutil/PowerShell, regsvr32 execution, XOR-based decoding, and RC4/RSA encryption to exfiltrate data and receive commands from C2 (woana.n-e[.]kr).
  • Persistence was achieved by registering a Run key (TripServiceUpdate) that launches regsvr32 with the malicious DLL on user login.
  • EDR-based detection (Genian EDR) and behavior/ML-based hunting were effective at exposing execution flow, Base64 decoding, and parent-child process relationships.
  • Campaign artifacts and techniques show continued evolution and reuse of AppleSeed/BabyShark/FlowerPower toolsets and script generation patterns across incidents.

MITRE Techniques

  • [T1566] Phishing – Used Facebook and email to lure victims with malicious files and social-engineered messages: “The threat actor used an account named ‘Transitional Justice Mission’ to send friend requests and direct messages… delivered a malicious file.”
  • [T1071] Command and Control – Communicated with compromised devices through HTTP requests via Telegram/C2 domain to send/receive commands: “An HTTP request is sent to the ‘woana.n-e[.]kr’ domain… the domain responds by returning data that contains commands.”
  • [T1203] Exploitation for Client Execution – Delivered malicious JSE files that execute under Windows Script Host to spawn further payloads: “The JSE file… is an obfuscated JScript file that runs under Microsoft’s Windows Script Host (WSH).”
  • [T1003] Credential Dumping – Extracted credentials from compromised devices and harvested SNS/email credentials for lateral access and account hijacking: “the attacker then monitored the victim and extracted their credentials for SNS and email accounts.”
  • [T1547] Persistence – Registered malicious DLL execution via HKCU Run registry entry to maintain persistence across reboots: ‘reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run… “TripServiceUpdate”… regsvr32.exe /s /n /i:tgvyh!@#12 C:\Users\[UserName]\AppData\Roaming\tripservice\tripservice.dll’
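As an added hunting example (written for this summary, not code from the Genians report), the following Python checks constructed, simplified process-creation and registry-set records for three of the behaviours described above: a Windows Script Host process (wscript/cscript) spawning certutil, regsvr32 or PowerShell; regsvr32 invoked with /n /i: against a DLL under a user-writable AppData path; and a Run key value whose data launches regsvr32 that way. The event field names and the sample username "u" are assumptions, and the benign fourth record shows the rules not firing on an ordinary DLL registration.

```python
import re

# Constructed sample events (hypothetical simplified Sysmon-like fields; "u" is a placeholder user).
EVENTS = [
    {"type": "process", "parent": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil -decode C:\Users\u\AppData\Local\Temp\a.b64 C:\Users\u\AppData\Local\Temp\a.bin"},
    {"type": "process", "parent": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r"regsvr32.exe /s /n /i:tgvyh!@#12 C:\Users\u\AppData\Roaming\tripservice\tripservice.dll"},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "TripServiceUpdate",
     "data": r"regsvr32.exe /s /n /i:tgvyh!@#12 C:\Users\u\AppData\Roaming\tripservice\tripservice.dll"},
    {"type": "process", "parent": r"C:\Windows\explorer.exe",  # benign vendor installer, must not fire
     "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r"regsvr32.exe /s C:\Program Files\Vendor\legit.dll"},
]

WSH_HOSTS = ("wscript.exe", "cscript.exe")  # the obfuscated JSE stage runs under Windows Script Host
LOLBINS = ("regsvr32.exe", "certutil.exe", "powershell.exe")
# regsvr32 /n /i:<arg> skips DllRegisterServer and calls the DLL's DllInstall with <arg> instead
REGSVR32_DLLINSTALL = re.compile(r"regsvr32(\.exe)?\s.*?/n\b.*?/i:", re.IGNORECASE)
USER_WRITABLE_DLL = re.compile(r"\\AppData\\(Roaming|Local)\\.*\.dll\b", re.IGNORECASE)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def hunt(events):
    """Return (rule, evidence) tuples for events matching the TTPs summarised above."""
    findings = []
    for ev in events:
        if ev["type"] == "process":
            if basename(ev["parent"]) in WSH_HOSTS and basename(ev["image"]) in LOLBINS:
                findings.append(("wsh_spawns_lolbin", ev["cmdline"]))
            if REGSVR32_DLLINSTALL.search(ev["cmdline"]) and USER_WRITABLE_DLL.search(ev["cmdline"]):
                findings.append(("regsvr32_dllinstall_user_dir", ev["cmdline"]))
        elif ev["type"] == "registry":
            # Run key data that re-launches regsvr32 with DllInstall is the persistence pattern above
            if ev["key"].lower().endswith(r"\currentversion\run") and REGSVR32_DLLINSTALL.search(ev["data"]):
                findings.append(("run_key_regsvr32_persistence", f"{ev['value']} -> {ev['data']}"))
    return findings


if __name__ == "__main__":
    for rule, evidence in hunt(EVENTS):
        print(f"[{rule}] {evidence}")
```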

Indicators of Compromise

  • [file hash] Samples associated with the campaign – 2f6fe22be1ed2a6ba42689747c9e18a0, 5a223c70b65c4d74fea98ba39bf5d127 (and multiple other hashes listed in report)
  • [file hash] Additional DLL/sample examples – 7a0c0a4c550a95809e93ab7e6bdcc290, 46fd22acea614407bf11d92eb6736dc7 (and 20+ more hashes)
  • [domain] C2 and command infrastructure – woana.n-e[.]kr (primary C2 used for data exfiltration and command retrieval), afcafe.kro[.]kr
  • [domain] Additional associated domains observed – dirwear.000webhostapp[.]com, download.uberlingen[.]com (and other infrastructure such as nomera.n-e[.]kr, vamboo.n-e[.]kr)
  • [filename] Malicious file names and formats used – 탈북민지원봉사활동.jse (Defector Volunteer Support.jse) delivered inside password-protected .egg archives; tripservice.dll and vmZMXSx.eNwm DLL files

Read more: https://www.genians.co.kr/en/blog/threat_intelligence/triple-combo-re