GSC detailed a new APT campaign by North Korea–linked Kimsuky targeting South Korean defense, activist, and North Korea–related communities through multi-channel social engineering. The campaign leveraged Facebook, email, and Telegram to deliver AppleSeed malware, establishing remote access and persistence. #Kimsuky #AppleSeed #APTattack #SouthKorea
Keypoints
- Kimsuky conducted a multi-stage campaign using social engineering on Facebook, email, and Telegram.
- The threat actor used themed narratives about North Korean defectors to deceive victims.
- The AppleSeed backdoor was delivered as a file named “Defector Volunteer Support.jse” (an encoded JScript file, which Windows Script Host runs) and used multiple obfuscation techniques.
- The malware established persistence and communicated with a C2 server hosted on woana.n-e[.]kr.
- Techniques distinctive to this campaign included lures in Korea-specific file formats and files disguised as PDFs, used to evade detection on the targeted Windows systems.
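The delivery chain summarized above (an encoded JScript dropper launched through Windows Script Host, with a named C2 domain) maps onto two simple host-side detections. The following is an added example, not code from GSC or from the report: it runs those detections over constructed, simplified EDR-style log lines. The log format, the field names, the list of document extensions checked for double-extension disguise, and the sample entries are assumptions for illustration; the only indicators taken from the summary are the `.jse` file name and the C2 domain.

```python
import re
from typing import Dict, List

# Indicator from the summary above (defanged there; re-armed here for matching).
C2_DOMAIN = "woana.n-e[.]kr".replace("[.]", ".")

# Windows Script Host binaries that execute .jse (JScript Encoded) files.
WSH_HOSTS = {"wscript.exe", "cscript.exe"}

# Assumed list of document extensions an attacker might prepend to ".jse"
# to make a script look like a document.
DOC_DISGUISE_RE = re.compile(r"\.(pdf|docx?|xlsx?|txt)\.jse\b", re.IGNORECASE)
JSE_RE = re.compile(r"\.jse\b", re.IGNORECASE)

# Constructed sample log lines (not from the original report), in a simplified
# key="value" format loosely resembling an EDR export.
SAMPLE_LOGS = [
    r'event="process_create" image="C:\Windows\System32\wscript.exe" cmdline="wscript.exe C:\Users\u\Downloads\Defector Volunteer Support.jse"',
    r'event="process_create" image="C:\Windows\System32\notepad.exe" cmdline="notepad.exe notes.txt"',
    r'event="dns_query" query="woana.n-e.kr" process="wscript.exe"',
    r'event="dns_query" query="example.com" process="chrome.exe"',
    r'event="process_create" image="C:\Windows\System32\cscript.exe" cmdline="cscript.exe //E:jscript.encode report.pdf.jse"',
]

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')


def parse(line: str) -> Dict[str, str]:
    """Split one key="value" log line into a dict (assumed format)."""
    return dict(FIELD_RE.findall(line))


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def scan(lines: List[str]) -> List[Dict[str, str]]:
    """Apply two detections: WSH executing a .jse file, and DNS lookups of the C2 domain."""
    hits: List[Dict[str, str]] = []
    for line in lines:
        fields = parse(line)
        event = fields.get("event")
        if event == "process_create":
            image = basename(fields.get("image", ""))
            cmdline = fields.get("cmdline", "")
            if image in WSH_HOSTS and JSE_RE.search(cmdline):
                hits.append({"rule": "wsh_jse_execution", "evidence": cmdline})
                # A document extension in front of .jse is the disguise pattern.
                if DOC_DISGUISE_RE.search(cmdline):
                    hits.append({"rule": "double_extension_disguise", "evidence": cmdline})
        elif event == "dns_query":
            query = fields.get("query", "").lower().rstrip(".")
            if query == C2_DOMAIN or query.endswith("." + C2_DOMAIN):
                hits.append({"rule": "c2_domain_query", "evidence": query})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS):
        print(f"{hit['rule']}: {hit['evidence']}")
```

The process rule keys on the script host rather than on the file name, since the lure name will change between waves while `wscript.exe`/`cscript.exe` running a `.jse` from a user-writable directory stays unusual on most endpoints; the domain rule also catches subdomains of the indicator.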