CyberSecurity news
FlagThis
@securityonline.info
//
North Korea-linked APT group Kimsuky, also known as Monolithic Werewolf, has resurfaced with an evolved version of its AppleSeed campaign, targeting Korean users via social media. The Genians Security Center (GSC) detected this activity, noting that it spanned from March to April 2025. The attackers leveraged multiple communication channels, including Facebook, email, and Telegram, to distribute malicious files, demonstrating a multi-platform infiltration model. This campaign specifically targeted individuals involved in North Korean defector support, using coordinated social engineering efforts to gain trust.
The attackers employed various techniques to bypass security measures and achieve persistence. They used two Facebook accounts to initiate conversations, posing as missionaries or church researchers to build rapport with their targets. Once trust was established, they sent password-protected EGG-format archives containing a malicious JScript file, designed to evade mobile-based scanning and force execution on Windows PCs. The malicious JScript file then triggered a chain of file drops and stealthy installations, including decoding Base64-encoded DLLs using PowerShell and Certutil, and achieving persistence by adding a Run registry entry.
The AppleSeed malware functions as a remote access trojan (RAT), capable of collecting sensitive system information, encrypting it, and sending it back to the attackers. The final-stage payload collects host information, checks for admin privileges and UAC settings, then compresses and encrypts the data. The campaign reveals the group's adaptive tactics, utilizing Facebook for initial contact and lure delivery, email for follow-up spear phishing with EGG archives, and Telegram for targets whose phone numbers were obtained. Security analysts are recommending proactive threat hunting and triage strategies to defend against this evolving threat.
ImgSrc: securityonline.
References :
The attackers employed various techniques to bypass security measures and achieve persistence. They used two Facebook accounts to initiate conversations, posing as missionaries or church researchers to build rapport with their targets. Once trust was established, they sent password-protected EGG-format archives containing a malicious JScript file, designed to evade mobile-based scanning and force execution on Windows PCs. The malicious JScript file then triggered a chain of file drops and stealthy installations, including decoding Base64-encoded DLLs using PowerShell and Certutil, and achieving persistence by adding a Run registry entry.
The AppleSeed malware functions as a remote access trojan (RAT), capable of collecting sensitive system information, encrypting it, and sending it back to the attackers. The final-stage payload collects host information, checks for admin privileges and UAC settings, then compresses and encrypts the data. The campaign reveals the group's adaptive tactics, utilizing Facebook for initial contact and lure delivery, email for follow-up spear phishing with EGG archives, and Telegram for targets whose phone numbers were obtained. Security analysts are recommending proactive threat hunting and triage strategies to defend against this evolving threat.
ImgSrc: securityonline.
Share:
References :
- securityonline.info: Kimsuky’s AppleSeed Returns: North Korea-Linked APT Targets Korean Users via Social Media
- Virus Bulletin: Genians Security Center detected part of an AppleSeed campaign by Kimsuky group that targeted users of Facebook, email and Telegram in Korea between March & April 2025. AppleSeed was first described by researcher Jae-Ki Kim in papers presented at VB2019 & VB2021.
- www.genians.co.kr: Genians Security Center detected part of an AppleSeed campaign by Kimsuky group that targeted users of Facebook, email and Telegram in Korea between March & April 2025. AppleSeed was first described by researcher Jae-Ki Kim in papers presented at VB2019 & VB2021.
- securityonline.info: Kimsuky APT Group Abuses HWP and AnyDesk for Covert Remote Surveillance