Kimsuky LNK Malware Using Dropbox API for Host Profiling and Payload Delivery
Kimsuky-linked malware delivered through malicious LNK files was observed targeting likely South Korean users, using shortcut execution to unpack a PowerShell-based implant, establish persistence via Task Scheduler, collect host information, and communicate through the Dropbox API. IIJ reported that the LNK extracts files into C:\PerfLog, deploys www.ps1 and a VBScript launcher, creates a scheduled task named P, and drops a decoy document in a Hancom Office format. The malware generates a client ID from the victim MAC address, gathers system details including domain, username, OS version, process lists, and external IP address, then uploads the data to attacker-controlled Dropbox folders before attempting to download and run a follow-on batch payload.
AhnLab's February 2026 APT trend reporting for South Korea provides broader context showing that spear phishing remained the dominant delivery method and that LNK-based attacks were the most prevalent format observed, including campaigns that used PowerShell to fetch additional components and register persistence. While AhnLab's report is a monthly trend overview rather than a dedicated write-up on the Dropbox variant, it aligns with IIJ's assessment that the malware shares substantial TTP overlap with previously reported Kimsuky activity. The reporting indicates continued abuse of legitimate cloud services such as Dropbox and, more broadly, GitHub and similar platforms to blend command-and-control and payload staging into normal network traffic.
Timeline
Apr 27, 2026
Kimsuky targets pharmaceutical firms with Excel-themed LNK malware
Researchers reported that Kimsuky launched a targeted campaign against prescription pharmaceutical companies using a malicious LNK file disguised as an Excel document. The multi-stage chain used XML, JavaScript, and PowerShell, established persistence via a fake Avast Secure Browser scheduled task, and used Dropbox API communications to exfiltrate host data and stage follow-on commands.
Apr 1, 2026
ASEC details Kimsuky’s updated LNK-to-Python backdoor chain
ASEC reported that Kimsuky updated its malicious LNK infection flow to add XML, VBS, and PowerShell stages while still delivering Python-based malware. The campaign used Dropbox for host-data exfiltration and follow-on BAT retrieval, and the deployed Python backdoor communicated with 45.95.186[.]232:8080 and supported command execution, file transfer, and payload execution.
Mar 17, 2026
Kimsuky uses Dropbox API in malware operations
IIJ Security Diary reported on Kimsuky malware that used the Dropbox API as part of its operation. No earlier event date is provided in the reference, so the publication date is used as the best estimate.
Feb 28, 2026
AhnLab documents February spear-phishing APT activity in South Korea
AhnLab reported that most APT attacks detected against South Korean targets in February 2026 were delivered through spear phishing, with LNK-based attacks the most common and CHM-based attacks also observed. The report described two LNK infection chains, including PowerShell-delivered AutoIt malware with Task Scheduler persistence and curl.exe retrieval of malicious HTA files from GitHub or Google Drive that deployed infostealer, keylogger, and backdoor loader components.
See the full picture in Mallory
Mallory subscribers get deeper analysis on every story, including:
Who’s affected and how
Deep-dive technical analysis
Actionable next steps for your team
IPs, domains, hashes, and more
Ask questions and take action on every story
Filter by topic, classification, timeframe
Get matching stories delivered automatically
Related Entities
Threat Actors
Malware
Organizations
Affected Products
Sources
2 more from sources like ahnlab asec blog and sect.iij.ad.jp
Related Stories
Kimsuky Uses Malicious LNK Files to Deliver Python Backdoor
North Korea-linked threat group **Kimsuky** has been reported using malicious Windows shortcut (`.LNK`) files to initiate a **multi-stage infection chain** that ends with deployment of a **Python-based backdoor**. Reporting shared from both AhnLab and Excalibra indicates the campaign relies on weaponized LNK files as the initial access vector, with the malware delivery process evolving from earlier distribution patterns. The activity was attributed to Kimsuky in threat-intelligence reporting and social media amplification, with references also linking the cluster to **DPRK** operations and possible overlap or comparison with **Konni** tracking. While the cited summaries did not include victimology or technical indicators, they consistently described a shift in how the group distributes malware and highlighted the use of LNK-based social engineering to stage follow-on payloads.
1 weeks ago
Phishing campaigns using Windows LNK files and PowerShell loaders to deliver RATs and ransomware
Multiple recent intrusion reports describe **phishing-led Windows compromises** that rely on **weaponized `.LNK` shortcuts** to trigger **obfuscated PowerShell** execution, display decoy documents, and then fetch additional payloads from public cloud/code platforms. In South Korea, attackers distributed an LNK disguised as financial trading guidance that opens a decoy PDF while running PowerShell; subsequent stages perform anti-analysis/virtualization checks, establish persistence, and retrieve a masked executable from **GitHub** that decrypts code at runtime to run **MoonPeak** malware. Researchers assessed the activity as likely **North Korea–linked** based on GitHub commit metadata and naming patterns. A separate Russia-targeted campaign used business-themed archives containing decoy documents and a malicious LNK to pull a PowerShell loader that establishes persistence and then weakens defenses (including **Microsoft Defender exclusion changes** and use of **`defendnot`**), performs reconnaissance, and tampers with system tooling and file associations before deploying **Amnesia RAT** (fetched from **Dropbox**) and a **Hakuna Matata–derived ransomware** payload for encryption. By contrast, reporting on **KazakRAT** describes a different espionage operation in Kazakhstan/Afghanistan delivered via malicious **MSI** installers and using simple, unencrypted HTTP C2; it is not part of the LNK/PowerShell delivery chains described in the other incidents.
1 months ago
North Korean Phishing Campaign Uses GitHub as Covert C2 Against South Korean Firms
FortiGuard Labs reported a high-severity cyber espionage campaign linked to North Korean state-sponsored actors that targets organizations in South Korea with phishing emails carrying malicious Windows `.lnk` files disguised as PDF documents. When opened, the shortcut launches PowerShell and other native Windows scripting tools while showing a decoy document, then performs anti-analysis checks for tools including Wireshark, Fiddler, x64dbg, Procmon, and `vmtoolsd`. Researchers said the operation has been active since at least 2024 and has evolved from earlier, less-obfuscated variants associated with XenoRAT into more sophisticated samples that embed decoding logic and payload data directly in the shortcut file. The malware establishes persistence through a Scheduled Task disguised as a technical paper and set to run every 30 minutes, then collects host data such as OS version, build number, process lists, and keep-alive logs. Operators used trusted GitHub accounts and private repositories as covert command-and-control and data-staging infrastructure, allowing malicious HTTPS traffic to blend with normal web activity while exfiltrating system information and retrieving follow-on instructions. Decoy filenames and metadata, including the "Hangul Document" naming convention, indicate deliberate targeting of South Korean companies and tradecraft aligned with clusters such as **Kimsuky**, **APT37**, and **Lazarus**.
2 weeks ago