Kimsuky Uses Malicious LNK Files to Deliver Python Backdoor
North Korea-linked threat group Kimsuky has been reported using malicious Windows shortcut (.LNK) files to initiate a multi-stage infection chain that ends with deployment of a Python-based backdoor. Reporting from both AhnLab and Excalibra identifies weaponized LNK files as the initial access vector and describes a delivery process that has changed from the group's earlier distribution patterns.
Threat-intelligence reporting, amplified on social media, attributed the activity to Kimsuky; some references also tie the cluster to DPRK operations and note possible overlap with activity tracked as Konni. The cited summaries did not include victimology or technical indicators, but they consistently described a shift in how the group distributes malware and highlighted LNK-based social engineering as the means of staging follow-on payloads.
Timeline
Apr 20, 2026
Excalibra details Kimsuky multi-stage LNK-to-Python backdoor attack
An Excalibra report outlined a multi-stage Kimsuky intrusion chain in which malicious LNK files were used as the initial infection vector to implant a Python-based backdoor. The report also placed the activity in the context of DPRK-linked operations and of activity tracked as Konni.
Apr 5, 2026
AhnLab reports Kimsuky using malicious LNK files and a Python backdoor
An AhnLab publication described Kimsuky distributing malicious LNK files to deliver a Python-based backdoor and noted changes in the group's distribution methods. The reporting linked the activity to the North Korea-aligned threat group Kimsuky.
Related Stories

Kimsuky LNK Malware Using Dropbox API for Host Profiling and Payload Delivery
**Kimsuky**-linked malware delivered through malicious **LNK** files was observed targeting likely South Korean users, using shortcut execution to unpack a PowerShell-based implant, establish persistence via **Task Scheduler**, collect host information, and communicate through the **Dropbox API**. IIJ reported that the LNK extracts files into `C:\PerfLog`, deploys `www.ps1` and a VBScript launcher, creates a scheduled task named `P`, and drops a decoy document in a Hancom Office format. The malware generates a client ID from the victim MAC address, gathers system details including domain, username, OS version, process lists, and external IP address, then uploads the data to attacker-controlled Dropbox folders before attempting to download and run a follow-on batch payload. AhnLab's February 2026 APT trend reporting for South Korea provides broader context showing that **spear phishing** remained the dominant delivery method and that **LNK-based attacks** were the most prevalent format observed, including campaigns that used PowerShell to fetch additional components and register persistence. While AhnLab's report is a monthly trend overview rather than a dedicated write-up on the Dropbox variant, it aligns with IIJ's assessment that the malware shares substantial **TTP** overlap with previously reported **Kimsuky** activity. The reporting indicates continued abuse of legitimate cloud services such as **Dropbox** and, more broadly, GitHub and similar platforms to blend command-and-control and payload staging into normal network traffic.
5 days ago
North Korean Phishing Campaign Uses GitHub as Covert C2 Against South Korean Firms
FortiGuard Labs reported a high-severity cyber espionage campaign linked to North Korean state-sponsored actors that targets organizations in South Korea with phishing emails carrying malicious Windows `.lnk` files disguised as PDF documents. When opened, the shortcut launches PowerShell and other native Windows scripting tools while showing a decoy document, then performs anti-analysis checks for tools including Wireshark, Fiddler, x64dbg, Procmon, and `vmtoolsd`. Researchers said the operation has been active since at least 2024 and has evolved from earlier, less-obfuscated variants associated with XenoRAT into more sophisticated samples that embed decoding logic and payload data directly in the shortcut file. The malware establishes persistence through a Scheduled Task disguised as a technical paper and set to run every 30 minutes, then collects host data such as OS version, build number, process lists, and keep-alive logs. Operators used trusted GitHub accounts and private repositories as covert command-and-control and data-staging infrastructure, allowing malicious HTTPS traffic to blend with normal web activity while exfiltrating system information and retrieving follow-on instructions. Decoy filenames and metadata, including the "Hangul Document" naming convention, indicate deliberate targeting of South Korean companies and tradecraft aligned with clusters such as **Kimsuky**, **APT37**, and **Lazarus**.
2 weeks ago
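Both the Dropbox and the GitHub stories above persist through a scheduled task that runs a script host from a user-writable directory on a short interval, under a terse name (`P`) or one borrowed from a vendor or document. As an added example (not IIJ's or FortiGuard's code), the following Python script triages exported Task Scheduler XML for exactly that combination. The two task definitions are constructed for the example; the task namespace is the real one Windows emits, while the vendor word list, the trusted-directory prefixes and the one-hour interval threshold are assumptions a team would tune.

```python
"""Triage exported Task Scheduler XML for the persistence pattern in the reports above.

Added example, not code from IIJ, FortiGuard or AhnLab. Export a task with
`schtasks /Query /TN <name> /XML` and pass the bytes to triage_task; the two
definitions below are constructed, and ExampleVendor is a placeholder.
"""
import re
import xml.etree.ElementTree as ET

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe",
                "mshta.exe", "cmd.exe", "rundll32.exe", "regsvr32.exe"}
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
VENDOR_WORDS = ("ahnlab", "microsoft", "google", "adobe")   # assumed list of spoofable names
SHORT_INTERVAL_SECONDS = 3600                                  # assumed: hourly or faster is odd


def iso_duration_seconds(text):
    """Parse the ISO 8601 duration subset Task Scheduler writes (PT30M, P1D, PT1H30M)."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", text or "")
    if not m:
        return None
    d, h, mi, s = (int(x) if x else 0 for x in m.groups())
    return d * 86400 + h * 3600 + mi * 60 + s


def triage_task(task_name, xml_text):
    """Return a list of findings for one task definition (empty means nothing odd)."""
    root = ET.fromstring(xml_text)
    findings = []
    for ex in root.findall("t:Actions/t:Exec", TASK_NS):
        command = (ex.findtext("t:Command", "", TASK_NS) or "").strip().strip('"')
        args = ex.findtext("t:Arguments", "", TASK_NS) or ""
        binary = command.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        is_script_host = binary in SCRIPT_HOSTS
        if is_script_host:
            findings.append(f"action runs script host {binary}")
        if "\\" in command and not command.lower().startswith(TRUSTED_PREFIXES):
            findings.append(f"command outside trusted directories: {command}")
        # quoted paths may contain spaces; bare paths end at whitespace
        for quoted, bare in re.findall(r'"([a-zA-Z]:\\[^"]+)"|([a-zA-Z]:\\\S+)', args):
            path = quoted or bare
            if not path.lower().startswith(TRUSTED_PREFIXES):
                findings.append(f"arguments reference non-standard path {path}")
        if is_script_host and any(w in task_name.lower() for w in VENDOR_WORDS):
            findings.append("task name borrows a vendor name but runs a script host")
    if len(task_name.strip()) <= 2:
        findings.append(f"terse task name {task_name!r}")
    if (root.findtext("t:Settings/t:Hidden", "", TASK_NS) or "").lower() == "true":
        findings.append("task is hidden")
    for rep in root.iter("{%s}Repetition" % TASK_NS["t"]):
        secs = iso_duration_seconds(rep.findtext("t:Interval", "", TASK_NS))
        if secs is not None and secs <= SHORT_INTERVAL_SECONDS:
            findings.append(f"repeats every {secs // 60} minutes")
    return findings


# Constructed: the shape described for the Dropbox variant (task "P", VBScript launcher)
MALICIOUS_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <TimeTrigger>
      <Repetition><Interval>PT30M</Interval></Repetition>
      <StartBoundary>2026-04-01T09:00:00</StartBoundary>
      <Enabled>true</Enabled>
    </TimeTrigger>
  </Triggers>
  <Settings><Hidden>true</Hidden></Settings>
  <Actions Context="Author">
    <Exec>
      <Command>wscript.exe</Command>
      <Arguments>//B //E:vbscript C:\PerfLog\launch.vbs</Arguments>
    </Exec>
  </Actions>
</Task>"""

# Constructed: an ordinary daily updater under Program Files
BENIGN_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><Repetition><Interval>P1D</Interval></Repetition></CalendarTrigger></Triggers>
  <Settings><Hidden>false</Hidden></Settings>
  <Actions Context="Author">
    <Exec><Command>"C:\Program Files\ExampleVendor\updater.exe"</Command><Arguments>/check</Arguments></Exec>
  </Actions>
</Task>"""

if __name__ == "__main__":
    print("P:", triage_task("P", MALICIOUS_TASK_XML))
    print("ExampleVendor Update:", triage_task("ExampleVendor Update", BENIGN_TASK_XML))
```

Run it against every task exported from a host rather than against the one you already suspect; the HttpTroy story above shows the task name alone is not a reliable signal, since that sample impersonated a security vendor, which is why the vendor-name check only fires when the action is a script host.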
Kimsuky Deploys HttpTroy Backdoor in Targeted South Korean Attack
The North Korean threat actor Kimsuky has been identified distributing a new backdoor, codenamed **HttpTroy**, in a targeted spear-phishing campaign against a South Korean victim. The attack leveraged a phishing email containing a ZIP file disguised as a VPN invoice, which, when opened, initiated a multi-stage infection chain involving a dropper, a loader (`MemLoad`), and the final **HttpTroy** backdoor. The malware is capable of file transfer, screenshot capture, command execution with elevated privileges, in-memory loading of executables, reverse shell access, process termination, and trace removal. Persistence is established via a scheduled task impersonating the South Korean cybersecurity company AhnLab, and communication with the command-and-control server is conducted over HTTP POST requests. **HttpTroy** employs advanced obfuscation techniques, including custom API hashing and string obfuscation using XOR and SIMD instructions, to evade detection and analysis. The campaign highlights the continued evolution of North Korean APT toolsets, with Kimsuky adopting stealthier malware to enhance their cyber-espionage capabilities. Security researchers have emphasized the sophistication of the infection chain and the backdoor's ability to provide attackers with full control over compromised systems.
1 month ago