Kimsuky Group Uses Malicious LNK Files to Deploy Python-Based Backdoor
Severity: High (Score: 60.0)
Sources: Gbhackers, Cybersecuritynews, Asec.Ahnlab
Summary
The Kimsuky group, a North Korean threat actor, has been observed using malicious LNK (Windows shortcut) files to deliver a Python-based backdoor to victim systems. The attack runs through multiple stages, which makes it difficult for security tools to detect the final payload. AhnLab's recent findings indicate a structural change in the intermediate execution phase, although the overall flow remains consistent with previous campaigns. The specific impact scope and number of affected systems have not been disclosed. The campaign is ongoing, and security experts urge vigilance against this evolving threat. The use of LNK files as a delivery mechanism is a persistent trend in targeted attacks, and organizations should account for it in their defensive measures.

Key Points:
• Kimsuky employs malicious LNK files to install a Python-based backdoor.
• The attack chain has multiple stages, complicating detection.
• Recent changes in the intermediate execution phase have been observed.
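Since the report identifies the LNK file as the first stage but publishes no indicators, the practical defensive check is to inspect what a shortcut would actually execute. The script below is an added example for this page, not code from the original report or from AhnLab/ASEC: it parses the MS-SHLLINK header and StringData to recover the relative path, working directory and command-line arguments, walks the ExtraData blocks to the TerminalBlock and reports any bytes appended after it. The triage heuristics (interpreter/LOLBin names, SW_SHOWMINNOACTIVE, appended data, file size threshold) are general LNK-triage rules assumed here, not indicators from the report, and both shortcuts are constructed in memory so the example runs offline.

```python
"""Triage Windows shortcut (.lnk) files for script-interpreter launches.

Added example; not code from the original report or from AhnLab/ASEC.
Heuristics and sample shortcuts are assumptions/constructed test data.
"""
import struct

HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}

# LinkFlags bits (MS-SHLLINK 2.1.1)
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# StringData entries appear in this fixed order when their flag is set.
STRING_FIELDS = (
    (HAS_NAME, "name"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
)

SW_SHOWMINNOACTIVE = 7  # ShowCommand: start target minimized, without focus

# Assumed triage list: interpreters and LOLBins a document-themed shortcut should not launch.
SUSPICIOUS_TARGETS = (
    "cmd.exe", "powershell", "pwsh", "mshta", "wscript", "cscript",
    "python", "rundll32", "regsvr32", "certutil", "bitsadmin", "schtasks",
)
SIZE_THRESHOLD = 64 * 1024  # assumed: genuine shortcuts are a few KB


def parse_lnk(data: bytes) -> dict:
    """Return header fields, StringData, and the byte count after the TerminalBlock."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE:
        raise ValueError("not a Shell Link file: bad HeaderSize")
    if data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file: bad LinkCLSID")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    show_command = struct.unpack_from("<I", data, 0x3C)[0]
    off = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:  # IDListSize (u16) + IDList
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:  # LinkInfoSize (u32) covers the whole structure
        off += struct.unpack_from("<I", data, off)[0]

    unicode = bool(flags & IS_UNICODE)
    strings = {}
    for flag, name in STRING_FIELDS:
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, off)[0]  # CountCharacters, no terminator
        off += 2
        nbytes = count * 2 if unicode else count
        strings[name] = data[off:off + nbytes].decode("utf-16-le" if unicode else "cp1252", errors="replace")
        off += nbytes

    # ExtraData: size-prefixed blocks; a BlockSize below 4 is the TerminalBlock.
    while off + 4 <= len(data):
        block_size = struct.unpack_from("<I", data, off)[0]
        if block_size < 4:
            off += 4
            break
        off += block_size

    return {"flags": flags, "show_command": show_command, "strings": strings,
            "size": len(data), "appended_bytes": max(0, len(data) - off)}


def triage(data: bytes) -> dict:
    """Parse a shortcut and attach the heuristic findings an analyst would act on."""
    info = parse_lnk(data)
    text = " ".join(info["strings"].values()).lower()
    findings = []
    hits = [t for t in SUSPICIOUS_TARGETS if t in text]
    if hits:
        findings.append("launches interpreter/LOLBin: " + ", ".join(hits))
    if info["show_command"] == SW_SHOWMINNOACTIVE:
        findings.append("ShowCommand=SW_SHOWMINNOACTIVE (window hidden from the user)")
    if info["appended_bytes"]:
        findings.append(f"{info['appended_bytes']} bytes appended after TerminalBlock (possible embedded stage)")
    if info["size"] > SIZE_THRESHOLD:
        findings.append(f"file size {info['size']} exceeds {SIZE_THRESHOLD} bytes")
    info["findings"] = findings
    return info


def build_lnk(relative_path, working_dir=None, arguments=None, show_command=1, appended=b"") -> bytes:
    """Construct a minimal Unicode .lnk in memory (test data only; no IDList/LinkInfo)."""
    def sd(s):  # StringData entry: CountCharacters + UTF-16LE text
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")
    flags, body = IS_UNICODE | HAS_RELATIVE_PATH, sd(relative_path)
    if working_dir is not None:
        flags, body = flags | HAS_WORKING_DIR, body + sd(working_dir)
    if arguments is not None:
        flags, body = flags | HAS_ARGUMENTS, body + sd(arguments)
    header = struct.pack("<I16sIIQQQIIIHHII", HEADER_SIZE, LNK_CLSID, flags,
                         0, 0, 0, 0, 0, 0, show_command, 0, 0, 0, 0)
    return header + body + struct.pack("<I", 0) + appended  # 0 = TerminalBlock


# Constructed samples: a benign document shortcut and a loader-style shortcut.
BENIGN_LNK = build_lnk(r"..\Documents\notes.txt", r"C:\Users\demo\Documents")
LOADER_LNK = build_lnk(
    r"..\..\..\Windows\System32\cmd.exe", r"C:\Windows\System32",
    '/c powershell -w hidden -nop -c "Write-Output demo"',
    show_command=SW_SHOWMINNOACTIVE, appended=b"\x00" * 300,
)

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_LNK), ("loader", LOADER_LNK)):
        result = triage(blob)
        print(label, result["strings"], result["findings"] or ["no findings"])
```

Run it over a mail-gateway quarantine or a user's Downloads folder by feeding `open(path, "rb").read()` to `triage`. The parser deliberately skips the LinkTargetIDList and LinkInfo structures rather than decoding them, so a shortcut whose only target is an IDList entry (no RelativePath) will show empty strings; treat that as a reason to look closer, not as a clean result.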
Key Entities
- Kimsuky (apt_group)
- Malware (attack_type)
- T1053 - Scheduled Task/Job (mitre_attack)
- T1059.006 - Python (mitre_attack)
- T1059 - Command and Scripting Interpreter (mitre_attack)
- Dropbox (tool)
- Python (tool)
- Python Interpreter (tool)
- Windows (platform)