Kimsuky APT hackers are utilizing LNK files as a means to deploy reflective malware, successfully evading detection by Windows Defender.
The North Korean state-sponsored cyber-espionage group Kimsuky has launched a sophisticated campaign targeting South Korean entities through malicious Windows shortcut (LNK) files. This operation exemplifies the group’s evolution in stealth and precision, combining tailored social engineering with advanced malware frameworks. The campaign systematically infiltrates government agencies, defence contractors, and research organisations while evading traditional security measures. It begins with carefully crafted phishing emails that contain malicious LNK files embedded within ZIP archives, designed to bypass email filtering systems. Once activated, these files execute obfuscated scripts via trusted Windows utilities, using decoy documents based on publicly available South Korean government materials as psychological lures. The malware performs extensive system profiling, credential theft, and comprehensive data exfiltration while maintaining persistent command-and-control communication channels.
Aryaka Threat Research Labs identified this cyber-espionage campaign specifically targeting South Korean entities and attributed the operation to Kimsuky through an analysis of the group’s characteristic tactics, techniques, and procedures. The researchers noted the campaign’s strategic focus on region-specific targeting and its abuse of legitimate system processes to maintain operational security. The attack employs deceptive lure documents, including official-looking government notices about nearby sex offenders and tax penalty notifications, which create urgency and prompt immediate user engagement. These documents are automatically downloaded and opened after initial infection, effectively masking the underlying malicious activity. The malware’s technical sophistication is evident in its multi-stage infection process, which begins with LNK file execution and employs advanced anti-analysis measures, including virtual machine detection to avoid sandbox analysis.
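A defender-side check for the delivery vector described above (a shortcut that quietly launches a script host instead of the document it pretends to be), added here as an example that is not from the article or from Aryaka's research: it parses the MS-SHLLINK StringData fields of a .lnk to recover the real launch target and arguments, then flags shortcuts whose target is a script host or whose arguments request an encoded command or a hidden window. The LNK bytes produced by build_lnk are constructed for illustration, and the heuristics in suspicious_lnk are my own assumptions, not the campaign's indicators.

```python
import struct

# LinkFlags bits (MS-SHLLINK 2.1.1): they decide which optional structures follow the 76-byte header
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_REL_PATH = 1, 2, 4, 8
HAS_WORKING_DIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 16, 32, 64, 128
SCRIPT_HOSTS = ("powershell", "pwsh", "cmd.exe", "mshta", "wscript", "cscript", "rundll32")

def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields of a Shell Link; the real launch target and arguments live there."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C:
        raise ValueError("not a shell link header")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = 76
    if flags & HAS_ID_LIST:    # LinkTargetIDList: 2-byte IDListSize, then the item list
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:  # LinkInfo: its first dword is the size of the whole structure
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {}
    for key, bit in (("name", HAS_NAME), ("relative_path", HAS_REL_PATH),
                     ("working_dir", HAS_WORKING_DIR), ("arguments", HAS_ARGS),
                     ("icon_location", HAS_ICON)):
        if flags & bit:        # CountCharacters (2 bytes) followed by the unterminated string
            count = struct.unpack_from("<H", data, pos)[0]
            width = 2 if flags & IS_UNICODE else 1
            raw = data[pos + 2:pos + 2 + width * count]
            fields[key] = raw.decode("utf-16-le" if width == 2 else "latin-1")
            pos += 2 + width * count
    return fields

def suspicious_lnk(fields: dict) -> list:
    """Heuristics (my assumptions) for a shortcut that launches a script host rather than a document."""
    target = fields.get("relative_path", "").lower()
    args = fields.get("arguments", "").lower()
    reasons = []
    if any(host in target for host in SCRIPT_HOSTS):
        reasons.append("target is a script host")
    if any(tok in args for tok in ("-enc", "-e ", "-ec ", "frombase64string")):
        reasons.append("encoded command")
    if "hidden" in args:
        reasons.append("hidden window")
    return reasons

def build_lnk(relative_path: str, arguments: str, working_dir: str = ".") -> bytes:
    """Constructed sample for testing: a minimal Unicode .lnk carrying StringData only."""
    flags = HAS_REL_PATH | HAS_WORKING_DIR | HAS_ARGS | IS_UNICODE
    clsid = bytes.fromhex("0114020000000000c000000000000046")  # ShellLink CLSID, little-endian GUID
    header = struct.pack("<I16sI", 0x4C, clsid, flags).ljust(76, b"\x00")
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le") for s in (relative_path, working_dir, arguments))
    return header + body
```

Running parse_lnk over the shortcuts extracted from an inbound ZIP, before a user ever double-clicks one, gives mail-gateway or EDR tooling the launch command that the document icon hides.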