The emails often masqueraded as legitimate communications from South Korean government agencies or think tanks.

Inside the ZIP file were LNK (Windows Shortcut) files disguised as harmless documents (e.g., "Meeting_Minutes.pdf.lnk"), relying on the hidden real extension so that the victim sees only the document name.

2. The Infection Chain

Once a user executed the LNK file, a complex, scripted infection process was triggered to bypass security software.

The resulting implant recorded every keystroke to capture login credentials and private communications, and extracted saved passwords and cookies from Chrome, Edge, and Whale (a popular Korean browser).

4. Attribution: The Kimsuky Connection

The PowerShell scripts used in Ghost Clients.zip shared significant code blocks with previously documented Kimsuky malware like AppleSeed and Alphabat. The heavy focus on .hwp files and South Korean political entities is a hallmark of this specific threat actor.

5. Why It Matters
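The lure pattern described above (a ZIP whose members are .lnk files wearing a document name, each one launching a scripted loader) lends itself to a mechanical triage check that runs before anyone double-clicks anything. The script below is an added example written for this page; it is not code from the original report and not a Kimsuky sample. The archive, the shortcut bytes and the PowerShell command line inside them are constructed here so the script runs offline, and the suspicious-argument patterns it matches are assumed heuristics, not indicators taken from the report. It parses the [MS-SHLLINK] ShellLinkHeader and StringData fields directly, so it works on any platform and does not resolve the shortcut.

```python
"""Triage a ZIP lure for disguised .lnk droppers (added example, not the report's code).

Shortcut layout per [MS-SHLLINK]: a 76-byte ShellLinkHeader carrying the CLSID
00021401-0000-0000-C000-000000000046 and a LinkFlags field, then optional
LinkTargetIDList and LinkInfo blocks, then StringData entries (Name, RelativePath,
WorkingDir, Arguments, IconLocation), each present only if its flag bit is set.
"""
import io
import re
import struct
import zipfile

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
FLAG_HAS_IDLIST, FLAG_HAS_LINKINFO = 0x01, 0x02
FLAG_HAS_NAME, FLAG_HAS_RELPATH = 0x04, 0x08
FLAG_HAS_WORKDIR, FLAG_HAS_ARGS = 0x10, 0x20
FLAG_HAS_ICON, FLAG_IS_UNICODE = 0x40, 0x80

# Extensions a victim reads as "a document" when Explorer hides the trailing .lnk.
DOC_EXTS = {"pdf", "doc", "docx", "hwp", "xls", "xlsx", "ppt", "pptx", "txt"}
# Assumed heuristics for a shortcut that launches a script host rather than a document.
SUSPICIOUS_ARGS = re.compile(r"powershell|mshta|wscript|cscript|cmd\.exe|-enc|hidden|-nop", re.I)


def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields of a .lnk file, or {} if it is not a valid shortcut."""
    try:
        if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
            return {}
        flags = struct.unpack_from("<I", data, 20)[0]
        pos = 76
        if flags & FLAG_HAS_IDLIST:                      # IDListSize (2 bytes) + IDList
            pos += 2 + struct.unpack_from("<H", data, pos)[0]
        if flags & FLAG_HAS_LINKINFO:                    # LinkInfoSize includes itself
            pos += struct.unpack_from("<I", data, pos)[0]
        fields = {}
        for name, flag in (("name", FLAG_HAS_NAME), ("relative_path", FLAG_HAS_RELPATH),
                           ("working_dir", FLAG_HAS_WORKDIR), ("arguments", FLAG_HAS_ARGS),
                           ("icon_location", FLAG_HAS_ICON)):
            if not flags & flag:
                continue
            count = struct.unpack_from("<H", data, pos)[0]  # CountCharacters, no terminator
            pos += 2
            if flags & FLAG_IS_UNICODE:
                fields[name] = data[pos:pos + 2 * count].decode("utf-16-le")
                pos += 2 * count
            else:
                fields[name] = data[pos:pos + count].decode("latin-1")
                pos += count
        return fields
    except (struct.error, UnicodeDecodeError):          # truncated or hostile input
        return {}


def triage_zip(zip_bytes: bytes) -> list:
    """Return [(member_name, [reasons])] for members that look like disguised shortcut droppers."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            parts = info.filename.lower().rsplit("/", 1)[-1].split(".")
            if len(parts) < 2 or parts[-1] != "lnk":
                continue
            reasons = []
            if len(parts) >= 3 and parts[-2] in DOC_EXTS:
                reasons.append("double extension %s.lnk" % parts[-2])
            fields = parse_lnk(zf.read(info))
            if not fields:
                reasons.append("lnk extension but not a valid ShellLink header")
            else:
                cmd = " ".join(fields.get(k, "") for k in ("relative_path", "arguments"))
                if SUSPICIOUS_ARGS.search(cmd):
                    reasons.append("launches: " + cmd)
            if reasons:
                findings.append((info.filename, reasons))
    return findings


def build_lnk(relative_path: str, arguments: str) -> bytes:
    """Build a minimal Unicode .lnk with only RelativePath and Arguments set (constructed sample)."""
    flags = FLAG_HAS_RELPATH | FLAG_HAS_ARGS | FLAG_IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags,
                         0x20,          # FileAttributes: FILE_ATTRIBUTE_ARCHIVE
                         0, 0, 0,       # creation / access / write FILETIMEs
                         0, 0,          # FileSize, IconIndex
                         7,             # ShowCommand SW_SHOWMINNOACTIVE (window not shown in front)
                         0, 0, 0, 0)    # HotKey, Reserved1-3
    def s(text):
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")
    return header + s(relative_path) + s(arguments)


def build_sample_zip() -> bytes:
    """Constructed lure archive modelled on the pattern the report describes."""
    lnk = build_lnk(
        "..\\..\\..\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        '-NoProfile -WindowStyle Hidden -Command "& {Start-Process notepad}"',  # placeholder, not the real loader
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Meeting_Minutes.pdf.lnk", lnk)
        zf.writestr("agenda.txt", "Nothing to see here")
        zf.writestr("Shortcut to folder.lnk", build_lnk("Documents", ""))  # benign control
    return buf.getvalue()


if __name__ == "__main__":
    for member, reasons in triage_zip(build_sample_zip()):
        print(member)
        for r in reasons:
            print("  -", r)
```

Running it flags only Meeting_Minutes.pdf.lnk, for both the document-style double extension and the PowerShell command line recovered from the shortcut's RelativePath and Arguments fields; the plain text file and the benign folder shortcut pass. Because the parser reads the header and StringData itself, the same function can be pointed at quarantined attachments on a Linux mail gateway without ever letting Windows resolve the shortcut.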