Sunday, January 18, 2026

North Korean APT Group Leveraging Social Media for Targeted Malware Delivery Campaigns

A recent investigation into advanced persistent threat activity has revealed a sophisticated attack chain orchestrated by the North Korea-linked Kimsuky group.

This operation, running for over two months in early 2025, targeted individuals involved with North Korean defector support, defense circles, and NGOs.

The hackers deployed an intricate multi-platform scheme, engaging their targets through Facebook, email, and Telegram to maximize the likelihood of a successful compromise and minimize early detection.

The attack began with reconnaissance and initial contact on Facebook.

The attackers masqueraded as missionaries or researchers, using fake or hijacked accounts and approaching targets with credible messages about defector volunteer activities.

Once rapport was established, they lured victims into downloading a password-protected EGG-compressed archive attached to a message or email.

This compressed file, often named in Korean to appear legitimate, contained an obfuscated JScript file (.jse).

The attackers specifically instructed victims to use Korean decompression software, thereby steering the infection process onto Windows PCs, which were more susceptible to their payloads.

After securing an email address or phone number, the threat actors continued their engagement through email or Telegram, demonstrating persistence and an ability to shift platforms to maintain contact with their targets.

The use of EGG archives and direct file transmissions also helped evade email filters and traditional antivirus solutions, which are less likely to scan or recognize files inside region-specific compression formats.

Social engineering elements such as the use of informal, natural Korean language and references to known support activities lent further credibility to the attacks, making them harder for recipients to dismiss as spam or malicious.

Technical Anatomy Of The AppleSeed Malware Chain

At the core of the operation was a multi-stage malware dropper built around the AppleSeed Remote Access Trojan.

Once a victim ran the ‘Defector Volunteer Support.jse’ script, the JScript executed two key actions: it created and opened a decoy PDF document, and then decoded and extracted a DLL file that had been encoded in double Base64, using PowerShell and the Windows utility certutil for the decoding.

The DLL, named ‘vmZMXSx.eNwm’, was silently loaded using the following command:

regsvr32.exe /s /n /i:tgvyh!@#12 vmZMXSx.eNwm

This DLL was protected using VMProtect, a code-virtualization packer that hinders reverse engineering.

Upon execution, it checked the install-string parameter against a specific string, decoded additional DLL data using an XOR key, and then loaded the decoded module manually in memory.

To ensure persistence, it registered a new startup entry in the Windows registry using:

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /t REG_SZ /v "TripServiceUpdate" /d "regsvr32.exe /s /n /i:tgvyh!@#12 C:\Users\[Username]\AppData\Roaming\trip\service\tripservice.dll" /f

The final payload, ‘tripservice.dll’, collected detailed system and user information by executing Windows commands and checking for administrative privileges and UAC status.

According to Genians, the results were stored and encrypted using RC4, with randomly generated session keys further encrypted by RSA, and then packaged into files disguised as PDFs.

Communication with the attackers’ servers was conducted through regular HTTP POST requests, repeatedly sending stolen information and receiving additional commands for execution.

What makes the attack especially dangerous is its automation and sophistication.

The malware used layered encoding and encryption, manual memory loading, and region-specific tactics such as EGG file usage and Korean language lures.

The attackers continuously updated their scripts and payloads, indicating the use of automated toolkits for generating new variants and helping them evade traditional detection.

Security researchers confirmed that advanced EDR solutions with behavioral monitoring were able to detect the threat by tracking suspicious parent-child process chains such as wscript.exe spawning PowerShell and regsvr32.exe, alongside the manipulation of registry settings for persistence.
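The behavioural signals described above (a script host spawning PowerShell or regsvr32.exe, regsvr32.exe being handed an install string and a module with a non-DLL extension, and a Run-key value that invokes regsvr32.exe) can be expressed as a small detector over process-creation and registry events. The following is an added example written for this article, not code from Genians or from the article's author; it uses Sysmon's Event ID 1 (process create: `ParentImage`, `Image`, `CommandLine`) and Event ID 13 (registry value set: `TargetObject`, `Details`) field names, and the sample events, SID and paths are constructed to mirror the command lines quoted in the text.

```python
"""Behavioural detection over constructed Sysmon-style events (added example).

Three rules, each mapped to a stage of the chain described in the article:
  script_host_spawn   - wscript/cscript/mshta launching a LOLBin (PowerShell,
                        certutil, regsvr32, cmd)
  regsvr32_odd_module - regsvr32 run with an /i: install string against a module
                        whose extension is not a normal COM server extension
  run_key_regsvr32    - a Run-key value whose data invokes regsvr32 with /i:
"""
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
LOLBIN_CHILDREN = {"powershell.exe", "certutil.exe", "regsvr32.exe", "cmd.exe"}
COM_SERVER_EXTS = {"dll", "ocx", "ax"}

# Matches the per-user or machine Run key anywhere in a registry path.
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
# regsvr32 invoked with an install string (the /i: switch).
REGSVR_INSTALL_RE = re.compile(r"regsvr32(\.exe)?\s+.*?/i:", re.I)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def module_extension(command_line: str) -> str:
    """Extension of the last argument of a regsvr32 command line ('' if none)."""
    module = command_line.split()[-1].strip('"')
    return module.rsplit(".", 1)[-1].lower() if "." in module else ""


def detect(events):
    """Return a list of (rule_name, evidence) tuples for the given events."""
    alerts = []
    for ev in events:
        if ev.get("EventID") == 1:
            parent = basename(ev.get("ParentImage", ""))
            child = basename(ev.get("Image", ""))
            cmd = ev.get("CommandLine", "")
            if parent in SCRIPT_HOSTS and child in LOLBIN_CHILDREN:
                alerts.append(("script_host_spawn", f"{parent} -> {child}"))
            if child == "regsvr32.exe" and "/i:" in cmd.lower():
                if module_extension(cmd) not in COM_SERVER_EXTS:
                    alerts.append(("regsvr32_odd_module", cmd.split()[-1]))
        elif ev.get("EventID") == 13:
            target = ev.get("TargetObject", "")
            details = ev.get("Details", "")
            if RUN_KEY_RE.search(target) and REGSVR_INSTALL_RE.search(details):
                alerts.append(("run_key_regsvr32", target))
    return alerts


# Constructed sample telemetry; the SID and user path are placeholders.
USER_KEY = r"HKU\S-1-5-21-0-0-0-1001\Software\Microsoft\Windows\CurrentVersion\Run"
SAMPLE_EVENTS = [
    {"EventID": 1, "ParentImage": r"C:\Windows\System32\wscript.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -w hidden -c certutil -decode stage1.txt stage1.bin"},
    {"EventID": 1, "ParentImage": r"C:\Windows\System32\wscript.exe",
     "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": "regsvr32.exe /s /n /i:tgvyh!@#12 vmZMXSx.eNwm"},
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe",  # benign
     "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe"},
    {"EventID": 13, "TargetObject": USER_KEY + r"\TripServiceUpdate",
     "Details": r"regsvr32.exe /s /n /i:tgvyh!@#12 "
                r"C:\Users\[Username]\AppData\Roaming\trip\service\tripservice.dll"},
    {"EventID": 13, "TargetObject": USER_KEY + r"\OneDrive",  # benign autostart
     "Details": r'"C:\Users\[Username]\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
]

if __name__ == "__main__":
    for rule, evidence in detect(SAMPLE_EVENTS):
        print(f"{rule:22} {evidence}")
```

Run against the constructed events, the detector raises four alerts: two script-host spawns (PowerShell and regsvr32.exe under wscript.exe), one odd-module alert for `vmZMXSx.eNwm`, and one Run-key alert for `TripServiceUpdate`; the Explorer-launched Notepad and the OneDrive autostart produce nothing. In a real deployment the Run-key rule is worth keeping even when the module has a normal `.dll` extension, as here, because a legitimate COM registration rarely needs to be re-run from a Run key with an install string on every logon.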

However, the highly targeted and context-driven nature of this campaign made user vigilance and robust endpoint protection essential in thwarting these advanced threats.

The Kimsuky group’s multi-stage, multi-platform campaign highlights a new standard in APT attacks, blending technical stealth with high-level social engineering.

By leveraging trusted social networks and localized tactics, they effectively bypassed conventional security boundaries.

As these methods proliferate, organizations and individuals working in sensitive areas must adopt advanced, behavior-based security solutions and maintain constant vigilance against nuanced, context-aware threats delivered via everyday communication channels.

Varshini
Varshini is a Cyber Security expert in Threat Analysis, Vulnerability Assessment, and Research. Passionate about staying ahead of emerging Threats and Technologies.
