Beware: Weaponized Research Papers Delivering Malware Through Password-Protected Documents
gbhackers
The AhnLab Security Intelligence Center (ASEC) recently reported that the Kimsuky hacking group is connected to a phishing email campaign targeting unwary recipients.
Disguised as a seemingly legitimate request for a paper review from a professor, these emails lure recipients into opening a password-protected HWP document embedded with a malicious OLE object.

Sophisticated Phishing Tactics
The document, themed around the Russo-Ukraine War, prompts the user to enter a provided password to access its contents.
Once opened, the document covertly generates six files in the user’s temporary folder (%TEMP%), setting the stage for a deeper infection.
A deceptive “More…” hyperlink within the document body triggers the execution of a batch file named “peice.bat,” which orchestrates a series of malicious actions, including renaming files, registering scheduled tasks, and copying executables to hidden ...
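The chain described above (document viewer, then a batch file run from the temporary folder, then scheduled-task registration) can be hunted for in process-creation logs. The sketch below is an added example, not code from ASEC or the article; the Sysmon-style field names, the viewer process name `hwp.exe`, and every sample path and task name are assumptions, and only the file name `peice.bat` comes from the text.

```python
import re

# Assumptions (not from the article): Sysmon-style process-creation fields,
# and "hwp.exe" as the process name of the HWP document viewer.
DOC_VIEWERS = {"hwp.exe"}
TEMP_SCRIPT = re.compile(r'\\temp\\[^"]*\.(bat|cmd)\b', re.I)
TASK_CREATE = re.compile(r'\bschtasks(\.exe)?\b.*\s/create\b', re.I)

VIEWER_SCRIPT = "viewer launched script from temp folder"
CHAIN_TASK = "scheduled task created by script chain"

def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def detect(events):
    """Return (pid, reason) findings; events must be in chronological order."""
    tainted = set()  # PIDs descended from a viewer-launched temp script
    findings = []
    for ev in events:
        cmd = ev["command_line"]
        if basename(ev["parent_image"]) in DOC_VIEWERS and TEMP_SCRIPT.search(cmd):
            tainted.add(ev["pid"])
            findings.append((ev["pid"], VIEWER_SCRIPT))
        elif ev["ppid"] in tainted:
            tainted.add(ev["pid"])  # keep following the process tree
            if TASK_CREATE.search(cmd):
                findings.append((ev["pid"], CHAIN_TASK))
    return findings

# Constructed sample events (paths, PIDs and task names are made up).
SAMPLE = [
    {"pid": 100, "ppid": 1, "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r'"C:\Apps\Hwp.exe" "C:\Users\u\Downloads\review.hwp"'},
    {"pid": 200, "ppid": 100, "parent_image": r"C:\Apps\Hwp.exe",
     "command_line": r'cmd.exe /c "C:\Users\u\AppData\Local\Temp\peice.bat"'},
    {"pid": 300, "ppid": 200, "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": r'schtasks /create /tn ExampleTask /tr C:\Example\a.exe /sc minute /mo 10'},
    # Unrelated task creation by an admin tool: must not be flagged.
    {"pid": 400, "ppid": 50, "parent_image": r"C:\Tools\deploy.exe",
     "command_line": r'schtasks.exe /create /tn Backup /tr C:\Tools\backup.exe /sc daily'},
]

if __name__ == "__main__":
    for pid, reason in detect(SAMPLE):
        print(pid, reason)
```

Tying the scheduled-task event to the viewer-spawned script, rather than alerting on every `schtasks /create`, is what keeps the unrelated fourth event out of the results.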