
01 Jul 2026 09:16 UTC

Inside Kimsuky’s CHM Tradecraft: Multi-Stage Execution and Selective Payload Delivery

SOC Prime Team


Summary

Kimsuky uses malicious Compiled HTML (.chm) files as initial lures to trigger a multi-stage infection chain. The operation abuses native Windows utilities such as PowerShell, certutil, and wscript to profile the system, establish persistence through scheduled tasks, and exfiltrate collected data. The actor also applies selective payload delivery, providing the final operational component only after certain environmental or behavioral conditions are satisfied.

Investigation

The researcher analyzed a suspicious CHM sample and reconstructed its execution chain, which consisted of multiple VBScript and PowerShell stages. By replaying network requests and testing from different proxy locations, the researcher uncovered a selective response model in which the final payload was not delivered to the sandboxed environment. The investigation also connected the infrastructure to known Kimsuky activity through favicon similarities and web server fingerprinting.

Mitigation

Organizations should monitor suspicious process ancestry, especially cases where hh.exe or wscript.exe launches PowerShell or cmd.exe. Restricting execution of script content from user-writable locations such as the Internet cache can help block persistence. Monitoring unauthorized changes to Internet Explorer and Microsoft Edge registry settings can also improve detection of host tampering.

Response

If this activity is detected, isolate the affected endpoint immediately to prevent additional command-and-control traffic. Perform memory forensics to identify any fileless PowerShell payloads loaded into process memory. Review scheduled tasks for suspicious entries such as Edge Updater and inspect the %USERPROFILE%\Links directory for deceptive .dat or .ini files.
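As an added example (not SOC Prime's rule logic and not code from the page), the process-ancestry and artifact checks described in the Mitigation and Response sections, run in Python over constructed Sysmon-style process-creation events; the event field names and the sample paths are assumptions.

```python
import re
from typing import Dict, List

# Constructed Sysmon Event ID 1 style process-creation events (sample data, not
# real telemetry); field names mirror the process_creation log source.
EVENTS: List[Dict[str, str]] = [
    {"ParentImage": r"C:\Windows\hh.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -WindowStyle Hidden -NoProfile -Command Write-Output ok"},
    {"ParentImage": r"C:\Windows\System32\wscript.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c certutil -decode C:\Users\u\Links\Link.dat C:\Users\u\Links\Link.ini"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe report.txt"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /create /tn "Edge Updater" /tr "wscript.exe C:\Users\u\Links\Link.ini" /sc minute /mo 60'},
]

SUSPICIOUS_PARENTS = ("hh.exe", "wscript.exe")   # parents named in the Mitigation section
SHELLS = ("powershell.exe", "pwsh.exe", "cmd.exe")


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def check_event(ev: Dict[str, str]) -> List[str]:
    """Return human-readable findings for one process-creation event (empty list = benign)."""
    parent, child, cmd = basename(ev["ParentImage"]), basename(ev["Image"]), ev["CommandLine"]
    findings = []
    if parent in SUSPICIOUS_PARENTS and child in SHELLS:
        findings.append(f"{parent} spawned {child}")
    if re.search(r"\bcertutil(\.exe)?\b.*-decode\b", cmd, re.I):
        findings.append("certutil -decode used to decode a staged file")
    if re.search(r'\\Links\\[^\s"]+\.(dat|ini)\b', cmd, re.I):
        findings.append("script/data artifact under %USERPROFILE%\\Links")
    if re.search(r"schtasks.*/create.*Edge Updater", cmd, re.I):
        findings.append("scheduled task 'Edge Updater' created")
    return findings


def scan(events: List[Dict[str, str]]) -> Dict[int, List[str]]:
    """Map event index -> findings, keeping only events that fired at least one check."""
    hits = {}
    for i, ev in enumerate(events):
        f = check_event(ev)
        if f:
            hits[i] = f
    return hits
```

In a SIEM the same four conditions would be expressed as separate rules; they are combined here only so one pass over the sample shows which stage of the chain each event corresponds to.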

Attack Flow

    flowchart TD
        step_initial_access["T1218.001 – System Binary Proxy Execution: Compiled HTML File: Launches hidden PowerShell via HTML Help ActiveX in a CHM file."]
        step_obfuscation["T1140 – Deobfuscate/Decode Files or Information: Uses certutil.exe to decode a Base64 blob in Link.dat into Link.ini."]
        rules_for_obfuscation("<b>Rule Name</b>: Using Certutil for Data Encoding and Cert Operations (via cmdline)<br/><b>Rule ID</b>: 7f343395-e8bc-46ba-b8d2-b7a3bab53d5f")
        step_script_execution["T1216.002 – System Script Proxy Execution: Executes Link.ini using wscript.exe."]
        rules_for_script_execution("<b>Rule Name</b>: LOLBAS WScript / CScript (via process_creation)<br/><b>Rule ID</b>: 0c53847c-3f24-4320-a753-f33776408eea")
        step_reconnaissance["T1082 – System Information Discovery: Uses WMI to collect hardware, OS details, and process enumeration."]
        rules_for_reconnaissance("<b>Rule Name</b>: Possible System Enumeration (via cmdline)<br/><b>Rule ID</b>: 0c63fa98-c4f0-48de-b06f-d11bb5a7731a")
        step_security_discovery["T1518.001 – System Information Discovery: Searching for antivirus or firewall software configurations."]
        rules_for_security_discovery("<b>Rule Name</b>: Possible Antivirus or Firewall Software Enumeration (via process_creation)<br/><b>Rule ID</b>: 1dad2a56-fa1f-499c-8abe-4a3caf2a05a4")
        step_exfiltration["T1041 – Exfiltration Over C2 Channel: Uploads encoded system inventory (Info.txt) to C2 server."]
        step_persistence["T1053.005 – Scheduled Task: Creates hidden 'Edge Updater' task to execute VBScript every 60 minutes."]
        step_final_payload["T1059.001 – PowerShell: Uses Invoke-Expression to fetch and run code from a Traffic Distribution System (TDS)."]
        step_initial_access -->|leads_to| step_obfuscation
        step_obfuscation -->|then| step_script_execution
        step_obfuscation -.->|detected_by| rules_for_obfuscation
        step_script_execution -->|enables| step_reconnaissance
        step_script_execution -.->|detected_by| rules_for_script_execution
        step_reconnaissance -->|leads_to| step_security_discovery
        step_reconnaissance -.->|detected_by| rules_for_reconnaissance
        step_security_discovery -->|leads_to| step_exfiltration
        step_security_discovery -.->|detected_by| rules_for_security_discovery
        step_exfiltration -->|then| step_persistence
        step_persistence -->|enables| step_final_payload

Simulation Execution

Prerequisite: The Telemetry & Baseline Pre-flight Check must have passed.

Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic. Abstract or unrelated examples will lead to misdiagnosis.

  • Attack Narrative & Commands: The adversary aims to achieve initial execution via a weaponized .chm file. Once the user opens the file, the compiled HTML Help file uses an embedded script to invoke hh.exe. To evade standard detection, the actor uses hh.exe to launch PowerShell, effectively masking the shell execution under a legitimate Windows help process. The goal is to establish a foothold by executing a hidden PowerShell command that can pull down a secondary stage payload.

  • Regression Test Script:

    # Simulation of Kimsuky CHM-to-PowerShell Execution Chain
    # This script simulates the behavior of hh.exe spawning PowerShell as detected by the rule.
    # Run from an elevated or standard PowerShell session on the test host; each step only
    # produces the process-creation telemetry the rule keys on and prints a marker string.
    
    Write-Host "[+] Starting Kimsuky CHM Simulation..." -ForegroundColor Cyan
    
    # 1. Simulate hh.exe spawning PowerShell (Matches selection_hh)
    Write-Host "[+] Triggering Rule: hh.exe spawning PowerShell..." -ForegroundColor Yellow
    Start-Process "hh.exe" -ArgumentList "powershell.exe -NoProfile -ExecutionPolicy Bypass -Command Write-Output 'Simulation Success'"
    
    # 2. Simulate wscript.exe executing VBScript (Matches selection_wscript)
    # The benign .vbs is written to %TEMP% (the original listing lost the path separator).
    Write-Host "[+] Triggering Rule: wscript.exe with VBScript flag..." -ForegroundColor Yellow
    $tempVBS = Join-Path $env:TEMP "test_sim.vbs"
    "WScript.Echo ""Simulation Success""" | Out-File -FilePath $tempVBS -Encoding ascii
    Start-Process "wscript.exe" -ArgumentList "/e:vbscript `"$tempVBS`""
    
    # 3. Simulate cmd.exe with hidden window (Matches selection_cmd)
    Write-Host "[+] Triggering Rule: cmd.exe with Hidden Window Style..." -ForegroundColor Yellow
    Start-Process "cmd.exe" -ArgumentList "/c PowerShell -WindowStyle Hidden -Command Write-Output 'Simulation Success'"
    
    Write-Host "[+] Simulation commands dispatched." -ForegroundColor Green
  • Cleanup Commands:

    # Cleanup temporary files created during simulation (same %TEMP% path the script wrote to)
    Remove-Item -Path (Join-Path $env:TEMP "test_sim.vbs") -ErrorAction SilentlyContinue
    Write-Host "[+] Cleanup complete." -ForegroundColor Cyan