Kimsuky APT Campaign Detection Targeting Japanese Organizations
Since early spring 2024, the notorious North Korea-linked hacking collective tracked as Kimsuky APT has been launching a targeted campaign against South Korean academic institutions. Defenders have also uncovered the group's offensive operations actively targeting Japanese organizations. The ongoing adversary campaign relies on a phishing attack vector, with targeted emails whose sender is disguised as a security or diplomatic agency.
Detect Kimsuky Attacks Targeting Japan
The North Korean Kimsuky APT group is ramping up the volume and sophistication of its attacks, particularly in East Asia. Continuously enhancing its malicious toolkit, Kimsuky’s recent campaign used the TRANSLATEXT Chrome extension for data theft and introduced a new Linux backdoor called Gomir to target organizations in South Korea and neighboring countries.
Recently, security researchers uncovered another Kimsuky campaign actively targeting Japan, using a complex infection chain to infiltrate networks of interest. To stay on top of associated attacks, SOC Prime Platform for collective cyber defense offers a set of curated detections addressing TTPs used by adversaries in this campaign.
Just press the Explore Detections button below and immediately drill down to a dedicated Sigma rule set. All the rules are compatible with 30+ SIEM, EDR, and Data Lake technologies and mapped to the MITRE ATT&CK® framework. Additionally, detections are enriched with extensive metadata, including threat intel references, attack timelines, and triage recommendations to streamline threat investigation.
Security professionals looking to analyze Kimsuky’s TTPs in more detail can find additional detection content by searching the Threat Detection Marketplace with the “Kimsuky” tag or by following this link to access all rules associated with the hacking collective.
Kimsuky Attacking Japanese Organizations: A Campaign Analysis
In March 2024, JPCERT/CC uncovered novel malicious activity by the nefarious North Korea-nexus Kimsuky APT gang, which has Japanese organizations among its primary targets. In addition to the offensive campaign against the South Korean academic sector, Kimsuky hackers have been attacking organizations from Japan using EXE and DOCX files sent via a phishing attack vector and aiming to steal sensitive data from compromised devices.
The infection flow is triggered by a spear-phishing email impersonating a security or diplomatic organization. The email carries an archive of weaponized files that use double file extensions, with a large number of spaces inserted into each file name to push the real extension out of view. Once executed, the main EXE file downloads a VBS file from an external source, which is then run with wscript.exe. The VBS file, in turn, downloads a PowerShell script from an external source and invokes its PokDoc function. The same VBS file establishes persistence by setting a registry Run key so that the hidden file is executed automatically at each system startup.
The PowerShell script downloaded by the VBS file serves as a keylogger and is intended to steal data from the targeted devices, including system and network details, the list of files in specific user folders, and user account data. Adversaries send the stolen data to a predefined URL, which also lets them check whether the execution environment is a sandbox or analysis system. The script then creates another VBS file in a public directory; once executed, it downloads additional PowerShell code and calls an InfoKey function with a specific parameter, helping the attackers evade detection and maintain stealthy persistence.
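As an added illustration (not part of the original post or of SOC Prime's rule set), the following Python sketch runs simple detection logic for the chain described above over constructed sample telemetry: a padded double-extension file name, wscript.exe running a VBS, PowerShell spawned by wscript.exe, and a Run-key write pointing at a VBS. The space-count threshold, event field names, file names and paths are assumptions.

```python
import re
from typing import Dict, List

# Constructed sample telemetry (not from the original post): an archive member name,
# the process chain dropper -> wscript.exe -> powershell.exe, and a Run-key write.
EVENTS: List[Dict[str, str]] = [
    {"type": "file", "name": "invitation.docx" + " " * 40 + ".exe"},
    {"type": "file", "name": "agenda.pdf"},
    {"type": "process", "image": r"C:\Windows\System32\wscript.exe",
     "parent": r"C:\Users\u\Downloads\invitation.docx" + " " * 40 + ".exe",
     "cmdline": r'wscript.exe "C:\Users\Public\update.vbs"'},
    {"type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\wscript.exe",
     "cmdline": "powershell -w hidden -c <placeholder>"},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Update",
     "data": r"wscript.exe //e:vbscript C:\Users\Public\update.vbs"},
    {"type": "process", "image": r"C:\Windows\System32\notepad.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "notepad.exe"},
]

# Assumed threshold: the post says "a large number of spaces" but gives no count.
PADDED_DOUBLE_EXT = re.compile(r"\.[a-z0-9]{2,5} {8,}\.(exe|scr|vbs|lnk)$", re.I)
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)


def has_padded_double_extension(name: str) -> bool:
    """True for names like 'report.docx<many spaces>.exe'."""
    return bool(PADDED_DOUBLE_EXT.search(name))


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def classify(ev: Dict[str, str]) -> List[str]:
    """Return the detection tags that fire for one event (empty list if none)."""
    hits: List[str] = []
    if ev["type"] == "file" and has_padded_double_extension(ev["name"]):
        hits.append("padded_double_extension")
    elif ev["type"] == "process":
        img, par, cmd = basename(ev["image"]), basename(ev["parent"]), ev["cmdline"].lower()
        if img == "wscript.exe" and ".vbs" in cmd:
            hits.append("wscript_runs_vbs")
            if has_padded_double_extension(ev["parent"]):
                hits.append("dropper_launches_wscript")
        if img == "powershell.exe" and par == "wscript.exe":
            hits.append("vbs_spawns_powershell")
    elif ev["type"] == "registry" and RUN_KEY.search(ev["key"]):
        if ".vbs" in ev["data"].lower() or "wscript" in ev["data"].lower():
            hits.append("run_key_vbs_persistence")
    return hits


def detect(events: List[Dict[str, str]]) -> Dict[int, List[str]]:
    """Map event index -> tags for every event that triggered at least one tag."""
    return {i: tags for i, ev in enumerate(events) if (tags := classify(ev))}
```

Each tag corresponds to one stage of the chain in the analysis above, so a sequence of them on one host is a much stronger signal than any single hit.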
As Kimsuky continuously experiments with new offensive capabilities to bypass security measures and remain under the radar while increasing the sophistication of its ongoing attacks, it's imperative for organizations to increase cyber vigilance. SOC Prime's complete product suite for AI-powered Detection Engineering, Automated Threat Hunting, and Detection Stack Validation equips security teams with cutting-edge solutions for proactive cyber defense, helping to minimize the risk from the emerging threats that pose the greatest challenge to the organization.