A new campaign that distributes Android malware has been connected to a North Korean threat actor. The campaign makes use of QR codes hosted on phishing websites that imitate the logistics company CJ Logistics. Posing as delivery companies in phishing emails or smishing texts, the threat actors trick recipients into clicking on booby-trapped URLs that host the apps.

According to the South Korean cybersecurity firm ENKI, some of these artifacts pose as apps for package delivery services. "Because Android blocks apps from unknown sources and displays security warnings by default, the threat actor claims the app is a safe, official release to trick victims into ignoring the warning and installing the malware," the company stated in a blog post on Monday. Once installed, the app is designed "to initiate a RAT service, akin to previous instances but exhibiting advanced capabilities, like utilizing a new native function to decrypt the internal APK and incorporating diverse decoy behaviors," the security firm stated.

Separately, the Kimsuky hacking group has been linked to a phishing campaign that spreads the KimJongRAT Windows remote access trojan using tax-themed lures.

Disguised as a PDF document, the LNK file uses "mshta.exe" to launch an HTML Application (HTA) payload when it is opened. The HTA malware acts as a loader: it drops the RAT payload, which periodically gathers and exfiltrates user data, and it also downloads and displays a fake PDF as a decoy. The harvested data includes system metadata as well as data from web browsers, numerous cryptocurrency wallet extensions, Telegram, Discord, and NPKI/GPKI certificates (the digital signature certificates used for online banking in South Korea).
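The LNK-to-mshta.exe-to-HTA chain described above leaves a recognisable footprint in process-creation telemetry: mshta.exe started from Explorer with an .hta argument (or a remote URL), followed by mshta.exe itself spawning child processes such as a PDF viewer for the decoy. The following is an added detection example written for this article; it is not ENKI's, DTEX's or any vendor's code. The log format (key="value" fields named image, parent_image and command_line) and all sample events are constructed for illustration and do not correspond to a real EDR or Sysmon export.

```python
"""Flag process-creation events consistent with an LNK -> mshta.exe -> HTA loader chain.

Added example for the article above, not code from the original page or any vendor.
Log lines use a constructed, simplified key="value" format (assumed field names:
image, parent_image, command_line); adapt parse_event() for a real EDR/Sysmon export.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample events, in the order they might be observed on one host.
SAMPLE_EVENTS = [
    r'image="C:\Windows\explorer.exe" parent_image="C:\Windows\System32\userinit.exe" command_line="C:\Windows\Explorer.EXE"',
    # User double-clicks the "PDF" shortcut; the LNK target runs mshta.exe on a local HTA.
    r'image="C:\Windows\System32\mshta.exe" parent_image="C:\Windows\explorer.exe" command_line="C:\Windows\System32\mshta.exe C:\Users\kim\Downloads\tax_notice.hta"',
    # Variant: mshta.exe pointed at a remote HTA (example.invalid is a reserved placeholder domain).
    r'image="C:\Windows\System32\mshta.exe" parent_image="C:\Windows\explorer.exe" command_line="mshta http://example.invalid/notice.hta"',
    # The HTA opens the decoy PDF: a document viewer spawned by mshta.exe is unusual.
    r'image="C:\Program Files\Adobe\Acrobat Reader\AcroRd32.exe" parent_image="C:\Windows\System32\mshta.exe" command_line="AcroRd32.exe C:\Users\kim\AppData\Local\Temp\decoy.pdf"',
    r'image="C:\Windows\System32\notepad.exe" parent_image="C:\Windows\explorer.exe" command_line="notepad.exe"',
]

_KV = re.compile(r'(\w+)="([^"]*)"')


def parse_event(line: str) -> Dict[str, str]:
    """Parse one key="value" log line into a dict with lower-cased keys."""
    return {key.lower(): value for key, value in _KV.findall(line)}


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def assess(event: Dict[str, str]) -> List[str]:
    """Return the list of reasons an event is suspicious (empty list means benign)."""
    reasons: List[str] = []
    image = basename(event.get("image", ""))
    parent = basename(event.get("parent_image", ""))
    cmd = event.get("command_line", "").lower()

    if image == "mshta.exe":
        reasons.append("mshta.exe execution")
        if ".hta" in cmd:
            reasons.append("HTA file passed on command line")
        if re.search(r"https?://", cmd):
            reasons.append("remote HTA URL on command line")
        if parent == "explorer.exe":
            reasons.append("launched from Explorer (consistent with a double-clicked shortcut)")

    # Anything mshta.exe spawns (dropped payload, decoy viewer) deserves a look.
    if parent == "mshta.exe":
        reasons.append(f"{image} spawned by mshta.exe (HTA acting as loader/dropper)")

    return reasons


def scan(lines: List[str]) -> List[Tuple[str, List[str]]]:
    """Run assess() over raw log lines and return (image, reasons) for every hit."""
    findings = []
    for line in lines:
        event = parse_event(line)
        reasons = assess(event)
        if reasons:
            findings.append((basename(event.get("image", "")), reasons))
    return findings


if __name__ == "__main__":
    for image, reasons in scan(SAMPLE_EVENTS):
        print(f"{image}: {'; '.join(reasons)}")
```

On the constructed sample, the two mshta.exe launches and the viewer spawned by mshta.exe are flagged while the Explorer and Notepad events pass. In production the parent-process rule is the more durable of the two, since legitimate mshta.exe use is rare on most endpoints but not zero; tune it against an allow-list of known HTA-based internal tools before alerting on every hit.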

According to an organizational assessment published by DTEX, Kimsuky is a member of the Reconnaissance General Bureau (RGB), an umbrella organization commonly referred to as the Lazarus Group that also houses several threat clusters in charge of carrying out cryptocurrency heists and cyber espionage.