How Kimsuky APT Conducts Multi-Stage Cyber Attacks: A Step-by-Step Guide

Introduction

This guide provides a detailed walkthrough of the attack methodology employed by the Kimsuky threat actor group, also known as APT43, Ruby Sleet, and others. Based on in-depth analysis of recent campaigns, we outline the sequential phases from initial reconnaissance to post-exploitation. By following these steps, security teams can better understand the group's tactics and improve defenses.

Source: securelist.com

What You Need

  • Basic understanding of cybersecurity concepts (phishing, malware, C2 infrastructure)
  • Familiarity with network traffic analysis tools (e.g., Wireshark, Zeek)
  • Access to threat intelligence feeds or sandboxes for malware analysis
  • Knowledge of Windows file execution mechanisms (JSE, PIF, SCR, EXE)
  • Understanding of tunneling technologies (Ngrok, Cloudflare Quick Tunnels, VSCode Tunnels)

Step-by-Step Attack Process

Step 1: Initial Access via Spear-Phishing Emails

Kimsuky initiates contact with targeted individuals by sending carefully crafted spear-phishing emails. These emails include malicious attachments disguised as legitimate documents (e.g., Word files, PDFs). In some cases, they also approach targets through messaging platforms. The goal is to trick the recipient into opening the attachment, which delivers the first-stage dropper.

Step 2: Delivery of Malicious Droppers

The attachments contain droppers in various formats such as JSE, PIF, SCR, or EXE. These droppers are designed to evade initial detection and execute the next stage of malware. Kimsuky frequently updates its dropper code to avoid signature-based antivirus engines.

Step 3: Deployment of Core Malware Clusters

Once executed, the droppers deploy malware from two primary clusters:

  • PebbleDash Cluster: Includes variants like HelloDoor, httpMalice, MemLoad, and httpTroy. This cluster often targets defense sectors and has been observed in South Korea, Brazil, and Germany.
  • AppleSeed Cluster: Includes AppleSeed and HappyDoor. This cluster focuses more on government organizations.

The malware establishes persistence, steals credentials, and enables remote control.

Step 4: Post-Exploitation Using Legitimate Tools

For ongoing access and lateral movement, Kimsuky leverages legitimate tools:

  • Visual Studio Code (VSCode): The attacker uses VSCode tunneling mechanisms with GitHub authentication to maintain persistent access and execute commands.
  • DWAgent: An open-source remote monitoring and management tool used for post-exploitation activities like file transfer, command execution, and screen control.

Step 5: Command and Control (C2) Infrastructure

Kimsuky hosts its C2 servers primarily on domains registered with a free South Korean hosting provider. They also use compromised South Korean websites and public tunneling services like Ngrok or VSCode tunnels to obfuscate traffic. This infrastructure allows the attackers to receive stolen data and issue commands.

Tips for Detection and Mitigation

  • Implement email filtering that scans for malicious attachments and links, especially those using JSE, PIF, or SCR extensions.
  • Monitor for unusual usage of VSCode tunneling or Cloudflare Quick Tunnels from endpoints that normally do not require such tools.
  • Track network connections to domains registered with free South Korean hosting providers; flag any that are associated with non-South Korean targets.
  • Use behavioral analysis to detect DWAgent or similar RMM tools that are not part of the standard IT toolkit.
  • Conduct regular employee training on spear-phishing recognition, especially for personnel in defense and government sectors.
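As an added defender-side example (not code from the securelist.com write-up, and not derived from any Kimsuky tooling), the Python below triages constructed endpoint telemetry for the three indicator classes the tips above name: risky attachment extensions (JSE, PIF, SCR, including double extensions such as `.pdf.scr`), launches of tunneling tools (VSCode `code tunnel`, `cloudflared tunnel`, `ngrok`) on hosts that are not allowlisted for them, and an RMM agent outside the sanctioned toolkit. The event schema, the host allowlists, the `dwagent.exe` process name and the command-line shapes are assumptions for illustration; tune them against your own telemetry.

```python
"""Added detection example: triage constructed endpoint/email events for the
Kimsuky indicator classes listed in the mitigation tips. Nothing here is an
indicator published on the page; all sample data is constructed."""
import re
from dataclasses import dataclass

# Dropper extensions named in the write-up. Only the final suffix is checked,
# so a double extension such as "Invitation.pdf.scr" is still caught.
RISKY_ATTACHMENT_EXT = {"jse", "pif", "scr"}

# Command-line shapes for the tunneling services mentioned on the page.
# Assumed CLI forms: "code tunnel", "cloudflared tunnel", "ngrok ...".
TUNNEL_PATTERNS = [
    (re.compile(r"\bcode(?:\.exe)?\b.*\btunnel\b", re.I), "vscode_tunnel"),
    (re.compile(r"\bcloudflared(?:\.exe)?\b.*\btunnel\b", re.I), "cloudflare_tunnel"),
    (re.compile(r"\bngrok(?:\.exe)?\b", re.I), "ngrok"),
]
TUNNEL_RULES = {label for _, label in TUNNEL_PATTERNS}

# RMM agents not part of the standard IT toolkit. Process name is an assumption.
UNSANCTIONED_RMM = {"dwagent.exe"}


@dataclass
class Finding:
    host: str
    rule: str
    detail: str


def check_attachment(host, filename):
    """Flag an e-mail attachment whose final extension is a known dropper type."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext in RISKY_ATTACHMENT_EXT:
        return Finding(host, "risky_attachment", filename)
    return None


def check_process(host, image, cmdline):
    """Flag unsanctioned RMM binaries and tunneling-tool launches."""
    name = image.replace("\\", "/").rsplit("/", 1)[-1].lower()
    if name in UNSANCTIONED_RMM:
        return Finding(host, "unsanctioned_rmm", name)
    for pattern, label in TUNNEL_PATTERNS:
        if pattern.search(cmdline):
            return Finding(host, label, cmdline)
    return None


def triage(events, tunnel_hosts=frozenset(), rmm_hosts=frozenset()):
    """Run every event through the checks; suppress hits on allowlisted hosts
    (e.g. developer machines that legitimately use VSCode tunnels)."""
    findings = []
    for ev in events:
        finding = None
        if ev["type"] == "email_attachment":
            finding = check_attachment(ev["host"], ev["filename"])
        elif ev["type"] == "process":
            finding = check_process(ev["host"], ev["image"], ev["cmdline"])
            if finding and finding.rule == "unsanctioned_rmm" and ev["host"] in rmm_hosts:
                finding = None
            if finding and finding.rule in TUNNEL_RULES and ev["host"] in tunnel_hosts:
                finding = None
        if finding:
            findings.append(finding)
    return findings


# Constructed sample telemetry (hostnames, paths and filenames are made up).
SAMPLE_EVENTS = [
    {"type": "email_attachment", "host": "ws-hr-07", "filename": "Invitation_2024.pdf.scr"},
    {"type": "email_attachment", "host": "ws-hr-07", "filename": "agenda.docx"},
    {"type": "process", "host": "ws-fin-12",
     "image": r"C:\Program Files\Microsoft VS Code\code.exe", "cmdline": "code.exe tunnel"},
    {"type": "process", "host": "dev-build-01",
     "image": "/usr/bin/code", "cmdline": "code tunnel --name buildbox"},
    {"type": "process", "host": "ws-fin-12",
     "image": r"C:\ProgramData\dwagent.exe", "cmdline": "dwagent.exe"},
    {"type": "process", "host": "ws-fin-12",
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe notes.txt"},
]


def run_sample():
    """Triage the constructed events; dev-build-01 is allowed to use tunnels."""
    return triage(SAMPLE_EVENTS, tunnel_hosts=frozenset({"dev-build-01"}))


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.host}: {f.rule} ({f.detail})")
```

Run stand-alone, it reports the double-extension attachment on `ws-hr-07`, the VSCode tunnel launch on the finance workstation, and the RMM agent there, while the allowlisted build host's tunnel is suppressed. The allowlists are the important design choice: tunneling and RMM tools are legitimate on some hosts, so the rule should key on "host that does not normally need this", as the tip says, rather than on the tool alone.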

Understanding the Kimsuky attack chain helps organizations prepare for these sophisticated and evolving threats. For more information, refer to our related guides on initial access and post-exploitation defense.
