CyberIntel ⬡ News
★ Saved ◆ Cyber Reads
← Back ◇ Industry News & Leadership May 19, 2026

Kimsuky Hackers Use LNK and JSE Lures to Target Recruiters, Crypto Users, and Defense Officials

Cybersecurity News Archived May 19, 2026 ✓ Full text saved

North Korea-linked hackers are at it again, and this time they are casting a wide net. The Kimsuky threat group, a well-known cyber espionage unit with ties to the DPRK, ran four separate spear-phishing campaigns in the first half of 2025 targeting corporate recruiters, cryptocurrency investors and developers, defense sector officials, and graduate school administrators. […] The post Kimsuky Hackers Use LNK and JSE Lures to Target Recruiters, Crypto Users, and Defense Officials appeared first on

Full text archived locally
✦ AI Summary · Claude Sonnet


    HomeCyber Security News Kimsuky Hackers Use LNK and JSE Lures to Target Recruiters, Crypto Users, and Defense Officials By Tushar Subhra Dutta May 19, 2026 North Korea-linked hackers are at it again, and this time they are casting a wide net. The Kimsuky threat group, a well-known cyber espionage unit with ties to the DPRK, ran four separate spear-phishing campaigns in the first half of 2025 targeting corporate recruiters, cryptocurrency investors and developers, defense sector officials, and graduate school administrators. Each campaign used a different disguise but followed the same basic playbook: trick someone into opening a file and quietly take over their computer. What makes these attacks stand out is the variety of people they went after. Recruiters received fake resumes and business cards. Crypto users were lured with content themed around Solana meme coins. Defense officials were sent documents tied to the K-ICTC International Scientific Combat Management Competition. Campaigns (Source – LogPresso) Graduate school staff were handed what appeared to be enrollment documents. In every case, the goal was identical: get a foothold without raising any flags. Analysts at LogPresso said in a report shared with Cyber Security News that all four campaigns followed a consistent attack flow that started with displaying a decoy document while silently dropping a malicious payload, then securing persistence, and finally establishing a remote control channel. The campaigns were distinguished mainly by their lure topics, entry methods, and command-and-control infrastructure. The attackers showed clear signs of sophistication. Instead of using obviously suspicious servers, they routed communications through trusted platforms like GitHub raw APIs, Microsoft CDN, and VSCode tunnels. This made their traffic blend in with normal activity, making it harder for reputation-based security tools to catch them. Target identification was also personalized, with victims tracked through unique IDs, IP addresses, and MAC addresses. One of the most consistent findings across all four campaigns was aggressive defense evasion from the very start. Within five minutes of a victim opening the bait file, the malware was already disabling Windows UAC, registering Defender exceptions, and embedding itself in the Task Scheduler to survive reboots. LogPresso noted that blocking based on individual IoCs has clear limitations, and that defenders need behavior-based detection covering the full attack chain. Kimsuky Hackers Use LNK and JSE Lures Three of the four campaigns relied on LNK files disguised to look like PDFs. When a victim opened one, two hidden payloads separated inside. One part quietly displayed a convincing decoy document to keep the victim unsuspecting. The other saved a secondary LNK file to the Windows startup folder, establishing persistence before downloading and running PowerShell scripts from the attacker’s server. The entire process completed in under five minutes, leaving very little room for human detection. The fourth campaign took a different approach, using a JSE file with a double extension formatted as .hwpx.jse. Since Windows hides extensions by default, the victim saw what looked like a Korean HWP document. Once opened, the script decoded a hidden DLL using the built-in certutil tool and loaded it using rundll32.exe, a legitimate Windows component. This campaign went further by using a VSCode tunnel to maintain persistent remote access, riding on Microsoft’s own signed binaries to stay undetected. Abuse of Legitimate Services for C2 A thread that ran through every campaign was Kimsuky’s heavy use of legitimate services for command-and-control operations. GitHub repositories stored payloads and collected victim data. Microsoft CDN helped deliver files without triggering network alerts. VSCode tunnels created persistent remote access through GitHub OAuth authentication. In one case, a private server at nelark.icu acted as the C2, while another campaign funneled data through the Korean site yespp.co.kr. LogPresso’s analysis makes clear that defenders cannot rely on blocking domains or file hashes alone. Since Kimsuky rotates its infrastructure quickly, organizations should watch for LNK or JSE files with double extensions, monitor unexpected Task Scheduler entries disguised as OneDrive or Intel services, and flag any instance of UAC being disabled outside normal administrative activity. Building detection around behaviors rather than static indicators is the only reliable way to stay ahead of a group this adaptive. Indicators of Compromise (IoCs):- Type Indicator Description File Hash (MD5) 80088af673b0117dbd5cf528021dd970 1.pdf.lnk (Campaign 1)  File Hash (MD5) c499e415f7e07f513d8319013a8b2e86 1.pdf.lnk.zip (Campaign 1)  File Hash (MD5) 0331a83b58231cb0cd3bfe319003ed1a OneDrive.lnk (Campaign 1)  File Hash (MD5) 806fb7876b63ba89d2432cb831be01ba a.ps1 (Campaign 1)  File Hash (MD5) c57a8b40d2ca402656ff3d778f42708c bb.ps1 (Campaign 1)  File Hash (MD5) 2689f58b803364bbfba2edb423a3b572 bpersist.ps1 (Campaign 1)  File Hash (MD5) 552ca91696fedd387e1ea47f50f18344 scheduler-once.bat (Campaign 1)  URL hxxps://nelark.icu/xftaswx/res/post_proc.php?fpath=a.ps1 C2 URL – Campaign 1  URL hxxps://nelark.icu/xftaswx/res/post_proc.php?fpath=bpersist.ps1 C2 URL – Campaign 1  URL hxxps://nelark.icu/xftaswx/res/index.php C2 URL – Campaign 1  URL hxxps://nelark.icu/xftaswx/res/post_proc.php?fpath=scheduler-once C2 URL – Campaign 1  URL hxxps://nelark.icu/xftaswx/res/bypass.b C2 URL – Campaign 1  File Hash (MD5) a9d5dd632bb90addca480eaa5ff4382 PumpGuard-Pumpfun-AI-Attack-Defence-Requirements.pdf.lnk (Campaign 2)  File Hash (MD5) 5c2857913efc6007b3ee7028a132baa4 PumpGuard-Pumpfun…pdf.zip (Campaign 2)  File Hash (MD5) 6869766741b40825e31fd8bbff688bd3 bpvme.ps1 (Campaign 2)  File Hash (MD5) 3fdce08723365d5c06e1183585164118 PumpGuard_Pumpfun…GameEngine(2).rar (Campaign 2)  File Hash (MD5) a3363e0c22c0356fdbcdc37f502bbcde firefox.ps1 (Campaign 2)  File Hash (MD5) 471faa43f4811a0250648d586cb3eebf bpvme.ps1 variant (Campaign 2)  File Hash (MD5) 8301fc2c740f6309864e68b6e429d0f0 whale.vbs (Campaign 2)  File Hash (MD5) af7330af68a8f79b5a28fcc242e54a7e doc_2026-03-26_08-58-03.NetAngular.pdf.zip (Campaign 2)  File Hash (MD5) 450774df6785e6eeb6ea906490905888 firefox.ps1 variant (Campaign 2)  File Hash (MD5) 831d7c614ba32aa5d70ff9b0f259ee1d wale.ps1 (Campaign 2)  URL hxxps://raw.githubusercontent.com/brandonleeodd93-blip/doc7/main/1.txt GitHub C2 payload – Campaign 2  URL hxxps://raw.githubusercontent.com/brandonleeodd93-blip/doc7/main/view.pdf GitHub C2 payload – Campaign 2  URL hxxps://api.github.com/repos/brandonleeodd93-blip/doc7/contents/report/ GitHub exfil endpoint – Campaign 2  File Hash (MD5) b3c90f52e4b86a94ec637fee4354bb84 2026 4th K-ICTC Information.pdf.lnk (Campaign 3)  File Hash (MD5) 0dd1cf2d9a72fdbef19e77af59ba9d1f 2026 4th K-ICTC Information.pdf.zip (Campaign 3)  File Hash (MD5) cbb059bd691d846e8279d617134d3129 conf.dat (Campaign 3)  IP Address 103.67.196.25 C2 server – Campaign 3  URL hxxp://103.67.196.25/conf.dat C2 payload URL – Campaign 3  URL hxxp://103.67.196.25/payload.dat C2 payload URL – Campaign 3  URL hxxp://103.67.196.25/view1.php?type=apple&seed=<MAC> MAC-based victim identification – Campaign 3  File Hash (MD5) bb5040d54135b0999cc491b41a0a45e2 .hwpx.jse.zip (Campaign 4)  File Hash (MD5) 9fe43e08c8f446554340f972dac8a68c .hwpx.jse (Campaign 4)  File Hash (MD5) 52f1ff082e981cbdfd1f045c6021c63f .hwpx.jse variant (Campaign 4)  File Hash (MD5) bb9e9c893b170b3774c150b1d0b93a73 iIdypWi.zgyY (Campaign 4)  File Hash (MD5) 08160acf08fccecde7b34090db18b321 kE2I3TP.crqn (Campaign 4)  URL hxxps://www.pyrotech.co.kr/common/include/tech/default.php C2 URL – Campaign 4  URL hxxps://www.yespp.co.kr/common/include/code/out.php C2 exfil URL – Campaign 4  Domain nelark.icu C2 domain – Campaign 1  Domain yespp.co.kr C2/exfil domain – Campaign 4  Domain vscode.dev/tunnel/bizeugene VSCode tunnel used for persistent remote access  Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM. Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google. Tags cyber security cyber security news Copy URL Linkedin Twitter ReddIt Telegram Tushar Subhra Dutta Tushar is a senior cybersecurity and breach reporter. He specializes in covering cybersecurity news, trends, and emerging threats, data breaches, and malware attacks. With years of experience, he brings clarity and depth to complex security topics. Trending News Hackers Abuse OAuth Device Authorization Flow to Steal Microsoft 365 Tokens PraisonAI Vulnerability Exploited Within Hours of Public Disclosure iOS 26.5 Brings End-to-end Encrypted RCS Messaging Between iPhone and Android Hackers Compromise 170 npm Packages to Steal GitHub, npm, AWS, and Kubernetes Secrets Microsoft Releases Cumulative Update for Windows 11, Version 25H2 and 24H2 Latest News Cyber Security News Malware Campaign Uses JavaScript, PowerShell, and Shellcode to Deliver Crypto Clipper Cyber Security News DirtyDecrypt Linux Kernel Vulnerability PoC Exploit Code Released ANY.RUN 3 Tactics Elite SOCs Use to Operationalize Threat Intelligence Cyber Security News Operation Ramz Seizes 53 Servers Linked to Cyber Scams and Malware Threats Cyber Security News Critical PostgreSQL Vulnerabilities Enables Code Execution and SQL Injections
    💬 Team Notes
    Article Info
    Source
    Cybersecurity News
    Category
    ◇ Industry News & Leadership
    Published
    May 19, 2026
    Archived
    May 19, 2026
    Full Text
    ✓ Saved locally
    Open Original ↗