North Korean Kimsuky APT exploits Dropbox & phishing lures in DEEP#DRIVE campaign targeting South Korean entities. Key insights & defenses revealed

Continue reading
Threat Research team has uncovered a highly coordinated cyber espionage campaign, dubbed DEEP#DRIVE, linked to the North Korean state-sponsored group Kimsuky. The operation, active since late 2024, targets South Korean businesses, government agencies, and cryptocurrency users through meticulously crafted phishing lures and cloud-based infrastructure designed to evade detection.
The campaign began with phishing emails distributing ZIP archives containing shortcut files (`.lnk`). These files masqueraded as innocuous Office or PDF documents (e.g., `종신안내장V02_곽성환D.pdf.lnk`), leveraging Windows’ default hiding of file extensions. Once clicked, the `.lnk` triggered a PowerShell script padded with over 100 spaces to obscure its intent in logs.
Example Lure: A fake forklift safety guide titled 지게차 중량물 윙바디 작업계획서.pptx targeted logistics sector employees, while crypto-themed lures like 메타마스크 니모닉.txt aimed at digital asset holders.
The initial PowerShell script (`user.ps1`) downloaded secondary payloads from Dropbox, including a decoy document to distract victims. A scheduled task named ChromeUpdateTaskMachine ensured the malware ran every 30 minutes, while `system_first.ps1` mapped victim environments: ```powershell
$ip = Get-WmiObject Win32_NetworkAdapterConfiguration | Select-Object -ExpandProperty IPAddress $av = Get-WmiObject -Namespace "root\SecurityCenter2" -Class AntiVirusProduct | Select-Object -ExpandProperty displayName ``` Data was exfiltrated to Dropbox under `/github/cjfansgmlans1_first/[IP]-[timestamp]-RRR-cjfansgmlans1.txt`.
The final payload, `temp.ps1`, retrieved a Gzip-compressed .NET assembly (`system_drive.dat`) from Dropbox. After modifying its header to match Gzip signatures, the script loaded it directly into memory to execute a `Main` method—a technique avoiding disk-based detection.
Critical Oversight: One payload, `Telegram.exe`, was mistakenly a renamed `.pptx` file, highlighting procedural errors in Kimsuky’s workflow.
Securonix researchers attributed DEEP#DRIVE to Kimsuky based on:
The attackers’ Dropbox accounts revealed a trove of victim data, including thousands of system profiles dating to September 2024. Phishing lures were stored in folders like `/github/`, with filenames tailored to Korean corporate jargon (e.g., 24년 10 월 업무일지 translates to October 2024 Work Log).
Notable Infrastructure:
Why It Matters: DEEP#DRIVE underscores North Korea’s evolving cyber warfare tactics, blending social engineering with trusted services to exploit human and technical vulnerabilities.
Securonix Advisory:
Industry Quote: “Kimsuky’s abuse of Dropbox shows how attackers weaponize trust,” said Den Iuzvyk, Securonix researcher. “Defenders must assume legitimate services are potential threat vectors.”
Active since 2012, Kimsuky (aka APT43) focuses on intelligence gathering to support Pyongyang’s geopolitical objectives. Recent campaigns have targeted academic institutions, think tanks, and defense contractors, often using credential theft and supply chain compromises.
MITRE ATT&CK Mapping:
While critical Dropbox links were swiftly dismantled, Kimsuky’s infrastructure agility suggests DEEP#DRIVE is one phase in a protracted campaign. Organizations are urged to adopt behavioral analytics and cross-platform monitoring to counter such adaptive adversaries.
For detection rules, IOCs, and hunting queries, refer to the full Securonix advisory [here].
Stay informed with real-time threat intelligence at [Securonix.com].
About Securonix Threat Research: The team specializes in tracking APT groups, ransomware syndicates, and emerging cybercrime tactics. Follow their advisories for in-depth analysis and actionable insights.

148 malicious npm packages masquerading as student proxy and school Wi-Fi bypass tools. Rather than compromising developers during installation