A malicious LNK that spreads a Python-based backdoor and how it’s spreading (Kimsuky group) The ASEC analysis describes how Kimsuky modified its LNK-based distribution chain to add multiple intermediate stages (XML, VBS, PS1, BAT) while retaining a final Python backdoor or downloader delivered via ZIP fragments and Task Scheduler registrations. The campaign uses cloud services (Dropbox) and a custom C2 protocol to exfiltrate system information...

Kimsuky’s LNK-based attack chain now includes multiple stages (XML, VBS, PS1, BAT) before deploying a Python backdoor via ZIP fragments and Task Scheduler. Uses Dropbox and custom C2 for data exfiltration. #Kimsuky #PythonBackdoor #SouthKorea