Triple Combo – Kimsuky Hackers Attack Facebook, Email, and Telegram Users

[[{“value”:”

North Korean state-sponsored hackers from the notorious Kimsuky group have launched a sophisticated multi-platform campaign targeting users across Facebook, email, and Telegram platforms between March and April 2025.

The Advanced Persistent Threat (APT) operation, dubbed the “Triple Combo” attack, represents a significant escalation in the group’s social engineering tactics, employing a coordinated three-stage communication strategy to infiltrate and compromise high-value targets in South Korea’s defense and North Korea-related activist communities.

The campaign demonstrates unprecedented coordination across multiple communication channels, with threat actors leveraging hijacked Facebook accounts, personalized email communications, and Telegram messaging to establish trust and deliver malicious payloads.

The attackers specifically targeted individuals involved in North Korean defector support activities, using carefully crafted lures related to volunteer work and humanitarian assistance to lower victims’ suspicions and encourage engagement with malicious files.

PDB Path of AppleSeed (Source – Genians)

Genians Security Center analysts identified this campaign as part of the larger “AppleSeed” operation, a well-documented Kimsuky initiative first exposed at VB Conferences in 2019 and 2021.

The researchers noted that the threat actors employed Korea-specific compressed file formats and sophisticated encoding techniques specifically designed to evade traditional security detection mechanisms while ensuring execution on Windows PC environments rather than mobile devices.

The attack methodology reveals a high degree of operational security and target research, with perpetrators conducting extensive reconnaissance through social media platforms before initiating contact.

Initial approach vectors included Facebook accounts masquerading as religious missionaries or academic researchers, followed by strategic requests for email addresses to facilitate secondary contact channels.

When successful, attackers escalated to Telegram communications, demonstrating persistent and adaptive tactics that maximize the likelihood of successful compromise.

The technical sophistication of the malware payload underscores the state-sponsored nature of this campaign, with multiple layers of obfuscation and anti-analysis techniques employed to maintain persistence and avoid detection by endpoint security solutions.

Infection Mechanism and Malware Analysis

The core of the Triple Combo attack revolves around a malicious JScript Encoded (JSE) file disguised as a document related to North Korean defector volunteer activities.

Message Posing as Inquiry into Defector Volunteer Activities (Source – Genians)

The primary payload, named ‘탈북민지원봉사활동.jse’ (Defector Volunteer Support.jse), employs a sophisticated two-stage deployment mechanism that creates both a legitimate-looking PDF decoy and a hidden malicious DLL component.

Upon execution, the JSE file utilizes Microsoft’s Windows Script Host environment to decode Base64-encoded data stored in internal variables.

The script creates a convincing PDF document at C:ProgramData탈북민지원봉사활동.pdf using the Microsoft.XMLDOM object, which automatically opens to distract the victim while malicious activities occur in the background.

Simultaneously, the script performs a double Base64 decoding process, first using Microsoft.XMLDOM and then executing certutil through PowerShell to create the malicious DLL file C:ProgramDatavmZMXSx.eNwm.

The DLL payload represents a particularly sophisticated piece of malware, protected by VMProtect virtualization technology that significantly complicates reverse engineering efforts.

When executed via the command regsvr32.exe /s /n /i:tgvyh!@#12 vmZMXSx.eNwm, the malware performs parameter verification against the hardcoded string “tgvyh!@#12” before proceeding with its malicious activities.

If verification fails, the malware creates a batch file for self-deletion, demonstrating robust operational security measures.

The persistence mechanism involves registering a registry entry under HKCUSoftwareMicrosoftWindowsCurrentVersionRun with the value “TripServiceUpdate” that ensures automatic execution on system reboot.

Execution Flow of ‘탈북민지원봉사활동.jse’ (Source – Genians)

The malware creates a directory structure at C:Users$$Username]AppDataRoamingtripservice and deploys a secondary payload called tripservice.dll.

This secondary component functions as a remote access trojan (RAT) that establishes communication with the command and control server at woana.n-e.kr using a combination of RC4 and RSA encryption to protect transmitted data.

The data exfiltration process employs multiple layers of encryption and obfuscation, beginning with ZIP compression of collected system information, followed by RC4 encryption using a randomly generated session key.

The RC4 key itself undergoes RSA encryption using a 1024-bit public key before transmission.

To further evade detection, the encrypted payload is disguised as a PDF file with appropriate headers and XOR encoding applied using keys generated from the system’s GetTickCount function.

Speed up and enrich threat investigations with Threat Intelligence Lookup! -> 50 trial search requests

The post Triple Combo – Kimsuky Hackers Attack Facebook, Email, and Telegram Users appeared first on Cyber Security News.

“}]]