The attack typically began with emails directed at high-value targets in South Korea, including government officials, academics, and defense contractors.

- The email contained a link to a cloud storage service (like Google Drive or OneDrive) or an attachment titled Ghost Clients.zip.

Once a user executed the LNK file, a complex, scripted infection process was triggered to bypass security software:

- Allowing the attackers to execute arbitrary commands on the infected machine.
- Extracting saved passwords and cookies from Chrome, Edge, and Whale (a popular Korean browser).

4. Attribution: The Kimsuky Connection

- The PowerShell scripts used in Ghost Clients.zip shared significant code blocks with previously documented Kimsuky malware like AppleSeed and Alphabat.
- The heavy focus on .hwp files and South Korean political entities is a hallmark of this specific threat actor.

5. Why It Matters

It serves as a reminder of the persistent threat posed to the Korean Peninsula's digital infrastructure and the continued refinement of social engineering techniques used by APT (Advanced Persistent Threat) groups.
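A defender-side triage script for the delivery vector described above (a ZIP attachment carrying a shortcut that launches PowerShell), written as an added example; it is not code from the original article or from any analysis of the real Ghost Clients.zip sample. It lists every .lnk member of an archive, checks for the Shell Link header, pulls UTF-16LE strings out of the raw bytes to look for script-host invocations, and flags shortcuts whose names imitate a document (the .hwp extension comes from the article; the other extensions and the token list are assumed heuristics). The sample archive and the fake LNK inside it are constructed for the test; the fake shortcut has only a valid header prefix and a placeholder command line, not a working link structure.

```python
"""Triage a ZIP attachment for LNK shortcuts that launch a script host.

Added example, not from the original article. The sample archive built by
build_sample_archive() is constructed test data: only the archive name
'Ghost Clients.zip' and the .hwp extension come from the article.
"""
import io
import re
import zipfile

# Every Windows Shell Link file starts with HeaderSize 0x4C and the ShellLink CLSID.
LNK_MAGIC = b"\x4c\x00\x00\x00\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46"

# Tokens typically present (UTF-16LE) in the target/arguments of a script-launching shortcut.
# Assumed heuristic list, not indicators taken from the article.
SUSPICIOUS_TOKENS = ("powershell", "pwsh", "cmd.exe", "mshta", "wscript", "-enc", "-w hidden")

# Document extensions a shortcut name may imitate, e.g. "report.hwp.lnk" (assumed heuristic).
DOC_EXTS = (".hwp", ".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt")


def decode_utf16_strings(data: bytes, min_len: int = 6) -> list[str]:
    """Return printable UTF-16LE runs found in raw bytes (a cheap 'strings -el')."""
    pattern = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    return [m.group().decode("utf-16le", errors="ignore") for m in pattern.finditer(data)]


def analyze_lnk(name: str, data: bytes) -> dict:
    """Describe one archive member whose name says it is a shortcut."""
    lowered = " ".join(decode_utf16_strings(data)).lower()
    hits = sorted(tok for tok in SUSPICIOUS_TOKENS if tok in lowered)
    stem = name.lower()[:-4]  # drop the trailing ".lnk" to inspect the inner extension
    return {
        "name": name,
        "valid_header": data.startswith(LNK_MAGIC),
        "tokens": hits,
        "masquerades_as_document": stem.endswith(DOC_EXTS),
    }


def triage_zip(zip_bytes: bytes) -> list[dict]:
    """Return one finding per .lnk member of the archive (other members are ignored)."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or not info.filename.lower().endswith(".lnk"):
                continue
            findings.append(analyze_lnk(info.filename, zf.read(info)))
    return findings


def is_suspicious(finding: dict) -> bool:
    """A shortcut that launches a script host, or that poses as a document, warrants a closer look."""
    return bool(finding["tokens"]) or finding["masquerades_as_document"]


def build_sample_archive() -> bytes:
    """Constructed test input: a ZIP holding a fake LNK whose string data launches PowerShell."""
    cmdline = "powershell.exe -nop -w hidden -enc <base64 placeholder>"
    fake_lnk = LNK_MAGIC + b"\x00" * 56 + cmdline.encode("utf-16le")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Ghost Clients/report.hwp.lnk", fake_lnk)
        zf.writestr("Ghost Clients/readme.txt", "benign decoy text")
    return buf.getvalue()


if __name__ == "__main__":
    # Would normally be: triage_zip(open("Ghost Clients.zip", "rb").read())
    for finding in triage_zip(build_sample_archive()):
        print(finding, "SUSPICIOUS" if is_suspicious(finding) else "ok")
```

The string extraction is deliberately format-agnostic, so it also surfaces command lines hidden in the LNK's string data or extra data blocks without a full Shell Link parser; a real pipeline would add proper LinkInfo parsing and feed the flagged members to a sandbox rather than executing anything.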