Kimsuky Hackers Launch New Phishing Tricks and Malware Attacks

North Korean Hacker Group Kimsuky Launches Sophisticated Cyber Attacks Targeting Cryptocurrency and Sensitive Data

The North Korean-linked advanced persistent threat group known as Kimsuky has been observed deploying advanced phishing techniques and malware in targeted cyberattacks that took place in March 2025. 

Kimsuky, which has a history of targeting government agencies, think tanks, and individuals involved in foreign policy and national security, has significantly upgraded its technical capabilities. The group now uses multi-stage attack chains designed to avoid detection while stealing sensitive information from infected systems. 

In the latest campaign, victims received a ZIP archive containing malicious scripts. Once opened, the scripts triggered a complex infection sequence. The malware executed multiple hidden components that worked together to maintain access, collect system details, and exfiltrate data to servers controlled by the attackers. The campaign focused heavily on stealing cryptocurrency wallet data, browser credentials, and logging keystrokes across the system. 

Researchers at K7 Security Labs uncovered the attack after analyzing threat indicators shared within cybersecurity communities. Their investigation showed that Kimsuky had improved its malware with better anti-analysis methods, more advanced data exfiltration processes, and a clear focus on cryptocurrency theft. These developments point to a marked evolution in the group's attack strategies. 

The infection process begins with a Visual Basic script that uses layered obfuscation to avoid detection. It builds its PowerShell command at run time from functions such as chr() and CLng(), so the command never appears as a plain string in the file and is harder for security software to match against known-malicious patterns.

This script ultimately runs a PowerShell command that decodes and executes Base64-encoded payloads hidden in nearby log files.
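A triage heuristic for the obfuscation style described above, written here as an added example (it is not the article's or K7 Security Labs' code): it rebuilds the literal each script line assembles from Chr(CLng("n")) / Chr(n) fragments and flags scripts whose rebuilt text names PowerShell or Base64 decoding. The samples are constructed for the demonstration, not the real Kimsuky script.

```python
"""Triage heuristic for VBScript that assembles commands from Chr()/CLng() calls.
Added example, not code from the article or K7 Security Labs; it rebuilds the
literal each line constructs from Chr(CLng("n")) / Chr(n) fragments and flags
scripts whose rebuilt text names PowerShell or Base64 decoding."""
import re

# Chr(CLng("112")), Chr(CLng(112)) or Chr(112); VBScript names are case-insensitive.
CHR_CALL = re.compile(r'chr\(\s*(?:clng\(\s*"?(\d+)"?\s*\)|(\d+))\s*\)', re.IGNORECASE)
# Tokens that, once rebuilt, point at a PowerShell launcher with Base64 decoding.
SUSPECT_TOKENS = ("powershell", "frombase64string", "-encodedcommand")


def rebuild_chr_strings(script: str) -> list[str]:
    """Return, per line, the string that line assembles from its Chr() calls."""
    rebuilt = []
    for line in script.splitlines():
        chars = []
        for match in CHR_CALL.finditer(line):
            code = int(match.group(1) or match.group(2))
            if code <= 0x10FFFF:  # skip values that are not valid code points
                chars.append(chr(code))
        if chars:
            rebuilt.append("".join(chars))
    return rebuilt


def triage(script: str, min_calls: int = 8) -> dict:
    """Many Chr() calls plus a rebuilt PowerShell/Base64 token => suspicious."""
    rebuilt = rebuild_chr_strings(script)
    joined = "".join(rebuilt).lower()
    indicators = [tok for tok in SUSPECT_TOKENS if tok in joined]
    calls = len(CHR_CALL.findall(script))
    return {
        "chr_calls": calls,
        "rebuilt": rebuilt,
        "indicators": indicators,
        "suspicious": calls >= min_calls and bool(indicators),
    }


# Constructed samples in the style the article describes, not the real Kimsuky script.
OBFUSCATED = (
    'cmd = Chr(CLng("112")) & Chr(CLng("111")) & Chr(CLng("119")) & Chr(CLng("101")) & '
    'Chr(CLng("114")) & Chr(CLng("115")) & Chr(CLng("104")) & Chr(CLng("101")) & '
    'Chr(CLng("108")) & Chr(CLng("108"))\n'
    "arg = Chr(70) & Chr(114) & Chr(111) & Chr(109) & Chr(66) & Chr(97) & Chr(115) & Chr(101) & "
    "Chr(54) & Chr(52) & Chr(83) & Chr(116) & Chr(114) & Chr(105) & Chr(110) & Chr(103)\n"
)
BENIGN = 'MsgBox "Say " & Chr(34) & "hello" & Chr(34)\n'  # legitimate use of Chr() for quotes
```

Running `triage(OBFUSCATED)` reports 26 Chr() calls rebuilding "powershell" and "FromBase64String" and marks the script suspicious, while `triage(BENIGN)` sees two calls that only produce quote characters and stays clean.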

The PowerShell script first collects the BIOS serial number of the infected machine to create a unique ID. It also performs checks to see if it is running in a virtual environment, halting its execution if it detects a sandbox. This step helps the malware avoid being analyzed by researchers. 

The payload decoded by the PowerShell script contains eleven specialized functions that collect sensitive information from the system. These functions allow the malware to upload stolen data, extract browser content, access cryptocurrency wallets, and establish persistence using scheduled tasks. 

Major web browsers such as Microsoft Edge, Firefox, Chrome, and Naver Whale are targeted. The malware extracts saved passwords, cookies, and browsing history from these browsers. 

In particular, it scans for over 30 popular cryptocurrency wallet browser extensions, including MetaMask, Trust Wallet, and Tron. For each wallet found, the malware retrieves key database files that may contain private keys or transaction records. 

Once all the data is collected, the malware compresses it into a ZIP file, renames the file to "init.dat" to make it look harmless, and sends it to a remote server located at "http://srvdown[.]ddns[.]net/service3/". This server can also send additional commands to the infected machine, giving attackers continuous remote access.

This advanced attack highlights Kimsuky's growing investment in malware development and underscores the rising threat to individuals and organizations holding cryptocurrency or sensitive information. Security teams are advised to adopt modern threat detection tooling and to train users to recognize sophisticated phishing attempts, which remain the entry point for these elaborate attacks.
