Malicious LNKs distributing Python-based backdoors and changes in distribution methods (Kimsuky Group)
TLP: WHITE | Author: PetrP.73 | Created: 2026-04-04 | Modified: 2026-05-04
The Kimsuky Group has recently changed how it distributes its malicious LNK files, which are built to launch a Python-based backdoor or downloader. The overall attack flow is unchanged, but the intermediate execution stage has been restructured. In the new chain, a PowerShell script launched by the LNK file downloads a BAT file, and that BAT file in turn downloads a ZIP archive containing the Python script, a Python interpreter, and a Task Scheduler XML task definition.
MITRE ATT&CK & Malware Families
Malware families: Kimsuky
Indicators of Compromise (17)