2. The Infection Chain

The attack typically began with emails directed at high-value targets in South Korea, including government officials, academics, and defense contractors.

Ghost Clients.zip: Inside the ZIP file were LNK (Windows Shortcut) files disguised as harmless documents (e.g., "Meeting_Minutes.pdf.lnk").

Once a user executed the LNK file, a complex, scripted infection process was triggered to bypass security software:

Extracting saved passwords and cookies from Chrome, Edge, and Whale (a popular Korean browser).

4. Attribution: The Kimsuky Connection

Security researchers attributed this campaign to Kimsuky based on several "fingerprints" found in the code: