: The PowerShell scripts used in Ghost Clients.zip shared significant code blocks with previously documented Kimsuky malware like AppleSeed and Alphabat .
: Searching for and uploading documents with specific extensions (e.g., .hwp—a common Korean word processor format, .doc, .pdf). Ghost Clients.zip
It serves as a reminder of the persistent threat posed to the Korean Peninsula's digital infrastructure and the continued refinement of social engineering techniques used by APT (Advanced Persistent Threat) groups. : The PowerShell scripts used in Ghost Clients
The operation is named after the specific archive file, Ghost Clients.zip , which served as a central delivery vehicle for a sophisticated multi-stage malware infection chain. 1. Delivery and Initial Access The operation is named after the specific archive
: Inside the ZIP file were LNK (Windows Shortcut) files disguised as harmless documents (e.g., "Meeting_Minutes.pdf.lnk"). 2. The Infection Chain
: Extracting saved passwords and cookies from Chrome, Edge, and Whale (a popular Korean browser). 4. Attribution: The Kimsuky Connection