Kimsuky, a North Korean advanced persistent threat (APT) group, has been using custom malware called RandomQuery as part of its reconnaissance and information-exfiltration operations.
The group’s ongoing targeted campaign, primarily geared towards information services and organizations supporting human rights activists and North Korean defectors, uses phishing emails that purport to be from a prominent Seoul-based online publication to entice targets into opening a Microsoft Compiled HTML Help (CHM) file.
The malware, RandomQuery among it, enables Kimsuky to harvest system metadata, running processes, installed applications, and files from various folders, all of which are transmitted back to the command-and-control (C2) server.
Kimsuky has also been linked to attacks that weaponize vulnerable Windows Internet Information Services (IIS) servers to drop the Metasploit Meterpreter post-exploitation framework and deploy a Go-based proxy malware.
The group has exhibited targeting patterns that align with North Korea’s operational mandates and priorities since 2012.