The North Korean threat actor Kimsuky has launched a new campaign that distributes a fresh variant of Android malware known as DocSwap. The attackers deliver the malware through QR codes embedded on phishing sites that impersonate Seoul-based logistics firm CJ Logistics (formerly CJ Korea Express).
“The threat actor leveraged QR codes and notification pop-ups to lure victims into installing and executing the malware on their mobile devices,” ENKI said. “The malicious app decrypts an embedded encrypted APK and launches a malicious service that provides RAT capabilities.”
Social Engineering Tactics to Bypass Android Protections
To overcome Android’s built-in safeguards, the attackers rely heavily on deception. “Since Android blocks apps from unknown sources and displays security warnings by default, the threat actor claims the app is a safe, official release to trick victims into ignoring the warning and installing the malware.”
Meanwhile, ENKI observed that several malicious artifacts masquerade as legitimate package delivery service applications. Based on this activity, researchers assess that the threat actors actively use smishing messages or phishing emails that impersonate delivery companies to push recipients toward booby-trapped URLs hosting the malicious apps.
Notably, the campaign introduces a QR code–based redirection mechanism designed to bridge desktop and mobile devices. When users access the phishing URLs from a desktop browser, the page prompts them to scan a displayed QR code using their Android device. The attackers then direct victims to install what appears to be a shipment tracking application and check delivery status.
The QR code redirects users to a “tracking.php” script that executes server-side logic to inspect the browser’s User-Agent string. Afterward, the page displays a message instructing users to install a so-called security module, which it presents as an identity verification requirement tied to fabricated “international customs security policies.”
Malware Installation and Permission Abuse
If the victim proceeds, an APK file named “SecDelivery.apk” is downloaded from the IP address “27.102.137[.]181.” Once installed, the APK decrypts and loads a second encrypted APK embedded within its resources, thereby launching the latest version of DocSwap. Before execution, however, the app verifies that it has obtained permissions to read and manage external storage, access the internet, and install additional packages.
“Once it confirms all permissions, it immediately registers the MainService of the newly loaded APK as ‘com.delivery.security.MainService,’” ENKI said. “Simultaneously with service registration, the base application launches AuthActivity. This activity masquerades as an OTP authentication screen and verifies the user’s identity using a delivery number.”
The application hard-codes the shipment number “742938128549” directly into the APK, and attackers likely deliver it alongside the malicious URL during the initial lure stage. After the user enters the delivery number, the app generates a random six-digit verification code and displays it as a notification. The interface then prompts the user to re-enter the generated code.
Once the user submits the code, the app opens a WebView that loads the legitimate CJ Logistics tracking page at “www.cjlogistics[.]com/ko/tool/parcel/tracking.” At the same time, the trojan silently connects to an attacker-controlled server at “27.102.137[.]181:50005” and retrieves up to 57 commands. These commands enable extensive surveillance, including keystroke logging, audio capture, camera control, file operations, command execution, file transfers, and the collection of location data, SMS messages, contacts, call logs, and installed application lists.
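The dropper pattern described above (an app that requests storage, internet and package-install permissions and then decrypts a second APK hidden in its resources) can be triaged statically. The following is an added example and not ENKI's tooling or anything from the campaign: it checks a decoded manifest for that permission combination and flags assets whose byte entropy is too high to be an ordinary resource and which lack the ZIP magic a plaintext APK would carry. The manifests, package names and the in-memory sample APK are all constructed for the demo; a real APK stores its manifest as binary XML, so decode it first with aapt or androguard before calling `triage`.

```python
import io
import math
import random
import re
import zipfile
from collections import Counter

# The permission set the article says the dropper checks before it runs.
RISKY_PERMISSIONS = {
    "android.permission.INTERNET",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.MANAGE_EXTERNAL_STORAGE",
    "android.permission.REQUEST_INSTALL_PACKAGES",
}

# Constructed manifests, already decoded to text (a real APK carries binary
# XML; decode it with aapt/androguard first). Package names are hypothetical.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.dropper">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.MANAGE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
</manifest>"""

BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.tracker">
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""


def build_sample_apk() -> bytes:
    """Constructed stand-in for an APK: a ZIP holding the manifest, one
    high-entropy blob (stands in for an encrypted second-stage APK) and
    one ordinary text asset."""
    rng = random.Random(1)
    blob = bytes(rng.getrandbits(8) for _ in range(4096))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", SAMPLE_MANIFEST)
        z.writestr("assets/payload.bin", blob)
        z.writestr("res/raw/help.txt", b"shipment tracking help text\n" * 20)
    return buf.getvalue()


def collect_assets(apk_bytes: bytes) -> dict:
    """Return {entry name: bytes} for everything under assets/ and res/raw/,
    the usual places an embedded payload is stored."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        return {n: z.read(n) for n in z.namelist()
                if n.startswith(("assets/", "res/raw/"))}


def manifest_permissions(manifest_xml: str) -> set:
    """Extract the android:name of every <uses-permission> element."""
    return set(re.findall(r'<uses-permission[^>]*android:name="([^"]+)"', manifest_xml))


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; close to 8.0 for encrypted or compressed data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_like_encrypted_blob(data: bytes, threshold: float = 7.5) -> bool:
    """High entropy with no ZIP magic: a plaintext APK would start with 'PK'."""
    return not data.startswith(b"PK\x03\x04") and shannon_entropy(data) >= threshold


def triage(manifest_xml: str, assets: dict) -> dict:
    """Combine the permission signal and the hidden-payload signal into a verdict."""
    has_risky_set = RISKY_PERMISSIONS <= manifest_permissions(manifest_xml)
    suspicious = sorted(n for n, b in assets.items() if looks_like_encrypted_blob(b))
    score = (2 if has_risky_set else 0) + (2 if suspicious else 0)
    return {
        "risky_permission_set": has_risky_set,
        "suspicious_assets": suspicious,
        "score": score,
        "verdict": "review" if score >= 4 else "low",
    }


if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST, collect_assets(build_sample_apk())))
```

Neither signal is conclusive on its own: many legitimate apps ship compressed media with high entropy, and delivery apps do ask for storage and internet access. It is the combination with REQUEST_INSTALL_PACKAGES and an opaque blob that deserves an analyst's look, which is why the verdict only escalates when both signals fire.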
Additional Trojanized Apps and Infrastructure Overlap
Beyond DocSwap, ENKI identified two additional malicious samples. One disguises itself as a P2B Airdrop application, while the other repackages a legitimate VPN app named BYCOM VPN (“com.bycomsolutions.bycomvpn”). The original VPN app is distributed through the Google Play Store and maintained by Bycom Solutions.
“This indicates that the threat actor injected malicious functionality into the legitimate APK and repackaged it for use in the attack,” the security company added.
Further infrastructure analysis revealed phishing sites that mimic South Korean platforms such as Naver and Kakao. These sites aim to harvest user credentials and overlap in infrastructure with earlier Kimsuky credential theft campaigns targeting Naver users.
“The executed malware launches a RAT service, similarly to past cases but demonstrates evolved capabilities, such as using a new native function to decrypt the internal APK and incorporating diverse decoy behaviors,” ENKI said.
At the same time, researchers have attributed another phishing campaign to Kimsuky that uses tax-themed lures to deliver a Windows remote access trojan named KimJongRAT. The attackers distribute the malware through ZIP attachments that contain Windows shortcut (LNK) files.
The LNK file masquerades as a PDF document and executes an HTML Application payload using “mshta.exe” once opened. The HTA loader displays a decoy PDF while dropping the RAT payload, which then periodically collects and exfiltrates user data.
This data includes system metadata, browser information, details from dozens of cryptocurrency wallet extensions, Telegram and Discord data, and NPKI/GPKI certificates used for online banking in South Korea.
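The delivery chain described for KimJongRAT (a ZIP attachment, a shortcut posing as a PDF, and mshta.exe running an HTA that shows a decoy document while dropping the payload) leaves a recognisable process-creation trail. The following is an added example, not code from the article or from any of the vendors it cites: it parses simple key=value process events, flags mshta.exe launched from explorer.exe (a double-clicked shortcut), mshta.exe reading its payload from a temp or archive-extraction path, and mshta.exe spawning children, and separately detects shortcut file names carrying a document double extension. The event lines and every path in them are constructed for the demo and are not real Sysmon or EDR output; the double-extension check also covers Office extensions beyond the PDF case the article mentions.

```python
import re

# Constructed process-creation events in key=value form (not real Sysmon or
# EDR output). Paths and file names are hypothetical.
SAMPLE_EVENTS = [
    r'ParentImage=C:\Windows\explorer.exe Image=C:\Windows\System32\mshta.exe CommandLine="C:\Windows\System32\mshta.exe C:\Users\u\AppData\Local\Temp\Temp1_tax_notice.zip\loader.hta"',
    r'ParentImage=C:\Windows\System32\mshta.exe Image=C:\Tools\Reader\Reader.exe CommandLine="Reader.exe C:\Users\u\AppData\Local\Temp\tax_notice.pdf"',
    r'ParentImage=C:\Windows\explorer.exe Image=C:\Tools\Browser\browser.exe CommandLine="browser.exe https://example.com/"',
    r'ParentImage=C:\Windows\explorer.exe Image=C:\Windows\System32\notepad.exe CommandLine="notepad.exe C:\Users\u\notes.txt"',
]

# key=value where the value is either a quoted string or a run of non-spaces.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')
# Payload read out of a temp directory or straight from an extracted archive.
TEMP_OR_ARCHIVE_RE = re.compile(r"\\temp\\|\.zip\\", re.IGNORECASE)


def parse_event(line: str) -> dict:
    """Turn one key=value line into a dict, unquoting quoted values."""
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(4)
            for m in KV_RE.finditer(line)}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows (or POSIX) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(ev: dict) -> list:
    """Return the list of rule names that fire for one event (empty if none)."""
    reasons = []
    parent = basename(ev.get("ParentImage", ""))
    image = basename(ev.get("Image", ""))
    cmd = ev.get("CommandLine", "")
    if image == "mshta.exe" and parent == "explorer.exe":
        # A user double-clicked something whose target is mshta.exe (e.g. a shortcut).
        reasons.append("explorer_launches_mshta")
    if image == "mshta.exe" and TEMP_OR_ARCHIVE_RE.search(cmd):
        reasons.append("mshta_payload_in_temp_or_archive")
    if parent == "mshta.exe":
        # An HTA loader opening a decoy document or starting a dropped payload.
        reasons.append("mshta_spawns_child")
    return reasons


def scan(lines) -> list:
    """Return [(line index, reasons)] for every event at least one rule matched."""
    hits = []
    for i, line in enumerate(lines):
        reasons = classify(parse_event(line))
        if reasons:
            hits.append((i, reasons))
    return hits


def masquerading_lnk(filename: str) -> bool:
    """True for a shortcut named like a document, e.g. notice.pdf.lnk."""
    return re.search(r"\.(pdf|docx?|xlsx?|pptx?)\.lnk$", filename, re.IGNORECASE) is not None


if __name__ == "__main__":
    for idx, why in scan(SAMPLE_EVENTS):
        print(idx, why)
    print(masquerading_lnk("tax_notice.pdf.lnk"))
```

In a real deployment the same rules map onto Sysmon Event ID 1 or the equivalent EDR telemetry; `explorer_launches_mshta` on its own is low-fidelity (some installers use HTA front ends), so it is worth correlating with the archive-path rule and with a child process appearing under mshta.exe shortly afterwards.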
Strategic Coordination Between Kimsuky and Lazarus
According to an assessment released by DTEX, Kimsuky operates under North Korea’s Reconnaissance General Bureau (RGB), which also oversees multiple threat clusters involved in cyber espionage and cryptocurrency theft. Analysts commonly refer to this broader collective as the Lazarus Group.
Kimsuky and Lazarus demonstrate a high degree of operational coordination and routinely share infrastructure and intelligence despite their distinct mission profiles. In one incident involving a South Korean blockchain company, Kimsuky reportedly gained initial access through phishing and conducted reconnaissance using tools such as KLogEXE and FPSpy.
Subsequently, Lazarus escalated the attack by exploiting CVE-2024-38193, a now-patched privilege escalation flaw in the Windows Ancillary Function Driver (AFD.sys). The group then deployed additional payloads, including FudModule, InvisibleFerret, and BeaverTail, to extract private keys and transaction data from blockchain wallets. Within 48 hours, the attackers siphoned digital assets worth millions of dollars.
“Although Kimsuky and Lazarus have different tactical focuses, they both possess ‘killer weapons’ capable of breaching top-tier defenses, and their technical characteristics are ‘precise and ruthless,’” Purple Team Security Research said, describing the groups as a coordinated “dual-engine” model for espionage and financial theft.
“The two organizations do not operate in isolation. Kimsuky’s stolen corporate network maps and access information are synchronized in real-time to Lazarus’s attack platform.”
Source: TheHackerNews
Read more at Impreza News