The STR Team was presented with the following questions:
- What are the most recent toolchain improvements that you see **Kimsuky** developing and deploying?
- What are the most recent toolchain improvements that you see **Lazarus** developing and deploying?
- Overall, what weaknesses are APT attackers trying to overcome in their toolsets with their latest developments?
- Will these updates make it more likely that the attackers can bypass reasonable antivirus defenses? What should defenders make sure they are doing to protect against these variants and future variants of these tools?
Our response to these questions was cited by Dark Reading here:
https://www.darkreading.com/vulnerabilities-threats/kimsuky-httptroy-backdoor-south-korea-users
However, I wanted to share our full commentary, since many of the details in our answers were left out but are very relevant to the threat landscape as a whole.
Let's start with how to approach the defensive side before digging into the offensive tooling. Organizations get so caught up in 'purchasing a solution' that will solve all their problems, when the actual problem is the same one all of us have right now with our perception of the advent of AI: AI is a force multiplier, not a replacement. Understanding attack chains and the 'how and where' infections start is critical when setting up your defense in depth strategy. Over-reliance on EDRs is another critical issue I have observed over the years; it amounts to denying the need for defense in depth on endpoints. That means the decision makers who are purchasing 'silver bullet' tools are not considering, or are not even aware of, the capabilities of Nation State backed adversaries. Yes, EDRs will block the vast majority of commodity malware and less skilled adversaries, but if you are the target of teams that are trained, focused, and well funded, you had better believe they will employ one of the largest categories of the MITRE framework - Defense Evasion.
Here are some stats on Defense Evasion:
Defense Evasion is one of the largest and most commonly used tactics by adversaries. Based on the official MITRE page, Defense Evasion contains 46 main techniques (many with multiple sub-techniques), making it the largest single tactic in the Enterprise matrix - approximately 21% of all Enterprise techniques. This is significant because four of the top six most widely used ATT&CK techniques in 2020 were categorized under Defense Evasion, and this tactic continues to prevail as adversaries increasingly focus on evading detection. Of the Enterprise techniques, approximately 52% (106 techniques) are considered "network-addressable", meaning they can be detected via the network, while the remaining 48% are primarily endpoint-based.
- ~48% are endpoint-based, requiring host telemetry (EDR, Sysmon, process monitoring, file system monitoring)
- ~52% are network-addressable, detectable via network traffic analysis (NDR, network logs, flow data)
So then, what do organizations do about this? It's up to the CISOs to understand this first and not get complacent or bogged down in compliance hell. Then those CISOs need to educate their Board on just how dangerous Nation State Adversaries are. Then we go back to my statement that AI is a force multiplier and not a replacement. I'm talking about actual skilled Analysts and Threat Hunters - not MSSP teams that are bound by SLAs which allow them to go only an inch deep in a hunt. I'm talking about in-house Hunting teams that are equipped with AI agents and solid endpoint telemetry, able to track Nation State Adversaries from the beginning to the end of the kill chain - from Initial Access to Impact. It's embarrassing when a CISO asks the security team, "What happened?" and the understaffed, overworked, ticket-driven security team answers with, "Our EDR didn't see anything and our MSSP didn't email us, so we don't know what happened to that user's laptop...". This is where I always push organizations to deploy Sysmon, Sysmon for Linux, and PowerShell logging (with script block logging enabled) EVERYWHERE to give hunting teams the best possible chance at defending against the hyper advanced adversaries we see today. For reference, even I have built Cobalt Strike payloads that can bypass CrowdStrike, and I'm not even a professional red teamer. I understand that the source of truth is on the endpoint, and network telemetry confirms / supports the hypothesis made during hunting. To help myself and others, I co-maintain a pair of GitHub repos with solid malware hunting Sysmon configs and have written a blog on this subject as well:
https://www.securonix.com/blog/improving-blue-team-threat-detection-with-enhanced-siem-telemetry/
https://github.com/bobby-tablez/FT-Sysmon-Config
https://github.com/msffluffybunnies/FT-Linux-Sysmon-Config
Our DEEP#DRIVE report (February 2025) highlighted an ongoing campaign attributed to Kimsuky targeting South Korean business and government sectors: a sophisticated multi-stage operation leveraging tailored phishing lures written in Korean.
The attack chain began with .lnk files disguised as legitimate documents, which created scheduled tasks named ChromeUpdateTaskMachine to ensure periodic execution of malicious scripts. Scripts like system_first.ps1 gathered detailed system information, including IP address, OS details, antivirus products and running processes, and exfiltrated the data to Dropbox. These TTPs aligned closely with Kimsuky's known use of Dropbox-based methods in prior campaigns.
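As an added example (not code from the Securonix report or the DEEP#DRIVE write-up), here is the kind of hunting logic a Threat Hunter with the Sysmon and PowerShell script block telemetry recommended above could run over that chain: flag a ChromeUpdateTaskMachine-style scheduled task creation, and flag a script block that pairs system recon with a Dropbox upload. The event field names, the regexes and every sample record are constructed assumptions, not captured telemetry.

```python
import re

# Constructed sample telemetry (not real logs): Sysmon Event ID 1 (process creation) and
# PowerShell Event ID 4104 (script block) records, flattened to dicts as a SIEM would store them.
SAMPLE_EVENTS = [
    {"event_id": 1, "image": r"C:\Windows\System32\schtasks.exe", "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": '/create /sc minute /mo 30 /tn ChromeUpdateTaskMachine '
                     '/tr "powershell -w hidden -f C:\\Users\\Public\\system_first.ps1"'},
    {"event_id": 4104, "script_block": "Get-NetIPAddress; Get-CimInstance Win32_OperatingSystem; "
     "Get-CimInstance -Namespace root/SecurityCenter2 AntiVirusProduct; Get-Process; "
     "Invoke-RestMethod -Uri https://content.dropboxapi.com/2/files/upload"},
    {"event_id": 1, "image": r"C:\Windows\System32\schtasks.exe", "parent_image": r"C:\Windows\System32\svchost.exe",
     "command_line": '/create /sc daily /tn Backup\\NightlyReport /tr "C:\\Program Files\\Reports\\run.exe"'},
    {"event_id": 4104, "script_block": "Get-ChildItem C:\\Logs -Filter *.log | Remove-Item"},
]

# Recon the report describes system_first.ps1 collecting: IP address, OS, AV products, processes.
RECON_PATTERNS = [r"Get-NetIPAddress|ipconfig", r"Win32_OperatingSystem|systeminfo",
                  r"AntiVirusProduct", r"Get-Process|tasklist"]
CLOUD_EXFIL_HOSTS = re.compile(r"dropboxapi\.com|dropbox\.com", re.I)
USER_WRITABLE = re.compile(r"\\Users\\|\\ProgramData\\|\\Temp\\|\\AppData\\", re.I)
TASK_NAME = re.compile(r'/tn\s+"?([^\s"]+)', re.I)


def suspicious_task(event):
    """schtasks /create running an interpreter from a user-writable path, or a Chrome-updater-style name with a non-Google parent."""
    cmd = event.get("command_line", "")
    if not event.get("image", "").lower().endswith("schtasks.exe") or "/create" not in cmd.lower():
        return None
    m = TASK_NAME.search(cmd)
    name = m.group(1) if m else ""
    reasons = []
    if USER_WRITABLE.search(cmd) and re.search(r"powershell|wscript|mshta|cmd", cmd, re.I):
        reasons.append("interpreter launched from user-writable path")
    if re.search(r"chrome|google", name, re.I) and "google" not in event.get("parent_image", "").lower():
        reasons.append("Chrome-updater-style task name without a Google parent process")
    return {"rule": "suspicious_scheduled_task", "task": name, "reasons": reasons} if reasons else None


def recon_with_cloud_exfil(event):
    """Script block that pairs two or more recon fragments with a Dropbox API call."""
    block = event.get("script_block", "")
    hits = [p for p in RECON_PATTERNS if re.search(p, block, re.I)]
    if len(hits) >= 2 and CLOUD_EXFIL_HOSTS.search(block):
        return {"rule": "recon_then_cloud_exfil", "recon_hits": len(hits)}
    return None


def hunt(events):
    """Run both rules over every event; return findings tagged with the event's index."""
    return [{"index": i, **f} for i, ev in enumerate(events)
            for rule in (suspicious_task, recon_with_cloud_exfil) if (f := rule(ev))]
```

Running `hunt(SAMPLE_EVENTS)` flags the first two records and leaves the benign task and cleanup script alone; in a real hunt the user-writable path list and the Chrome parent check would be tuned against your own fleet's baseline.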
From my perspective, the new tooling from both groups is an evolution of the Defense Evasion I have observed consistently from threat actors in general. Not pentesters or red teams, to be clear; those two groups don't need to, or don't have the time to, develop and use this level of sophistication in their toolkits. Both Kimsuky and Lazarus tooling rely heavily on legitimate services/processes (regsvr32, scheduled tasks, service enumeration), multi-stage infection chains with each stage encrypted differently, memory-resident execution to avoid disk-based detection, dynamic API resolution to evade signature-based detection, file attribute mimicking (win32k.sys, cmd.exe) to appear legitimate, and encrypted C2 over standard protocols (HTTP/HTTPS) that blends with normal traffic. These techniques allow for the utmost sophistication in Defense Evasion and demand the most skilled Threat Hunters to detect them. Our most recent blog, CHAMELEON#NET, highlights a technique where reversed XOR bytes at even indices are used to build an embedded payload. This is not specific to Kimsuky or Lazarus, but advanced techniques to evade defenses are becoming more commonplace in malware today - and even expected. Geo-political agendas aside, adversaries are always going to be searching for new ways to blend in and adapt to the defensive tooling employed by their targets. The most nefarious I've seen to date has been defense evasion in the actual hiring process of a company. Dozens of Fortune 100 organizations have unknowingly hired IT workers from North Korea, according to Mandiant Consulting CTO Charles Carmakal in September 2024. CrowdStrike likewise reported that North Korean IT workers (tracked as Famous Chollima) were behind 304 incidents in 2024, with activity ramping up during the latter half of the year.
And Microsoft reported that on January 3, 2025, the Justice Department released an indictment identifying two North Korean nationals and three facilitators responsible for conducting fraudulent work between 2018 and 2024, generating revenue of at least $866,255 from just ten of the at least 64 infiltrated US companies.
My final thoughts on the big picture here: focusing on Initial Access and Defense Evasion is key. Hiring good Threat Hunters and force-multiplying their effectiveness with AI and solid endpoint telemetry beyond EDRs is critical. Layer your defenses without relying on a single 'turn-key' solution to save the day. Stop bogging down your security teams with ticket tracking to 'show their value'. Let them hunt and they will do what they do best... keep you safe.
