Hackers Exploit PDF and LNK Files to Infiltrate Windows Systems

In August 2025, security researchers identified a targeted attack against South Korean academic and government institutions. The lure was an archive containing a legitimate-looking PDF newsletter titled 국가정보연구회 소식지 (52호) (roughly, "National Intelligence Research Society Newsletter, No. 52") alongside a malicious Windows shortcut (LNK) file. The pairing is meant to borrow the credibility of the real document while the shortcut does the work, and to slip past controls that look for attachments with executable extensions.

Attack Methodology

The attack begins when the user opens the archive and double-clicks the LNK file, which is presented so that it passes for the newsletter. Rather than opening a document, the shortcut launches PowerShell with a multi-stage script stored in the shortcut itself. That script carves additional payloads out of the LNK file's own bytes, stages them, and runs the final stage in memory, which sidesteps antivirus products that only inspect files written to disk.

Technical Breakdown

Once PowerShell is running, the script opens the LNK file it was launched from and reads three embedded binary payloads at fixed offsets:

– A decoy PDF at offset 0x0000102C

– A loader binary at 0x0007EDC1

– A final executable at 0x0015AED2

The PowerShell script copies those byte ranges into the user's temporary directory as `aio0.dat`, `aio1.dat`, and `aio1+3.b+la+t`, then starts a batch script (`aio03.bat`) that decodes and launches the loader. This stage is not entirely fileless: the staged files do land on disk, although as opaque `.dat` blobs rather than recognisable executables. What never touches disk is the decrypted final payload, which the loader decodes and executes in memory, so a scanner that only examines files sees an encoded blob rather than the actual malware.

Advanced Evasion Techniques

Further analysis showed that the final payload is stored encrypted with a single-byte XOR key (`0x35`). The loader decodes it, allocates a buffer with `GlobalAlloc`, copies the decoded code into it, marks the buffer executable with `VirtualProtect`, and starts it on a new thread with `CreateThread`, a reflective in-process loading technique. Because the decoded code only ever exists in the loader's memory, disk forensics recovers little beyond the encrypted blob and the staging files. The malware also checks for virtualized environments and sandbox indicators and refuses to run in analysis settings, which points to a practised operator.
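The carving step from the Technical Breakdown and the single-byte XOR decoding described above can be reproduced for triage. The following Python is an added example written for this page; it is not code from the article, the researchers, or the attackers. The offsets and the `0x35` key are the values the article reports, kept as constants; the shortcut bytes the script analyses are constructed inside `build_sample()` with its own shorter offsets, since the real sample is not available here. Instead of assuming the key, `recover_single_byte_xor_key()` derives it from the PE structure of the final stage, which generalises to any single-byte key.

```python
"""Carve payloads embedded in a malicious LNK at known offsets and decode the XOR'd final stage.

Added analysis helper, not code from the article or the threat actor. ARTICLE_OFFSETS and
ARTICLE_XOR_KEY are the reported values; the bytes produced by build_sample() are constructed
stand-ins so the script runs offline.
"""
from __future__ import annotations
import struct

# Offsets and key reported in the article for the real shortcut.
ARTICLE_OFFSETS = {"decoy_pdf": 0x0000102C, "loader": 0x0007EDC1, "final": 0x0015AED2}
ARTICLE_XOR_KEY = 0x35

# Shell Link header: HeaderSize 0x0000004C followed by LinkCLSID 00021401-0000-0000-C000-000000000046.
LNK_HEADER_PREFIX = bytes.fromhex("4c000000" "0114020000000000c000000000000046")


def is_lnk(data: bytes) -> bool:
    return data.startswith(LNK_HEADER_PREFIX)


def carve(data: bytes, offsets: dict[str, int]) -> dict[str, bytes]:
    """Return each region from its offset up to the next offset; the last region runs to EOF."""
    ordered = sorted(offsets.items(), key=lambda kv: kv[1])
    regions = {}
    for i, (name, start) in enumerate(ordered):
        if start >= len(data):
            raise ValueError(f"offset {start:#x} for {name} is past end of file")
        end = ordered[i + 1][1] if i + 1 < len(ordered) else len(data)
        regions[name] = data[start:end]
    return regions


def xor_decode(buf: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in buf)


def looks_like_pe(buf: bytes) -> bool:
    """'MZ' at offset 0 and 'PE\\0\\0' at the e_lfanew offset stored at 0x3C."""
    if len(buf) < 0x40 or buf[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    return buf[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def recover_single_byte_xor_key(buf: bytes) -> int | None:
    """A single-byte XOR cannot hide PE structure: only one key maps byte 0 to 'M', and that
    key must also produce 'Z' at byte 1 and 'PE\\0\\0' at e_lfanew, or it is rejected."""
    if len(buf) < 0x40:
        return None
    key = buf[0] ^ 0x4D
    return key if looks_like_pe(xor_decode(buf, key)) else None


def analyze(data: bytes, offsets: dict[str, int]) -> dict:
    """Carve the three regions and report what each one looks like after decoding."""
    regions = carve(data, offsets)
    key = recover_single_byte_xor_key(regions["final"])
    return {
        "is_lnk": is_lnk(data),
        "decoy_is_pdf": regions["decoy_pdf"].startswith(b"%PDF-"),
        "loader_is_pe": looks_like_pe(regions["loader"]),
        "final_xor_key": key,
        "final_is_pe": key is not None and looks_like_pe(xor_decode(regions["final"], key)),
    }


def _fake_pe(tag: bytes) -> bytes:
    """Minimal MZ/PE skeleton used as constructed test data (not a runnable executable)."""
    return b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40) + b"PE\x00\x00" + tag


def build_sample() -> tuple[bytes, dict[str, int]]:
    """Constructed stand-in for the archive's LNK: a header stub followed by the three blobs."""
    header = LNK_HEADER_PREFIX + b"\x00" * 0x100
    pdf = b"%PDF-1.4\n% constructed decoy newsletter\n%%EOF\n"
    loader = _fake_pe(b"LOADER")
    final = xor_decode(_fake_pe(b"FINAL"), ARTICLE_XOR_KEY)
    offsets = {
        "decoy_pdf": len(header),
        "loader": len(header) + len(pdf),
        "final": len(header) + len(pdf) + len(loader),
    }
    return header + pdf + loader + final, offsets


if __name__ == "__main__":
    sample, sample_offsets = build_sample()
    print(analyze(sample, sample_offsets))
```

To run it against a real shortcut, read the file and pass `ARTICLE_OFFSETS` (or offsets found with a hex editor) to `analyze()`; the key recovery only works because the final stage is a PE, so a non-PE final stage would need a different known-plaintext anchor.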

Infection Chain

The infection process is as follows:

1. User Interaction: The user double-clicks the LNK file; Explorer launches the shortcut's target, PowerShell, with the embedded script as its argument.

2. Payload Extraction: The script reads the LNK file's own bytes, carves out the decoy PDF and opens it for the user, maintaining the illusion of legitimacy.

3. Payload Execution: In the background, the script stages the real payloads in the temporary directory and starts the batch loader, which decrypts the final stage and injects it into memory.

By executing the final stage in memory, the attackers bypass endpoint protection that only scans files on disk. This layered chain, combining a decoy document, payloads embedded in the shortcut, and in-memory execution, is typical of the tradecraft seen in state-sponsored espionage campaigns.

Implications and Recommendations

This attack shows how much a campaign can accomplish with a shortcut file and built-in Windows tooling, and why file scanning alone is not enough. Organizations should deploy EDR that detects in-memory execution and correlates process chains: explorer.exe spawning powershell.exe with a hidden window or execution-policy bypass is the first signal here, followed by `.dat` and `.bat` drops in the user's temporary directory and a cmd.exe child. Enabling PowerShell script block logging (Event ID 4104) and AMSI exposes the de-obfuscated stager even when it runs from a shortcut. At the perimeter, `.lnk` files inside archives arriving by email have almost no legitimate use and can be quarantined outright, and showing file extensions by default makes a shortcut posing as a PDF easier to spot. Regular security awareness training remains worthwhile so that staff treat a shortcut claiming to be a document as a red flag.
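The infection chain and the monitoring recommended above can be turned into a correlation rule. The Python below is an added example written for this page, not detection content from the article or any vendor. It processes constructed records in a Sysmon-like shape (EventID 1 for process creation, EventID 11 for file creation; the field names follow Sysmon, but hosts, users, GUIDs and timestamps are made up) and raises an alert only when at least two links of the chain line up for the same PowerShell process, which keeps an administrator launching a script from a shortcut from tripping it. The staged file names are the ones the article reports.

```python
"""Correlate endpoint telemetry into the LNK -> PowerShell -> %TEMP% staging -> batch loader chain.

Added detection example; not code from the article. EVENTS is constructed sample telemetry in a
Sysmon-like shape (EventID 1 = process create, EventID 11 = file create).
"""
from __future__ import annotations
from collections import defaultdict
from datetime import datetime, timedelta

TEMP_DIR = "\\appdata\\local\\temp\\"
SUSPICIOUS_PS_FLAGS = ("-w hidden", "-windowstyle hidden", "-ep bypass",
                       "-executionpolicy bypass", "-enc", "-nop")
STAGED_EXTENSIONS = (".dat", ".bat")
WINDOW = timedelta(seconds=120)  # staging happens within seconds of the double-click

PS_EXE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EVENTS = [  # constructed sample telemetry
    {"EventID": 1, "Host": "lab-01", "UtcTime": "2025-08-12 09:14:02", "ProcessGuid": "{A1}",
     "ParentProcessGuid": "{EXP1}", "Image": PS_EXE, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe -w hidden -ep bypass -c <stager carving payloads from the .lnk>"},
    {"EventID": 11, "Host": "lab-01", "UtcTime": "2025-08-12 09:14:03", "ProcessGuid": "{A1}",
     "Image": PS_EXE, "TargetFilename": r"C:\Users\kim\AppData\Local\Temp\aio0.dat"},
    {"EventID": 11, "Host": "lab-01", "UtcTime": "2025-08-12 09:14:03", "ProcessGuid": "{A1}",
     "Image": PS_EXE, "TargetFilename": r"C:\Users\kim\AppData\Local\Temp\aio1.dat"},
    {"EventID": 11, "Host": "lab-01", "UtcTime": "2025-08-12 09:14:04", "ProcessGuid": "{A1}",
     "Image": PS_EXE, "TargetFilename": r"C:\Users\kim\AppData\Local\Temp\aio03.bat"},
    {"EventID": 1, "Host": "lab-01", "UtcTime": "2025-08-12 09:14:05", "ProcessGuid": "{A2}",
     "ParentProcessGuid": "{A1}", "Image": r"C:\Windows\System32\cmd.exe", "ParentImage": PS_EXE,
     "CommandLine": r'cmd.exe /c "C:\Users\kim\AppData\Local\Temp\aio03.bat"'},
    # Benign: an admin running a script from a shortcut, no hidden window, nothing staged in Temp.
    {"EventID": 1, "Host": "lab-02", "UtcTime": "2025-08-12 09:20:00", "ProcessGuid": "{B1}",
     "ParentProcessGuid": "{EXP2}", "Image": PS_EXE, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"powershell.exe -NoExit -File C:\Scripts\inventory.ps1"},
]


def _ts(e: dict) -> datetime:
    return datetime.strptime(e["UtcTime"], "%Y-%m-%d %H:%M:%S")


def detect_lnk_staging(events: list[dict]) -> list[dict]:
    """Return one alert per explorer.exe-spawned PowerShell process showing at least two of:
    suspicious flags, .dat/.bat drops into Temp within WINDOW, a cmd.exe child running a .bat."""
    by_host: dict[str, list[dict]] = defaultdict(list)
    for e in events:
        by_host[e["Host"]].append(e)

    alerts = []
    for host, evs in by_host.items():
        roots = [e for e in evs if e["EventID"] == 1
                 and e["Image"].lower().endswith("powershell.exe")
                 and e.get("ParentImage", "").lower().endswith("explorer.exe")]
        for root in roots:
            t0, guid = _ts(root), root["ProcessGuid"]
            indicators = []
            cmd = root["CommandLine"].lower()
            if any(flag in cmd for flag in SUSPICIOUS_PS_FLAGS):
                indicators.append("powershell launched from explorer.exe with hidden/bypass flags")
            staged = [e["TargetFilename"] for e in evs
                      if e["EventID"] == 11 and e["ProcessGuid"] == guid
                      and t0 <= _ts(e) <= t0 + WINDOW
                      and TEMP_DIR in e["TargetFilename"].lower()
                      and e["TargetFilename"].lower().endswith(STAGED_EXTENSIONS)]
            if staged:
                indicators.append(f"{len(staged)} .dat/.bat file(s) written to Temp")
            bat_children = [e for e in evs
                            if e["EventID"] == 1 and e.get("ParentProcessGuid") == guid
                            and e["Image"].lower().endswith("cmd.exe")
                            and ".bat" in e["CommandLine"].lower()]
            if bat_children:
                indicators.append("cmd.exe child executing a .bat")
            if len(indicators) >= 2:
                alerts.append({"host": host, "process_guid": guid,
                               "indicators": indicators, "staged_files": staged})
    return alerts


if __name__ == "__main__":
    for alert in detect_lnk_staging(EVENTS):
        print(alert)
```

The two-of-three threshold is the design choice worth keeping when porting this to a SIEM: any single link (a hidden PowerShell window, a `.bat` in Temp, a cmd.exe child) is noisy on its own, but the combination tied to one process GUID inside a two-minute window is specific to this kind of LNK stager.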