Spear-phishing emails containing a password-protected .7z archive to bypass automated email security scanners. Malware Type: Infostealer / Backdoor. Infection Chain
: Do not open the archive. Submit the sample to a secure sandbox environment for further detonation and analysis.
This archive typically serves as a delivery mechanism for malware designed to steal sensitive information from targeted individuals, particularly those involved in North Korean affairs, human rights, or diplomatic policy. Kimsuky (APT43). Tails and Pines.7z
: Often utilize legitimate-looking but compromised domains or dynamic DNS services.
: Immediately disconnect the affected machine from the network. Spear-phishing emails containing a password-protected
: Look for unusual entries in HKCU\Software\Microsoft\Windows\CurrentVersion\Run designed to maintain persistence. Recommended Actions
: Inside the archive is usually a malicious executable or a shortcut file ( .lnk ) disguised as a PDF or Word document. Submit the sample to a secure sandbox environment
: Once opened, the malware executes a script (often PowerShell or VBScript) that establishes persistence on the host.