Cybersecurity researchers have discovered that threat actors tied to North Korea, specifically the group known as Kimsuky, are leveraging two new malware strains named KLogEXE and FPSpy.
Kimsuky, also referred to as APT43, ARCHIPELAGO, Black Banshee, Emerald Sleet, Sparkling Pisces, Springtail, and Velvet Chollima, has been active since at least 2012. This group is notorious for its highly effective spear-phishing campaigns, which trick victims into downloading malware through emails that appear to come from trusted sources.
According to Palo Alto Networks' Unit 42, Kimsuky has enhanced its arsenal with the introduction of KLogEXE and FPSpy, further demonstrating the group’s evolving capabilities.
"These samples enhance Sparkling Pisces' already extensive arsenal and demonstrate the group's continuous evolution and increasing capabilities," said Palo Alto Networks Unit 42 researchers Daniel Frank and Lior Rochberger.
Delivery via Spear-Phishing Attacks
Assaf Dahan, Director of Threat Research at Palo Alto Networks' Unit 42, told The Hacker News that the two malware strains are delivered primarily through spear-phishing attacks. In these campaigns, targets receive carefully crafted emails designed to lure them into downloading a malicious ZIP file. Once extracted and executed, these files initiate the infection chain, ultimately delivering KLogEXE and FPSpy onto the victim's system.
"The targets are often encouraged to extract malicious files, which upon execution invoke the infection chain – eventually delivering these malware strains," Dahan explained.
KLogEXE and FPSpy Capabilities
KLogEXE is a C++ version of the PowerShell-based keylogger InfoKey, which was previously linked to a Kimsuky campaign targeting Japanese organizations. The malware collects and exfiltrates keystrokes, mouse clicks, and information about currently running applications on the compromised workstation.
FPSpy, on the other hand, is a variant of a backdoor previously exposed by AhnLab in 2022. It bears similarities to malware documented by Cybereason in 2020 under the name KGH_SPY. In addition to keylogging, FPSpy can collect system information, download and execute additional payloads, run arbitrary commands, and enumerate files and directories on the infected device.
Unit 42’s analysis revealed striking similarities in the source code of both KLogEXE and FPSpy, suggesting that they were likely authored by the same individual or group.
Targeting Japan and South Korea
While Kimsuky has previously conducted cyberattacks across multiple regions and industries, Unit 42 noted that the primary targets in this campaign appear to be organizations in Japan and South Korea.
"Due to the nature of these campaigns, which is considered to be targeted and handpicked, we assess that it is not likely vastly widespread, but rather contained to a few select countries (mainly Japan and South Korea) and a handful of industries," Dahan stated.
© 2016 - 2025 Red Secure Tech Ltd. Registered in England and Wales under Company Number: 15581067