In March 2026, security researchers discovered a malicious LNK file that triggered a multi-stage infection process. After a detailed review, the malware showed strong overlaps in behavior, techniques, and structure with tools previously associated with the Kimsuky campaign.
The malware focuses on gathering system-level information from infected machines and transmitting it to attacker-controlled infrastructure using the Dropbox API. It also supports downloading and executing additional payloads, allowing attackers to expand their control depending on the target.

Initial Infection Vector
The malicious LNK file was uploaded from South Korea to a public malware-sharing platform. When a user opens this shortcut file, it silently executes a hidden command.
This command extracts embedded data from within the LNK file itself, applies XOR decoding, and writes the result into the directory:
C:\PerfLog\
Dropped Components
After extraction, three primary files are created:
- www.ps1 → Main payload (PowerShell script)
- 17.vbs → Script responsible for launching the PowerShell file
- sch_ha.db → Task Scheduler XML configuration for persistence
Additionally, a decoy document is dropped in the same location as the LNK file. This document is created using a format associated with Hancom Office, suggesting targeting of Korean users.
Persistence Mechanism
To maintain access, the malware uses Windows Task Scheduler. It registers a scheduled task using the XML configuration file (sch_ha.db).
Once this task is created, the system automatically executes the malicious script at regular intervals.
After setting up persistence, the malware removes traces by deleting:
- The original LNK file
- Temporary setup artifacts
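As an added illustration of how a defender can triage a Task Scheduler definition such as sch_ha.db (example code written for this note, not code from the report or from the malware): the script parses a task XML file and flags a hidden task whose action hands a script file outside the usual system directories to a script interpreter. The sample task XML, the list of script hosts and the set of "expected" directories are constructed assumptions; the actual contents of sch_ha.db are not reproduced here.

```python
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

# Namespace used by Task Scheduler task definitions (schtasks /Create /XML, Register-ScheduledTask -Xml).
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Heuristics (assumptions for this example): interpreters a task rarely has a reason to launch,
# script extensions worth flagging, and directories where task targets are expected to live.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}
SCRIPT_EXTS = (".ps1", ".vbs", ".js", ".bat", ".cmd")
EXPECTED_DIRS = ("c:\\windows", "c:\\program files", "c:\\program files (x86)")


def task_actions(xml_text):
    """Return (command, arguments) pairs for every <Exec> action in a task definition."""
    root = ET.fromstring(xml_text)
    actions = []
    for exe in root.findall(".//t:Actions/t:Exec", NS):
        cmd = (exe.findtext("t:Command", default="", namespaces=NS) or "").strip().strip('"')
        args = (exe.findtext("t:Arguments", default="", namespaces=NS) or "").strip()
        actions.append((cmd, args))
    return actions


def suspicious_task_reasons(xml_text):
    """Triage one task definition; returns a list of reason strings (empty means nothing flagged)."""
    root = ET.fromstring(xml_text)
    reasons = []
    hidden = root.findtext(".//t:Settings/t:Hidden", default="", namespaces=NS) or ""
    if hidden.strip().lower() == "true":
        reasons.append("task is marked hidden")
    for cmd, args in task_actions(xml_text):
        exe = PureWindowsPath(cmd).name.lower()
        scripts = [t.strip('"') for t in args.split() if t.strip('"').lower().endswith(SCRIPT_EXTS)]
        if exe in SCRIPT_HOSTS and scripts:
            reasons.append(f"script host {exe} launches {scripts[0]}")
        for path in [cmd] + scripts:
            if ":\\" in path and not path.lower().startswith(EXPECTED_DIRS):
                reasons.append(f"path outside expected directories: {path}")
    return reasons


# Constructed sample modelled on the behaviour described above: a hidden task that repeatedly
# runs 17.vbs from C:\PerfLog via wscript.exe (the real sch_ha.db is not reproduced here).
SUSPICIOUS_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <TimeTrigger>
      <Repetition><Interval>PT30M</Interval></Repetition>
      <StartBoundary>2026-03-01T00:00:00</StartBoundary>
      <Enabled>true</Enabled>
    </TimeTrigger>
  </Triggers>
  <Settings><Hidden>true</Hidden></Settings>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Windows\System32\wscript.exe</Command>
      <Arguments>//B C:\PerfLog\17.vbs</Arguments>
    </Exec>
  </Actions>
</Task>"""

# Constructed benign task for comparison: a Windows binary run from its normal location, not hidden.
BENIGN_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author">
    <Exec>
      <Command>C:\Windows\System32\cleanmgr.exe</Command>
      <Arguments>/autoclean</Arguments>
    </Exec>
  </Actions>
</Task>"""

if __name__ == "__main__":
    for name, xml in (("suspicious", SUSPICIOUS_TASK_XML), ("benign", BENIGN_TASK_XML)):
        print(name, suspicious_task_reasons(xml) or ["no findings"])
```

The same parser can be pointed at the XML files under C:\Windows\System32\Tasks on a live host, or at task definitions exported during incident response, to surface tasks that launch interpreters on scripts in user-writable locations.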
Payload Execution (www.ps1)
When the PowerShell script runs, it begins by generating a unique identifier for the infected system. This ID is derived from the device’s MAC address, ensuring each victim can be tracked individually.
System Information Collection
The malware gathers detailed information about the host, including:
- Domain details
- Username
- Operating system version
- Running processes
- Network-related data
To identify the external IP address, it uses the following command:
nslookup myip.opendns.com 208.67.222[.]220
All collected data is written to a temporary file whose path is generated by the system.
Data Exfiltration via Dropbox
The malware uses hardcoded Dropbox API credentials to communicate with attacker-controlled storage.
The process works as follows:
- It checks for a folder named Zzz02_[ClientID]; if the folder does not exist, the malware creates it.
- It uploads the collected system information into this folder using a structured filename.
- After uploading, the malware attempts to download a secondary payload (typically a batch file).
- If successful, the file is executed and then renamed within Dropbox to mark completion.
This workflow suggests that attackers manually review victim data before deploying additional payloads.
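The collection step (including the nslookup external-IP check) and the Dropbox workflow above produce a recognisable sequence of host events, which is what the behaviour monitoring recommended later in this report would key on. The following added example (written for this note, not code from the report) runs four simple rules over constructed process-creation and network-connection records: a script interpreter executing a script from an unusual directory, the nslookup lookup of myip.opendns.com, a scripting host contacting Dropbox API hosts, and a batch file launched from PowerShell; it then checks that these stages occur in the order described. The key=value log format, the sample file paths such as C:\Users\alice\..., the "expected" directories and the Dropbox API hostnames (api.dropboxapi.com and content.dropboxapi.com, assumed here) are assumptions of this example and do not come from the report.

```python
import re
from pathlib import PureWindowsPath

# Heuristics (assumptions for this example, not values taken from the report).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}
SCRIPT_EXTS = (".ps1", ".vbs", ".js", ".bat", ".cmd")
EXPECTED_DIRS = ("c:\\windows", "c:\\program files", "c:\\program files (x86)")
DROPBOX_API_HOSTS = {"api.dropboxapi.com", "content.dropboxapi.com"}  # assumed Dropbox API endpoints
IP_DISCOVERY_MARKERS = ("myip.opendns.com",)  # the external-IP lookup quoted above

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Parse one key=value log line (values may be double-quoted) into a dict."""
    return {k: quoted or bare for k, quoted, bare in KV_RE.findall(line)}


def basename(path):
    return PureWindowsPath(path.strip('"')).name.lower()


def script_paths(cmdline):
    """Tokens of a command line that look like script files."""
    return [t.strip('"') for t in cmdline.split() if t.strip('"').lower().endswith(SCRIPT_EXTS)]


def classify(rec):
    """Return the rule names that a single parsed event matches."""
    hits = []
    event = rec.get("event", "")
    image = basename(rec.get("image", ""))
    parent = basename(rec.get("parent", ""))
    cmdline = rec.get("cmdline", "")
    if event == "process_create":
        if image in SCRIPT_HOSTS and any(
            ":\\" in p and not p.lower().startswith(EXPECTED_DIRS) for p in script_paths(cmdline)
        ):
            hits.append("script_from_unusual_dir")
        if image == "nslookup.exe" and any(m in cmdline.lower() for m in IP_DISCOVERY_MARKERS):
            hits.append("external_ip_discovery")
        if image == "cmd.exe" and parent in SCRIPT_HOSTS and any(
            p.lower().endswith((".bat", ".cmd")) for p in script_paths(cmdline)
        ):
            hits.append("batch_payload_from_script_host")
    elif event == "network_connect":
        if image in SCRIPT_HOSTS and rec.get("dest_host", "").lower() in DROPBOX_API_HOSTS:
            hits.append("dropbox_api_from_script_host")
    return hits


def triage(lines):
    """Map each rule name to the 1-based line numbers that triggered it."""
    findings = {}
    for n, line in enumerate(lines, 1):
        for rule in classify(parse_line(line)):
            findings.setdefault(rule, []).append(n)
    return findings


def staged_chain_detected(findings):
    """True when script execution, Dropbox contact and a batch payload launch all occur, in that order."""
    stages = ("script_from_unusual_dir", "dropbox_api_from_script_host", "batch_payload_from_script_host")
    if not all(s in findings for s in stages):
        return False
    first = [findings[s][0] for s in stages]
    return first[0] < first[1] < first[2]


# Constructed sample events (not real telemetry) following the chain described above; the final two
# lines are a benign updater, included to show that ordinary cloud traffic is not flagged.
SAMPLE_LOG = r'''
event=process_create image="C:\Windows\System32\wscript.exe" parent="C:\Windows\System32\svchost.exe" cmdline="wscript.exe //B C:\PerfLog\17.vbs"
event=process_create image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" parent="C:\Windows\System32\wscript.exe" cmdline="powershell.exe -WindowStyle Hidden -File C:\PerfLog\www.ps1"
event=process_create image="C:\Windows\System32\nslookup.exe" parent="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" cmdline="nslookup myip.opendns.com 208.67.222.220"
event=network_connect image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" dest_host="api.dropboxapi.com" dest_port=443
event=network_connect image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" dest_host="content.dropboxapi.com" dest_port=443
event=process_create image="C:\Windows\System32\cmd.exe" parent="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" cmdline="cmd.exe /c C:\Users\alice\AppData\Local\Temp\stage2.bat"
event=process_create image="C:\Program Files\Example\updater.exe" parent="C:\Windows\System32\svchost.exe" cmdline="updater.exe --check"
event=network_connect image="C:\Program Files\Example\updater.exe" dest_host="updates.example.com" dest_port=443
'''.strip().splitlines()

if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for rule, lines in found.items():
        print(f"{rule}: lines {lines}")
    print("staged chain:", staged_chain_detected(found))
```

No single rule here is conclusive on its own (the Dropbox API and the OpenDNS lookup both have legitimate uses), which is why the ordering check in staged_chain_detected matters: it is the combination of a script running from a user-writable directory, cloud-storage API contact from that script host, and a subsequently launched batch file that reproduces the workflow described in this section.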
Second-Stage Infection Behavior
The design indicates a controlled attack approach rather than full automation.
Attackers likely:
- First verify whether a target is valuable
- Then upload a secondary payload (such as a Remote Access Trojan)
- Trigger execution through the existing infection channel
This staged deployment reduces exposure and helps avoid detection.
Broader Threat Context
Since early 2026, multiple campaigns linked to a North Korean APT group have been observed abusing legitimate cloud services like GitHub and Dropbox.
This approach allows attackers to blend malicious activity with normal traffic, making detection significantly harder for traditional security systems.
Indicators of Compromise (IoCs)
File Hashes
- LNK File: afe9a0298d945105ee69e84bdd7c41f35dad869a44098cb7e65a6a32a01cc617
- sch_ha.db: 29afb88a2bbff600799a42ae033e8b49101998e238a1eb568bbb88bd8242cad5
- www.ps1: 5aca578dd7894ca29c51ce911fbb78ebaf6b522c71a565be8525111e9a8b515f
- 17.vbs: bedc8bd676a84df2e82f15a42ecec2a001a24725ee269334d46bde2983ea5f6b
File Paths
C:\PerfLog\www.ps1
C:\PerfLog\17.vbs
C:\PerfLog\sch_ha.db
CyberP1 Analysis and Opinion
This case highlights a shift toward quieter and more controlled attack strategies. Instead of deploying aggressive malware immediately, the attackers collect intelligence first and then decide how to proceed.
The use of trusted platforms like Dropbox is particularly concerning. Since these services are widely used in enterprise environments, blocking them entirely is not practical. This gives attackers a reliable communication channel that blends into normal traffic.
Another important observation is the use of simple but effective techniques. The malware does not rely on highly complex exploits. Instead, it combines basic scripting, scheduled tasks, and API abuse in a well-organized way. This makes it both flexible and harder to detect through signature-based defenses.
From a defensive standpoint, organizations should focus more on behavior monitoring rather than just file-based detection. Activities like unusual task scheduling, PowerShell execution from uncommon directories, and external API communication should be treated as high-risk signals.
Overall, this campaign reflects a mature threat actor that prioritizes stealth, persistence, and adaptability over noisy attacks.
