Security News

Cybersecurity news aggregator

HIGH Attacks Malpedia

We Dumped a Live Kimsuky C2 and Recovered Every Stage of the Kill Chain: CHM Dropper, VBScript Stager, PowerShell Keylogger

This article details a Kimsuky APT campaign that uses a multi-stage kill chain: a CHM file dropper executes a VBScript stager, which ultimately deploys a PowerShell-based keylogger. The analysis is based on content recovered from a live command-and-control (C2) server, which gave full visibility into the attack sequence. No CVSS score, specific affected software versions, fixed versions, or workarounds are provided in the source material.

2026-04-11
Author(s): Breakglass Intelligence
Organization: Breakglass Intelligence
ps1.randomquery, vbs.randomquery
