Beware: Weaponized Research Papers Spreading Malware via Password-Protected Documents

A recent incident confirmed by the AhnLab Security Intelligence Center (ASEC) has highlighted the evolving tactics of the North Korean APT group Kimsuky.

This group has been implicated in a series of phishing campaigns that weaponize academic themes, leveraging the trusted context of research and scholarly communication to deliver sophisticated malware payloads.

How the Attack Unfolds: From Email to Remote Access

In the documented case, targeted victims received phishing emails masquerading as legitimate requests for academic paper reviews from professors.

The emails enticed recipients to open a password-protected HWP (Hangul Word Processor) file, with the document’s password conveniently provided in the message body.

[Figure: HWP document file containing malicious OLE object]

This level of social engineering exploits the recipient’s trust and curiosity, especially when the document’s subject matter, such as an analysis of the Russo-Ukraine war, matches their professional interests.

Upon opening the document and entering the password, six files were surreptitiously extracted to the system’s temporary directory.

The attack chain was triggered further by a “More…” hyperlink within the document. Clicking this link executed a batch script (“peice.bat”), setting in motion a multi-stage infection process.

This script deleted the initial malicious document, renamed a benign bait file to a relevant academic title, and scheduled malicious scripts to run at regular intervals, ultimately copying key payloads, including a maliciously signed executable (“cool.exe”), configuration files, and PowerShell scripts, to the user’s public music directory.

Kimsuky Group Exploits Academic Trust

The scheduler XML established by these scripts ensured that “cool.exe” would be executed every 12 minutes.
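As an added, defender-side example (not code from the ASEC report or from this article), the following Python script inspects a Task Scheduler XML definition for the two traits described above: a short repetition interval and an action launched from a user-writable location such as the Public Music folder. The task XML, the file name and the path are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Namespace used by exported Windows Task Scheduler definitions
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Directories a legitimate scheduled task rarely launches binaries from
SUSPICIOUS_DIRS = (r"\users\public\music", r"\appdata\local\temp", r"\windows\temp")

def interval_minutes(iso_duration):
    """Convert an ISO 8601 duration such as PT12M or PT1H30M to minutes (None if absent/invalid)."""
    if not iso_duration:
        return None
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", iso_duration.strip())
    if not m:
        return None
    d, h, mi, s = (int(x) if x else 0 for x in m.groups())
    return d * 1440 + h * 60 + mi + s / 60

def assess_task(task_xml, max_minutes=15):
    """Return a list of findings for one Task Scheduler XML definition."""
    root = ET.fromstring(task_xml)
    findings = []
    # Trait 1: a tight repetition interval (the described task fired every 12 minutes)
    for interval in root.findall(".//t:Repetition/t:Interval", NS):
        minutes = interval_minutes(interval.text)
        if minutes is not None and minutes <= max_minutes:
            findings.append(f"repeats every {minutes:g} min ({interval.text})")
    # Trait 2: the executed command lives in a user-writable staging directory
    for cmd in root.findall(".//t:Actions/t:Exec/t:Command", NS):
        path = (cmd.text or "").strip().strip('"').lower()
        if any(d in path for d in SUSPICIOUS_DIRS):
            findings.append(f"executes from user-writable path: {cmd.text.strip()}")
    return findings

# Constructed sample modelled on the behaviour described above (not the real task file)
SAMPLE_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <CalendarTrigger>
      <Repetition><Interval>PT12M</Interval><StopAtDurationEnd>false</StopAtDurationEnd></Repetition>
      <StartBoundary>2025-01-01T00:00:00</StartBoundary>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec><Command>C:\Users\Public\Music\cool.exe</Command></Exec>
  </Actions>
</Task>"""

if __name__ == "__main__":
    for finding in assess_task(SAMPLE_TASK):
        print("FINDING:", finding)
```

On a live host the same function can be run over every file under C:\Windows\System32\Tasks, which is where the scheduler stores task definitions.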

This binary, in turn, decoded and ran a VBScript hidden within its configuration file, which then executed a PowerShell script (“template.ps1”).

This PowerShell malware enumerated running processes, gathered antivirus product information, and exfiltrated this data to a Dropbox address controlled by the attackers.

Subsequent phases of the attack saw additional scripts (such as “1.bat”) downloading further malicious payloads from command-and-control (C2) servers.

According to the ASEC report, these included a mix of VBS, PowerShell, and EXE files mimicking or directly using AnyDesk, a legitimate remote access tool.

The attackers replaced AnyDesk’s configuration files with their own, pre-configured for stealth remote access, while scripts ensured the AnyDesk interface and tray icon were hidden from the victim.

[Figure: AnyDesk configuration files]

This attack exemplifies a growing trend among threat actors: repurposing legitimate tools like AnyDesk for remote control and leveraging widely used cloud services such as Dropbox for C2 communication and data exfiltration.

Notably, the entire process is engineered for maximum stealth, exploiting both technical and psychological blind spots.

Phishing attacks of this nature, disguised as credible work-related requests, pose an enhanced risk to professionals in academia and research.

Security experts advise extreme caution when handling unexpected files, especially those requiring passwords or originating from unknown contacts.

Users should always verify file extensions, scrutinize sender details, and, where possible, open suspicious documents in a sandboxed environment.

Indicators of Compromise (IOC)



Mandvi
Mandvi is a Security Reporter covering data breaches, malware, cyberattacks, data leaks, and more at Cyber Press.
