Cybersecurity researchers from ESTsecurity's Security Response Center (ESRC) have identified a watering hole attack by the North Korean threat actor Kimsuky. The attackers compromised a South Korean university website hosting a reunification education program and used it to serve malicious Hangul Word Processor (HWP) files to visitors.
The HWP documents are disguised as application forms for the education program so that visitors download and open them. They contain embedded OLE objects that drop a batch script (document.bat), which establishes persistence and downloads additional payloads from a command-and-control (C2) server.
Key malware components include:
0304.exe – A launcher built on Adersoft's VbsEdit, a legitimate VBScript editor, used to execute the attackers' scripts.
get.db / 0304.bat – Batch script for contacting the C2 server.
wis.db – A file suspected of executing further malicious commands.
The attackers hide Base64-encoded VBScript inside .manifest files, a technique previously linked to Kimsuky. The C2 domains used in this campaign resemble those seen in earlier Kimsuky operations. South Korean organizations involved in reunification efforts are advised to treat HWP documents downloaded from such sites with suspicion, particularly ones that carry embedded OLE objects, and to verify them before opening.
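The Base64-in-.manifest trick is easy to check for once you know to look. The following scanner is an added example and is not ESRC's tooling or code from the campaign: it finds long Base64 runs in a file, decodes each one, and reports any whose decoded content contains common VBScript markers (CreateObject, WScript.Shell, and so on). The manifest it scans is a constructed sample built for this example, and the marker list is a hypothetical starting set rather than an exhaustive signature. The same scan can be run over any dropped artifact, for example the .db and .bat files listed above, since the approach does not depend on the file extension.

```python
import base64
import binascii
import re

# Constructed sample for this example: a Windows application manifest (XML)
# carrying a Base64-encoded VBScript blob. It is illustrative only and is not
# the .manifest file recovered from the campaign.
SAMPLE_VBS = (
    b'Set sh = CreateObject("WScript.Shell")\r\n'
    b'sh.Run "cmd /c echo example", 0, False\r\n'
)
SAMPLE_MANIFEST = (
    b'<?xml version="1.0" encoding="UTF-8" standalone="yes"?>\r\n'
    b'<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">\r\n'
    b'  <description>' + base64.b64encode(SAMPLE_VBS) + b'</description>\r\n'
    b'</assembly>\r\n'
)

# Runs of Base64 alphabet characters long enough to hold a script, with optional padding.
B64_RUN = re.compile(rb'[A-Za-z0-9+/]{40,}={0,2}')

# Hypothetical marker set: strings found in most VBScript droppers/downloaders.
VBS_MARKERS = (
    b'CreateObject(', b'WScript.Shell', b'Execute(', b'ExecuteGlobal',
    b'MSXML2.XMLHTTP', b'ADODB.Stream', b'Scripting.FileSystemObject',
)


def decode_run(blob: bytes):
    """Decode one candidate run, tolerating stripped padding. Returns None if not Base64."""
    padded = blob + b'=' * (-len(blob) % 4)
    try:
        return base64.b64decode(padded, validate=True)
    except (binascii.Error, ValueError):
        return None


def find_encoded_vbscript(data: bytes):
    """Return one finding per Base64 run whose decoded form contains VBScript markers."""
    findings = []
    for m in B64_RUN.finditer(data):
        decoded = decode_run(m.group(0))
        if decoded is None:
            continue
        # Drop NUL bytes so UTF-16LE-encoded scripts still match the ASCII markers.
        text = decoded.replace(b'\x00', b'')
        hits = [mk.decode() for mk in VBS_MARKERS if mk in text]
        if hits:
            findings.append({
                'offset': m.start(),
                'encoded_length': len(m.group(0)),
                'markers': hits,
                'preview': text[:80],
            })
    return findings


if __name__ == '__main__':
    for f in find_encoded_vbscript(SAMPLE_MANIFEST):
        print(f"offset={f['offset']} len={f['encoded_length']} markers={f['markers']}")
        print(f['preview'].decode('ascii', errors='replace'))
```

A legitimate manifest is plain XML and never contains a Base64 run that decodes to script text, so any hit here is worth a closer look. Keep the minimum run length at 40 or more: shorter runs produce false positives from ordinary identifiers and hashes, and a script small enough to fit in them is not the payload you are hunting.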