Kimsuky Pharmaceutical Spear-Phishing Campaign
May 13th, 2026
High
Our Cyber Threat Intelligence Unit is monitoring an ongoing cyber campaign attributed to the Kimsuky group (also tracked as APT43 and Emerald Sleet), targeting pharmaceutical organizations. The activity involves spear-phishing emails that deliver weaponized Excel-themed files, including a file named “White Life Science ERP Specification,” which initiates a multi-stage execution chain involving LNK, XML, JavaScript, and PowerShell. The campaign, reported by Wezard4u analysts, focuses on collecting sensitive system information from compromised systems. The attack uses trusted file formats and scripting techniques to execute malicious code and evade detection.
Technical Details
Threat Type: Malware-based spear-phishing campaign
Severity: High
Affected Component: Windows systems executing script-based payloads (LNK, PowerShell, JavaScript, Task Scheduler)
Affected Sector: Pharmaceutical and life sciences organizations
Exploit Status: Actively observed campaign targeting organizations through phishing emails
Attack Chain Overview:
Initial Access
The campaign begins with targeted spear-phishing emails directed at employees of drug manufacturing and life sciences companies.
Messages reference credible operational topics such as ERP specifications, production planning documents, and research or regulatory files.
Each email includes a compressed archive attachment containing a Windows shortcut (.LNK) file named to resemble an Excel spreadsheet, such as White Life Science ERP Specification.xlsx.
Execution Chain:
LNK File Structure and Self-Validation
The malicious .LNK file has a fixed size of 23,079 bytes (0x5A27) and uses this value to locate and validate itself during execution. It searches for a .lnk file with this exact size in the current directory.
If standard system paths (e.g., System32, Program Files) are not found, execution continues from the %TEMP% directory.
The file acts as a container for multiple embedded payloads stored at specific byte offsets:
Decoy Excel file → offset 0x11CA (9,584 bytes)
Task Scheduler XML → offset 0x373A (3,430 bytes)
PowerShell payload (XOR encoded) → offset 0x44A0 (5,105 bytes)
JavaScript payload (XOR encoded) → offset 0x5891 (406 bytes)
End marker → 0x5A27 (used for integrity validation)
User Execution and Initial Trigger
When the user opens the fake Excel file, the .LNK file executes cmd.exe instead of Excel.
A PowerShell command is launched from the SysWOW64 path, forcing execution of the 32-bit version on a 64-bit system to reduce visibility in security tools.
Embedded payloads are decoded using XOR (0xC7) and written to a hidden directory: C:\sysconfigs, named to appear like a legitimate system folder.
To evade detection:
The PowerShell script name is split into parts (opakib.p + s1), reassembled at runtime as opakib.ps1, avoiding static detection.
A decoy Excel document is opened to make the activity appear legitimate while malware runs in the background.
Payload Execution and Data Collection
The PowerShell payload gathers the following system information from the compromised host:
Domain name and username (transmitted in plaintext)
Operating system version (transmitted in plaintext)
Public IP address (RC4 encrypted with key pw093oKbG, then Base64 encoded)
Running process list (RC4 encrypted with key pw093oKbG, then Base64 encoded)
Command-and-Control Communication (Dropbox Abuse)
The malware communicates with attacker infrastructure using Dropbox API endpoints, blending with legitimate cloud traffic:
Data upload (exfiltration): hxxps://content[.]dropboxapi[.]com/2/files/upload
Command retrieval: hxxps://content[.]dropboxapi[.]com/2/files/download
File rename/acknowledgment: hxxps://api[.]dropboxapi[.]com/2/files/move_v2
Persistence:
Payload Storage in Hidden Directory
The malware drops its components into a hidden directory: C:\sysconfigs, named to resemble a legitimate system folder.
Key files include:
copa08o.js (JavaScript launcher)
opakib.ps1 (PowerShell payload)
Scheduled Task Creation
A scheduled task is created using an XML configuration file stored at C:\sysconfigs\sop0ef903r, registered with the following command:
schtasks /create /tn "Avast Secure Browser VPS Differential Update Ex" /xml C:\sysconfigs\sop0ef903r /f
The task name impersonates a legitimate browser update process, reducing the likelihood of detection.
Automated Execution via Script Chain
The JavaScript file (copa08o.js) acts as a launcher, executing the PowerShell payload (opakib.ps1) via wscript.exe.
The scheduled task ensures this execution occurs periodically, maintaining continuous access.
Use of Cloud Services for Resilient Control
The malware uses Dropbox APIs for command-and-control communication.
A unique victim ID is generated using the system's MAC address, and a Dropbox OAuth access token is generated programmatically.
This approach allows attackers to maintain persistent communication over a trusted cloud service.
Command Execution Tracking:
Commands received from Dropbox are downloaded and executed as BAT files.
After execution, the malware renames the file in Dropbox by appending _call, confirming execution to the attacker and preventing repeated execution of the same command.
This multi-stage design makes detection at any single point difficult and supports long-term access to compromised environments.
Impact
Unauthorized Access to Systems: Successful exploitation can allow attackers to execute malicious code on victim systems through phishing-delivered LNK-based payloads.
Theft of Sensitive Research Data: Compromised systems may lead to exposure of confidential drug research, clinical trial information, and proprietary pharmaceutical data.
Espionage and Long-Term Access: Attackers can maintain persistent access through multi-stage execution chains, enabling ongoing monitoring of internal systems and communications.
Lateral Movement Risk: Initial compromise of user endpoints can be leveraged to expand access across internal pharmaceutical and life-science networks.
Operational and Organizational Impact: Exposure of sensitive information and prolonged unauthorized access can disrupt internal operations and affect organizational security posture.
Detection Method
Network-based detection:
Monitor for unusual outbound connections from endpoints following execution of email attachments, especially to external or cloud-based services.
Monitor for outbound HTTPS requests to content.dropboxapi[.]com and api.dropboxapi[.]com originating from endpoints that do not normally use Dropbox, particularly calls to the /2/files/upload, /2/files/download, and /2/files/move_v2 API endpoints used by this malware for exfiltration, command retrieval, and execution acknowledgment respectively.
Flag DNS queries to OpenDNS resolvers (resolver1.opendns[.]com) initiated by non-browser processes, as the malware uses this mechanism to collect the victim's public IP address prior to exfiltration.
Host-based detection:
Add file hashes to EDR/SIEM platforms to detect known malicious attachments.
Detect execution of suspicious LNK files delivered via email attachments disguised as business documents.
Monitor for unexpected PowerShell execution initiated from user interaction with email attachments, particularly via the SysWOW64 path on 64-bit systems.
Behavioral detection:
Identify execution chains involving LNK files triggering script-based activity (PowerShell, JavaScript, and XML-based tasks).
Detect decoy document behavior where a legitimate file opens while malicious activity continues in the background.
Log analysis:
Review endpoint and security logs for execution of scripts originating from email attachments or compressed archives.
Correlate LNK file execution with subsequent PowerShell activity and outbound network connections.
Monitor for creation of scheduled tasks following suspicious file execution, particularly tasks with names impersonating legitimate software such as "Avast Secure Browser VPS Differential Update Ex."
Indicators of Compromise
Indicator Type | Indicator | Description |
File Name | White Life Science ERP Specification.lnk | Malicious LNK file disguised as Excel document |
File Name | copa08o.js | JavaScript launcher dropped to C:\sysconfigs |
File Name | opakib.ps1 | PowerShell C2 payload dropped to C:\sysconfigs |
File Name | sop0ef903r | Scheduled Task XML definition file |
MD5 | 5c3bf036ab8aadddb2428d27f3917b86 | Hash of malicious LNK file |
SHA-1 | e9c16aa2e322a65fc2621679ca8e7414ebcf89c0 | Hash of malicious LNK file |
SHA-256 | d4c184f4389d710c8aefe296486d4d3e430da609d86fa6289a8cea9fde4a1166 | Hash of malicious LNK file |
Scheduled Task | Avast Secure Browser VPS Differential Update Ex | Persistence mechanism impersonating browser updater |
URL | hxxps://content[.]dropboxapi[.]com/2/files/upload | C2 data exfiltration endpoint |
URL | hxxps://content[.]dropboxapi[.]com/2/files/download | C2 command retrieval endpoint |
URL | hxxps://api[.]dropboxapi[.]com/2/files/move_v2 | C2 execution acknowledgment endpoint |
Directory Path | C:\sysconfigs | Hidden malware staging directory |
File Path | C:\sysconfigs\sop0ef903r | Scheduled Task XML file path |
Recommendations
Immediate Actions:
Disconnect potentially affected systems from the internet or VPN.
Apply security patches and upgrades before restoring connectivity.
Rotate administrative and service credentials.
Add known malicious file hashes to endpoint protection tools.
Block or restrict execution of shortcut (.LNK) files originating from compressed archives or email attachments.
Prevention and Hardening:
Enable file extension visibility to prevent LNK files being disguised as documents.
Block execution of .LNK files from email attachments and downloads.
Restrict PowerShell execution and apply Constrained Language Mode where possible.
Block or restrict wscript.exe from executing JavaScript files originating from non-standard directories.
Limit and monitor outbound traffic to cloud services such as Dropbox.
Monitoring and Detection:
Monitor Windows Scheduled Tasks for unknown or suspicious entries.
Strengthen detection of LNK-based execution chains using PowerShell.
Ensure endpoint tools alert on known malicious file hashes.
Security Readiness
Treat phishing-based document malware as a high-risk threat.
Include LNK-based attacks in SOC training and threat-hunting activities.
Strengthen user awareness on malicious email attachments.
Conclusion
The Kimsuky (APT43 / Emerald Sleet) campaign targeting pharmaceutical organizations demonstrates a sophisticated use of LNK-based social engineering, multi-stage script execution, and abuse of legitimate cloud services for command-and-control. The use of obfuscation techniques and trusted platforms such as Dropbox increases the likelihood of evading traditional security controls. Organizations should prioritize rapid detection by integrating the provided IOCs, enabling visibility into file extensions, monitoring PowerShell activity, auditing scheduled tasks, and restricting suspicious outbound connections. Continuous monitoring and proactive security controls are essential to mitigate the risk of compromise and data exfiltration.