Kimsuky Campaign Uses QR Phishing to Distribute DocSwap Android Malware via Fake CJ Logistics Delivery App
- Rescana

Executive Summary
A highly targeted and technically advanced campaign orchestrated by the North Korean threat actor Kimsuky has been identified, leveraging QR code phishing to distribute the DocSwap Android malware. This operation primarily impersonates the reputable South Korean logistics provider CJ Logistics, tricking users into installing a trojanized delivery tracking application. The attack chain is distinguished by its seamless integration of social engineering, QR code redirection, and a multi-stage Android Remote Access Trojan (RAT) with extensive surveillance and data exfiltration capabilities. The campaign is ongoing, with confirmed exploitation in the wild, and demonstrates a significant evolution in mobile malware delivery and credential harvesting tactics.
Threat Actor Profile
Kimsuky (also known as Velvet Chollima and Black Banshee) is a North Korean Advanced Persistent Threat (APT) group with a well-documented history of cyber espionage, credential theft, and information operations. The group is known for targeting South Korean government entities, think tanks, and critical infrastructure, as well as individuals and organizations in the private sector. Kimsuky is characterized by its rapid adaptation to new attack vectors, use of social engineering, and deployment of custom malware families. The group’s infrastructure and tactics, techniques, and procedures (TTPs) have been consistently linked to credential harvesting, spear-phishing, and the use of malicious mobile applications to gain persistent access to sensitive data.
Technical Analysis of Malware/TTPs
The DocSwap campaign employs a multi-stage infection process, beginning with the delivery of phishing messages via SMS (smishing) or email, which impersonate CJ Logistics and other trusted brands. When a victim accesses the phishing site from a desktop, a QR code is displayed, prompting the user to scan it with their Android device. This QR code redirects to a fake app download page, presenting a malicious APK, typically named SecDelivery.apk, hosted on attacker-controlled infrastructure such as 27.102.137[.]181.
Upon installation, the APK decrypts and loads an embedded, encrypted payload, activating the DocSwap RAT. The app requests a broad set of permissions, including access to external storage, internet, SMS, phone state, and package installation, enabling deep device surveillance. The user is presented with a fake One-Time Password (OTP) authentication screen, requiring a hardcoded shipment number (742938128549). After entering the number, a random six-digit code is generated, and the app subsequently opens a legitimate CJ Logistics tracking page within a WebView to reinforce its legitimacy.
In the background, the malware establishes a persistent connection to its command-and-control (C2) server at 27.102.137[.]181:50005, registering the service com.delivery.security.MainService. The RAT is capable of executing up to 57 distinct commands, including keystroke logging, audio and camera recording, file upload and download, remote command execution, and the collection of sensitive data such as location, SMS, contacts, call logs, and installed applications. Additional variants of the malware have been observed masquerading as a P2B Airdrop app and a trojanized version of the legitimate BYCOM VPN app (com.bycomsolutions.bycomvpn).
The campaign’s infrastructure also supports credential harvesting through phishing sites mimicking popular South Korean platforms such as Naver and Kakao, further expanding the threat surface.
Exploitation in the Wild
The Kimsuky DocSwap campaign is actively exploiting users in South Korea, with a focus on individuals and organizations involved in logistics, cryptocurrency, and VPN usage. The attack leverages QR code redirection as a primary infection vector, capitalizing on the widespread use of mobile devices for package tracking and delivery notifications. The campaign is notable for its use of both newly developed and repackaged legitimate applications to evade detection by security solutions.
Attribution to Kimsuky is supported by overlaps in infrastructure, TTPs, and unique indicators such as Korean-language comments and the “Million OK !!!!” string found on C2 servers. The campaign’s sophistication and targeting suggest a well-resourced and persistent adversary with a clear focus on espionage and credential theft.
Victimology and Targeting
The primary targets of this campaign are South Korean individuals and organizations, particularly those interacting with logistics and delivery services. The use of CJ Logistics branding and the focus on mobile device infection indicate a strategy designed to exploit the high trust placed in established service providers and the ubiquity of mobile package tracking. Secondary targeting includes users of cryptocurrency and VPN services, as evidenced by the discovery of trojanized P2B Airdrop and BYCOM VPN apps. The campaign also seeks to harvest credentials from users of Naver and Kakao, two of South Korea’s most popular online platforms.
Mitigation and Countermeasures
Organizations and individuals are advised to implement a multi-layered defense strategy to mitigate the risks posed by the Kimsuky DocSwap campaign. Blocking access to known malicious IP addresses and domains associated with the campaign, such as 27.102.137[.]181 and related infrastructure, is essential. User education is critical; employees and customers should be made aware of the dangers of QR code phishing and the risks associated with sideloading applications from unknown sources. Mobile device management (MDM) policies should be reviewed and updated to restrict the installation of unauthorized APKs and enforce the principle of least privilege for app permissions.
Continuous monitoring for the installation of suspicious applications, especially those requesting excessive permissions, is recommended. Security teams should proactively hunt for C2 traffic to 27.102.137[.]181:50005 and similar endpoints. Additionally, organizations should monitor for signs of credential harvesting and unauthorized access to sensitive accounts, particularly those associated with Naver, Kakao, and other high-value platforms.
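As an added detection example (not part of Rescana's report or any vendor tooling), the following Python applies the indicators from the technical analysis and mitigation sections above to constructed sample data: it flags connections to the C2 endpoint 27.102.137[.]181:50005 in a hypothetical connection-log format, and flags installed packages that either register com.delivery.security.MainService or request every permission category the report lists (storage, internet, SMS, phone state, package installation). The log format, the inventory record shape, the sample package names and the sample values are all assumptions.

```python
import re
# Indicators from the report above; the IP is written defanged there.
C2_HOST = "27.102.137[.]181".replace("[.]", ".")
C2_PORT = 50005
DOCSWAP_SERVICE = "com.delivery.security.MainService"
# Permission categories the report says DocSwap requests, as real Android names.
P = "android.permission."
PERMISSION_GROUPS = {
    "storage": {P + "READ_EXTERNAL_STORAGE", P + "WRITE_EXTERNAL_STORAGE"},
    "internet": {P + "INTERNET"},
    "sms": {P + "READ_SMS", P + "RECEIVE_SMS", P + "SEND_SMS"},
    "phone_state": {P + "READ_PHONE_STATE"},
    "install": {P + "REQUEST_INSTALL_PACKAGES"},
}
# Hypothetical connection-log format: "<ts> src=<ip:port> dst=<ip:port> ..."
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+src=(?P<src>\S+)\s+dst=(?P<dip>[\d.]+):(?P<dport>\d+)")

def find_c2_connections(log_lines):
    """Return (timestamp, source) for each line whose destination is the DocSwap C2."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and m.group("dip") == C2_HOST and int(m.group("dport")) == C2_PORT:
            hits.append((m.group("ts"), m.group("src")))
    return hits

def suspicious_apps(inventory):
    """Flag apps registering the known service or requesting every permission category."""
    flagged = []
    for app in inventory:
        perms, reasons = set(app.get("permissions", [])), []
        if DOCSWAP_SERVICE in app.get("services", []):
            reasons.append("known DocSwap service")
        if all(perms & group for group in PERMISSION_GROUPS.values()):
            reasons.append("requests all DocSwap permission categories")
        if reasons:
            flagged.append((app["package"], reasons))
    return flagged
# Constructed sample telemetry (not real data); package names are made up too.
SAMPLE_LOGS = [
    "2025-12-10T09:14:02Z src=10.0.0.23:51522 dst=27.102.137.181:50005 proto=tcp",
    "2025-12-10T09:14:05Z src=10.0.0.23:51530 dst=203.0.113.10:443 proto=tcp",
    "2025-12-10T09:15:11Z src=10.0.0.41:40012 dst=27.102.137.181:443 proto=tcp",
]
SAMPLE_INVENTORY = [
    {"package": "com.delivery.security", "services": [DOCSWAP_SERVICE], "permissions": [P + "INTERNET"]},
    {"package": "com.example.flashlight", "services": [], "permissions": [P + "CAMERA"]},
    {"package": "com.example.tracker", "services": [], "permissions": [P + "READ_EXTERNAL_STORAGE",
     P + "INTERNET", P + "READ_SMS", P + "READ_PHONE_STATE", P + "REQUEST_INSTALL_PACKAGES"]},
]
```

Only the connection to port 50005 is reported; traffic to the same IP on port 443 is left for a broader IP-based block rule, and the permission check fires only when all five categories are present together.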
About Rescana
Rescana is a leader in Third-Party Risk Management (TPRM), providing organizations with a comprehensive platform to assess, monitor, and mitigate cyber risks across their supply chain and vendor ecosystem. Our advanced threat intelligence and risk analytics empower security teams to proactively identify and address emerging threats, ensuring robust protection for critical assets and business operations. For more information or to discuss how Rescana can support your organization’s cybersecurity strategy, we are happy to answer questions at ops@rescana.com.