
Kimsuky and the Poisoned Parcel: When a QR Code Delivers a Trojan

  • Javier Conejo del Cerro
  • 18 Dec 2025
  • 4 min read

Every delivery promises convenience. A package is on the way, a notification appears, and the user does what millions do every day: checks the status.

Kimsuky understood that routine perfectly.

In its latest campaign, the North Korean threat actor turned delivery notifications into a weapon, disguising Android malware as a shipment tracking app. By abusing QR codes, phishing websites, and the trust placed in logistics brands like CJ Logistics, the group delivered DocSwap, a full-featured Android RAT, straight into victims' pockets.

This was not a technical exploit. It was a carefully wrapped package.


Phase 1: The Lure — A Package You Didn’t Expect


The attack begins with social engineering, not malware.

Victims receive:

  • Smishing text messages or phishing emails

  • Notifications claiming a delivery issue or pending shipment

  • Links posing as logistics updates from trusted South Korean brands

The message manufactures urgency: a package requires verification, customs approval, or security confirmation. Nothing unusual in a world of constant deliveries.

The bait is familiar. The victim clicks.


Phase 2: The QR Detour — Moving the Attack to Mobile


A distinctive feature of this campaign is its QR-based redirection.

When the phishing URL is opened on a desktop device, the site:

  • Detects the User-Agent

  • Displays a QR code

  • Instructs the user to scan it with an Android phone to “track the shipment”

This step deliberately bridges desktop and mobile. The URL that the mail filter and web proxy inspected never serves an APK; the phone, often personal and unmanaged, fetches it instead, outside the reach of those controls. The QR code leads to a phishing page impersonating CJ Logistics, complete with branding and delivery language.

At this point, the package has reached the phone.
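One way to confirm this split on a suspicious URL is to request it twice, once with a desktop User-Agent and once with an Android one, and compare the two responses. The script below is an added example, not code from the original post or from the researchers who analyzed the campaign; the hostnames, the two sample pages and the keyword patterns are constructed for illustration and should be tuned to the lure at hand. Run the live probe only from an isolated analysis host.

```python
"""Detect the desktop/mobile split described above by fetching one URL with two
User-Agents and comparing the responses. Added example: the hosts, sample pages
and keyword patterns below are constructed, not taken from the campaign."""
import re
import urllib.request

DESKTOP_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36")
ANDROID_UA = ("Mozilla/5.0 (Linux; Android 13; Pixel 7) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/120.0.0.0 Mobile Safari/537.36")

# What a desktop visitor is shown: a QR code and an instruction to scan it.
QR_HINTS = re.compile(r"qr[-_ ]?code|scan (?:this|the) (?:qr|code)|api\.qrserver\.com", re.I)
# What an Android visitor is shown: an APK link and reassurance about unknown sources.
APK_LINK = re.compile(r"""href=["']([^"']+\.apk)["']""", re.I)
APK_HINTS = re.compile(r"unknown sources|security module|verification module", re.I)


def fetch(url, user_agent, timeout=10):
    """Return (final_url, body) for url as seen by the given User-Agent."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.geturl(), resp.read().decode("utf-8", "replace")


def analyze(desktop_html, android_html, desktop_url=None, android_url=None):
    """Compare the two responses and decide whether the site cloaks on User-Agent."""
    apk_links = sorted({m.group(1) for m in APK_LINK.finditer(android_html)})
    result = {
        "desktop_shows_qr": bool(QR_HINTS.search(desktop_html)),
        "android_offers_apk": bool(apk_links) or bool(APK_HINTS.search(android_html)),
        "apk_links": apk_links,
        # A different final URL per User-Agent is itself a cloaking signal.
        "redirect_differs": bool(desktop_url and android_url and desktop_url != android_url),
    }
    # Cloaking: the desktop sees a QR detour, the phone sees the sideload page.
    result["cloaking"] = result["desktop_shows_qr"] and result["android_offers_apk"]
    return result


def probe(url):
    """Live check: fetch url as desktop and as Android, then compare."""
    d_url, d_html = fetch(url, DESKTOP_UA)
    a_url, a_html = fetch(url, ANDROID_UA)
    return analyze(d_html, a_html, d_url, a_url)


# Constructed sample pages standing in for the two responses of a cloaking site.
SAMPLE_DESKTOP = """<html><body><h2>Shipment tracking</h2>
<p>Scan this QR code with your Android phone to track the shipment.</p>
<img src="https://api.qrserver.com/v1/create-qr-code/?data=https://track.example.invalid/m">
</body></html>"""
SAMPLE_ANDROID = """<html><body><h2>Shipment tracking</h2>
<p>Due to international customs security policies, install the security module to proceed.</p>
<p>The app is safe and official. If Android warns about unknown sources, allow the install.</p>
<a href="https://track.example.invalid/dl/SecDelivery.apk">Install security module</a>
</body></html>"""

if __name__ == "__main__":
    print(analyze(SAMPLE_DESKTOP, SAMPLE_ANDROID))
    # probe("https://suspicious.example.invalid/track")  # live use, from a sandbox only
```

The keyword patterns are deliberately loose; the signal that matters is the divergence between the two responses, and a differing final URL per User-Agent should be treated as suspicious even when neither pattern fires.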


Phase 3: The Fake App — Sideloading the Trojan


The phishing page claims that, due to “international customs security policies,” the user must install a security or verification module to proceed.

This module is not from Google Play.

Instead, the victim is instructed to manually install (sideload) an APK named “SecDelivery.apk”, hosted on an attacker-controlled server. The attackers explicitly reassure users that the app is safe and official, encouraging them to ignore Android’s security warnings about unknown sources.

Once installed, the base APK requests:

  • Permission to manage external storage

  • Internet access

  • Permission to install additional packages

The last one is the tell. A parcel-tracking app has no reason to install other packages; a dropper needs exactly that to plant its second stage.

This is the moment the poisoned parcel is opened.


Phase 4: The Swap — From Delivery App to DocSwap


Once the permissions are granted, the app decrypts an encrypted APK embedded in its resources and loads it.

This second-stage payload is a new variant of DocSwap, which:

  • Registers a background RAT service (com.delivery.security.MainService)

  • Launches a fake authentication activity mimicking OTP verification

  • Uses a hard-coded shipment number to appear legitimate

The user is guided through a fake verification flow, including a randomly generated six-digit code. Once completed, the app opens the real CJ Logistics tracking webpage inside a WebView.

The delivery looks real.

The infection is already complete.
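What a first static pass over the dropper looks like, as an added example (not ENKI's tooling or the campaign's code): it flags the storage, internet and install-packages permission set from Phase 3, lists declared services, and looks in assets/ and res/raw/ for a high-entropy blob of the kind Phase 4 describes. The sample APK, its manifest and the "encrypted" payload are constructed, and the package name is assumed from the service name given above. A real APK stores AndroidManifest.xml as binary XML; decode it first (apktool or androguard) and pass the decoded text in.

```python
"""Static triage for a dropper of the kind described in Phases 3 and 4.
Added example, not ENKI's or the campaign's code. The sample APK, manifest
and payload are constructed; the package name is assumed from the service name."""
import hashlib
import io
import math
import xml.etree.ElementTree as ET
import zipfile

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# The permission set the base APK requests. No tracking app needs
# REQUEST_INSTALL_PACKAGES; that is the dropper's tell.
DROPPER_PERMS = {
    "android.permission.INTERNET",
    "android.permission.MANAGE_EXTERNAL_STORAGE",
    "android.permission.REQUEST_INSTALL_PACKAGES",
}
# Permissions a RAT stage would need for the capabilities listed in Phase 5.
RAT_PERMS = {
    "android.permission.RECORD_AUDIO", "android.permission.CAMERA",
    "android.permission.READ_SMS", "android.permission.READ_CONTACTS",
    "android.permission.READ_CALL_LOG", "android.permission.ACCESS_FINE_LOCATION",
}
MEDIA_EXT = (".png", ".jpg", ".jpeg", ".webp", ".gif", ".mp3", ".ogg", ".ttf")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; encrypted or compressed data sits near 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def triage_manifest(manifest_xml: str) -> dict:
    """Permissions and services from a decoded (text) AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    perms = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")} - {None}
    return {
        "package": root.get("package"),
        "permissions": sorted(perms),
        "dropper_combo": DROPPER_PERMS <= perms,
        "rat_permissions": sorted(RAT_PERMS & perms),
        "services": [e.get(ANDROID_NS + "name") for e in root.iter("service")],
    }


def find_embedded_payloads(apk_bytes: bytes, min_size=1024, threshold=7.5) -> list:
    """Files under assets/ or res/raw/ that look like packed or encrypted payloads.
    Media files are skipped: they are high-entropy by nature and would flood the list."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for name in z.namelist():
            if not name.startswith(("assets/", "res/raw/")) or name.lower().endswith(MEDIA_EXT):
                continue
            data = z.read(name)
            if len(data) < min_size:
                continue
            ent = shannon_entropy(data)
            is_zip = data[:4] == b"PK\x03\x04"  # an unencrypted inner APK/JAR
            if ent >= threshold or is_zip:
                hits.append({"file": name, "size": len(data),
                             "entropy": round(ent, 2), "inner_zip": is_zip})
    return hits


def triage(apk_bytes: bytes, decoded_manifest: str) -> dict:
    """Combine both checks into one verdict for the analyst."""
    m = triage_manifest(decoded_manifest)
    m["embedded_payloads"] = find_embedded_payloads(apk_bytes)
    m["verdict"] = "likely dropper" if (m["dropper_combo"] and m["embedded_payloads"]) else "review"
    return m


# --- constructed sample standing in for SecDelivery.apk ---------------------
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.delivery.security">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.MANAGE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application android:label="SecDelivery">
    <service android:name="com.delivery.security.MainService" android:exported="false"/>
  </application>
</manifest>"""
# Deterministic high-entropy bytes as a stand-in for the encrypted stage-two APK.
FAKE_ENCRYPTED_STAGE2 = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))


def build_sample_apk() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", SAMPLE_MANIFEST)  # text here; binary XML in a real APK
        z.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 2048)
        z.writestr("assets/logo.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 2048)
        z.writestr("assets/update.dat", FAKE_ENCRYPTED_STAGE2)
    return buf.getvalue()


if __name__ == "__main__":
    import json
    print(json.dumps(triage(build_sample_apk(), SAMPLE_MANIFEST), indent=2))
```

The entropy threshold is a coarse filter: a stage-two APK that is merely XOR-obfuscated or stored as a plaintext zip will score lower, which is why the inner-zip magic check is kept alongside it. Anything flagged here still has to be decrypted and run through the same triage, since the RAT permissions live in the second stage, not in the dropper's manifest.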


Phase 5: The Takeover — Full RAT Capabilities


While the legitimate tracking page is shown as a decoy, DocSwap connects in the background to an attacker-controlled C2 server.

From that moment, the malware can receive up to 57 remote commands, enabling:

  • Keystroke logging

  • Audio recording

  • Camera access

  • File browsing and manipulation

  • Command execution

  • Upload and download of files

  • Collection of location data

  • Access to SMS messages

  • Theft of contacts and call logs

  • Enumeration of installed applications

The phone is no longer a phone. It is a surveillance device.


Phase 6: Beyond Deliveries — Repackaging Legitimate Apps


Further analysis revealed that the campaign was not limited to fake delivery apps.

ENKI, whose researchers analyzed the campaign, identified additional samples:

  • A trojanized P2B Airdrop app

  • A repackaged version of a legitimate VPN, BYCOM VPN, originally available on Google Play

In these cases, Kimsuky injected malicious functionality into legitimate APKs and redistributed them through phishing infrastructure, reinforcing a pattern of APK tampering and repackaging rather than relying solely on fake apps.


Phase 7: Expanding the Net — Credential Harvesting


The infrastructure used in the campaign also hosted phishing sites impersonating major South Korean platforms such as Naver and Kakao.

These sites were designed to capture user credentials, and they reused infrastructure from previous Kimsuky credential-harvesting operations.

This places the campaign within a broader ecosystem that combines:

  • Mobile RAT deployment

  • Credential theft

  • Long-term surveillance

The poisoned parcel is only one delivery method among many.


Defensive Measures: Rejecting the Package


Defending against this campaign requires breaking the chain at multiple points.

Key measures include:

  • Treating QR codes in unsolicited messages as high-risk entry vectors, and never scanning one that a web page tells you to scan "to continue"

  • Blocking APK sideloading (installation from unknown sources) through device management policy on corporate devices, and keeping Google Play Protect enabled on personal ones

  • Treating any app that asks to install other packages or to manage all files as a red flag; a tracking app needs neither

  • Educating users that logistics apps should only be installed from official app stores, and that a courier will never ask them to bypass an Android security warning

  • Monitoring mobile egress for APK downloads from non-store hosts and for periodic beaconing to servers a device has never contacted before

In mobile attacks, trust is the real vulnerability.
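The last of those measures is the one a SOC can act on today, so here is an added example of the hunt (not from the original post or the researchers' tooling): it reads mobile egress logs, flags .apk downloads from non-store hosts, finds (device, host) pairs contacted at a near-constant interval, and raises a high-severity alert when such a beacon begins after an APK download on the same device. The log format and every device, host and timestamp are constructed.

```python
"""Hunt over mobile egress logs (proxy, DNS or MDM telemetry) for the two signals
this campaign leaves: an APK pulled from a non-store host, then regular beaconing
from the same device to a host it had not contacted before. Added example; the
log format and every host, device and timestamp below are constructed."""
import re
import statistics
from collections import defaultdict
from datetime import datetime

LINE = re.compile(r"^(?P<ts>\S+) device=(?P<device>\S+) host=(?P<host>\S+) path=(?P<path>\S+)")
# Extend with whatever hosts your own store traffic actually uses.
STORE_HOSTS = {"play.google.com", "play.googleapis.com"}


def parse(lines):
    events = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # skip malformed lines rather than failing the hunt
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
        events.append({"ts": ts, "device": m["device"], "host": m["host"], "path": m["path"]})
    return sorted(events, key=lambda e: e["ts"])


def apk_downloads(events):
    """Sideload candidates: an .apk fetched from anywhere but the store."""
    return [e for e in events
            if e["path"].lower().endswith(".apk") and e["host"] not in STORE_HOSTS]


def beacons(events, min_hits=4, max_cv=0.2):
    """(device, host) pairs contacted at a near-constant interval.
    cv = stdev/mean of the gaps: a sleep-loop C2 check-in has cv near 0,
    human browsing does not."""
    by_pair = defaultdict(list)
    for e in events:  # events are time-sorted, so each list is too
        by_pair[(e["device"], e["host"])].append(e["ts"])
    out = []
    for (device, host), tss in by_pair.items():
        if len(tss) < min_hits:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(tss, tss[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            out.append({"device": device, "host": host, "first_seen": tss[0],
                        "hits": len(tss), "period_s": round(mean), "cv": round(cv, 3)})
    return out


def hunt(lines):
    """A beacon that starts after an APK download on the same device is high severity."""
    events = parse(lines)
    downloads = apk_downloads(events)
    alerts = []
    for b in beacons(events):
        prior = [d for d in downloads if d["device"] == b["device"] and d["ts"] < b["first_seen"]]
        alerts.append({**b, "first_seen": b["first_seen"].isoformat(),
                       "severity": "high" if prior else "medium",
                       "apk": prior[-1]["host"] + prior[-1]["path"] if prior else None})
    return alerts


# Constructed log: one phone follows the lure, another just browses.
SAMPLE_LOG = """\
2025-12-18T09:12:40Z device=pixel-7-01 host=track.example.invalid path=/m
2025-12-18T09:14:02Z device=pixel-7-01 host=track.example.invalid path=/dl/SecDelivery.apk
2025-12-18T09:15:10Z device=pixel-7-01 host=cjlogistics.example.invalid path=/
2025-12-18T09:16:00Z device=pixel-7-01 host=c2.example.invalid path=/api/poll
2025-12-18T09:17:00Z device=pixel-7-01 host=c2.example.invalid path=/api/poll
2025-12-18T09:18:00Z device=pixel-7-01 host=c2.example.invalid path=/api/poll
2025-12-18T09:19:01Z device=pixel-7-01 host=c2.example.invalid path=/api/poll
2025-12-18T09:20:00Z device=pixel-7-01 host=c2.example.invalid path=/api/poll
2025-12-18T09:02:11Z device=galaxy-02 host=play.google.com path=/store/apps/details
2025-12-18T09:05:30Z device=galaxy-02 host=portal.example.invalid path=/
2025-12-18T09:31:07Z device=galaxy-02 host=portal.example.invalid path=/
2025-12-18T09:31:40Z device=galaxy-02 host=portal.example.invalid path=/news
2025-12-18T09:58:15Z device=galaxy-02 host=portal.example.invalid path=/
this line is malformed and is skipped
"""

if __name__ == "__main__":
    for alert in hunt(SAMPLE_LOG.splitlines()):
        print(alert)
```

The periodicity test is the part worth keeping even if the APK signal is unavailable (for instance when the download happened over mobile data): a medium alert on a new host polled every minute from a phone is still worth a look, and the jitter tolerance (max_cv) should be raised if the malware you are hunting randomizes its sleep.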


Kimsuky’s DocSwap campaign shows that a threat like this needs neither exploits nor zero-days. It relies on routine behavior.


People expect deliveries.

They trust logistics brands.

They scan QR codes without thinking.

By wrapping a RAT inside the illusion of a shipment update, Kimsuky turned everyday convenience into an espionage channel. The lesson is simple but critical:

Not every package is meant to be opened — especially the digital ones.



The Hacker News




