Ghost Clients.zip Apr 2026

The email contained a link to a cloud storage service (like Google Drive or OneDrive) or an attachment titled Ghost Clients.zip.

Inside the ZIP file were LNK (Windows Shortcut) files disguised as harmless documents (e.g., "Meeting_Minutes.pdf.lnk").

2. The Infection Chain

Once a user executed the LNK file, a complex, scripted infection process was triggered to bypass security software:

The initial script collected basic system information (OS version, running processes, and network configuration) to verify whether the victim was a high-value target or a security researcher's "sandbox."

Security researchers attributed this campaign to Kimsuky based on several "fingerprints" found in the code:

The C2 servers used domains that followed Kimsuky's historical naming conventions.