


Perceptive Security
SOC/SIEM Consultancy

Kimsuky Spreads DocSwap Android Malware via QR Phishing Posing as Delivery App
Published:
18 December 2025 at 07:43:00
Alert date:
18 December 2025 at 09:01:17
Source:
thehackernews.com
Mobile & IoT, Ransomware & Malware
North Korean threat actor Kimsuky has launched a new campaign distributing DocSwap Android malware through QR code phishing attacks. The campaign impersonates Seoul-based logistics firm CJ Logistics (formerly CJ Korea Express) to trick victims into downloading malicious apps. Attackers use QR codes and notification pop-ups hosted on phishing websites to lure users into installing and executing the malware on their mobile devices. This represents an evolution in Kimsuky's tactics, incorporating mobile malware distribution through QR code-based social engineering techniques targeting logistics customers.
Technical details
Kimsuky distributes DocSwap Android malware via QR codes on phishing sites impersonating CJ Logistics. The phishing site inspects the visitor's User-Agent string: mobile users are shown a QR code, while desktop users are shown a prompt to install a "security module". The malicious APK (SecDelivery.apk) acts as a dropper: it decrypts an embedded, encrypted APK and loads it to launch the DocSwap payload. The malware registers its service as 'com.delivery.security.MainService' and displays a fake OTP authentication screen that accepts the hardcoded delivery number '742938128549'. Once "authenticated", it connects to the C2 server and supports 57 commands, including keylogging, audio capture, camera recording, file operations, and exfiltration of SMS messages, contacts, call logs, and the list of installed apps. To maintain cover, the malware loads the legitimate CJ Logistics parcel-tracking page in a WebView.
Mitigation steps:
Avoid installing apps from unknown sources and do not dismiss security warnings shown during installation. Be cautious of delivery-themed phishing emails and SMS messages. Verify the legitimacy of apps before installation. Monitor for suspicious network connections to the identified IP address and port. Implement mobile device management (MDM) solutions to prevent installation of unauthorized applications.
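An added example (not from the alert or the vendor blogs it links): a Python script that checks egress firewall records and an MDM app inventory against the indicators listed in the IOC's section below, treating the known C2 port as stronger evidence than the IP alone and flagging the BYCOM VPN package for review rather than blocking it, since the same name belongs to the legitimate Play Store app. The log format, device names and the assumption that the DocSwap package is the prefix of com.delivery.security.MainService are my own constructions.

```python
import re

# Indicators copied from the alert's IOC list; the IP is defanged there, so refang it first.
def refang(ioc: str) -> str:
    return ioc.replace("[.]", ".")   # 27.102.137[.]181 -> 27.102.137.181
C2_IP = refang("27.102.137[.]181")
C2_PORT = 50005
DROPPER_APK = "SecDelivery.apk"
DOCSWAP_PKG = "com.delivery.security"      # assumed package prefix of com.delivery.security.MainService
BYCOM_PKG = "com.bycomsolutions.bycomvpn"  # legitimate package name; trojanized builds reported
# Constructed sample data (not from the page): egress firewall records and an MDM app inventory.
NET_LOG = [
    "2025-12-18T08:01:02Z src=10.0.5.21 dst=142.250.74.46:443 proto=tcp",
    "2025-12-18T08:02:10Z src=10.0.5.21 dst=27.102.137.181:50005 proto=tcp",
    "2025-12-18T08:03:44Z src=10.0.5.22 dst=27.102.137.181:443 proto=tcp",
    "2025-12-18T08:05:00Z src=10.0.5.23 dst=203.0.113.9:80 proto=tcp uri=/dl/SecDelivery.apk",
]
MDM_INVENTORY = {
    "device-a1": ["com.android.chrome", "com.delivery.security"],
    "device-b2": ["com.android.chrome", "com.example.mail"],
    "device-c3": ["com.bycomsolutions.bycomvpn"],
}
NET_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>[\d.]+):(?P<port>\d+)(?:.*\buri=(?P<uri>\S+))?")

def scan_network_log(lines):
    """Return (source host, finding) pairs for records matching the alert's network IoCs."""
    findings = []
    for line in lines:
        m = NET_RE.search(line)
        if not m:
            continue
        dst, port = m["dst"], int(m["port"])
        if dst == C2_IP:
            sev = "high" if port == C2_PORT else "medium"  # the listed C2 port is stronger evidence
            findings.append((m["src"], f"{sev}: connection to DocSwap C2 {dst}:{port}"))
        if m["uri"] and m["uri"].rsplit("/", 1)[-1] == DROPPER_APK:
            findings.append((m["src"], f"high: download of dropper {DROPPER_APK}"))
    return findings

def scan_inventory(inventory):
    """Return (device, package, verdict) for installed packages tied to the alert."""
    out = []
    for dev, pkgs in inventory.items():
        for pkg in pkgs:
            if pkg == DOCSWAP_PKG or pkg.startswith(DOCSWAP_PKG + "."):
                out.append((dev, pkg, "high: DocSwap package installed"))
            elif pkg == BYCOM_PKG:
                # Same name as the Play Store app: confirm the install source rather than block blindly.
                out.append((dev, pkg, "review: trojanized builds reported; confirm Play Store origin"))
    return out
```

Feed real firewall exports and MDM inventories into the two functions in place of the constructed samples; only the field layout assumed by NET_RE needs adjusting.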
Affected products:
Android devices
CJ Logistics (impersonated)
BYCOM VPN (trojanized version)
Related links:
https://www.enki.co.kr/en/media-center/blog/kimsuky-distributing-malicious-mobile-app-via-qr-code
https://blog.alyac.co.kr/5035
https://play.google.com/store/apps/details?id=com.bycomsolutions.bycomvpn
https://hunt.io/blog/million-ok-naver-facade-kimsuky-tracking
Related CVEs:
Related threat actors:
IOCs:
27.102.137[.]181, 27.102.137[.]181:50005, SecDelivery.apk, com.delivery.security.MainService, com.bycomsolutions.bycomvpn, 742938128549, www.cjlogistics[.]com/ko/tool/parcel/tracking
This article was created with the assistance of AI technology by Perceptive.
