North Korean state-backed hackers are using weaponized Excel-themed files to infect pharmaceutical and life science companies with malware, abusing Windows shortcut files, PowerShell, and cloud storage for stealthy data theft.
The campaign begins with highly tailored spear‑phishing emails sent to drug manufacturers and related life science organizations.
Messages typically reference legitimate‑sounding topics such as ERP specifications, production plans, or research documentation to appear relevant to corporate recipients.
Attached to these emails is a compressed archive containing a Windows shortcut (LNK) file that visually masquerades as an Excel document, for example “White Life Science ERP Specification.xlsx.”
Security researchers link the activity to the Kimsuky advanced persistent threat (APT), a group known for espionage against research and healthcare organizations worldwide.
The icon and filename are chosen so that busy staff believe they are opening a spreadsheet, but in reality they are executing a shortcut that launches a hidden command sequence.
Excel chain and PowerShell stage
When the victim double‑clicks the fake Excel file, the LNK file silently starts cmd.exe and a heavily obfuscated PowerShell command instead of Microsoft Excel.
Files created when the malware is executed (Source: Kimsuky).
The command locates and executes a PowerShell script (often using the 32‑bit PowerShell binary under SysWOW64 to blend in with normal Windows activity), then decodes additional payloads using simple XOR‑based obfuscation to evade static detection.
To maintain the illusion of legitimacy, the malware also creates and opens a decoy Excel workbook while the infection proceeds in the background.
This decoy can contain plausible‑looking tables related to pharmaceutical operations or ERP data, reducing the chances that the user will suspect anything unusual.
Script section responsible for persistence (Source: Kimsuky).
The script collects system information from the compromised host, uploads it to Dropbox, and then retrieves additional commands or batch files to execute.
Subsequent payloads include JavaScript and scheduled‑task components that ensure persistence, often saved into system‑like folders and registered to run periodically via schtasks.
In other Kimsuky operations, similar chains have delivered information‑stealing malware and custom backdoors to exfiltrate documents, credentials, and internal research data.
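The chain described above (shortcut launched from Explorer, cmd.exe, a hidden or encoded PowerShell from SysWOW64, Dropbox traffic from a non‑Dropbox process, and a scheduled task pointing into a user‑writable folder that mimics a system directory) can be hunted in endpoint telemetry. The following is an added example written for this article, not tooling from the article or the researchers it cites. The events, process IDs, paths, task name and the Dropbox‑client allowlist are all constructed to resemble Sysmon process‑create (EventID 1) and network‑connect (EventID 3) records.

```python
"""Hunt for the LNK -> cmd.exe -> PowerShell -> Dropbox/schtasks chain.

Added example; the telemetry below is constructed, not captured from a
real incident.
"""
import re
from collections import defaultdict

# Constructed sample telemetry for one host. Event id 1 = process create,
# event id 3 = network connection. The last three records are benign noise.
EVENTS = [
    {"id": 1, "pid": 1200, "ppid": 4, "image": r"C:\Windows\explorer.exe",
     "cmd": "explorer.exe"},
    {"id": 1, "pid": 1310, "ppid": 1200, "image": r"C:\Windows\System32\cmd.exe",
     "cmd": "cmd.exe /c start /min powershell ..."},
    {"id": 1, "pid": 1322, "ppid": 1310,
     "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe -nop -w hidden -ep bypass -enc AAAA"},
    {"id": 3, "pid": 1322,
     "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "dest_host": "content.dropboxapi.com", "dest_port": 443},
    {"id": 1, "pid": 1340, "ppid": 1322, "image": r"C:\Windows\System32\schtasks.exe",
     "cmd": r'schtasks.exe /create /sc minute /mo 10 /tn "WindowsUpdateCheck" '
            r'/tr "wscript.exe C:\Users\alice\AppData\Roaming\Windows\update.js"'},
    {"id": 1, "pid": 2000, "ppid": 1200,
     "image": r"C:\Program Files (x86)\Dropbox\Client\Dropbox.exe", "cmd": "Dropbox.exe"},
    {"id": 3, "pid": 2000,
     "image": r"C:\Program Files (x86)\Dropbox\Client\Dropbox.exe",
     "dest_host": "content.dropboxapi.com", "dest_port": 443},
    {"id": 1, "pid": 2100, "ppid": 1200,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r"powershell.exe -File C:\Scripts\inventory.ps1"},
]

# Flags that hide the window, skip profiles, bypass policy or pass encoded code.
PS_FLAGS = ("-w hidden", "-windowstyle hidden", "-enc ", "-encodedcommand",
            "-nop", "-noprofile", "-ep bypass", "-executionpolicy bypass")
USER_WRITABLE = re.compile(r"\\(appdata|temp|programdata|users\\public)\\", re.I)
SYSTEM_LOOKALIKE = re.compile(r"\\(windows|system32|microsoft)\\", re.I)
DROPBOX_HOST = re.compile(r"(^|\.)dropbox(api)?\.com$", re.I)
EXPECTED_DROPBOX_CLIENTS = {"dropbox.exe"}  # constructed allowlist (assumption)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def hunt(events):
    """Return {pid: [reasons]} for every process that trips at least one rule."""
    procs = {e["pid"]: e for e in events if e["id"] == 1}
    findings = defaultdict(list)

    def parent_chain(pid, depth=3):
        # Walk up the parent links and collect image basenames, child first.
        names = []
        while pid in procs and len(names) < depth:
            names.append(basename(procs[pid]["image"]))
            pid = procs[pid].get("ppid")
        return names

    for e in events:
        if e["id"] == 1:
            name = basename(e["image"])
            cmd = e["cmd"].lower()
            if name == "powershell.exe":
                if parent_chain(e["pid"]) == ["powershell.exe", "cmd.exe", "explorer.exe"]:
                    findings[e["pid"]].append("explorer->cmd->powershell (shortcut-style launch)")
                if any(f in cmd for f in PS_FLAGS):
                    findings[e["pid"]].append("hidden/encoded/bypass PowerShell flags")
                if "\\syswow64\\" in e["image"].lower():
                    findings[e["pid"]].append("32-bit PowerShell from SysWOW64")
            elif name == "schtasks.exe" and "/create" in cmd:
                m = re.search(r'/tr\s+"?([^"]+)"?', e["cmd"], re.I)
                target = m.group(1) if m else ""
                if USER_WRITABLE.search(target):
                    reason = "scheduled task runs from user-writable path"
                    if SYSTEM_LOOKALIKE.search(target):
                        reason += " in a system-lookalike folder"
                    findings[e["pid"]].append(reason)
        elif e["id"] == 3:
            # Dropbox API traffic is only expected from the real Dropbox client.
            if DROPBOX_HOST.search(e["dest_host"]) and basename(e["image"]) not in EXPECTED_DROPBOX_CLIENTS:
                findings[e["pid"]].append(f"Dropbox traffic from {basename(e['image'])}")
    return dict(findings)


if __name__ == "__main__":
    for pid, reasons in hunt(EVENTS).items():
        print(pid, *reasons, sep="\n  ")
```

The benign Dropbox client and the administrator's PowerShell session produce no findings, while the shortcut‑launched chain accumulates several reasons on one process; scoring by count of reasons per process is a practical way to keep the Dropbox rule, which is noisy on its own, from paging anyone until it coincides with the launch pattern.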
Kimsuky’s focus on pharma and research
Kimsuky, also known as APT43 or Emerald Sleet, is a North Korean state‑sponsored group specializing in long‑term espionage against government, research, and critical industry targets.
The next stage is a PowerShell downloader, a script such as “opakib.ps1”, which uses the Dropbox API as a covert command‑and‑control (C2) channel.
opakib.ps1 content (Source: Kimsuky).
Past reporting shows North Korean operators repeatedly targeting pharmaceutical companies, particularly those involved in high‑value drug or vaccine development.
The use of Excel‑themed lures fits the group’s broader pattern of abusing everyday business formats (Office documents, PDFs, and now shortcut files) to steal sensitive intellectual property and strategic information.
By combining multi‑stage malware, living‑off‑the‑land binaries, and cloud services such as Dropbox, the attackers make detection and incident response significantly more difficult for defenders.
Security teams in pharmaceutical and life‑science organizations should treat unsolicited Excel or ERP‑related attachments as high‑risk, especially when delivered inside ZIP archives.
Enforcing display of full file extensions, blocking shortcut attachments at the email gateway, and monitoring for suspicious PowerShell executions from LNK files can disrupt this attack chain early.
Network defenders should also watch for abnormal Dropbox traffic from endpoints that do not normally use the service, as well as unexpected scheduled tasks or scripts created in temporary or masquerading system folders.
Combined with user awareness training for researchers and operations staff, these controls can help reduce the likelihood that North Korean operators successfully weaponize Excel‑style files to compromise drug companies’ critical data.
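The gateway control suggested above (blocking shortcut attachments and refusing to trust a displayed “.xlsx” name) can be implemented as a check on archive members. The script below is an added example written for this article, not a product rule or the researchers' code: it builds a constructed ZIP in memory, then flags members by blocked extension, by a document‑looking double extension, and by the Shell Link file header (HeaderSize 0x4C followed by the LinkCLSID 00021401‑0000‑0000‑C000‑000000000046), so that a renamed shortcut is caught even when its name ends in .xlsx. The member names, byte contents and extension lists are assumptions chosen for the demonstration.

```python
"""Screen ZIP attachments for shortcut files masquerading as Office documents.

Added example; the archive is constructed here, not a real sample.
"""
import io
import zipfile

# Shell Link header: HeaderSize 0x0000004C, then LinkCLSID
# 00021401-0000-0000-C000-000000000046 in little-endian GUID byte order.
LNK_MAGIC = bytes.fromhex("4c000000" "0114020000000000c000000000000046")

# Extensions that should never arrive as e-mail attachments (assumed policy).
BLOCKED_EXT = {".lnk", ".js", ".jse", ".vbs", ".vbe", ".hta", ".cmd", ".bat",
               ".exe", ".scr", ".ps1", ".wsf"}
DOC_EXT = {".xlsx", ".xls", ".docx", ".doc", ".pptx", ".pdf"}


def build_sample_archive():
    """Constructed attachment: one LNK with a double extension, one LNK renamed
    to .xlsx, and a harmless PDF-looking file. Bodies are padding, not real."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("White Life Science ERP Specification.xlsx.lnk", LNK_MAGIC + b"\x00" * 60)
        z.writestr("Production plan.xlsx", LNK_MAGIC + b"\x00" * 60)
        z.writestr("notes.pdf", b"%PDF-1.7\n% constructed placeholder\n")
    return buf.getvalue()


def extensions(member_name):
    """All dotted suffixes of the file name, lower-cased, e.g. ['.xlsx', '.lnk']."""
    parts = member_name.lower().rsplit("/", 1)[-1].split(".")
    return ["." + p for p in parts[1:]]


def screen_archive(data):
    """Return [(member_name, [reasons])] for every file member in the ZIP."""
    verdicts = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for info in z.infolist():
            if info.is_dir():
                continue
            reasons = []
            exts = extensions(info.filename)
            last = exts[-1] if exts else ""
            if last in BLOCKED_EXT:
                reasons.append(f"script/shortcut extension {last}")
            if len(exts) >= 2 and exts[-2] in DOC_EXT and last not in DOC_EXT:
                reasons.append(f"document-looking double extension {exts[-2]}{last}")
            # Content check: trust the header, not the name.
            with z.open(info) as f:
                head = f.read(len(LNK_MAGIC))
            if head.startswith(LNK_MAGIC):
                reasons.append("Shell Link (LNK) header regardless of name")
            verdicts.append((info.filename, reasons))
    return verdicts


def should_block(data):
    """True if any member of the archive tripped a rule."""
    return any(reasons for _, reasons in screen_archive(data))


if __name__ == "__main__":
    sample = build_sample_archive()
    for name, reasons in screen_archive(sample):
        print(name, "->", reasons or "clean")
    print("block attachment:", should_block(sample))
```

The header check matters because Windows Explorer never shows the .lnk suffix for shortcut files (the lnkfile type carries the NeverShowExt flag), so “show full extensions” alone does not reveal the lure to the recipient; inspecting content at the gateway closes that gap.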
