Kimsuky themes.js JavaScript dropper activity
Malware Activity
Summary
Kimsuky deployed a new JavaScript-based malware dropper in recent operations, extending its ability to execute commands, exfiltrate data, and persist through scheduled tasks. The initial payload is themes.js, which pulls additional code from attacker infrastructure before later stages run. The chain also uses an empty Word document as a decoy, indicating a covert delivery flow.
Related Happenings
Famous Chollima PromptMink supply-chain campaign targeting Web3 developers
Campaign
First: 29.04.2026 17:43
Last: 29.04.2026 17:43
Sources 1
About this happening:
The **PromptMink** campaign is widening **Famous Chollima**'s supply-chain intrusion playbook by pushing **tainted npm packages** into developer environments and stealing secrets....
Plain-crypto-js remote-access Trojan delivery
Malware Activity
First: 31.03.2026 23:55
Last: 31.03.2026 23:55
Sources 1
About this happening:
The malicious **plain-crypto-js** dependency delivered a **remote-access Trojan (RAT)** that can run on **Windows, Linux, and Mac**, extending the open-source supply-chain comprom...
Latest development: 04.04.2026 23:30
Google Threat Intelligence Group linked the Axios npm compromise to UNC1069, a financially motivated North Korea-nexus threat actor, based on the use of WAVESHAPER.V2 and overlaps with infrastructure artifacts used by UNC1069 in past activity. The Axios maintainers also wiped affected systems, reset all credentials, and are implementing changes to prevent similar incidents.
EtherHiding JADESNOW downloader malware activity
Malware Activity
First: 16.10.2025 17:00
Last: 16.10.2025 17:00
Sources 1
About this happening:
**North Korean** threat actor **UNC5342** is using **EtherHiding** to deliver malware for **cryptocurrency theft** in the **Contagious Interview** campaign. Google Threat Intellig...
Timeline
10.11.2025 22:29 · 2 articles · 6mo ago
Kimsuky deploys a new JavaScript dropper in Windows operations
Initial Disclosure
Kimsuky used a new JavaScript-based malware dropper in recent operations against Windows systems. The initial JavaScript file fetched additional code from attacker-controlled infrastructure, enabling command execution and data exfiltration. Later stages created a scheduled task to rerun the script every minute and opened an empty Word document as a decoy. The initial access path for this malware remained unknown.
Sources:
- Konni Hackers Turn Google’s Find Hub into a Remote Data-Wiping Weapon — thehackernews.com — 10.11.2025 22:29