In September 2025, the ENKI WhiteHat Threat Research Team detected a malicious mobile application distributed via phishing websites. The threat actor leveraged QR codes and notification pop-ups to lure victims into installing and executing the malware on their mobile devices.Our analysis confirms this sample as the latest iteration of "DOCSWAP," a malware strain originally named by S2W in March 2025. While this version retains the behavioral patterns of earlier variants, it implements a distinct internal APK decryption mechanism. Additionally, we uncovered multiple indicators connecting this activity to the DPRK-nexus threat actor, Kimsuky.Leveraging APK metadata and infrastructure overlaps, we identified three additional malicious applications and seven C&C servers. The threat actor designed each application with distinct decoy themes to deceive victims and evade suspicion.

Before diving into the React2Shell vulnerability, a light understanding of the concept of React Server Component, which may be somewhat unfamiliar to security personnel, and Prototype Pollution, which may be unfamiliar to developers, is needed.React Server Component & Flight ProtocolWhen providing web services, processing the web pages displayed to users entirely on the server side and providing the completed DOM is called Server-Side Rendering (SSR). In contrast, delivering only data in an API format and processing the actual DOM composition on the user's web browser (Client-side) is called Client-Side Rendering (CSR).CSR enables a richer web service experience and interaction by providing the skeletal structure of the page to the user, while all actual DOM composition is performed on the user's web browser. However, as frontend functionalities become increasingly complex, the amount of computations that the browser needs to handle has increased, leading to greater consumption of the user's device resources and decreased user experience due to performance degradation.To address these issues, React introduced React Server Components (RSC), which handle significant portions of rendering on the server rather than the client. RSC is a technology where the execution of React components occurs on the server side, and the execution results are rendered on the client. It is a concept that combines the existing SSR and CSR, rendering the state of the new page only up to the React Component form on the server, and allowing clients to render the components, thereby reducing client-side load.Although JSON is an excellent serialization format for handling data, it is unsuitable for dealing with complex React Components. To handle React Components appropriately, it must be able to process complex types and references such as Promise, Blob, and Map, beyond simple strings, dictionaries, and arrays. Therefore, RSC uses a unique protocol and serialization format called the Flight Protocol.ExpressionTypeExampleDescription$$Escaped $"$$hello" → "$hello"Literal string starting with $$@Promise/Chunk"$@0"Reference to chunk ID 0$FServer Reference"$F0"Server function reference$TTemporary Ref"$T"Opaque temporary reference$QMap"$Q0"Map object at chunk 0$WSet"$W0"Set object at chunk 0$KFormData"$K0"FormData at chunk 0FormData object$BBlob"$B0"Blob at chunk 0Blob object$nBigInt"$n123"BigInt value$DDate"$D2024-01-01"Date object$NNaN"$N"NaN value$IInfinity"$I"Infinity$--Infinity/-0"$-I" or "$-0"Negative infinity or negative zero$uundefined"$u"Undefined value$RReadableStream"$R0"ReadableStream$0-9a-fChunk Reference"$1", "$a"Reference to chunk by hex IDPrototype PollutionObjects in Javascript are quite distinct from the object style commonly known as 'object-oriented' in Java or C++. In Javascript, when objects are created, they are not inherited from a class but from another object. In other words, new objects do not clone from a specific template (Class) but expand their functionality based on another object they reference.In this inheritance structure, a Prototype is the parent object referred to by an object, and it is the target where a lookup continues for properties or methods not directly possessed by the object. For example, in Javascript, an array uses Array.prototype as its prototype, where methods like toString and push are implemented, allowing them to be used through the prototype.Due to this characteristic of Javascript, if a property can be set on a prototype object through any means, it can seem as if newly created objects have that property set. This act of polluting the prototype or accessing it inappropriately is called Prototype Pollution. It might be a somewhat unfamiliar concept at first, but it can be easily understood through the example code below, and we'll explore Prototype Pollution in more detail later.

Since the 2010s, KimJongRAT has continued to surface in the wild. First designated in 2013, KimJongRAT has been consistently attributed to DPRK-nexus threat actor Kimsuky.Recently, the attacker employed KimJongRAT variants that contain only data‑theft logic while omitting C&C communication logic, distributing two branches of malware: a PE executable and a PowerShell script. ENKI WhiteHat Threat Research Team has continuously tracked this activity, identifying new infrastructure and related campaigns by the same actor.During tracking, we obtained multiple phishing emails, confirming the use of social engineering to prompt execution. The attacker abused GitHub to distribute malware, selecting either a PE executable or a PowerShell script based on predefined criteria.caption - Overview of attacker activity