{
	"id": "f4e741d6-19ae-483f-8487-707ae97ee53a",
	"created_at": "2026-04-06T00:08:37.029685Z",
	"updated_at": "2026-04-10T03:37:40.813715Z",
	"deleted_at": null,
	"sha1_hash": "01228cb87ab39e3423f08332803aba9c4bd1816f",
	"title": "Kimsuky Threat Group Uses RDP to Control Infected Systems - ASEC",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 928591,
	"plain_text": "Kimsuky Threat Group Uses RDP to Control Infected Systems - ASEC\r\nBy ATCP\r\nPublished: 2023-10-15 · Archived: 2026-04-05 14:04:14 UTC\r\nKimsuky, a threat group known to be supported by North Korea, has been active since 2013. It initially attacked North Korea-related research institutes in South Korea, then a South Korean energy agency in 2014, and since 2017 organizations in other countries have also become targets. [1] The group usually launches spear phishing attacks against the national defense, diplomatic and academic sectors, the defense and media industries, and national organizations, with the goal of exfiltrating internal information and technology from its targets. [2]\r\nAfter initial access, Kimsuky usually installs backdoors to control the infected system or infostealers to exfiltrate sensitive information from it. Besides open-source-based malware such as xRAT (Quasar RAT) and malware the group develops itself, the group also uses legitimate tools to control infected systems.\r\nIt is characteristic of the group to combine this malware with various tools that support remote control. The most commonly used method of remote control is Remote Desktop Protocol (RDP). In environments without RDP, the open-source tool RDP Wrapper is installed. Once RDP is available, a user account is added for RDP access, or additional malware is used to conceal the added account and to enable multiple RDP sessions. [3] [4]\r\nAside from RDP, there have been cases where TinyNuke (public malware) or TightVNC (an open-source VNC tool) was customized and used in attacks. VNC (Virtual Network Computing) is a screen-sharing system that, like RDP, remotely controls other computers. 
[5] Besides these, there are also cases where Chrome Remote Desktop, a feature of the Google Chrome web browser, was used to control the infected system. [6]\r\nIn this post, we cover the latest cases in which the Kimsuky group installed BabyShark through presumed spear phishing attacks and then installed various RDP-related malware strains. The tools used in these attacks have features similar to those seen in past cases, but judging from their PDB information they appear to have been built recently for these attacks.\r\nhttps://asec.ahnlab.com/en/57873/\r\nPage 1 of 12\n\nAnother new piece of malware was also discovered; the name the threat actor gave it when building it was “RevClient”. It receives commands from the C\u0026C server and, depending on the command, adds user accounts or enables port forwarding.\r\n1. Initial Access\r\nWhile the initial distribution method has not been confirmed, spear phishing is presumed to have been used. The file “hwp.bat” had been run on the infected system, as in the case covered in the ASEC Blog post “Malicious Batch File (*.bat) Disguised as a Document Viewer Being Distributed (Kimsuky)”. [7] That BAT malware checks for antivirus products using WMIC commands and then installs script-type malware.\r\nAfter the initial infection, the threat actor continuously exfiltrated information from the infected system while rotating malware and C\u0026C server addresses. The main malware installed includes the keylogger “k.ps1” and the file “OneNote.vbs”, which executes “k.ps1”. 
The file “k.ps1” saves the logged keystrokes in the file “%APPDATA%\\k.log”.\r\nBesides these, “pow.ps1”, a loader, and “desktop.r7u”, an encoded data file, were also identified. “pow.ps1” decrypts the file at “%APPDATA%\\Microsoft\\desktop.r7u” and executes it in memory. The decrypted “desktop.r7u” is an injector: if the file “desktop.r3u” exists in the same path, the injector decrypts it and injects it into “MSBuild.exe”, a legitimate program. The file could not be obtained, but in similar past attacks the decrypted “desktop.r3u” was xRAT, and a report by Huntress stated that KimJongRAT was used. [8]\r\n2. Installing Additional Payloads\r\nThe BabyShark C\u0026C server address changed after a certain period, which shows that the threat actor kept updating BabyShark after its initial installation. Although information can be collected from the infected system with BabyShark alone, the threat actor afterwards installed RDP-related malware as well.\r\n2.1. Injector\r\nAmong the installed malware, “process.exe” is almost identical to the decrypted “desktop.r7u” covered above, i.e., the injector. 
Similarities can be seen when comparing the PDB paths of the two samples.\r\nPDB path of the decrypted desktop.r7u: H:\\Hollow\\csharp process hollowing_complete_offset\\csharp process hollowing_complete_offset\\process\\process\\obj\\x86\\Release\\process.pdb\r\nPDB path of process.exe: G:\\0726_Rev_hollowing\\csharp process hollowing_complete_offset\\process\\process\\obj\\x86\\Release\\process.pdb\r\nThe differences are that the decryption target is the file “CustomVerification.DIC” in the %APPDATA% path and that the target process for injection is “powershell_ise.exe”. Although the file “CustomVerification.DIC” could not be identified, it is likely one of the malware families the Kimsuky group frequently uses, since xRAT was used in attacks around the same time.\r\n2.2. Changing the RDP Service\r\nIn addition, the threat actor installed a piece of malware named “multiple.exe”. It adds user accounts, enables RDP, and also enables multiple sessions. The malware first stops the RDP service and takes permission to modify “termsrv.dll”, the module that implements the service. It then renames “termsrv.dll” to “termsrv.pdb” and copies a “termsrv.dll” that was already staged in the %APPDATA% path into %SystemDirectory%.\r\nOrdinarily, Windows desktop editions support only one interactive session over RDP, unlike servers. Because a single session is supported per system regardless of which user account is used, when the threat actor connects remotely, the existing user’s session is disconnected. 
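The file swap just described leaves traces a responder can check for, and the article quotes the exact CDefPolicy::Query() byte sequences of the legitimate and patched “termsrv.dll” further on. The following Python is an added example, not code from the ASEC post or from multiple.exe: it classifies a termsrv.dll image by those byte sequences and looks for the renamed original and the staged copy. The wildcarded-offset pattern and the directory arguments are assumptions made for illustration.

```python
import os
from pathlib import Path

# Added example, not code from the ASEC post or from multiple.exe: triage the
# termsrv.dll swap described in section 2.2. The two 12-byte sequences are the
# ones the article quotes for CDefPolicy::Query(); the wildcard variant is an
# assumption, not something the post states.

# Legitimate routine (as quoted): cmp [ecx+63Ch], eax ; jz <rel32>
LEGIT_QUERY = bytes.fromhex('39 81 3C 06 00 00 0F 84 E7 43 01 00')

# Patched routine (as quoted): mov eax, 100h ; mov [ecx+638h], eax ; nop
PATCHED_QUERY = bytes.fromhex('B8 00 01 00 00 89 81 38 06 00 00 90')

# Same patch with the two offset bytes wildcarded (None), because the field
# offset inside CDefPolicy differs between Windows builds. Assumed pattern.
PATCHED_QUERY_ANY_OFFSET = [0xB8, 0x00, 0x01, 0x00, 0x00, 0x89, 0x81,
                            None, None, 0x00, 0x00, 0x90]


def find_pattern(data, pattern):
    '''Offset of the first match of pattern (ints, None = wildcard) in data, or -1.'''
    n = len(pattern)
    for i in range(len(data) - n + 1):
        if all(p is None or data[i + j] == p for j, p in enumerate(pattern)):
            return i
    return -1


def classify_termsrv(data):
    '''Return 'patched', 'legitimate' or 'unknown' for a termsrv.dll image.

    'unknown' means neither sequence was found (for example a Windows build the
    article did not cover); it is not a clean bill of health.'''
    if PATCHED_QUERY in data or find_pattern(data, PATCHED_QUERY_ANY_OFFSET) != -1:
        return 'patched'
    if LEGIT_QUERY in data:
        return 'legitimate'
    return 'unknown'


def swap_artifacts(system32_dir, appdata_dir):
    '''Filesystem traces of the swap: the renamed original (termsrv.pdb next to
    termsrv.dll) and the replacement staged in %APPDATA% before being copied.'''
    findings = []
    if (Path(system32_dir) / 'termsrv.pdb').is_file():
        findings.append('termsrv.pdb present in System32 (renamed original DLL)')
    if (Path(appdata_dir) / 'termsrv.dll').is_file():
        findings.append('termsrv.dll staged in APPDATA')
    return findings


def hunt(system32_dir, appdata_dir):
    '''Run both checks against the given directories and return the findings.'''
    findings = swap_artifacts(system32_dir, appdata_dir)
    dll = Path(system32_dir) / 'termsrv.dll'
    if dll.is_file():
        findings.append('termsrv.dll is ' + classify_termsrv(dll.read_bytes()))
    return findings


if __name__ == '__main__':
    # On a live Windows host the directories come from the environment;
    # elsewhere the checks simply report nothing.
    system32 = Path(os.environ.get('SystemRoot', 'C:/Windows')) / 'System32'
    appdata = os.environ.get('APPDATA', '')
    for line in hunt(system32, appdata):
        print(line)
```

A byte match is only a first pass: a full check would also verify the Authenticode signature of the on-disk termsrv.dll (Get-AuthenticodeSignature in PowerShell) and compare its hash with the copy in the component store, because a swapped file fails both regardless of which build the attacker patched.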
Mimikatz and other tools used by the Kimsuky group bypass this limitation by patching the memory of the running RDP service process. The malware currently used in attacks, however, simply replaces the legitimate “termsrv.dll” on disk with a pre-patched copy. Comparing the “termsrv.dll” staged by the threat actor in the %APPDATA% path with the legitimate file shows that the CDefPolicy::Query() routine has been patched:\r\nCDefPolicy::Query() routine of the legitimate termsrv.dll: 39 81 3C 06 00 00 0F 84 E7 43 01 00\r\nCDefPolicy::Query() routine of the patched termsrv.dll: B8 00 01 00 00 89 81 38 06 00 00 90\r\nThe legitimate bytes compare a field of the policy object against the value in EAX and conditionally jump; the patched bytes instead store the constant 0x100 into a field of the object and replace the jump with a nop, so the check that limits desktop editions to a single session no longer applies. Because the sequence contains a build-specific jump displacement and field offset, a pre-patched copy only fits the Windows build it was prepared for.\r\nAt this stage, an account named “IIS_USER” is created and added to the Administrators group to be used for controlling the infected system. A newly added account is normally visible on the logon screen, so the system user could notice it. To prevent this, the malware registers “IIS_USER” under the SpecialAccounts\\UserList registry key, which hides it from the logon screen.\r\nPDB path of multiple.exe – 1: Z:\\5-program\\multiple\\multisession_complete\\multisession_complete\\Release\\x64\\Multisession.pdb\r\nPDB path of multiple.exe – 2: G:\\0711_uac_multiple_work\\multisession_complete\\multisession_complete\\x64\\Release\\Multisession.pdb\r\n2.3. RevClient\r\nRevClient is RDP-related malware that operates by receiving commands from the C\u0026C server; depending on the command it performs user-account tasks or port forwarding. The following is the configuration data of the RevClient used in these attacks. The malware version is “1.0”, and, characteristically, it uses the string “ZhengReversePC” as its mutex name. 
The actual configuration data is stored in the string “AllSettings”, encoded in Base64.\r\nDecoding the Base64 string reveals the other configuration data.\r\nTable 1. Configuration data of RevClient\r\n  Version            “1.0”\r\n  Mutex              “ZhengReversePC”\r\n  Host IP            5.61.59[.]53\r\n  Host port          0\r\n  MSTSC (RDP) IP     127.0.0.2\r\n  MSTSC (RDP) port   3389\r\n  Main (C\u0026C) port   2086\r\nThe C\u0026C address is formed by combining the host IP address and the main port, and a connection is made to it. Basic information about the infected system is then collected and sent, and settings or commands are received in response.\r\nC\u0026C address: 5.61.59[.]53:2086\r\nTable 2. Data transferred to the C\u0026C server\r\n  Signature string                        “NAT”\r\n  Information about the infected system   [User Name]@[PC Name], encoded in Base64\r\n  OS information                          OS information\r\n  Version                                 “1.0”\r\n  Host port                               0 at first; later the value received from the C\u0026C server\r\nThe response is split into four fields using “;” as the separator, and each command uses a fixed subset of them. The first response is believed to carry the host port number (the fourth field); subsequent responses carry the command number (the third field) together with any additional data.\r\nTable 3. Command structure\r\n  User account name       Used for adding or deleting user accounts (Base64-encoded)\r\n  User account password   Used for adding user accounts (Base64-encoded)\r\n  Command                 Command number\r\n  Host port               Port number for port forwarding\r\nTable 4. List of commands\r\n  100   Start port forwarding\r\n  200   Delete user account\r\n  300   Add and conceal user account\r\n  400   Terminate port forwarding and reset the host port\r\n  500   Terminate port forwarding\r\nWhen command “100” is received, the previously received host port is used: a connection is made to 5.61.59[.]53:(Host Port), and that connection is then linked to 127.0.0.2:3389. RDP-related port forwarding tools like this are generally used because the threat actor cannot reach a host behind NAT directly from outside. The infected host therefore first connects out to the threat actor’s address (a reverse connection), then connects to its own RDP port, and relays traffic between the two.\r\nRevClient also implements a NewConcurrentRDPatcher() function with features similar to those of “multiple.exe” above. The difference is that, whereas “multiple.exe” swaps in a pre-patched “termsrv.dll”, NewConcurrentRDPatcher() patches the file in place according to the Windows version. There is no code path that calls NewConcurrentRDPatcher() in this sample; other versions of RevClient presumably invoke it through a C\u0026C command or in their initialization routine.\r\n3. Conclusion\r\nThe Kimsuky threat group continuously abuses RDP to control infected systems and exfiltrate information. RDP can also be used for initial access through brute-force and dictionary attacks, or during lateral movement. 
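Returning to the RevClient command protocol of section 2.3 (Tables 1 to 4), the following Python is an added example, not RevClient’s own code: it decodes C\u0026C responses into the four fields of Table 3 and models what the client does with each command of Table 4, so that responses recovered from traffic or memory can be read. The field order, the “;” separator, the command numbers and the configuration values are from the post; leaving unused fields empty, the helper that composes responses, and the account names used in the test are assumptions. The relay is represented as state rather than opened as real sockets.

```python
import base64

# Added example, not RevClient's own code: decoder for the C&C responses of
# Table 3 plus a state model of the commands of Table 4. Field order, the ';'
# separator, command numbers and configuration values come from the post;
# leaving unused fields empty is an assumption about the wire format.

C2_HOST = '5.61.59.53'            # Host IP from the configuration (Table 1)
RDP_TARGET = ('127.0.0.2', 3389)  # MSTSC IP and port from the configuration

COMMANDS = {
    100: 'start port forwarding',
    200: 'delete user account',
    300: 'add and conceal user account',
    400: 'terminate port forwarding and reset host port',
    500: 'terminate port forwarding',
}


def decode_field(value):
    '''Base64-decode a user name or password field; an empty field stays empty.'''
    return base64.b64decode(value).decode('utf-8') if value else ''


def parse_response(raw):
    '''Split one response into the four fields of Table 3.'''
    parts = raw.split(';')
    if len(parts) != 4:
        raise ValueError('expected 4 fields separated by ; but got %d' % len(parts))
    user, password, command, host_port = parts
    return {
        'user': decode_field(user),
        'password': decode_field(password),
        'command': int(command) if command else None,
        'host_port': int(host_port) if host_port else 0,
    }


def build_response(user='', password='', command=None, host_port=0):
    '''Compose a response the way the C&C would (inverse of parse_response).'''
    def enc(s):
        return base64.b64encode(s.encode('utf-8')).decode('ascii') if s else ''
    return ';'.join([enc(user), enc(password),
                     '' if command is None else str(command), str(host_port)])


class RevClientSession:
    '''Client-side state driven by decoded responses.'''

    def __init__(self):
        self.host_port = 0   # sent as 0 in the first beacon (Table 2)
        self.relay = None    # ((C2 host, host port), (RDP ip, port)) while forwarding
        self.accounts = {}   # accounts the client would have created
        self.log = []

    def apply(self, resp):
        cmd = resp['command']
        if resp['host_port']:
            self.host_port = resp['host_port']
        if cmd is None:
            self.log.append('host port set to %d' % self.host_port)
        elif cmd == 100:
            if self.host_port == 0:
                # Edge case: no host port has been received yet, nothing to dial.
                self.log.append('command 100 without a host port; ignored')
                return self
            # Reverse connection to C2:(host port), linked to the local RDP port.
            self.relay = ((C2_HOST, self.host_port), RDP_TARGET)
            self.log.append('relay %s:%d <-> %s:%d' % (C2_HOST, self.host_port,
                                                      RDP_TARGET[0], RDP_TARGET[1]))
        elif cmd == 200:
            self.accounts.pop(resp['user'], None)
            self.log.append('deleted account %s' % resp['user'])
        elif cmd == 300:
            self.accounts[resp['user']] = {'password': resp['password'], 'hidden': True}
            self.log.append('added hidden account %s' % resp['user'])
        elif cmd == 400:
            self.relay = None
            self.host_port = 0
            self.log.append('relay stopped, host port reset')
        elif cmd == 500:
            self.relay = None
            self.log.append('relay stopped')
        else:
            self.log.append('unknown command %s' % cmd)
        return self
```

Fed with responses in the order the post describes (host port first, then commands), the session ends up with a hidden account and a relay entry that names exactly the two endpoints RevClient links: the threat actor’s host port on 5.61.59[.]53 and the local RDP listener on 127.0.0.2:3389. The same parser can be pointed at strings carved from a packet capture of port 2086 traffic.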
Because RDP is a service that comes pre-installed on Windows systems, adequate management is needed to detect or prevent such incidents.\r\nUsers should refrain from opening attachments in suspicious emails and, when installing external software, obtain it from the official website. Users should also set complex passwords for their accounts and change them periodically.\r\nV3 should also be kept updated to the latest version to block malware infections in advance. In addition to endpoint security products (V3), sandbox-based APT solutions such as MDS should be deployed to prevent damage from cyberattacks.\r\nThe AhnLab MDS sandbox detects the malware that patches RDP and enables multiple sessions under the detection name “Execution/MDP.Command.M10645”.\r\nFile Detection\r\n– Trojan/Win.Agent.C5502241 (2023.10.08.03)\r\n– Trojan/Win.Injector.C5502245 (2023.10.08.03)\r\n– Backdoor/Win.RevClient.R609964 (2023.10.08.03)\r\n– Trojan/Win.Agent.R5502241 (2023.10.08.03)\r\n– Backdoor/PowerShell.XRatLoader.SC192386 (2023.09.13.00)\r\n– Trojan/VBS.KeylogLoader.SC192383 (2023.09.13.00)\r\n– Keylogger/PowerShell.Agent (2023.09.13.00)\r\n– Data/BIN.Encoded (2023.09.13.00)\r\nBehavior Detection\r\n– Execution/MDP.Command.M10645\r\nAMSI Detection\r\n– Trojan/Win.Injector.C5485760\r\nMD5\r\n02804d632675b2a3711e19ef217a2877\r\n0d6717c3fa713c5f5f5cb0539b94b84f\r\n0d691673af913dc0942e55548f6e2e4e\r\n116a71365b83cc38211ccfc8059b363e\r\n2dbe8e89310b42e295bfdf3aad955ba9\r\nURL\r\nhttp[:]//5[.]61[.]59[.]53[:]2086/\r\nhttps[:]//onessearth[.]online/up/upload_dotm[.]php\r\nhttps[:]//powsecme[.]co/up/upload_dotm[.]php\r\nAdditional IOCs are available on AhnLab TIP.\r\nSource: https://asec.ahnlab.com/en/57873/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA",
		"MISPGALAXY"
	],
	"references": [
		"https://asec.ahnlab.com/en/57873/"
	],
	"report_names": [
		"57873"
	],
	"threat_actors": [
		{
			"id": "191d7f9a-8c3c-442a-9f13-debe259d4cc2",
			"created_at": "2022-10-25T15:50:23.280374Z",
			"updated_at": "2026-04-10T02:00:05.305572Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"Kimsuky",
				"Black Banshee",
				"Velvet Chollima",
				"Emerald Sleet",
				"THALLIUM",
				"APT43",
				"TA427",
				"Springtail"
			],
			"source_name": "MITRE:Kimsuky",
			"tools": [
				"Troll Stealer",
				"schtasks",
				"Amadey",
				"GoBear",
				"Brave Prince",
				"CSPY Downloader",
				"gh0st RAT",
				"AppleSeed",
				"Gomir",
				"NOKKI",
				"QuasarRAT",
				"Gold Dragon",
				"PsExec",
				"KGH_SPY",
				"Mimikatz",
				"BabyShark",
				"TRANSLATEXT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "760f2827-1718-4eed-8234-4027c1346145",
			"created_at": "2023-01-06T13:46:38.670947Z",
			"updated_at": "2026-04-10T02:00:03.062424Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"G0086",
				"Emerald Sleet",
				"THALLIUM",
				"Springtail",
				"Sparkling Pisces",
				"Thallium",
				"Operation Stolen Pencil",
				"APT43",
				"Velvet Chollima",
				"Black Banshee"
			],
			"source_name": "MISPGALAXY:Kimsuky",
			"tools": [
				"xrat",
				"QUASARRAT",
				"RDP Wrapper",
				"TightVNC",
				"BabyShark",
				"RevClient"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c8bf82a7-6887-4d46-ad70-4498b67d4c1d",
			"created_at": "2025-08-07T02:03:25.101147Z",
			"updated_at": "2026-04-10T02:00:03.846812Z",
			"deleted_at": null,
			"main_name": "NICKEL KIMBALL",
			"aliases": [
				"APT43",
				"ARCHIPELAGO",
				"Black Banshee",
				"Crooked Pisces",
				"Emerald Sleet",
				"ITG16",
				"Kimsuky",
				"Larva-24005",
				"Opal Sleet",
				"Ruby Sleet",
				"SharpTongue",
				"Sparking Pisces",
				"Springtail",
				"TA406",
				"TA427",
				"THALLIUM",
				"UAT-5394",
				"Velvet Chollima"
			],
			"source_name": "Secureworks:NICKEL KIMBALL",
			"tools": [
				"BabyShark",
				"FastFire",
				"FastSpy",
				"FireViewer",
				"Konni"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "71a1e16c-3ba6-4193-be62-be53527817bc",
			"created_at": "2022-10-25T16:07:23.753455Z",
			"updated_at": "2026-04-10T02:00:04.73769Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"APT 43",
				"Black Banshee",
				"Emerald Sleet",
				"G0086",
				"G0094",
				"ITG16",
				"KTA082",
				"Kimsuky",
				"Larva-24005",
				"Larva-25004",
				"Operation Baby Coin",
				"Operation Covert Stalker",
				"Operation DEEP#DRIVE",
				"Operation DEEP#GOSU",
				"Operation Kabar Cobra",
				"Operation Mystery Baby",
				"Operation Red Salt",
				"Operation Smoke Screen",
				"Operation Stealth Power",
				"Operation Stolen Pencil",
				"SharpTongue",
				"Sparkling Pisces",
				"Springtail",
				"TA406",
				"TA427",
				"Thallium",
				"UAT-5394",
				"Velvet Chollima"
			],
			"source_name": "ETDA:Kimsuky",
			"tools": [
				"AngryRebel",
				"AppleSeed",
				"BITTERSWEET",
				"BabyShark",
				"BoBoStealer",
				"CSPY Downloader",
				"Farfli",
				"FlowerPower",
				"Gh0st RAT",
				"Ghost RAT",
				"Gold Dragon",
				"GoldDragon",
				"GoldStamp",
				"JamBog",
				"KGH Spyware Suite",
				"KGH_SPY",
				"KPortScan",
				"KimJongRAT",
				"Kimsuky",
				"LATEOP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Lovexxx",
				"MailPassView",
				"Mechanical",
				"Mimikatz",
				"MoonPeak",
				"Moudour",
				"MyDogs",
				"Mydoor",
				"Network Password Recovery",
				"PCRat",
				"ProcDump",
				"PsExec",
				"ReconShark",
				"Remote Desktop PassView",
				"SHARPEXT",
				"SWEETDROP",
				"SmallTiger",
				"SniffPass",
				"TODDLERSHARK",
				"TRANSLATEXT",
				"Troll Stealer",
				"TrollAgent",
				"VENOMBITE",
				"WebBrowserPassView",
				"xRAT"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434117,
	"ts_updated_at": 1775792260,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/01228cb87ab39e3423f08332803aba9c4bd1816f.pdf",
		"text": "https://archive.orkl.eu/01228cb87ab39e3423f08332803aba9c4bd1816f.txt",
		"img": "https://archive.orkl.eu/01228cb87ab39e3423f08332803aba9c4bd1816f.jpg"
	}
}