{
	"id": "80b2eea8-9b4f-44f1-87e7-e729d31abd9e",
	"created_at": "2026-04-06T00:21:15.23816Z",
	"updated_at": "2026-04-10T03:37:41.21443Z",
	"deleted_at": null,
	"sha1_hash": "0ee14bd188922afd7aa56b2bced2e8ce344ecd61",
	"title": "DPRK’s Playbook: Kimsuky’s HttpTroy and Lazarus’s New BLINDINGCAN Variant",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 5090148,
	"plain_text": "DPRK’s Playbook: Kimsuky’s HttpTroy and Lazarus’s New\r\nBLINDINGCAN Variant\r\nBy Alexandru-Cristian Bardaș, Threat Analysis Engineer\r\nArchived: 2026-04-05 19:05:02 UTC\r\nIn recent weeks, our Threat Labs researchers have uncovered two new toolsets that show just how adaptive the\r\nDPRK’s operations have become. Kimsuky, known for its espionage-style campaigns, deployed a new backdoor\r\nwe’ve named HttpTroy, while Lazarus introduced an upgraded version of its BLINDINGCAN remote access\r\ntool. \r\nBoth attacks reveal the same underlying pattern: stealthy code and layered obfuscation. In this post, we’ll break\r\ndown how these tools work, what they target and what defenders can learn from the latest moves inside the DPRK\r\nplaybook. \r\nInside DPRK’s Latest Campaigns: How Kimsuky and Lazarus Refine Their\r\nPlaybook \r\nThe Kimsuky attack targeted a single victim in KR and started with a ZIP file that looked like a VPN invoice, then\r\nquietly installed tools that let attackers move files, take screenshots and run commands. The chain has three steps:\r\na small dropper, a loader called MemLoad, and the final backdoor, named “HttpTroy”. We see several signs that\r\npossibly tie this activity to Kimsuky: the Korean language lure, an AhnLab-style scheduled task name and\r\ncommand patterns seen in past Kimsuky work. \r\nThe Lazarus attack targeted two victims in CA and was caught in the middle of the attack chain, where we\r\nobserved a new version of the Comebacker malware leading to a new variant of their BLINDINGCAN remote\r\naccess tool. \r\nWe’ll explain how these attacks work in plain terms, why North Korea-aligned groups use these tricks, and simple\r\nsteps you can take to avoid similar threats. \r\nQuick takeaways for readers: do not open any attachments you did not expect, treat .scr files as programs, not\r\ndocuments, and keep your security software on and updated. 
\r\nDiving into the Kimsuky attack: MemLoad and HttpTroy \r\nThe Initial dropper \r\nWhile the exact delivery mechanism remains unknown, telemetry indicates that the sample was obtained via an\r\ninternet download, packaged within a ZIP archive named “250908_A_HK이노션_SecuwaySSL VPN Manager\r\nU100S 100user_견적서”. Given the nature of the filename, it is highly probable that the archive was distributed\r\nthrough a phishing email. \r\nhttps://www.gendigital.com/blog/insights/research/dprk-kimsuky-lazarus-analysis\r\nPage 1 of 15\n\nContained within the archive is a “.scr” file bearing the same name. Execution of this file initiates the entire\r\ninfection chain. \r\nThis initial sample is a lightweight Go binary containing 3 embedded files. These files are decrypted using a\r\nsimple XOR operation with the key “0x39”, then written to disk and executed. To maintain user deception, the\r\nbinary displays a decoy PDF document showing a fake bill for VPN services, while simultaneously\r\nregistering the next stage backdoor as a COM server using “regsvr32.exe”. See below an image of the decoy PDF\r\nand the decompiled code that decrypts it. \r\nStage 1 backdoor: Memload_V3 \r\nThe first backdoor, internally identified as Memload_V3 (“Memload_V3.dll”), performs 2 primary functions: \r\n1. Re-registering the “AhnlabUpdate” scheduled task \r\nUsing COM interfaces instantiated via the Windows API “CoCreateInstance”, the backdoor re-creates a scheduled\r\ntask named “AhnlabUpdate”, impersonating one of the more prevalent anti-virus products in the Korean region to avoid\r\nsuspicion. This task is configured to execute the current DLL silently using the command “regsvr32.exe /s\r\n\u003cCURRENT_FILENAME\u003e”. The task is then set to repeat every minute, using the “PT1M” repetition pattern. \r\n2. 
Decrypting and executing the final payload \r\nAfter establishing persistence, Memload_V3 proceeds to decrypt the third file dropped by the initial sample. The\r\ndecryption algorithm used is RC4, and once decrypted, the payload is loaded directly into memory. Execution is\r\nthen triggered via its exported function named “hello”.\r\nFinal payload: HttpTroy backdoor \r\nThe final stage of the attack chain is a highly obfuscated backdoor, internally named HttpTroy\r\n(“httptroy_dll.dll”). This component grants the attackers full control over the compromised system, offering a\r\nwide range of capabilities: \r\nFile upload and download\r\nScreenshot capture and exfiltration\r\nCommand execution with elevated privileges\r\nLoading an executable in memory\r\nReverse shell\r\nProcess termination and trace removal \r\nHttpTroy employs multiple layers of obfuscation to hinder analysis and detection. API calls are concealed using\r\ncustom hashing techniques, while strings are obfuscated through a combination of XOR operations and SIMD\r\ninstructions. \r\nNotably, the backdoor avoids reusing API hashes and strings. Instead, it dynamically reconstructs them during\r\nruntime using varied combinations of arithmetic and logical operations, further complicating static analysis. \r\nThe HttpTroy backdoor communicates with its command-and-control server exclusively via HTTP POST\r\nrequests. All transmitted data (both commands and responses) is obfuscated using a two-step process: XOR\r\nencryption with the key 0x56, followed by Base64 encoding. Each query to the C2 has a specific ID and is\r\nfollowed by buffers of interest, all formatted in a single special string. Commands received from the server follow\r\na simple structure: “\u003ccommand\u003e \u003cparameters\u003e”. 
\r\nAfter executing a command, the backdoor reports the result to the C2 using ID 2: \r\nok - Successful execution\r\nfail - Execution failed\r\nconnect ok - Successful reverse shell connection \r\nTo request a new command from the C2, the backdoor sends a query with ID 1. \r\nBelow, you can see an example flow of a command in decompiled code, together with the decryption flow of a\r\nresponse from the server for the “down” command: \r\nIndicators of compromise \r\nSCR file: e19ce3bd1cbd980082d3c55a4ac1eb3af4d9e7adf108afb1861372f9c7fe0b76 \r\nMemload_V3: 20e0db1d2ad90bc46c7074c2cc116c2c08a8183f3ac6f357e7ebee0c7cc02596 \r\nHttpTroy: 10c3b3ab2e9cb618fc938028c9295ad5bdb1d836b8f07d65c0d3036dbc18bbb4 \r\nC2: hxxp[://]load[.]auraria[.]org/index[.]php \r\nUser-agent (wide-string): Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like\r\nGecko) Chrome/79.0.3945.130 Safari/537.36 \r\nMutexes: \r\na:fnjiuygredfgbbgfcvhutrv \r\nu:fnjiuygredfgbbgfcvhutrv \r\nAnalysis of the Lazarus Attack: the comeback of Comebacker and the new\r\nBLINDINGCAN variant \r\nComebacker, yet again \r\nDuring routine threat monitoring, our team identified a sample indicative of a new variant of the previously\r\ndocumented Comebacker malware, which is attributed to the Lazarus APT group. While our telemetry captures\r\nthe infection chain from this stage onward, the initial access vector remains unclear. However, based on the\r\nabsence of any exploited vulnerabilities, we assess with moderate confidence that the initial compromise likely\r\noriginated from a phishing email. 
\r\nWe observed two closely related instances of the Comebacker malware: \r\nA DLL variant located at “C:\\ProgramData\\comms.bin” (internally named\r\n“NetSvcInst_v1_Rundll32.dll”, using the exported function “InfoHook”)\r\nAn EXE variant located at “C:\\ProgramData\\Comms\\ssh.bin” \r\nThe DLL sample appears to have been executed via a Windows service, whereas the EXE variant was launched\r\nthrough cmd.exe, suggesting a different execution context. \r\nDespite their differing formats, both variants share identical functionality. Their primary objectives include: \r\nValidating execution via a specific command-line parameter\r\nDecrypting embedded payloads\r\nConfiguring registry entries\r\nDeploying the next-stage payload as a service \r\nThe dropper's behavior can be summarized in the following stages: \r\n1. Dynamic function resolution \r\nPrior to payload execution, the malware dynamically resolves API functions from system DLLs. This is achieved\r\nby XOR-decrypting hardcoded strings using a PRNG-like stream.\r\n2. Parameter validation \r\nExecution is gated by the presence of specific command-line arguments. The DLL variant expects\r\n\"up45V3FR9ee9\", while the EXE variant requires \"760H33ls9L5S\". If the parameters are incorrect, the malware\r\nterminates. \r\n3. Service name selection \r\nThe malware enumerates the “REG_MULTI_SZ” entries under “HKLM\\SOFTWARE\\Microsoft\\Windows\r\nNT\\CurrentVersion\\Svchost\\netsvcs”, identifying service names that are listed but not yet registered under\r\n“HKLM\\SYSTEM\\CurrentControlSet\\Services”. A random candidate is then selected and reused as both the\r\nservice name and the name of the service DLL. \r\nFor some of the string decryption processes, it uses the HC256 stream cipher, while for others it uses RC4. \r\n4. 
Timestamp logging \r\nThe malware writes the current local time to “C:\\Windows\\system32\\AppxProvision.xml” using the format\r\n“[%04d-%02d-%02d %02d:%02d:%02d] %s\\n”, appending the chosen service name. It then modifies the\r\nfile’s attributes to mimic those of win32k.sys.\r\n5. Payload deployment and configuration \r\nThe embedded PE file is decrypted using HC256, then decompressed via zlib, and written into a decoy file in the\r\ncurrent directory named “kjepl.xml”. To obfuscate its true size, random data is appended at the end. The file is\r\nthen moved via “cmd.exe” to “C:\\Windows\\system32\\\u003cSERVICE_NAME\u003e.dll”, and its attributes are altered\r\nsimilarly to the timestamp file, but this time it mimics “cmd.exe”. \r\nSubsequently, the embedded configuration is decrypted using HC256, re-encrypted using RC4 and stored as a\r\nbinary blob in the registry under “HKLM\\SYSTEM\\ControlSet001\\Services\\kbddes\\GUID”. The\r\nconfiguration includes potential C2 addresses, the path to cmd.exe, the path to the dropped DLL, %TEMP%, and\r\na special integrity-check value. \r\n6. Service execution \r\nFinally, the malware registers and starts a service using the randomly selected name, thereby initiating the next\r\nstage of the attack. \r\nSecond stage: Compcat_v1.dll \r\nBoth observed variants of the Comebacker dropper deploy the same service binary, internally named\r\n“Compcat_v1.dll”. This component serves a singular purpose: it acts as a wrapper for the final payload. \r\nUpon execution, it decrypts an embedded PE file using the HC256 stream cipher. The decrypted data is then\r\ndecompressed using the miniz library, a lightweight zlib-compatible implementation. 
The resulting PE is loaded\r\ndirectly into memory, employing a technique similar to that used by the aforementioned MemLoad sample. \r\nOnce the payload is successfully mapped into memory, the malware invokes the exported function\r\n“OPENSLL_NONPIC”, thereby initiating the execution of the final stage. \r\nFinal payload: new variant of BLINDINGCAN \r\nAs the final payload, the attackers employed a new variant of their BLINDINGCAN remote access tool, improved\r\nwith additional cryptographic elements and more capabilities. Internally named “T_DLL64.dll”, it acts as a\r\ncomplete suite for attackers, offering them the possibility to perform any action they desire. \r\nThe backdoor has 2 operating modes, which are dictated by the parameter passed to the main function: \r\n13398 – config stored in a file\r\n13399 – config stored in registry \r\nApart from the “OPENSSL_NONPIC” export, this sample exports another function, called “MemLoad”, which\r\nuses the other operating mode (13398). \r\nThe malware’s execution begins by dynamically loading APIs, using the same techniques as in the previous cases.\r\nIt then moves on to loading the configuration, picking a C2 at random and attempting to connect to it. \r\nNext, it attempts to authenticate itself within the chosen C2 by sending a “GET” request with the integrity-check\r\nvalue from the config, followed by 4 random uppercase letters. This newly obtained value is then shifted with a\r\nrandom offset between 0 and 9 (which is appended at the end of the buffer), XOR-encrypted with 0xC6 and\r\nBase64-encoded before being sent. To add to the authenticity of the request, the malware also sends additional\r\nbuffers of key-value pairs filled with random values. \r\nIf the authentication succeeds, it proceeds to generate RSA-2048 keys for encryption. The public key is then sent\r\nto the C2 in a similar fashion. 
The same operations regarding the config integrity-check value are performed, and\r\ntheir value represents the beginning of the data. Following that, the values 23, 0, and the size of the public key are\r\nappended before the public key (separated by spaces), then encrypted with HC256 and the same XOR + Base64\r\ncombo as before. Similar randomness is added after, and the request is sent as such. \r\nFrom the response, the malware obtains some RSA-encrypted values, which are then decrypted and will serve in\r\nfuture communications as key and IV for encryption via the EVP interface. \r\nDue to the functions used in the structure that contains the “evp_cipher_st” struct for the encryption functions, we\r\nconclude that the encryption used is AES-128-CBC. \r\nSubsequently, the malware enters its main command loop, constantly communicating with the C2 and executing\r\nthe commands of the attackers. \r\nThe communication pattern to the C2 is now as follows: \r\n1. Join by space 2 per-command specific values and the size of the data to be sent\r\n2. First parameter is the command ID\r\n3. Second parameter represents the status of the command\r\n1 – Success sending regular chunk (for streamed buffers – typically 100KB chunks)\r\n2 – Error\r\n3 – Success sending end chunk (if the buffers are not streamed, this value is used)\r\n4. Append the data and AES-128-CBC encrypt everything\r\n5. String-shift the same config token + 4 random letters by a random value (0-9) appended at the end, then\r\nXOR+Base64 encode it\r\n6. Compute MD5 of the encrypted payload and append the encrypted data after the hash, then XOR+Base64\r\nencode it\r\n7. 
Build the base request data as “\u003cRANDOM_2_LETTERS\u003e=\u003cXOR+BASE64(SHIFTED_TOKEN ||\r\n4_RANDOM_LETTERS) || SHIFT_OFFSET\u003e\u0026\u003cRANDOM_4_LETTERS\u003e=\r\n\u003cRANDOM_4_OR_5_LETTERS\u003e\u0026\u003cRANDOM_5_LETTERS\u003e=\u003cXOR+BASE64(MD5 ||\r\nENCRYPTED_DATA)\u003e”\r\n8. Append a random amount of random key-value pairs after the base data \r\nIn similar fashion, responses are XOR + Base64 decoded, integrity-checked using MD5, and AES-128-CBC\r\ndecrypted in case of a match. \r\nContinuing, we will describe the functionalities of the RAT: \r\nCommand ID 1\r\nExfiltrate file, starting from an offset and compressing it\r\nInput: \u003cSRC_PATH\u003e|\u003cOFFSET\u003e\r\nChunked\r\nCommand ID 2\r\nDownloads a file from the C2\r\nInput: \u003cDEST_PATH\u003e|\u003cSIZE_OF_DATA_BLOCK\u003e|\u003cBYTES_TO_WRITE\u003e\r\nChunked\r\nCommand ID 3\r\nCopies a file to %TEMP% and exfiltrates it from there\r\nInput: \u003cSRC_PATH\u003e|\u003cOFFSET\u003e\r\nChunked\r\nCommand ID 4\r\nSecurely delete a file by overwriting it and renaming it multiple times\r\nInput: \u003cFILE_PATH\u003e\r\nNot chunked\r\nCommand ID 5\r\nChanges a file’s attributes to mimic another file\r\nInput: \u003cDEST_PATH\u003e|\u003cSRC_PATH\u003e\r\nNot chunked\r\nCommand ID 6\r\nRecursively traverses all sub-directories and files from a given path, also reporting their size\r\nInput: \u003cSRC_DIR_PATH\u003e\r\nNot chunked\r\nCommand ID 7\r\nTraverses the entire file system, listing the empty space from drives, files and their attributes\r\nChunked\r\nCommand ID 8\r\nGathers data from the victim computer, such as locale info, computer name, OS version, MAC\r\naddress, network adapters, CPU architecture, OEM code page\r\nNot chunked\r\nCommand ID 9\r\nRuns a command-line via CreateProcessW\r\nInput: \u003cCMDLINE\u003e\r\nNot chunked\r\nCommand ID 10\r\nRuns a command-line in a given 
session via CreateProcessAsUserW\r\nInput: \u003cCMDLINE\u003e|\u003cSESSION_ID\u003e\r\nNot chunked\r\nCommand ID 11\r\nLists active processes (provides EXE name, full image path, PID, PPID, SID, user and creation\r\ntime)\r\nChunked\r\nCommand ID 12\r\nKills a process\r\nInput: \u003cPROCESS_ID\u003e\r\nNot chunked\r\nCommand ID 13\r\nKeep alive request\r\nNot chunked\r\nCommand ID 14\r\nSleeps for a given period, checking for early wake conditions such as new drives or sessions every 5\r\nseconds\r\nInput: \u003cSLEEP_DURATION\u003e\r\nNot chunked\r\nCommand ID 15\r\nHibernate for a given period, checking for early wake conditions every minute\r\nInput: \u003cHIBERNATION_DURATION\u003e\r\nNot chunked\r\nCommand ID 16\r\nUpdates the config from the binary’s current config\r\nNot chunked\r\nCommand ID 17\r\nSend the current config from the binary to the C2\r\nNot chunked\r\nCommand ID 18\r\nRemoves traces, securely deletes itself and terminates itself\r\nNot chunked\r\nCommand ID 19\r\nTest TCP connection to a given IP address\r\nInput: \u003cIP\u003e:\u003cPORT\u003e \u003cTIMEOUT\u003e\r\nNot chunked\r\nCommand ID 20\r\nRuns cmd.exe with the provided command line and reports back the output\r\nInput: \u003cCOMMAND_LINE\u003e\r\nChunked\r\nCommand ID 21\r\nChanges the current working directory\r\nInput: \u003cDIR_PATH\u003e\r\nNot chunked\r\nCommand ID 22\r\nObtains the current working directory\r\nNot chunked\r\nCommand ID 23\r\nUpdates encryption keys with new values\r\nNot chunked\r\nCommand ID 24\r\nTakes a screenshot and sends it to the C2\r\nChunked\r\nCommand ID 25\r\nEnumerate or take a photo from the available video capture devices using COM interfaces; in the\r\ncase of GETPIC, the resulting buffer is compressed\r\nInput: \u003cGETLIST\u003e or 
\u003cGETPIC\u003e \u003cINDEX\u003e\r\nNot chunked\r\nCommand ID 26\r\nRuns a PE file in memory\r\nInput: \u003cSIZE\u003e|\u003cEXPORT_NAME\u003e|\u003cARGUMENT\u003e|\u003cMD5_OF_PE\u003e\r\nChunked\r\nCommand ID 27\r\nUpdates the config with data from the C2\r\nInput: \u003cNEW_CONFIG_BYTES\u003e\r\nNot chunked \r\nIndicators of compromise \r\nNew Comebacker variants: 509fb00b9d6eaa74f54a3d1f092a161a095e5132d80cc9cc95c184d4e258525b \r\nb5eae8de6f5445e06b99eb8b0927f9abb9031519d772969bd13a7a0fb43ec067 \r\nService binary: 368769df7d319371073f33c29ad0097fbe48e805630cf961b6f00ab2ccddbb4c \r\nNew BLINDINGCAN: c60587964a93b650f3442589b05e9010a262b927d9b60065afd8091ada7799fe \r\nC2s: \r\nhxxp[://]166[.]88[.]11[.]10/upload/check.asp \r\nhxxps[://]tronracing[.]com/upload/check.asp \r\nhxxp[://]23[.]27[.]140[.]49/Onenote/index.asp \r\nConclusion \r\nKimsuky and Lazarus continue to sharpen their tools, showing that DPRK-linked actors aren’t just maintaining\r\ntheir arsenals, they’re reinventing them. These campaigns demonstrate a well-structured and multi-stage infection\r\nchain, leveraging obfuscated payloads and stealthy persistence mechanisms. From the initial stages to the final\r\nbackdoors, each component is designed to evade detection, maintain access and provide extensive control over the\r\ncompromised system. The use of custom encryption, dynamic API resolution and COM-based task\r\nregistration/services exploitation highlights the groups’ continued evolution and technical sophistication.\r\nMonitoring for these indicators and behaviors is essential for early detection and mitigation of such threats. \r\nBy tracking every line of code and every new variant, we help surface the patterns that keep defenders one step\r\nahead. 
Awareness, collaboration, and constant vigilance are what turn technical insights into real-world protection\r\n— and that’s where Gen Threat Labs and our global intelligence network can make a difference. \r\nAlexandru-Cristian Bardaș\r\nSource: https://www.gendigital.com/blog/insights/research/dprk-kimsuky-lazarus-analysis",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.gendigital.com/blog/insights/research/dprk-kimsuky-lazarus-analysis"
	],
	"report_names": [
		"dprk-kimsuky-lazarus-analysis"
	],
	"threat_actors": [
		{
			"id": "191d7f9a-8c3c-442a-9f13-debe259d4cc2",
			"created_at": "2022-10-25T15:50:23.280374Z",
			"updated_at": "2026-04-10T02:00:05.305572Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"Kimsuky",
				"Black Banshee",
				"Velvet Chollima",
				"Emerald Sleet",
				"THALLIUM",
				"APT43",
				"TA427",
				"Springtail"
			],
			"source_name": "MITRE:Kimsuky",
			"tools": [
				"Troll Stealer",
				"schtasks",
				"Amadey",
				"GoBear",
				"Brave Prince",
				"CSPY Downloader",
				"gh0st RAT",
				"AppleSeed",
				"Gomir",
				"NOKKI",
				"QuasarRAT",
				"Gold Dragon",
				"PsExec",
				"KGH_SPY",
				"Mimikatz",
				"BabyShark",
				"TRANSLATEXT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "760f2827-1718-4eed-8234-4027c1346145",
			"created_at": "2023-01-06T13:46:38.670947Z",
			"updated_at": "2026-04-10T02:00:03.062424Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"G0086",
				"Emerald Sleet",
				"THALLIUM",
				"Springtail",
				"Sparkling Pisces",
				"Thallium",
				"Operation Stolen Pencil",
				"APT43",
				"Velvet Chollima",
				"Black Banshee"
			],
			"source_name": "MISPGALAXY:Kimsuky",
			"tools": [
				"xrat",
				"QUASARRAT",
				"RDP Wrapper",
				"TightVNC",
				"BabyShark",
				"RevClient"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c8bf82a7-6887-4d46-ad70-4498b67d4c1d",
			"created_at": "2025-08-07T02:03:25.101147Z",
			"updated_at": "2026-04-10T02:00:03.846812Z",
			"deleted_at": null,
			"main_name": "NICKEL KIMBALL",
			"aliases": [
				"APT43 ",
				"ARCHIPELAGO ",
				"Black Banshee ",
				"Crooked Pisces ",
				"Emerald Sleet ",
				"ITG16 ",
				"Kimsuky ",
				"Larva-24005 ",
				"Opal Sleet ",
				"Ruby Sleet ",
				"SharpTongue ",
				"Sparking Pisces ",
				"Springtail ",
				"TA406 ",
				"TA427 ",
				"THALLIUM ",
				"UAT-5394 ",
				"Velvet Chollima "
			],
			"source_name": "Secureworks:NICKEL KIMBALL",
			"tools": [
				"BabyShark",
				"FastFire",
				"FastSpy",
				"FireViewer",
				"Konni"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "71a1e16c-3ba6-4193-be62-be53527817bc",
			"created_at": "2022-10-25T16:07:23.753455Z",
			"updated_at": "2026-04-10T02:00:04.73769Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"APT 43",
				"Black Banshee",
				"Emerald Sleet",
				"G0086",
				"G0094",
				"ITG16",
				"KTA082",
				"Kimsuky",
				"Larva-24005",
				"Larva-25004",
				"Operation Baby Coin",
				"Operation Covert Stalker",
				"Operation DEEP#DRIVE",
				"Operation DEEP#GOSU",
				"Operation Kabar Cobra",
				"Operation Mystery Baby",
				"Operation Red Salt",
				"Operation Smoke Screen",
				"Operation Stealth Power",
				"Operation Stolen Pencil",
				"SharpTongue",
				"Sparkling Pisces",
				"Springtail",
				"TA406",
				"TA427",
				"Thallium",
				"UAT-5394",
				"Velvet Chollima"
			],
			"source_name": "ETDA:Kimsuky",
			"tools": [
				"AngryRebel",
				"AppleSeed",
				"BITTERSWEET",
				"BabyShark",
				"BoBoStealer",
				"CSPY Downloader",
				"Farfli",
				"FlowerPower",
				"Gh0st RAT",
				"Ghost RAT",
				"Gold Dragon",
				"GoldDragon",
				"GoldStamp",
				"JamBog",
				"KGH Spyware Suite",
				"KGH_SPY",
				"KPortScan",
				"KimJongRAT",
				"Kimsuky",
				"LATEOP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Lovexxx",
				"MailPassView",
				"Mechanical",
				"Mimikatz",
				"MoonPeak",
				"Moudour",
				"MyDogs",
				"Mydoor",
				"Network Password Recovery",
				"PCRat",
				"ProcDump",
				"PsExec",
				"ReconShark",
				"Remote Desktop PassView",
				"SHARPEXT",
				"SWEETDROP",
				"SmallTiger",
				"SniffPass",
				"TODDLERSHARK",
				"TRANSLATEXT",
				"Troll Stealer",
				"TrollAgent",
				"VENOMBITE",
				"WebBrowserPassView",
				"xRAT"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434875,
	"ts_updated_at": 1775792261,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0ee14bd188922afd7aa56b2bced2e8ce344ecd61.pdf",
		"text": "https://archive.orkl.eu/0ee14bd188922afd7aa56b2bced2e8ce344ecd61.txt",
		"img": "https://archive.orkl.eu/0ee14bd188922afd7aa56b2bced2e8ce344ecd61.jpg"
	}
}