{ "id": "94f96bb7-c191-4f6e-b0a4-58ac39836b22", "created_at": "2026-04-06T00:07:22.87465Z", "updated_at": "2026-04-10T03:37:41.000625Z", "deleted_at": null, "sha1_hash": "0f21a5b2466bb133651b7524820cf3bf0f968de5", "title": "Appleseed Being Distributed to Nuclear Power Plant-Related Companies - ASEC", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 1371069, "plain_text": "Appleseed Being Distributed to Nuclear Power Plant-Related\r\nCompanies - ASEC\r\nBy ATCP\r\nPublished: 2022-10-26 · Archived: 2026-04-05 16:03:21 UTC\r\nThe ASEC analysis team has recently discovered a case of AppleSeed being distributed to nuclear power plant-related companies. AppleSeed is a backdoor malware used by Kimsuky, one of the organizations affiliated with\r\nNorth Korea, and this malware is being actively distributed to many companies.\r\nThe filenames of the AppleSeed dropper were identified by the ASEC analysis team as follows, and a double file\r\nextension was used to deceive users.\r\n노**.xls.vbs (Noh**.xls.vbs)\r\n배치도_고리2호기ISI.pdf.vbs (Layout_KoriNo2ISI.pdf.vbs)\r\nhttps://asec.ahnlab.com/en/41015/\r\nPage 1 of 4\n\nWhen the file is executed, the encoded data inside is decoded and each file is created in the paths below.\r\n[The same path as the vbs file]\\Noh**.xls (Normal Excel bait file)\r\n%ProgramData%\\qijWq.rSCKPC.b64 (Malicious PE file encoded in a certain format)\r\n%ProgramData%\\qijWq.rSCKPC.bat (Batch file that decodes the qijWq.rSCKPC.b64 file)\r\nThe printed Excel file is automatically opened, making it seem as if the user has opened a normal Excel document.\r\nThe Excel bait file contains texts related to nuclear power plants (See Figure 2).\r\nIn the background, the qijWq.rSCKPC.bat file in the %ProgramData% path is executed, which decodes\r\nqijWq.rSCKPC.b64, ultimately creating the qijWq.rSCKPC file (DLL PE).\r\nAfterward, the dropped malware is executed via regsvr32, a program that executes DLL files. The exact execution\r\nargument is as follows.\r\nhttps://asec.ahnlab.com/en/41015/\r\nPage 2 of 4\n\nregsvr32 /s /i:123579ASDFG C:\\ProgramData\\qijWq.rSCKPC\r\nAfter the file is executed, the malware accesses the C2 below to receive and carry out the commands. Then, it\r\nencodes the results in a certain format to transmit to C2.\r\nC2 : hxxp://ndt.info[.]gf/index.php\r\nCommands\r\ndie: Terminate\r\ngetinfo: PC information\r\nwhere: Currently running path\r\nrun: Executes certain files or commands\r\nThe attacker can use the run command to execute desired behaviors, as well as download and execute additional\r\nmalware files such as AppleSeed.\r\nBecause the bait file is also run, users normally cannot recognize that their systems are infected by malware. As\r\nthe files mentioned above mainly target certain companies, users should refrain from running attachments in\r\nemails sent from unknown sources.\r\nAhnLab’s anti-malware software, V3, is currently detecting and blocking the files using the following aliases.\r\n[File Detection]\r\nDropper/VBS.Generic.SC183898\r\nDropper/Win.AppleSeed.R531012\r\nDropper/VBS.VBS\r\nMD5\r\nhttps://asec.ahnlab.com/en/41015/\r\nPage 3 of 4\n\n55a9a935b36da90fb5a7ab814d567a40\r\nba83312ea92c284c710bcc0906a29fb1\r\nAdditional IOCs are available on AhnLab TIP.\r\nURL\r\nhttp[:]//ndt[.]info[.]gf/index[.]php\r\nAdditional IOCs are available on AhnLab TIP.\r\nGain access to related IOCs and detailed analysis by subscribing to AhnLab TIP. For subscription details, click\r\nthe banner below.\r\nSource: https://asec.ahnlab.com/en/41015/\r\nhttps://asec.ahnlab.com/en/41015/\r\nPage 4 of 4", "extraction_quality": 1, "language": "EN", "sources": [ "Malpedia" ], "references": [ "https://asec.ahnlab.com/en/41015/" ], "report_names": [ "41015" ], "threat_actors": [ { "id": "191d7f9a-8c3c-442a-9f13-debe259d4cc2", "created_at": "2022-10-25T15:50:23.280374Z", "updated_at": "2026-04-10T02:00:05.305572Z", "deleted_at": null, "main_name": "Kimsuky", "aliases": [ "Kimsuky", "Black Banshee", "Velvet Chollima", "Emerald Sleet", "THALLIUM", "APT43", "TA427", "Springtail" ], "source_name": "MITRE:Kimsuky", "tools": [ "Troll Stealer", "schtasks", "Amadey", "GoBear", "Brave Prince", "CSPY Downloader", "gh0st RAT", "AppleSeed", "Gomir", "NOKKI", "QuasarRAT", "Gold Dragon", "PsExec", "KGH_SPY", "Mimikatz", "BabyShark", "TRANSLATEXT" ], "source_id": "MITRE", "reports": null }, { "id": "760f2827-1718-4eed-8234-4027c1346145", "created_at": "2023-01-06T13:46:38.670947Z", "updated_at": "2026-04-10T02:00:03.062424Z", "deleted_at": null, "main_name": "Kimsuky", "aliases": [ "G0086", "Emerald Sleet", "THALLIUM", "Springtail", "Sparkling Pisces", "Thallium", "Operation Stolen Pencil", "APT43", "Velvet Chollima", "Black Banshee" ], "source_name": "MISPGALAXY:Kimsuky", "tools": [ "xrat", "QUASARRAT", "RDP Wrapper", "TightVNC", "BabyShark", "RevClient" ], "source_id": "MISPGALAXY", "reports": null }, { "id": "c8bf82a7-6887-4d46-ad70-4498b67d4c1d", "created_at": "2025-08-07T02:03:25.101147Z", "updated_at": "2026-04-10T02:00:03.846812Z", "deleted_at": null, "main_name": "NICKEL KIMBALL", "aliases": [ "APT43 ", "ARCHIPELAGO ", "Black Banshee ", "Crooked Pisces ", "Emerald Sleet ", "ITG16 ", "Kimsuky ", "Larva-24005 ", "Opal Sleet ", "Ruby Sleet ", "SharpTongue ", "Sparking Pisces ", "Springtail ", "TA406 ", "TA427 ", "THALLIUM ", "UAT-5394 ", "Velvet Chollima " ], "source_name": "Secureworks:NICKEL KIMBALL", "tools": [ "BabyShark", "FastFire", "FastSpy", "FireViewer", "Konni" ], "source_id": "Secureworks", "reports": null }, { "id": "71a1e16c-3ba6-4193-be62-be53527817bc", "created_at": "2022-10-25T16:07:23.753455Z", "updated_at": "2026-04-10T02:00:04.73769Z", "deleted_at": null, "main_name": "Kimsuky", "aliases": [ "APT 43", "Black Banshee", "Emerald Sleet", "G0086", "G0094", "ITG16", "KTA082", "Kimsuky", "Larva-24005", "Larva-25004", "Operation Baby Coin", "Operation Covert Stalker", "Operation DEEP#DRIVE", "Operation DEEP#GOSU", "Operation Kabar Cobra", "Operation Mystery Baby", "Operation Red Salt", "Operation Smoke Screen", "Operation Stealth Power", "Operation Stolen Pencil", "SharpTongue", "Sparkling Pisces", "Springtail", "TA406", "TA427", "Thallium", "UAT-5394", "Velvet Chollima" ], "source_name": "ETDA:Kimsuky", "tools": [ "AngryRebel", "AppleSeed", "BITTERSWEET", "BabyShark", "BoBoStealer", "CSPY Downloader", "Farfli", "FlowerPower", "Gh0st RAT", "Ghost RAT", "Gold Dragon", "GoldDragon", "GoldStamp", "JamBog", "KGH Spyware Suite", "KGH_SPY", "KPortScan", "KimJongRAT", "Kimsuky", "LATEOP", "LOLBAS", "LOLBins", "Living off the Land", "Lovexxx", "MailPassView", "Mechanical", "Mimikatz", "MoonPeak", "Moudour", "MyDogs", "Mydoor", "Network Password Recovery", "PCRat", "ProcDump", "PsExec", "ReconShark", "Remote Desktop PassView", "SHARPEXT", "SWEETDROP", "SmallTiger", "SniffPass", "TODDLERSHARK", "TRANSLATEXT", "Troll Stealer", "TrollAgent", "VENOMBITE", "WebBrowserPassView", "xRAT" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434042, "ts_updated_at": 1775792261, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/0f21a5b2466bb133651b7524820cf3bf0f968de5.pdf", "text": "https://archive.orkl.eu/0f21a5b2466bb133651b7524820cf3bf0f968de5.txt", "img": "https://archive.orkl.eu/0f21a5b2466bb133651b7524820cf3bf0f968de5.jpg" } }