{ "id": "8b1cf563-4645-4df3-98ee-2a1afea3b2b2", "created_at": "2026-04-06T00:13:21.935511Z", "updated_at": "2026-04-10T13:12:49.373684Z", "deleted_at": null, "sha1_hash": "12b60d2b609ddf272cdb833f2492d40c20b0ec90", "title": "Persistent Threats from the Kimsuky Group Using RDP Wrapper - ASEC", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 786913, "plain_text": "Persistent Threats from the Kimsuky Group Using RDP Wrapper -\r\nASEC\r\nBy ATCP\r\nPublished: 2025-02-03 · Archived: 2026-04-05 19:49:05 UTC\r\nAhnLab SEcurity intelligence Center (ASEC) has previously analyzed cases of attacks by the Kimsuky group,\r\nwhich utilized the PebbleDash backdoor and their custom-made RDP Wrapper. The Kimsuky group has been\r\ncontinuously launching attacks of the same type, and this post will cover additional malware that have been\r\nidentified.\r\n1. Overview\r\nThreat actors are distributing a shortcut file (*.LNK) containing a malicious command through spear-phishing\r\nattacks. The fact that the file names include names and company names suggests that the threat actors may be\r\ngathering information on specific targets.\r\nThe shortcut malware is disguised as a document file with an Office document icon such as PDF, Excel, or Word.\r\nWhen this file is executed, PowerShell or Mshta is run to download and execute additional payloads from external\r\nsources. The malware that is ultimately executed to control the infected system are PebbleDash and RDP Wrapper.\r\nThe threat actor has recently created and distributed PebbleDash and RDP Wrapper, but there are no significant\r\ndifferences from previous attack cases.\r\nFigure 1. A PowerShell process installing the PebbleDash dropper\r\nFor reference, RDP Wrapper is an open-source utility that supports the remote desktop feature. Since Windows\r\noperating systems do not support remote desktop in all versions, RDP Wrapper can be installed in such\r\nenvironments to activate remote desktop. The threat actor is using RDP Wrapper that they created themselves. It is\r\nsuspected that they are creating Export functions in various ways to bypass file detection.\r\nhttps://asec.ahnlab.com/en/86098/\r\nPage 1 of 6\n\nFigure 2. Export functions of the self-developed RDP Wrapper\r\nThreat actors can control the infected system using PebbleDash and RDP Wrapper, but they also utilize a variety\r\nof other malware, such as Proxy, KeyLogger, and information-stealing malware. This post will cover the types\r\nidentified since the last post.\r\n2. Proxy\r\nEven if the RDP service is activated and a user account is added, external access to the infected system is not\r\npossible if it is located in a private network. To address this issue, threat actors install proxy malware that serves\r\nas an intermediary between the infected system and an external network, allowing them to access the system via\r\nRDP.\r\nIn the previous attacks, three main types of proxy tools were used. The first type is characterized by creating a\r\nmutex named “MYLPROJECT” and was identified along with a launcher. The launcher reads a configuration file\r\nlocated in a hard-coded path such as “C:\\Programdata\\USOShared2\\version.ini” and uses this information to\r\nexecute the proxy tool located in a specific path. The second type of proxy tool is characterized by creating a\r\nmutex named “LPROXYMUTEX” and is otherwise the same as a typical proxy. The last type is a Go language-based revsocks tool that is publicly available on GitHub.\r\nThe recently identified proxy tools use the following mutexes and receive addresses as arguments to operate. \r\nhttps://asec.ahnlab.com/en/86098/\r\nPage 2 of 6\n\nFigure 3. A proxy tool similar to the previous type\r\n3. KeyLogger\r\nThe Kimsuky group uses a PowerShell script to perform keylogging and also installs keyloggers in executable file\r\nformat. In previous cases, the group mainly stored user keystrokes in the\r\n“%LOCALAPPDATA%\\CursorCach.tmp” and “%LOCALAPPDATA%\\CursorCache.db” paths. However, the\r\nrecently identified types are characterized by storing the data in the “C:\\Programdata\\joeLog.txt” and\r\n“C:\\Programdata\\jLog.txt” paths.\r\nFigure 4. Keylogging file\r\n4. Theft of Web Browser Information (forceCopy)\r\nIn the previous cases, Infostealer malware were used to steal user credentials stored in Chromium-based web\r\nbrowsers and Internet Explorer. Recently, additional cases of the same type of malware have been identified.\r\nhttps://asec.ahnlab.com/en/86098/\r\nPage 3 of 6\n\nThe Kimsuky group used a tool that extracts only the key value from the “Local State” file instead of directly\r\nstealing credentials stored in the web browser. This is presumed to be for bypassing security products, and the\r\nextracted key is used later in the process of stealing credentials stored in the web browser.\r\nThe recently discovered type is installed under the name “forceCopy” and is used to copy files. It receives the path\r\nof the file to be copied as the first argument and the path where the file will be saved as the second argument. A\r\ncharacteristic of this malware is that it uses the NTFS Parser library to read files instead of APIs like ReadFile().\r\nFigure 5. NTFS Parser library included in the malware\r\nAll of the paths where the malware is installed are web browser installation paths. It is assumed that the threat\r\nactor is attempting to bypass restrictions in a specific environment and steal the configuration files of the web\r\nbrowsers where credentials are stored. This may also be to bypass security products, similar to past cases.\r\n5. Loader, Injector\r\nThe difference from previous cases is the identification of Injector and Loader malware. While the malware that\r\nultimately operates in the memory has not been identified, the Loader loads a file from the\r\n“%SystemDirectory%\\wbemback.dat” path into the memory, and the Injector receives information such as the\r\ntarget process for injection as an argument to operate.\r\nIn addition to malware in the form of executable files, ReflectiveLoader has also been identified among\r\nPowerShell scripts. It is obfuscated, but it is an open-source PowerShell script called “Invoke-ReflectivePEInjection.ps1”. It is installed along with other PowerShell script malware in the\r\n“%ALLUSERSPROFILE%\\USOShared\\Prosd\\” directory.\r\nhttps://asec.ahnlab.com/en/86098/\r\nPage 4 of 6\n\nFigure 6. ReflectiveLoader PowerShell script\r\n6. Conclusion\r\nIn 2024, the attack methods of the Kimsuky group changed. While the use of LNK malware in spear-phishing\r\nattacks during the initial breach remained the same, the group began to increasingly use tools such as RDP\r\nWrapper and Proxy to remotely control the infected systems instead of installing backdoors.\r\nThe Kimsuky threat group is continuously launching spear phishing attacks against Korean users. They mainly\r\ndistribute malware disguised as a document file attached to an email, and if a user executes this file, threat actors\r\ncan take control of the system. Users must carefully check the sender of the email and refrain from opening files\r\nfrom unknown sources. Users should also apply the latest patches for programs such as their OS and web\r\nbrowsers, and update AhnLab V3 to the latest version so that malware infection can be prevented.\r\nFile Detection\r\nBackdoor/Win.PebbleDash.C5719351 (2025.01.20.02)\r\nTrojan/Win.Rdpwrap.C5704469 (2024.12.10.02)\r\nTrojan/Win.Rdpwrap.C5708551 (2024.12.21.00)\r\nTrojan/Win.Rdpwrap.C5710893 (2024.12.27.00)\r\nTrojan/Win.Rdpwrap.C5716647 (2025.01.12.03)\r\nTrojan/Win.Rdpwrap.C5719870 (2025.01.21.03)\r\nTrojan/Win.Rdpwrap.C5720371 (2025.01.23.00)\r\nTrojan/Win.KeyLogger.C5687683 (2024.10.27.03)\r\nTrojan/Win.KeyLogger.C5705213 (2024.12.12.01)\r\nTrojan/Win.KeyLogger.C5705571 (2024.12.13.00)\r\nTrojan/Win.Injecter.C5705214 (2024.12.12.01)\r\nTrojan/Win.UACMe.C5705215 (2024.12.12.01)\r\nTrojan/Win.Loader.C5716648 (2025.01.12.03)\r\nhttps://asec.ahnlab.com/en/86098/\r\nPage 5 of 6\n\nInfostealer/Win.Browser.R641029 (2024.03.23.00)\r\nMalware/Gen.Generic.C2950389 (2019.01.22.01)\r\nTrojan/Win.Agent.C5687684 (2024.10.27.03)\r\nTrojan/PowerShell.Loader (2025.01.31.02)\r\nTrojan/PowerShell.Launcher (2025.01.31.02)\r\nTrojan/PowerShell.KeyLogger (2025.01.31.02)\r\nMD5\r\n04e5f813da28b5975d0b6445f687bc48\r\n26d96d40e4c8aed03d80740e1d5a4559\r\n2ea71ff410088bbe79f28e7588a6fb47\r\n3211ef223177310021e174c928f96bab\r\n5565b337bfba78970b73ae65b95f2c4f\r\nAdditional IOCs are available on AhnLab TIP.\r\nIP\r\n216[.]219[.]87[.]41\r\n74[.]50[.]94[.]175\r\nAdditional IOCs are available on AhnLab TIP.\r\nGain access to related IOCs and detailed analysis by subscribing to AhnLab TIP. For subscription details, click\r\nthe banner below.\r\nSource: https://asec.ahnlab.com/en/86098/\r\nhttps://asec.ahnlab.com/en/86098/\r\nPage 6 of 6", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "origins": [ "web" ], "references": [ "https://asec.ahnlab.com/en/86098/" ], "report_names": [ "86098" ], "threat_actors": [ { "id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12", "created_at": "2023-01-06T13:46:39.396409Z", "updated_at": "2026-04-10T02:00:03.312816Z", "deleted_at": null, "main_name": "Earth Lusca", "aliases": [ "CHROMIUM", "ControlX", "TAG-22", "BRONZE UNIVERSITY", "AQUATIC PANDA", "RedHotel", "Charcoal Typhoon", "Red Scylla", "Red Dev 10", "BountyGlad" ], "source_name": "MISPGALAXY:Earth Lusca", "tools": [ "RouterGod", "SprySOCKS", "ShadowPad", "POISONPLUG", "Barlaiy", "Spyder", "FunnySwitch" ], "source_id": "MISPGALAXY", "reports": null }, { "id": "191d7f9a-8c3c-442a-9f13-debe259d4cc2", "created_at": "2022-10-25T15:50:23.280374Z", "updated_at": "2026-04-10T02:00:05.305572Z", "deleted_at": null, "main_name": "Kimsuky", "aliases": [ "Kimsuky", "Black Banshee", "Velvet Chollima", "Emerald Sleet", "THALLIUM", "APT43", "TA427", "Springtail" ], "source_name": "MITRE:Kimsuky", "tools": [ "Troll Stealer", "schtasks", "Amadey", "GoBear", "Brave Prince", "CSPY Downloader", "gh0st RAT", "AppleSeed", "Gomir", "NOKKI", "QuasarRAT", "Gold Dragon", "PsExec", "KGH_SPY", "Mimikatz", "BabyShark", "TRANSLATEXT" ], "source_id": "MITRE", "reports": null }, { "id": "760f2827-1718-4eed-8234-4027c1346145", "created_at": "2023-01-06T13:46:38.670947Z", "updated_at": "2026-04-10T02:00:03.062424Z", "deleted_at": null, "main_name": "Kimsuky", "aliases": [ "G0086", "Emerald Sleet", "THALLIUM", "Springtail", "Sparkling Pisces", "Thallium", "Operation Stolen Pencil", "APT43", "Velvet Chollima", "Black Banshee" ], "source_name": "MISPGALAXY:Kimsuky", "tools": [ "xrat", "QUASARRAT", "RDP Wrapper", "TightVNC", "BabyShark", "RevClient" ], "source_id": "MISPGALAXY", "reports": null }, { "id": "c8bf82a7-6887-4d46-ad70-4498b67d4c1d", "created_at": "2025-08-07T02:03:25.101147Z", "updated_at": "2026-04-10T02:00:03.846812Z", "deleted_at": null, "main_name": "NICKEL KIMBALL", "aliases": [ "APT43 ", "ARCHIPELAGO ", "Black Banshee ", "Crooked Pisces ", "Emerald Sleet ", "ITG16 ", "Kimsuky ", "Larva-24005 ", "Opal Sleet ", "Ruby Sleet ", "SharpTongue ", "Sparking Pisces ", "Springtail ", "TA406 ", "TA427 ", "THALLIUM ", "UAT-5394 ", "Velvet Chollima " ], "source_name": "Secureworks:NICKEL KIMBALL", "tools": [ "BabyShark", "FastFire", "FastSpy", "FireViewer", "Konni" ], "source_id": "Secureworks", "reports": null }, { "id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7", "created_at": "2025-08-07T02:03:24.688416Z", "updated_at": "2026-04-10T02:00:03.734754Z", "deleted_at": null, "main_name": "BRONZE UNIVERSITY", "aliases": [ "Aquatic Panda", "Aquatic Panda ", "CHROMIUM", "CHROMIUM ", "Charcoal Typhoon", "Charcoal Typhoon ", "Earth Lusca", "Earth Lusca ", "FISHMONGER ", "Red Dev 10", "Red Dev 10 ", "Red Scylla", "Red Scylla ", "RedHotel", "RedHotel ", "Tag-22", "Tag-22 " ], "source_name": "Secureworks:BRONZE UNIVERSITY", "tools": [ "Cobalt Strike", "Fishmaster", "FunnySwitch", "Spyder", "njRAT" ], "source_id": "Secureworks", "reports": null }, { "id": "6abcc917-035c-4e9b-a53f-eaee636749c3", "created_at": "2022-10-25T16:07:23.565337Z", "updated_at": "2026-04-10T02:00:04.668393Z", "deleted_at": null, "main_name": "Earth Lusca", "aliases": [ "Bronze University", "Charcoal Typhoon", "Chromium", "G1006", "Red Dev 10", "Red Scylla" ], "source_name": "ETDA:Earth Lusca", "tools": [ "Agentemis", "AntSword", "BIOPASS", "BIOPASS RAT", "BadPotato", "Behinder", "BleDoor", "Cobalt Strike", "CobaltStrike", "Doraemon", "FRP", "Fast Reverse Proxy", "FunnySwitch", "HUC Port Banner Scanner", "KTLVdoor", "Mimikatz", "NBTscan", "POISONPLUG.SHADOW", "PipeMon", "RbDoor", "RibDoor", "RouterGod", "SAMRID", "ShadowPad Winnti", "SprySOCKS", "WinRAR", "Winnti", "XShellGhost", "cobeacon", "fscan", "lcx", "nbtscan" ], "source_id": "ETDA", "reports": null }, { "id": "d53593c3-2819-4af3-bf16-0c39edc64920", "created_at": "2022-10-27T08:27:13.212301Z", "updated_at": "2026-04-10T02:00:05.272802Z", "deleted_at": null, "main_name": "Earth Lusca", "aliases": [ "Earth Lusca", "TAG-22", "Charcoal Typhoon", "CHROMIUM", "ControlX" ], "source_name": "MITRE:Earth Lusca", "tools": [ "Mimikatz", "PowerSploit", "Tasklist", "certutil", "Cobalt Strike", "Winnti for Linux", "Nltest", "NBTscan", "ShadowPad" ], "source_id": "MITRE", "reports": null }, { "id": "71a1e16c-3ba6-4193-be62-be53527817bc", "created_at": "2022-10-25T16:07:23.753455Z", "updated_at": "2026-04-10T02:00:04.73769Z", "deleted_at": null, "main_name": "Kimsuky", "aliases": [ "APT 43", "Black Banshee", "Emerald Sleet", "G0086", "G0094", "ITG16", "KTA082", "Kimsuky", "Larva-24005", "Larva-25004", "Operation Baby Coin", "Operation Covert Stalker", "Operation DEEP#DRIVE", "Operation DEEP#GOSU", "Operation Kabar Cobra", "Operation Mystery Baby", "Operation Red Salt", "Operation Smoke Screen", "Operation Stealth Power", "Operation Stolen Pencil", "SharpTongue", "Sparkling Pisces", "Springtail", "TA406", "TA427", "Thallium", "UAT-5394", "Velvet Chollima" ], "source_name": "ETDA:Kimsuky", "tools": [ "AngryRebel", "AppleSeed", "BITTERSWEET", "BabyShark", "BoBoStealer", "CSPY Downloader", "Farfli", "FlowerPower", "Gh0st RAT", "Ghost RAT", "Gold Dragon", "GoldDragon", "GoldStamp", "JamBog", "KGH Spyware Suite", "KGH_SPY", "KPortScan", "KimJongRAT", "Kimsuky", "LATEOP", "LOLBAS", "LOLBins", "Living off the Land", "Lovexxx", "MailPassView", "Mechanical", "Mimikatz", "MoonPeak", "Moudour", "MyDogs", "Mydoor", "Network Password Recovery", "PCRat", "ProcDump", "PsExec", "ReconShark", "Remote Desktop PassView", "SHARPEXT", "SWEETDROP", "SmallTiger", "SniffPass", "TODDLERSHARK", "TRANSLATEXT", "Troll Stealer", "TrollAgent", "VENOMBITE", "WebBrowserPassView", "xRAT" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434401, "ts_updated_at": 1775826769, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/12b60d2b609ddf272cdb833f2492d40c20b0ec90.pdf", "text": "https://archive.orkl.eu/12b60d2b609ddf272cdb833f2492d40c20b0ec90.txt", "img": "https://archive.orkl.eu/12b60d2b609ddf272cdb833f2492d40c20b0ec90.jpg" } }