{
	"id": "7500d1bd-67bc-40bf-8a47-b845b06b2342",
	"created_at": "2026-04-06T00:06:19.953413Z",
	"updated_at": "2026-04-10T13:12:32.686177Z",
	"deleted_at": null,
	"sha1_hash": "1936e910e230f3531a0088bda6dd5b8cb768b9af",
	"title": "Phishing Email Attacks by the Larva-24005 Group Targeting Japan - ASEC",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1462309,
	"plain_text": "Phishing Email Attacks by the Larva-24005 Group Targeting Japan - ASEC\r\nBy ATCP\r\nPublished: 2025-02-26 · Archived: 2026-04-02 11:41:00 UTC\r\nAhnLab SEcurity intelligence Center (ASEC) has identified Larva-24005 breaching servers in Korea and then setting up a web server, database, and PHP environment on them for sending phishing emails.\r\nLarva-24005 is using this attack base to target not only South Korea but also Japan. The main targets are people involved in North Korea-related activities and university professors who research the North Korean regime. The group has set up a C2 server for its phishing email attacks and disguises the email body as a Zoom meeting link or a web portal login page to prompt recipients to click.\r\nThis blog post describes how the Larva-24005 threat actor secured its attack infrastructure and a phishing email attack case that targeted Japan.\r\nLarva-24005 is a sub-group of the Kimsuky threat group, which is known to receive support from North Korea. The name was newly assigned under AhnLab’s threat actor naming system. The group is believed to gain initial access by exploiting RDP on poorly protected Windows systems. After gaining access, it installs RDP Wrapper (RDPWrap), an open-source utility that enables RDP, including concurrent sessions, on Windows editions where it is disabled or unsupported, together with a keylogger developed by the group.\r\n2. Actions Taken by Threat Actor Before Sending Phishing Emails\r\nhttps://asec.ahnlab.com/en/86535/\r\nPage 1 of 8\n\n2.1 Securing Attack Infrastructure\r\nThe threat actor breached South Korean systems over the Remote Desktop Protocol (RDP) to establish an infrastructure for sending phishing emails. 
While the exact method used to obtain the credentials used in the breach is unknown, it is believed that the actor either brute-forced them or reused previously obtained credentials.\r\nIt was also confirmed that Larva-24005 exploits the BlueKeep vulnerability when securing some of its infrastructure. BlueKeep (CVE-2019-0708) is a pre-authentication remote code execution (RCE) vulnerability in the Remote Desktop Protocol (RDP) service: an attacker who can reach the RDP port (TCP 3389) can send crafted packets and execute code without any credentials. The Kimsuky threat group has been exploiting BlueKeep for a long time, and more details can be found in the AhnLab SEcurity intelligence Center (ASEC) Blog post, “[Kimsuky] Operation Covert Stalker.” BlueKeep can only be exploited against unpatched versions of Windows that are affected, namely Windows 7, Windows Server 2008 and 2008 R2, and the out-of-support Windows XP and Server 2003; Windows 8, Windows Server 2012, and later are not affected, and Microsoft released patches for the affected versions in May 2019. Systems that have been patched or run a current OS are not exposed.\r\n2.2 Installing XAMPP\r\nAfter securing the attack infrastructure, the threat actor installed XAMPP, a bundle that includes Apache, MariaDB, PHP, and Perl, everything needed to run a web server. The threat actor uses XAMPP to manage the entire C2 environment and stores the keylogger’s result files and the victim information harvested by the phishing emails as text files. Additionally, the threat actor installs PHPMailer to implement the phishing email sending feature. PHPMailer is a library that makes it easy to send email from PHP code.
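The post's conclusion asks recipients to check the sender's information and whether a link's URL really matches the legitimate website. As an added example that is not part of the ASEC post and not code from the threat actor's kit, the following Python script turns those two checks into heuristics and runs them over the sender addresses listed in Table 1 and Section 4.2 and the defanged URLs from the IOC list at the end of the post: a brand's real hostname (zoom.us, microsoft.com) appearing as a subdomain of an unrelated registrable domain such as polypheou.jp, a one-character typosquat like microsofit, a digit-for-letter swap like rep1y, and a brand name in the local part of a consumer-mail address. The brand and free-mail lists, the short public-suffix table, and the legitimate control URL are assumptions chosen for illustration.

```python
# Added example, not code from the ASEC post or the threat actor's toolkit.
# Heuristics for the two checks the post's conclusion asks recipients to make:
# does the sender address belong to the brand it names, and does a link's
# registrable domain match the legitimate site? Brand lists, the free-mail
# list, the short public-suffix table and the control URL are assumptions.
from urllib.parse import urlparse

# Brands impersonated in this campaign (from the post) mapped to the
# registrable domains those brands actually use (assumed, well known).
BRAND_DOMAINS = {
    'zoom': {'zoom.us'},
    'microsoft': {'microsoft.com', 'office.com', 'live.com', 'outlook.com'},
    'office365': {'microsoft.com', 'office.com'},
    'icloud': {'icloud.com', 'apple.com'},
    'naver': {'naver.com', 'navercorp.com'},
    'hometax': {'hometax.go.kr'},
    'nonghyup': {'nonghyup.com'},
}
# Consumer mail providers a corporate system would not send from (assumed).
FREEMAIL = {'kakao.com', 'daum.net', 'naver.com', 'gmail.com', 'biglobe.ne.jp'}
# Two-label public suffixes that occur in the post's IOCs; a production filter
# would load the full Public Suffix List instead of this short table.
TWO_LABEL_SUFFIXES = {'ne.jp', 'co.jp', 'go.kr', 'co.kr', 'kro.kr'}
# Digit-for-letter swaps such as rep1y and norep1y seen in Table 1.
HOMOGLYPHS = str.maketrans('1035', 'loes')


def refang(url):
    # Turn the defanged form used in IOC lists back into a parseable URL.
    return url.replace('[.]', '.').replace('[:]', ':').replace('hxxp', 'http')


def registrable_domain(host):
    # corn-file.kro.kr, polypheou.jp, biglobe.ne.jp: the part the owner registered.
    labels = host.lower().rstrip('.').split('.')
    if len(labels) >= 3 and '.'.join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return '.'.join(labels[-3:])
    return '.'.join(labels[-2:])


def edit_distance(a, b):
    # Levenshtein distance, used to catch one-character typosquats (microsofit).
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_url(url):
    # Brands a link pretends to belong to while its registrable domain is someone else's.
    host = urlparse(refang(url)).hostname or ''
    owner = registrable_domain(host)
    labels = host.split('.')
    hits = set()
    for brand, domains in BRAND_DOMAINS.items():
        if owner in domains:
            continue  # the link really goes to the brand's own domain
        # A real brand hostname (zoom.us, microsoft.com) used as a subdomain
        # of an unrelated domain, the pattern in the us06web.zoom.us.meet... IOC.
        if any(host.startswith(d + '.') or ('.' + d + '.') in host for d in domains):
            hits.add(brand)
        # The brand name itself as a label, or a one-edit typosquat of a longer name.
        for label in labels:
            if label == brand or (len(brand) >= 6 and edit_distance(label, brand) <= 1):
                hits.add(brand)
    return sorted(hits)


def check_sender(address):
    # Brands named in the local part of an address whose domain the brand does not own.
    local, _, domain = address.lower().rpartition('@')
    owner = registrable_domain(domain)
    normalised = local.translate(HOMOGLYPHS)
    hits = [b for b, domains in BRAND_DOMAINS.items()
            if owner not in domains and (b in local or b in normalised)]
    notes = list(hits)
    if 'reply' in normalised and 'reply' not in local:
        notes.append('homoglyph-noreply')
    if hits and owner in FREEMAIL:
        notes.append('freemail-sender')
    return notes


# Constructed sample: addresses and defanged URLs printed in the post, plus one
# legitimate Zoom URL (assumed) as a control that must not be flagged.
SAMPLE_SENDERS = ['navercorp-rep1y@daum.net', 'office365_service@naver.com',
                  'FROM.teamzoom_reply@daum.net', 'noreply_microprotect@naver.com']
SAMPLE_URLS = ['http[:]//us06web[.]zoom[.]us[.]meet[.]polypheou[.]jp/',
               'http[:]//t[.]infomail[.]microsofit[.]com[.]polypheou[.]jp/',
               'http[:]//download[.]mail[.]naver[.]corn-file[.]kro[.]kr/',
               'https://us06web.zoom.us/j/1234567890']


def triage():
    # Map every sample item to the indicators found for it.
    results = {s: check_sender(s) for s in SAMPLE_SENDERS}
    results.update({u: check_url(u) for u in SAMPLE_URLS})
    return results


if __name__ == '__main__':
    for item, verdict in triage().items():
        print(item, '->', ', '.join(verdict) or 'no indicator')
```

The address noreply_microprotect@naver.com from Case 2 produces no indicator: substring matching on brand tokens misses it, which is why output like this is a prompt for human review of the sender and the link target rather than a block rule on its own.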
The mailer.lib.php file in the configuration components specifies the sender’s email address for the phishing emails. The accounts used in the attack were originally created for web portals, but all of them are currently suspended.\r\n“invoice_nerolpy@kakao.com”\r\n“naver-no-reply@kakao.com”\r\n“www.invoice@kakao.com”\r\n“www.navercorp@kakao.com”\r\n“www.naver.reply@kakao.com”\r\n“invoice_hometax@kakao.com”\r\n“navercorp-rep1y@daum.net”\r\n“invoice.norep1y@daum.net”\r\n“nonghyupcorp@daum.net”\r\n“f****07@knd.biglobe.ne.jp”\r\nTable 1. List of email addresses used by the threat actor in phishing\r\n2.3 Installing Japanese Input Method Editor\r\nThe threat actor installed a Japanese Input Method Editor (IME) on their attack infrastructure. An IME is software that lets users enter characters and symbols that are not on their keyboard. Korean Windows systems generally do not have a Japanese IME installed, so the threat actor most likely installed one to write phishing emails targeting Japan or to search in Japanese.\r\nFigure 1. Japanese input system installed by the threat actor\r\n2.4 Setting Up the Phishing Page\r\nThe threat actor saved the phishing pages they had prepared in the download folder of the IIS_USER account and in the XAMPP home folder. The IIS_USER account is created by Larva-24005 after securing the attack infrastructure. These phishing pages are disguised as legitimate services such as iCloud, OneDrive, Outlook, Naver, and Google, and are used to steal user credentials. However, only traces of the phishing pages were found in the attack infrastructure; the files had already been deleted and could not be recovered.\r\nFigure 2. List of phishing pages used by the threat actor\r\n3. 
Methods Attackers Use to Choose Phishing Targets\r\nThe threat actor uses the web browsers on their attack infrastructure (Chrome, MS Edge) to run Google searches, add relevant keywords, and collect information on targets through repeated searches. They also use account credentials obtained through phishing emails to log directly into web portals and email platforms (Outlook, etc.) and search the victim’s inbox for additional targets and relevant information. Their main targets are university professors and non-profit organizations in Japan involved in activities related to North Korea.\r\nOsaka High Court (Osaka High Court ruling)\r\nKishida’s Speech at the National Assembly\r\nSaeki Hiroaki\r\nSaeki Hiroaki, Group Protecting the Lives and Human Rights of Repatriated North Koreans\r\nNakamura Shoichi’s Abduction to North Korea\r\nJapan’s Rocket in Malaysia\r\nSankei Political Department Chief\r\nOsaka Ishin (Osaka Restoration Association)\r\nTokuno, Head of the Network for North Korean Human Rights in India\r\nJapan-Korea Local Autonomy Research Association\r\nDPRK-Japan Talks\r\nTable 2. Some of the keywords searched by the threat actor in the Chrome web browser\r\nThe threat actor also continuously collects news on the political situation in Japan, mainly reading articles about North Korea and Japan in the Nikkei newspaper. The following are some of the articles identified in the Chrome browser history: “North Korea Launches Ballistic Missile. Japan’s Ministry of Defense says ‘Lands outside Japan’s EEZ’,” “New Japanese demands could be key to getting North Korea to talk,” and “Nikkei Reaches Highest Price in 33 Years”.\r\nFigure 3. Article #1 (North Korea Launches Ballistic Missile. Japan’s Ministry of Defense says ‘Lands outside Japan’s EEZ’) opened by the threat actor\r\nFigure 4. 
The article that the threat actor read (New Japanese demands could be key to getting North Korea to talk)\r\n4. Sending Phishing Emails\r\nAfter gathering enough information on their targets, the threat actor sent phishing emails either through the PHPMailer instance installed on the attack infrastructure or by logging in to victims’ compromised accounts.\r\nThe phishing emails sent by Larva-24005 fall into two main types: a compressed malicious file attached to the email, or a malicious URL inserted in the email body. In the cases below, the latter method was used. The phishing email addresses topics of interest to the recipient or is disguised as a message from someone they know.\r\nIn one case the threat actor translated Korean into Japanese using Google Translate. As shown in the figure below, the translated phrase was intended for the phishing email body.\r\nFigure 5. The threat actor translating Korean to Japanese using Google Translate\r\n(English translation: “Since changes to the mail software settings affect critical security information, user authentication is required”)\r\nThe cases introduced below are based on the logs of keyloggers installed by the threat actor on the victims’ systems.\r\n4.1 Case 1\r\nThe threat actor sent a phishing email disguised as a Zoom meeting invitation to a professor of international communications at a Japanese university. The professor had a history of writing papers about the North Korean regime, and their university email address was easily found online.\r\nFrom: FROM.teamzoom_reply@daum.net\r\nSubject: 0000 Invites You to a Scheduled Zoom Meeting\r\nThe email body contains a program guide for a security and foreign policy research group, including the presenters, topics, and schedule. 
The email also includes a Zoom URL for the group’s meetings, but this URL is not legitimate and leads to the threat actor’s C2 server.\r\nFigure 6. Phishing email content sent by the threat actor #1\r\nAfter sending the phishing email, the threat actor also used the read receipt feature to check whether the victim had opened it.\r\nFigure 7. Phishing email read receipt history\r\n4.2 Case 2\r\nThe threat actor sends emails with links disguised as Microsoft login pages to steal the account credentials of their targets. If a victim unknowingly enters their credentials on the fake page, they are transmitted to the threat actor’s C2 server. The following email addresses were used by the threat actor.\r\nnoreply_microprotect@naver.com\r\noffice365_service@naver.com\r\nThe threat actor inserts a hyperlink in the email body to lure victims to the phishing page. The following image shows the content recorded by a keylogger installed by the threat actor on a victim’s system. The email body includes Japanese. Additionally, the domain “polypheou.jp” used in the attack belongs to a Japanese health assistance company, but the threat actor set up lookalike subdomains under it (see the URL list at the end of this post) and used them as C2 addresses.\r\nFigure 8. The content of phishing email body #2\r\nUpon accessing the phishing page via the URL, users are presented with a login page that already contains their email address. The threat actor crafts a personalized phishing page for each target and sends spear-phishing emails.\r\nFigure 9. Microsoft login phishing page\r\n5. 
Conclusion\r\nAs seen in the cases above, the Larva-24005 threat group has been continuously launching attacks using various types of phishing emails against targets in Korea and Japan.\r\nThe threat actor keeps up its malicious activity by prompting recipients to click on links in phishing emails and redirecting them to phishing sites disguised as legitimate websites.\r\nNot only do they disguise themselves as legitimate websites, they also impersonate the interests or acquaintances of the targets when writing the email, so recipients must carefully check the sender’s information upon receiving an email and take special care when opening attachments or clicking on links.\r\nIn particular, when clicking on links in emails, it is crucial to check whether the URL matches the legitimate website. If there is any doubt, refrain from entering account credentials.\r\nMD5\r\nb500a8ffd4907a1dfda985683f1de1df\r\nURL\r\nhttp[:]//auth[.]portal[.]pikara[.]ne[.]polypheou[.]jp/\r\nhttp[:]//download[.]mail[.]naver[.]corn-file[.]kro[.]kr/\r\nhttp[:]//t[.]infomail[.]microsofit[.]com[.]polypheou[.]jp/\r\nhttp[:]//us06web[.]zoom[.]us[.]meet[.]polypheou[.]jp/\r\nhttp[:]//www3[.]icloud[.]vbox[.]l[.]up[.]tcmp[.]polypheou[.]jp/\r\nAdditional IOCs are available on AhnLab TIP.\r\nSource: https://asec.ahnlab.com/en/86535/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://asec.ahnlab.com/en/86535/"
	],
	"report_names": [
		"86535"
	],
	"threat_actors": [
		{
			"id": "191d7f9a-8c3c-442a-9f13-debe259d4cc2",
			"created_at": "2022-10-25T15:50:23.280374Z",
			"updated_at": "2026-04-10T02:00:05.305572Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"Kimsuky",
				"Black Banshee",
				"Velvet Chollima",
				"Emerald Sleet",
				"THALLIUM",
				"APT43",
				"TA427",
				"Springtail"
			],
			"source_name": "MITRE:Kimsuky",
			"tools": [
				"Troll Stealer",
				"schtasks",
				"Amadey",
				"GoBear",
				"Brave Prince",
				"CSPY Downloader",
				"gh0st RAT",
				"AppleSeed",
				"Gomir",
				"NOKKI",
				"QuasarRAT",
				"Gold Dragon",
				"PsExec",
				"KGH_SPY",
				"Mimikatz",
				"BabyShark",
				"TRANSLATEXT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "760f2827-1718-4eed-8234-4027c1346145",
			"created_at": "2023-01-06T13:46:38.670947Z",
			"updated_at": "2026-04-10T02:00:03.062424Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"G0086",
				"Emerald Sleet",
				"THALLIUM",
				"Springtail",
				"Sparkling Pisces",
				"Thallium",
				"Operation Stolen Pencil",
				"APT43",
				"Velvet Chollima",
				"Black Banshee"
			],
			"source_name": "MISPGALAXY:Kimsuky",
			"tools": [
				"xrat",
				"QUASARRAT",
				"RDP Wrapper",
				"TightVNC",
				"BabyShark",
				"RevClient"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "0ba8d5b9-9035-4f18-94bc-eb6c7f497382",
			"created_at": "2025-03-07T02:00:03.800683Z",
			"updated_at": "2026-04-10T02:00:03.828496Z",
			"deleted_at": null,
			"main_name": "Larva-24005",
			"aliases": [],
			"source_name": "MISPGALAXY:Larva-24005",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c8bf82a7-6887-4d46-ad70-4498b67d4c1d",
			"created_at": "2025-08-07T02:03:25.101147Z",
			"updated_at": "2026-04-10T02:00:03.846812Z",
			"deleted_at": null,
			"main_name": "NICKEL KIMBALL",
			"aliases": [
				"APT43 ",
				"ARCHIPELAGO ",
				"Black Banshee ",
				"Crooked Pisces ",
				"Emerald Sleet ",
				"ITG16 ",
				"Kimsuky ",
				"Larva-24005 ",
				"Opal Sleet ",
				"Ruby Sleet ",
				"SharpTongue ",
				"Sparking Pisces ",
				"Springtail ",
				"TA406 ",
				"TA427 ",
				"THALLIUM ",
				"UAT-5394 ",
				"Velvet Chollima "
			],
			"source_name": "Secureworks:NICKEL KIMBALL",
			"tools": [
				"BabyShark",
				"FastFire",
				"FastSpy",
				"FireViewer",
				"Konni"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "71a1e16c-3ba6-4193-be62-be53527817bc",
			"created_at": "2022-10-25T16:07:23.753455Z",
			"updated_at": "2026-04-10T02:00:04.73769Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"APT 43",
				"Black Banshee",
				"Emerald Sleet",
				"G0086",
				"G0094",
				"ITG16",
				"KTA082",
				"Kimsuky",
				"Larva-24005",
				"Larva-25004",
				"Operation Baby Coin",
				"Operation Covert Stalker",
				"Operation DEEP#DRIVE",
				"Operation DEEP#GOSU",
				"Operation Kabar Cobra",
				"Operation Mystery Baby",
				"Operation Red Salt",
				"Operation Smoke Screen",
				"Operation Stealth Power",
				"Operation Stolen Pencil",
				"SharpTongue",
				"Sparkling Pisces",
				"Springtail",
				"TA406",
				"TA427",
				"Thallium",
				"UAT-5394",
				"Velvet Chollima"
			],
			"source_name": "ETDA:Kimsuky",
			"tools": [
				"AngryRebel",
				"AppleSeed",
				"BITTERSWEET",
				"BabyShark",
				"BoBoStealer",
				"CSPY Downloader",
				"Farfli",
				"FlowerPower",
				"Gh0st RAT",
				"Ghost RAT",
				"Gold Dragon",
				"GoldDragon",
				"GoldStamp",
				"JamBog",
				"KGH Spyware Suite",
				"KGH_SPY",
				"KPortScan",
				"KimJongRAT",
				"Kimsuky",
				"LATEOP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Lovexxx",
				"MailPassView",
				"Mechanical",
				"Mimikatz",
				"MoonPeak",
				"Moudour",
				"MyDogs",
				"Mydoor",
				"Network Password Recovery",
				"PCRat",
				"ProcDump",
				"PsExec",
				"ReconShark",
				"Remote Desktop PassView",
				"SHARPEXT",
				"SWEETDROP",
				"SmallTiger",
				"SniffPass",
				"TODDLERSHARK",
				"TRANSLATEXT",
				"Troll Stealer",
				"TrollAgent",
				"VENOMBITE",
				"WebBrowserPassView",
				"xRAT"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775433979,
	"ts_updated_at": 1775826752,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1936e910e230f3531a0088bda6dd5b8cb768b9af.pdf",
		"text": "https://archive.orkl.eu/1936e910e230f3531a0088bda6dd5b8cb768b9af.txt",
		"img": "https://archive.orkl.eu/1936e910e230f3531a0088bda6dd5b8cb768b9af.jpg"
	}
}