{
	"id": "ece98659-6c83-4576-9c97-baccf3c71ca5",
	"created_at": "2026-04-06T00:15:59.130166Z",
	"updated_at": "2026-04-10T03:37:40.763427Z",
	"deleted_at": null,
	"sha1_hash": "1b5836c415d16a3f0538cec41ca39c11d0aed5e0",
	"title": "Analysis of APT Attack Cases Targeting Web Services of Korean Corporations - ASEC",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3019799,
	"plain_text": "Analysis of APT Attack Cases Targeting Web Services of Korean\r\nCorporations - ASEC\r\nBy ATCP\r\nPublished: 2023-08-22 · Archived: 2026-04-02 11:11:34 UTC\r\nWeb servers are vulnerable to attacks because they are publicly accessible to a wide range of users for the purpose of\r\ndelivering web services. This accessibility makes them a prime target for threat actors. AhnLab Security Emergency\r\nresponse Center (ASEC) is monitoring attacks targeting vulnerable web servers that have not been patched or are poorly\r\nmanaged.\r\nIn this post, we have compiled APT attack cases where the web servers of Korean corporations were continuously targeted\r\nover the years. We have also provided the indicators of compromise (IoC) of the various malware and tools used in these\r\nattacks. The threat actor commonly uses an account named “tripod” on most of the compromised systems, and this serves as\r\none of the identifying characteristics of this threat actor.\r\nFigure 1. User account “tripod” that has been identified in most infected systems\r\n1. Overview\r\nAmong the web servers that provide web services on Windows servers, prominent examples include the Internet Information\r\nServices (IIS) web server, Apache Tomcat web server, JBoss, and Nginx. When these web servers have vulnerabilities that\r\nare not patched or are poorly managed, they continuously become the target of attack by various threat actors. ASEC has\r\npreviously shared a case involving vulnerable Apache Tomcat web servers [1] and another case where JBoss-based PACS\r\n(Picture Archiving and Communication System) servers were attacked, resulting in the installation of Metasploit\r\nMeterpreter. [2]\r\nAmong the Korean corporations using Windows servers, there is a notable prevalence of IIS web servers. Consequently,\r\nattacks targeting IIS servers have been frequently identified.  
Even in the past attack case of Dalbit, a threat group based in\r\nChina, [3] and the case where a Chinese hacker group stole information from Korean corporations, [4] IIS web servers were\r\nthe targets of attacks in both cases. Besides these, there is also the case where the Kimsuky threat group [5] attacked IIS web\r\nservers, and the case where the Lazarus threat group used IIS web servers as their malware distribution servers after\r\ninfecting systems. [6]\r\nThe threat actor identified in this instance also targeted Windows IIS web servers. These attacks have been observed since\r\n2019 at the earliest. Additionally, the Korea Internet \u0026 Security Agency (KISA) published a report in 2021 on the topic of\r\n“Cases of Infiltration Involving the Insertion of Abnormal Advertisements and Response Measures”. [7] According to the\r\nhttps://asec.ahnlab.com/en/56236/\r\nPage 1 of 20\n\nabove report, the threat actor targeted specific company websites to illicitly insert an advertisement code. They exploited a\r\nfile upload vulnerability in neglected forums on the web server to install a web shell. Subsequently, they established an\r\ninfrastructure for ad insertion and exposed visitors to the advertisements. To evade detection, the threat actor would\r\nmeticulously switch to the page inserted with the ad code during specific times, such as in the evening or when the server’s\r\nadministrator had logged off. They would then switch it back to the normal page during the mornings or when the\r\nadministrator logged on to the server.\r\nASEC has confirmed that the threat actor has been continuously targeting Korean corporations since at least 2019 up to the\r\npresent time. The Korean corporations with confirmed attack cases include hotels, telecommunications equipment\r\nmanufacturers, online shopping malls, and international manufacturing companies, etc. 
Although identifying this specific\r\nthreat actor remains challenging due to the use of commonly known malware and tools, certain tools used in the attacks have\r\nbeen identified as being in Chinese, leading to the assumption that the threat actor is at least familiar with the Chinese\r\nlanguage.\r\nFurthermore, in the cases presented in the KISA report, the threat actor’s ultimate goal appeared to be inserting\r\nadvertisements into legitimate web services. However, in the cases identified by ASEC, no files or logs related to\r\nadvertisements were found. Instead, actions such as the deletion of Volume Shadow Copies were observed. This suggests\r\nthat the threat actor may have different objectives like installing ransomware on infected systems.\r\n2. Analysis of Threat Actor\r\nVulnerable systems fall prey to a variety of threat actors. Especially in the case of IIS web servers or MS-SQL servers, there\r\nis a trend of multiple threat actors targeting the same systems persistently. Therefore, there is a limit to extracting the\r\nbehavior of specific threat actors from the various malware and attack logs. In this post, attacks based on the unique\r\ncharacteristics of this threat actor have been organized from the malware and attack logs, compiling a brief overview of the\r\nattacks that took place over a short period. However, it is important to note that at the same point in time, another threat\r\nactor could have executed a similar attack. This means that the malware and attack logs of different threat actors could\r\npotentially be mixed together.\r\n2.1. Commonalities Among the Attack Cases\r\nCommonly, attack cases targeting IIS web servers involve the presence of common malware such as web shells, Potato,\r\nprivilege escalation vulnerability PoC, and Ladon. 
While these tools are often associated with threat actors who use the\r\nChinese language, they are publicly available online, making it challenging to attribute the attacks solely based on the files.\r\nHowever, there are cases where the threat actor packed malware with VMProtect (VMP) to bypass file detection or developed custom\r\nmalware for their attacks. These are the unique characteristics of this threat actor, so the attack cases were classified based\r\non this information. Additionally, the threat actor also created their malware under the following directories.\r\n%ALLUSERSPROFILE%\\Microsoft\\DeviceSync\\\r\n%SystemRoot%\\debug\\WIA\\\r\nFurthermore, the tool Sy_Runas is employed in the attacks. Sy_Runas is a tool used to execute commands with the\r\nprivileges of a specific user through a web shell. Currently, Sy_Runas is not commonly used in attacks. However, when\r\nused, it is often created with the following file name.\r\n%SystemRoot%\\debug\\WIA\\wiatrace.log\r\nFigure 2. Sy_Runas\r\nFurthermore, the web server of a specific Korean company is being used as a malware download server. The threat actor\r\nattacked this company to upload their malware, and the uploaded files are presumed to be subsequently downloaded and used when\r\ntargeting other companies. It is worth noting that this address was also employed as a Command and Control (C\u0026C) server\r\nfor NetCat to maintain control.\r\nThe most significant aspect of this will be covered in the “5. Maintain Persistence” section, but to cover it briefly, the\r\npresence of malware that additionally installs web shells to maintain persistence has been identified. 
Consequently, the\r\ninfected systems have commands registered in their task scheduler to execute the batch file.\r\nAfter taking over a system, the threat actor either steals and uses the Administrator’s account credentials, or they assign\r\nAdministrator privileges to a Guest account using the UserClone technique. However, given the prevalence of the username\r\n“tripod” across various systems, it is suspected that the threat actor creates and utilizes the “tripod” account.\r\n2.2. Chinese Tools Used in Attacks\r\nMany of the tools used in the attack are already publicly available, and even the files presumed to be created by the threat\r\nactor lack additional information such as a PDB path. However, a relation to Chinese-speaking environments was found in the tools\r\nand the custom malware that the threat actor used in their attacks.\r\nIn the process of maintaining persistence, the threat actor installs web shells using WinRAR. In some cases, the regular\r\nEnglish version of WinRAR was used, but in attacks identified in 2019, instances of the Chinese version of WinRAR were\r\nfound to be used.\r\nFigure 3. Chinese version of WinRAR.exe\r\nThere is a case where the threat actor created and used programs during their attack process for testing purposes. The test\r\nprograms are in the form of WinRAR SFX executables. Some files simply create an empty file named “test.txt” in the same\r\ndirectory. Others go beyond this by including a command that executes a “sd2.bat” file located in a specific directory in addition to creating the empty file named “test” in the same directory. Additionally, this path is used in the attack process,\r\nand if a batch file exists in this path, it could act as a launcher to execute the file.\r\n\u003e “C:\\Windows\\System32\\cmd.exe” /c C:\\WINDOWS\\System32\\spool\\drivers\\color\\sd2.bat\r\nFigure 4. 
WinRAR SFX executable assumed to be for testing purposes\r\nThe above WinRAR SFX executable was created in Chinese, and upon inspecting the resource section of the executable,\r\nChinese version-specific WinRAR strings can be observed.\r\nFigure 5. Chinese version of WinRAR SFX executable\r\n3. Initial Infiltration\r\nAccording to the KISA report, the threat actor exploited a file upload vulnerability on the affected corporation’s website to\r\nupload a web shell as an attachment. It is believed that the threat actor used the first uploaded web shell to additionally\r\nupload a second web shell (1.asp) to a different path than the initial upload path. The diagnostic log of AhnLab Smart\r\nDefense (ASD) shows a similar file name to the one mentioned in the KISA report, “1.aspx”.\r\nWeb Shell Path\r\nD:\\***Root_DB\\1.aspx\r\nD:\\**trust\\www\\photo_upload..1.aspx\r\nD:\\**trust\\www\\photo_upload\\1(0).aspx\r\nE:\\****Hotel\\upload\\thanks\\test.asp\r\nC:\\***Pay15\\source\\source.asp\r\nTable 1. Path names of the detected web shells\r\nAfterward, the KISA report states that the threat actor used the secondary web shell to create various malware such as the privilege\r\nescalation tool Potato, UserClone, and Mimikatz. A record can be observed in actual AhnLab ASD logs of various malware\r\nbeing uploaded after the web shell.\r\nThe following are types of web shells that have been collected among those identified in the attack processes. It is worth\r\nnoting that in actual attacks, there are likely to be many more types beyond the ones listed below.\r\nFigure 6. Web shells suspected to have been used in attacks\r\n4. Privilege Escalation\r\n4.1. Potatos\r\nThe Potato malware family consists of malware designed for privilege escalation, with various types such as JuicyPotato,\r\nRottenPotato, and SweetPotato existing based on different privilege escalation methods. 
Even if threat actors gain control\r\nover infected systems through web shells or dictionary attacks, they may not be able to perform their desired malicious\r\nactions due to the lack of appropriate privileges within the w3wp.exe process. This also applies to the sqlservr.exe process of\r\nthe MS-SQL server. To address this issue, threat actors tend to use privilege escalation malware in conjunction with their\r\nattack process.\r\nEspecially in attacks targeting IIS web servers or MS-SQL database servers, Potato privilege escalation malware is\r\ncommonly used. Potato leverages certain processes with elevated privileges to escalate permissions, allowing the threat actor to perform malicious actions with the elevated privileges.\r\nThe threat actor has utilized various types of Potato privilege escalation tools in their attacks, including BadPotato,\r\nEfsPotato, GodPotato, JuicyPotato, JuicyPotatoNG, PetitPotato, PrintNotifyPotato, SharpEfsPotato, SweetPotato, etc.\r\nRecently, the threat actor has been observed uploading malware to the web server of a specific Korean company and then\r\ndownloading and using this malware in the attack process against other systems. It appears that the threat actor is utilizing\r\ncompromised systems as malware distribution servers.\r\nFigure 7. Log showing Potato malware being installed with web shell\r\nAmong the Potato malware used in the attacks, there are files that have been known for several years as well as files that the\r\nthreat actor has packed using VMProtect. Recently, Potato malware that has been packed using the “go-shellcode” packing\r\ntool, which is available on GitHub, is being used in attacks. [8] “go-shellcode” is developed in Go and serves as a tool\r\nto execute shellcode using various techniques like the ones shown below.\r\nFigure 8. 
go-shellcode packer\r\nRecently, threat actors have shown a tendency to pack malware using Go to evade file-based detection. “go-shellcode” is a tool that encrypts and holds the malware designated by the threat actor before decrypting and executing it in\r\nmemory. The left side of the following image depicts the routine of executing shellcode using the\r\nEtwpCreateEtwThread() function in “go-shellcode”, while the right side demonstrates the routine of executing shellcode\r\nusing the CreateFiber() function. The threat actor packed the Potato malware using the code from “go-shellcode”.\r\nFigure 9. Packed Potato malware\r\nThe threat actor used the Potato malware family to execute various commands. Logs also reveal that a command was used to\r\nbypass detection by Windows Defender.\r\ne:\\win64_*****_client\\client\\stage\\cmd.exe /c cd /d\r\nc:\\quarantine_mz\\\u0026\r\netwpcreateetwthread1.gif\r\n-t * -p c:\\windows\\system32\\cmd.exe -a\r\n“/c powershell set-mppreference -disablerealtimemonitoring $true” -l 1500\u0026\r\necho [s]\u0026cd\u0026echo+[e]\r\n4.2. Other Privilege Escalation Malware\r\nWhile the threat actor has predominantly used the Potato malware family for privilege escalation, there have been instances\r\nwhere other tools like PrintSpoofer or vulnerability PoC malware were also identified. In particular, PrintSpoofer malware\r\nis prevalent across most compromised systems, suggesting that the threat actor often employs PrintSpoofer alongside the\r\nPotato malware family for privilege escalation purposes.\r\nFigure 10. PrintSpoofer privilege escalation tool\r\nIn addition to the above, various tools such as COMahawk (CVE-2019-1405, CVE-2019-1322) [9], CVE-2020-0787 [10],\r\nand IIS LPE (by k8gege) [11] are also being used in the attacks.\r\n5. Maintain Persistence\r\n5.1. 
Installation of Additional Web Shells\r\nAccording to the report from KISA, the threat actor registered tasks named “CredentialTask” and “CertificateTask” to\r\ndisplay an unauthorized advertisement page on the company’s website during the time when the administrator was off work.\r\nThe registered tasks execute a batch file, which installs a web shell and registers the advertisement page. The unauthorized\r\nadvertisement feature replaces the website’s source code with a script containing the inserted advertisement code during specific time\r\nperiods, and then reverts it back to the original state.\r\nIn the case of the system currently being investigated, the batch file executed by the Task Scheduler is named “winrmr.cmd”,\r\nwhich reads the configuration file “SCFConfig.dat” to perform malicious behaviors. Additionally, it is presumed that the\r\nunauthorized advertisement display feature was not enabled by the threat actor on this system. This is indicated by the fact\r\nthat the configuration file only contains the first line responsible for the web shell, while the other lines related to the inserted\r\nadvertisement on the web page are absent. Furthermore, the compressed file “winrnr.cmd” specified in the configuration file\r\nonly contains the web shell file, and the files related to the web pages with inserted advertisements are not present.\r\nSCF1.dat|”D:\\***demo\\www\\cscenter\\ajaxNoticefaq.asp”|AA3A20597084944FDCBE1C3894FD7AB5\r\nFigure 11. Configuration file containing the settings related to ad inserted page – Source: KISA report\r\nThe batch file calculates the MD5 hash of the web shell “SCF1.dat” stored within the compressed file “winrnr.cmd”. It then\r\ncompares this hash with the value present in the third field of the configuration file for verification. If the hash values match,\r\nthe web shell is copied to the path specified in the second field, and permissions are configured.\r\nFigure 12. 
Routine to set the permission of the copied web shell\r\nThrough this process, a web shell is periodically installed on the system, and the threat actor can use it to control the infected\r\nsystem. The web shell is inserted at the bottom of a comment block so that the file appears to be a normal script.\r\nFigure 13. Web shell created in a new path\r\nWeb Shell Installation Path\r\nC:\\Webservice\\****do\\board\\notice\\board_write.asp\r\nC:\\WebService\\****do\\products\\inquiry\\board_view.asp\r\nd:\\*****cokr\\www\\member\\login.asp\r\nd:\\*****shop\\www\\product\\product.asp\r\nd:\\style\\www\\assets\\fontawesome\\font\\font.asp\r\nd:\\*****bie\\www\\about\\index.asp\r\nd:\\*****allen\\www\\customer_service\\notice.asp\r\nD:\\***demo\\www\\cscenter\\ajaxNoticefaq.asp\r\nE:\\****Hotel\\include\\check8.asp\r\nE:\\****no\\www\\iprice\\iprice.asp\r\nTable 2. Installation path of web shells to maintain persistence\r\n5.2. Privilege Copying Malware\r\nThe threat actor granted administrator privileges to a Guest account using privilege copying malware. This was\r\naccomplished by copying the F value of the SAM key stored in the registry. The F value of the SAM key contains information including the RID. By changing the Guest account’s RID value to that of the Administrator’s account, the threat\r\nactor can use the Guest account to perform malicious behaviors with administrator privileges.\r\nFigure 14. Privilege copying tool\r\n5.3. UserClone\r\nUserClone is a tool that provides functionality to create accounts in the Administrator group or copy the permissions of a\r\nspecific account to another account. When the /Clone option is used, the privilege of the account given as the second\r\nargument is copied to the account given as the first argument. This is the same as the privilege copying malware mentioned\r\nabove. 
The KISA report also contains details of a case where UserClone was used by the threat actor to change the privilege\r\nof a Guest account to that of an Administrator account.\r\nFigure 15. UserClone tool\r\n6. Collecting Credentials\r\n6.1. Mimikatz / ProcDump\r\nAfterward, the threat actor installed Mimikatz to collect credential information present in the currently infected system.\r\nWhile the threat actor escalates privileges by directly creating Administrator accounts or by using the UserClone tool,\r\nthe logs also show the Administrator account being used during the attack process, which suggests that they are also using stolen accounts.\r\nMimikatz is a tool that supports credential extraction features in Windows environments. It can not only extract plaintext\r\npasswords and hash information stored in Windows systems, but it also supports lateral movement attacks using the obtained\r\ncredentials. It is therefore frequently employed as a means of gaining control over corporate internal networks in order to seize\r\ninformation or install ransomware.\r\nAdditionally, in recent Windows environments, the extraction of plaintext passwords using the WDigest security package is\r\nnot possible by default. Instead, the UseLogonCredential registry key must be configured to acquire it. Accordingly, the\r\nthreat actor executed the following command to add the UseLogonCredential registry key.\r\n\u003e reg add HKLM\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest /v UseLogonCredential /t\r\nREG_DWORD /d 1 /f\r\nTypically, Mimikatz reads and decrypts the memory of the currently running lsass.exe process to obtain credential\r\ninformation. 
However, if a memory dump file exists, it can be provided as an argument to retrieve credential information.\r\nRecently, threat actors have been using legitimate software such as Sysinternals’ ProcDump to evade detection by security\r\nproducts. In cases where malware like Mimikatz cannot directly access the lsass.exe process memory, threat actors instead\r\nutilize the ProcDump tool to create a memory dump file and then read and decrypt it using Mimikatz. Considering the\r\npresence of the following commands to dump the memory of the lsass.exe process using ProcDump, it is suspected that the\r\nthreat actor also used Mimikatz in this way.\r\nPath Name | Argument\r\nE:\\****Hotel\\faq\\f.asp | -accepteula -ma lsass.exe e:\\****hotel\\faq\\lsass.dmp\r\n%ALLUSERSPROFILE%\\microsoft\\devicesync\\procdump64.exe | -accepteula -ma lsass c:\\programdata\\microsoft\\devicesync\\lsass.dmp\r\nTable 3. Credential theft using ProcDump\r\n6.2. Runas Malware\r\nThe Runas malware family receives the account credentials of a specific user as an argument and executes\r\ncommands with that account’s privileges. Such malware includes RunasCs and Sy_Runas, both of which are being used by\r\nthe threat actor in their attacks. While there is a higher presence of Sy_Runas in the logs, RunasCs, which is developed in\r\n.NET, is also frequently identified across many systems.\r\nFigure 16. RunasCs tool\r\nWhen the threat actor executes commands using a web shell, they employ privilege escalation tools like Potato or Runas\r\nmalware. In the case of using Runas, they leverage the credentials obtained through Mimikatz from previously collected\r\naccounts, or utilize the escalated privileges of a Guest account through UserClone. Additionally, it is presumed that they also\r\nuse accounts that they had directly added. 
Although such a variety of accounts are used in the attack process, the most prominent account is “tripod”. This account is a noticeable commonality across most infected systems and is assumed to\r\nhave been manually added by the threat actor.\r\nPath Name | Argument\r\n%ALLUSERSPROFILE%\\oracle\\java\\java.txt | tripod “c!!l)0w101” “whoami”\r\n%ALLUSERSPROFILE%\\oracle\\java\\java.txt | tripod “c!!l)0w101” “query user”\r\n%SystemRoot%\\debug\\wia\\wiatrace.log | tripod c!!l!0w111 “query user”\r\n%SystemRoot%\\debug\\wia\\wiatrace.log | tripod ww28win “whoami”\r\n%SystemRoot%\\debug\\wia\\wiatrace.log | tripod “c)!l(4w096” “query user”\r\n%SystemDrive%***pay50\\sample\\popup_img\\bg1.gif | tripod “c)!l!2w011” “query user”\r\nTable 4. Command logs of Sy_Runas being used to check “tripod” account privilege\r\n7. Remote Control\r\n7.1. NetCat\r\nThe threat actor used web shells to create and execute additional malware. Aside from these, they also installed NetCat and\r\nused it as a reverse shell. The C\u0026C address utilized in these attacks, given as an IP address, coincides with the download address that was\r\nmentioned above. Essentially, it is identical to the address of the company that had previously fallen victim to the malware\r\nbreach.\r\nFigure 17. NetCat execution log\r\n7.2. Ladon\r\nIn addition, the threat actor utilized the open-source hacking tool Ladon during their attack process. [12] Ladon, which can\r\nbe further explored through its GitHub page, is one of the tools primarily employed by Chinese-speaking threat actors. [13]\r\nDue to its capability to support a variety of essential features during the attack process, Ladon enables threat actors to carry\r\nout a range of malicious behaviors, including scanning, privilege escalation, and exfiltration of account credentials, after\r\ngaining control of the targeted system.\r\nFigure 18. 
Ladon GitHub page\r\nBesides the executable version of Ladon, the PowerShell version, PowerLadon, was also used in the attacks. [14] The threat actor\r\nemployed a PowerShell command to retrieve PowerLadon from the website of a previously breached Korean company.\r\nFollowing this, they utilized the badpotato command to verify whether privilege escalation was successful.\r\nFigure 19. PowerLadon installation command\r\n8. Post Attack\r\nAccording to the report from KISA, the threat actor registered tasks named “CredentialTask” and “CertificateTask” to\r\ndisplay an unauthorized advertisement page on the company’s website during the time when the administrator was off work.\r\nUp to at least the year 2021, it is suspected that the primary objective of the threat actor was to generate revenue through the exposure of their advertisement pages. This notion is supported by the ASD logs that also show these tasks being registered\r\nto the task scheduler and executed in the infected systems.\r\nFigure 20. CertificateTask registered to the scheduler\r\nHowever, in the system discussed in the “5. Maintain Persistence” section, there are instances where a feature to switch to an\r\nadvertisement web page is not included and only a web shell is installed. Furthermore, logs have been found on certain\r\nsystems showing that the threat actor used Sy_Runas to delete volume shadow copies in infected systems.\r\nFigure 21. Command log of volume shadow copy being deleted\r\nThis suggests that while the threat actor’s initial objective was profit through unauthorized ad exposure, recent developments\r\nalso open up the possibility of other motives such as ransomware attacks.\r\n9. Conclusion\r\nAPT attacks targeting the web servers of Korean corporations continue to be detected. The threat actor has\r\nbeen carrying out these attacks since at least 2019, primarily aiming to insert ads into corporate websites. 
However, recent\r\nexamination of attack logs suggests the potential addition of different objectives, such as ransomware installation.\r\nThe threat actor attacked poorly managed or unpatched web servers to install web shells. According to the report from\r\nKISA, the upload of web shells is mainly suspected to occur through file upload vulnerabilities. Subsequently, a series of\r\nactions, including privilege escalation, maintenance of persistence, and credential extraction, are taken to gain control over\r\nthe infected systems.\r\nAdministrators should proactively check for file upload vulnerabilities on their web servers to prevent the upload of web\r\nshells, as this is the initial penetration vector. Passwords must also be changed periodically, and the implementation of access\r\ncontrols is also crucial to counter lateral movement attacks leveraging stolen account credentials. Also, V3 should be\r\nupdated to the latest version so that malware infection can be prevented.\r\nFile Detection\r\n– Dropper/Win32.Agent.C106924 (2011.10.12.00)\r\n– Exploit/Win.Agent.C5224192 (2022.08.17.01)\r\n– Exploit/Win.Agent.C5404633 (2023.04.04.00)\r\n– Exploit/Win.Agent.C5404635 (2023.04.04.00)\r\n– Exploit/Win.BadPotato.R508814 (2022.08.04.01)\r\n– Exploit/Win.DcomRpc.R554379 (2023.01.28.00)\r\n– Exploit/Win.JuicyPotato.C2724641 (2022.08.09.00)\r\n– Exploit/Win.JuicyPotato.C5417758 (2023.04.25.01)\r\n– Exploit/Win.JuicyPotato.C5417761 (2023.04.25.01)\r\n– Exploit/Win.JuicyPotato.C5445175 (2023.06.23.03)\r\n– Exploit/Win.JuicyPotato.R495502 (2022.06.03.01)\r\n– Exploit/Win.PetitPotato.C5418234 (2023.04.26.00)\r\n– Exploit/Win.PetitPotato.C5418237 (2023.04.26.00)\r\n– Exploit/Win.PetitPotato.R575177 (2023.04.26.00)\r\n– Exploit/Win.PetitPotato.R588349 (2023.06.23.03)\r\n– Exploit/Win.Potato.C5444398 (2023.07.29.00)\r\n– Exploit/Win.PrintNotifyPotato.C5418245 (2023.04.26.00)\r\n– Exploit/Win.PrintNotifyPotato.R561362 
(2023.03.10.00)\r\n– Exploit/Win.PrintSpoofer.C5404637 (2023.04.04.00)\r\n– Exploit/Win.PrintSpoofer.C5445168 (2023.06.23.03)\r\n– Exploit/Win.PrintSpoofer.R346208 (2020.07.29.04)\r\n– Exploit/Win.PrintSpoofer.R358767 (2020.12.18.06)\r\n– Exploit/Win.PrintSpoofer.R456477 (2021.12.07.00)\r\n– Exploit/Win.SharpEfsPotato.C5418239 (2023.04.26.00)\r\n– Exploit/Win.SharpEfsPotato.C5418240 (2023.04.26.00)\r\n– Exploit/Win.SharpEfsPotato.C5418242 (2023.04.26.00)\r\n– Exploit/Win.SharpEfsPotato.C5418243 (2023.04.26.00)\r\n– Exploit/Win.SweetPotato.C5405993 (2023.04.06.02)\r\n– Exploit/Win.SweetPotato.C5418244 (2023.04.26.00)\r\n– HackTool/PowerShell.Ladon.SC187629 (2023.04.04.00)\r\n– HackTool/Win.Ladon.R442618 (2021.09.25.00)\r\n– HackTool/Win.Netcat.C5283500 (2022.10.18.03)\r\n– HackTool/Win.RunAs.C4406737 (2021.04.07.03)\r\n– HackTool/Win.RunAs.C5404638 (2023.04.04.00)\r\n– HackTool/Win.RunAs.C5417759 (2023.04.25.01)\r\n– HackTool/Win.RunAs.C5418233 (2023.04.26.00)\r\n– HackTool/Win.RunAs.C5445161 (2023.06.23.03)\r\n– Malware/Win.Generic.C4432989 (2021.04.22.01)\r\n– Trojan/BIN.Generic (2023.07.28.03)\r\n– Trojan/CMD.Agent.SC191319 (2023.07.28.03)\r\n– Trojan/Win.Agent.C5418231 (2023.04.26.00)\r\n– Trojan/Win.Agent.C5418232 (2023.04.26.00)\r\n– Trojan/Win.Escalation.R524707 (2022.10.04.02)\r\n– Trojan/Win.Generic.C4491018 (2021.05.26.01)\r\n– Trojan/Win.Generic.C5228587 (2022.08.27.01)\r\n– Trojan/Win.Generic.R529888 (2022.10.15.04)\r\n– Trojan/Win.Mimikatz.R563718 (2023.03.16.02)\r\n– Trojan/Win.MSILMamut.C5410538 (2023.04.13.01)\r\n– Trojan/Win.PrintSpoofer.R597367 (2023.08.12.03)\r\n– Trojan/Win.UserClone.C5192153 (2022.07.04.02)\r\n– Trojan/Win32.HDC.C111465 (2011.10.19.00)\r\n– Trojan/Win32.Mimikatz.R271640 (2019.05.21.05)\r\n– Unwanted/Win32.NTSniff_v110 (2005.03.08.00)\r\n– WebShell/ASP.Agent.SC191320 (2023.07.28.03)\r\n– WebShell/ASP.Generic (2023.01.27.03)\r\n– WebShell/ASP.Generic.S1855 
(2022.06.22.03)\r\nBehavior Detection\r\n– Malware/MDP.SystemManipulation.M1471\r\n– Execution/MDP.Powershell.M2514\r\n– CredentialAccess/MDP.Mimikatz.M4367\r\nIOC\r\nMD5\r\nWebShell\r\n– 612585fa3ada349a02bc97d4c60de784: D:\\***Root_DB\\1.aspx\r\n– eb1c6004afd91d328c190cd30f32a3d1: D:\\**trust\\www\\photo_upload..1.aspx, D:\\**trust\\www\\photo_upload\\1(0).aspx,\r\nE:\\****Hotel\\upload\\thanks\\test.asp, C:\\***Pay15\\source\\source.asp\r\nPotato (BadPotato)\r\n– 9fe61c9538f2df492dff1aab0f90579f: %SystemRoot%\\debug\\wia\\badpotatonet2.exe,\r\n%ALLUSERSPROFILE%\\Microsoft\\DeviceSync\\BadPotatoNet2.exe, %ALLUSERSPROFILE%\\BadPotatoNet2.exe\r\n– ab9091f25a5ad44bef898588764f1990: %ALLUSERSPROFILE%\\Microsoft\\DeviceSync\\BadPotatoNet4.exe\r\nPotato (EfsPotato)\r\n– 9dc87e21769fb2b4a616a60a9aeecb03: E:\\app\\Administrator\\product\\EfsPotato2.0.exe,\r\n%ALLUSERSPROFILE%\\Microsoft\\DeviceSync\\EfsPotato2.0.exe\r\nPotato (GodPotato)\r\n– 5f3dd0514c98bab7172a4ccb2f7a152d: C:\\Oracle\\GodPotato-NET2.exe\r\n– c7c0e7877388f18a771ec54d18ac56e6: E:\\app\\g.exe\r\nPotato (JuicyPotato)\r\n– 2331a96db7c7a3700eb1da4c730e8119: %SystemRoot%\\debug\\WIA\\jpms.log\r\n– 8e228104d545608e4d77178381324a0b: %SystemRoot%\\debug\\wia\\juicypotatomsmsmsmsms.exe\r\nPotato (JuicyPotatoNG)\r\n– 7756312d5da2cfb6a4212214b65b0d9a: %ALLUSERSPROFILE%\\microsoft\\devicesync\\createfiber.log\r\n– 15aa2aea896511500027c5b970454c10: %ALLUSERSPROFILE%\\usoshared\\etwpcreateetwthread1.gif\r\n– 72eee0b89c707968fb41083f47739acf: %ALLUSERSPROFILE%\\microsoft\\devicesync\\juicypotatong_ms.exe,\r\n%ALLUSERSPROFILE%\\USOShared\\jpng.exe,\r\n%ALLUSERSPROFILE%\\Microsoft\\DeviceSync\\JuicyPotatoNG_ms.exe,\r\nC:\\Windows\\debug\\WIA\\JuicyPotatoNG_ms.exe\r\n– f530974b0cf773dc2efdff66c2b57e7f: %SystemDrive%\\quarantine_mz\\registries\\1.exe,\r\n%ALLUSERSPROFILE%\\Microsoft\\DeviceSync\\JuicyPotatoNG_ms_ok.exe\r\n– 19c5eb467633efb48ceb49db2870de72: 
%ALLUSERSPROFILE%\\Microsoft\\DeviceSync\\JuicyPotatoNG.exe,\r\nhttps://asec.ahnlab.com/en/56236/\r\nPage 17 of 20\n\nC:\\Windows\\debug\\WIA\\JuicyPotato_x64.exe\r\n– 0ea582880c53419c8b1a803e19b8ab1f: %ALLUSERSPROFILE%\\Microsoft\\DeviceSync\\EtwpCreateEtwThread.log,\r\n%ALLUSERSPROFILE%\\USOShared\\EtwpCreateEtwThread.log\r\n– 8017f161b637cb707e3e667252c2235d: %ALLUSERSPROFILE%\\USOShared\\j.exe,\r\n%ALLUSERSPROFILE%\\Microsoft\\DeviceSync\\JuicyPotatoNG.exe, %SystemRoot%\\debug\\WIA\\JuicyPotatoNG.exe\r\nPotato (PetitPotato)\r\n– 659d5c63ae9a1a3c5a33badc53007808: %SystemDrive%\\quarantine_mz\\sd2.gif\r\n– 9dc62c3a97269f780eb54ebcd43c77a8: %ALLUSERSPROFILE%\\microsoft\\devicesync\\test.gif\r\n– bffe140d2e2a7f44cbe3e3bf9b50f3b5: %ALLUSERSPROFILE%\\microsoft\\devicesync\\1.exe\r\n– d66dfce79df451f797775335fac67e9d: %ALLUSERSPROFILE%\\microsoft\\devicesync\\3.exe\r\n– 435351d097dcc253e48b89575a40427c: E:\\****check_ASP_N\\123.doc\r\n– 66379480d44ad92c07f6b5a9dfb3df3d: E:\\****check_ASP_N\\test.gif\r\n– 4875e5a46aec782f7e4cfb2028e6426a: E:\\****check_ASP_N\\p.gif\r\nPotato (PrintNotifyPotato)\r\n– fad4ea01a92d0ede3f75d13b1a96238b: %ALLUSERSPROFILE%\\PrinterNotifyPotato.exe\r\n– 7600f8875fb23a6057354c3426b1db79: %ALLUSERSPROFILE%\\ahnlab\\ais\\p.log,\r\n%ALLUSERSPROFILE%\\USOShared\\p.exe,\r\n%ALLUSERSPROFILE%\\Microsoft\\DeviceSync\\PrintNotifyPotato2.0.vmp.exe\r\n– 98154aeaec8aba3c376c7c76e11a2828: %ALLUSERSPROFILE%\\USOShared\\pp.exe\r\nPotato (SharpEfsPotato)\r\n– 661126f645c5eb261b0651744a17e14b: %ALLUSERSPROFILE%\\microsoft\\devicesync\\20230404.log,\r\n%ALLUSERSPROFILE%\\ahnlab\\ais\\v3.log\r\n– 63294f453901077fcb62eeb5c84e53d1: %ALLUSERSPROFILE%\\ahnlab\\ais\\sep_vmp.sln\r\n– 69bde490dc173dbed98b2decacd586c4: %ALLUSERSPROFILE%\\ahnlab\\ais\\result.log\r\n– e8e00a5771cafa4fb9294fea549282de: E:\\****check_ASP_N\\NtQueueApcThreadEx.log\r\n– 227df13221db37ab9673ae1af4e6278a: E:\\****check_ASP_N\\HeapAlloc.jpg,\r\n%ALLUSERSPROFILE%\\USOShared\\h.gif\r\n– 
c9dc55872982efcadba4ce197ba34fbd: E:\\****check_ASP_N\\pp.gif\r\nPotato (SweetPotato)\r\n– 021924959a870354cc6c9a54fe7dcf83: C:\\Quarantine_MZ\\123.gif,\r\n%ALLUSERSPROFILE%\\Microsoft\\DeviceSync\\SweetPotato_4.7.2.exe,\r\n%ALLUSERSPROFILE%\\Microsoft\\DeviceSync\\SweetPotato_4.7.2_original.exe\r\n– bcb6dbd50b323ea9a6d8161a7e48f429: E:\\****check_ASP_N\\EtwpCreateEtwThread.jpg\r\n– a7db0665564b2519ef5eef6627c716db: %ALLUSERSPROFILE%\\USOShared\\Logs\\vmp1.log\r\nPrintSpoofer\r\n– 7e9125c89d7868f17813ed8c1af2e2c1: %ALLUSERSPROFILE%\\USOShared\\PrintSpoofer928.exe,\r\n%ALLUSERSPROFILE%\\microsoft\\devicesync\\printspoofer911.exe, %SystemRoot%\\debug\\wia\\printspoofer928.exe,\r\n%ALLUSERSPROFILE%\\usoshared\\logs\\vmp2.log, C:\\Windows\\debug\\WIA\\p.log\r\n– 96b3b2ccb2687a9e2a98ac87a788dda8: %SystemRoot%\\debug\\WIA\\PrintSpoofer.exe\r\n– 108da75de148145b8f056ec0827f1665: %ALLUSERSPROFILE%\\Microsoft\\DeviceSync\\PrintSpoofer64.exe\r\n– 2a74db17b50025d13a63d947d8a8f828: %ALLUSERSPROFILE%\\Microsoft\\DeviceSync\\PrintSpoofer32.exe\r\n– a9b21218f4d98f313a4195a388e3bfbb: C:\\Windows\\debug\\WIA\\PrintSpoofer928.exe, C:\\Windows\\debug\\WIA\\12.zxz,\r\nC:\\Windows\\debug\\WIA\\928.exe, %ALLUSERSPROFILE%\\AhnLab\\AIS\\2.log,\r\nhttps://asec.ahnlab.com/en/56236/\r\nPage 18 of 20\n\n%ALLUSERSPROFILE%\\USOShared\\Logs\\vmp2.log, %ALLUSERSPROFILE%\\USOShared\\2.exe,\r\n%ALLUSERSPROFILE%\\Microsoft\\DeviceSync\\PrintSpoofer928.exe, E:\\****check_ASP_N\\p.log\r\nCOMahawk (CVE-2019-1405, CVE-2019-1322)\r\n– 6a60f718e1ecadd0e26893daa31c7120: %SystemRoot%\\debug\\WIA\\COMahawk64.exe\r\nCVE-2020-0787\r\n– d72412473d31ec655ea88833fe596902: %SystemRoot%\\debug\\wia\\cve-2020-0787-x64.exe\r\nIIS LPE (by k8gege)\r\n– 347742caff6fb0f8c397c0a772e29f3f: %SystemRoot%\\debug\\WIA\\716.logs\r\nPersistence\r\n– aa3a20597084944fdcbe1c3894fd7ab5: WebShell (SCF1.dat)\r\n– bff58f5b6e3229d11b6ffe5b5ea952b5: Config (SCFConfig.dat)\r\n– 9cea04db9defe9e4f723c39a0ca76fb3: Scheduled Batch 
(winrmr.cmd)\r\nPrivilege Copying Malware\r\n– 95a0ea8e58195d1de2e66ca70ab05fe5: %SystemDrive%\\quarantine_mz\\guest.exe\r\n– 47ea1e6b805ba9c3f26a39035b3d35a0: %SystemDrive%\\quarantine_mz\\folders\\guestreg.exe\r\nUser Clone\r\n– 0d341f48a589ef7d42283c0aa2575479: %ALLUSERSPROFILE%\\AhnLab\\AIS\\1.log,\r\n%ALLUSERSPROFILE%\\Microsoft\\DeviceSync\\UserClone912.exe,\r\n%ALLUSERSPROFILE%\\Microsoft\\DeviceSync\\UserClone.exe, C:\\Windows\\debug\\WIA\\UserClone.exe\r\n– 5fd57ab455c62373e2151f7b46b183d2: %ALLUSERSPROFILE%\\Microsoft\\DeviceSync\\UserClone9111.exe\r\n– 29ad1b38046f5af2fb715c21741e6878: %ALLUSERSPROFILE%\\Microsoft\\DeviceSync\\UserClone911.exe,\r\nC:\\Windows\\debug\\WIA\\UserClone911.exe\r\nMimikatz\r\n– 3c051e76ba3f940293038a166763a190: E:\\****Hotel\\mimikatz.exe, E:\\****Hotel\\m.gif, C:\\Oracle\\product\\m.exe\r\n– e387640e3f911b6b41aa669131fa55d4: C:\\Oracle\\product\\mz64_ms_all.log,\r\n%ALLUSERSPROFILE%\\Microsoft\\DeviceSync\\mz64_ms_all.log\r\n– 7353af8af2d7ce6c64018d9618161772: C:\\***\\****lus\\mz64_ms_all.exe, C:\\Windows\\debug\\WIA\\mz64_ms_all.exe\r\nRunasCs\r\n– 4d04fa35ed26b113bb13db90a7255352: E:\\****Hotel\\app\\runascs_net2.exe\r\n– 09ab2d87eb4d3d8ea752cbe6add18fd2: E:\\****Hotel\\app\\Runas.exe\r\n– 80f5d6191c8cc41864488e2d33962194: C:\\***pay50\\sample\\sample.html, C:\\**Update\\bin\\Upddater.dll,\r\nC:\\Windows\\debug\\WIA\\dllhost.exe, C:\\***das\\FreeLibs\\AspUpload\\Clash.exe, C:\\***\\****lus\\bin\\kcp.dll,\r\nC:\\***Pay40\\source\\Clash.exe, C\\Windows\\debug\\WIA\\wiatrace.log\r\nSy_Runas\r\n– 5a163a737e027dbaf60093714c3a021f: e:\\app\\sy_runas_.exe, %SystemRoot%\\system32\\spool\\drivers\\color\\d35.camp,\r\n%ALLUSERSPROFILE%\\microsoft\\devicesync\\1.exe\r\n– a49d10b6406a1d77a65aa0e0b05154c3: %ALLUSERSPROFILE%\\oracle\\java\\java.txt,\r\n%SystemRoot%\\debug\\wia\\wiatrace.log, C:\\Windows\\debug\\WIA\\Sy_Runas.exe\r\n– c7c00875da50df78c8c0efc5bedeaa87: 
E:\\****Hotel\\app\\sy_runasnew.exe,\r\n%ALLUSERSPROFILE%\\usoshared\\logs\\user\\notifyicon.000.etl, e:\\win64_*****_client\\client\\stage\\services.exe,\r\nhttps://asec.ahnlab.com/en/56236/\r\nPage 19 of 20\n\ne:\\win64_*****_client\\client\\stage\\setup.exe, e:\\****hotel\\app\\s.exe, e:\\****hotel\\app\\app.asp\r\n– e77093c71dc26d0771164cdaa9740e49: C:\\Windows\\debug\\WIA\\wiatrace.log\r\nNetCat\r\n– 5584853a1191ad601f1c86b461c171a7: %SystemRoot%\\debug\\wia\\nc1.exe, %SystemDrive%\\oracle\\product\\nc1.exe\r\n– e2b4163992da996ca063d329206a0309: %SystemRoot%\\debug\\wia\\nc.exe\r\n– 523613a7b9dfa398cbd5ebd2dd0f4f38: E:\\****check_ASP_N\\nc64.exe\r\nLadon (by k8gege)\r\n– 2b399abe28dbe11ca928032bea30444a: %SystemRoot%\\debug\\WIA\\Ladon911.exe\r\n– 734c96f4def9de44aa6629df285654d9: %SystemRoot%\\debug\\WIA\\Ladon.exe\r\n– 47d59e43e1485feb98ff9c84fc37dc3b: PowerLadon (memory)\r\nSubscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed\r\nanalysis information.\r\nSource: https://asec.ahnlab.com/en/56236/\r\nhttps://asec.ahnlab.com/en/56236/\r\nPage 20 of 20",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://asec.ahnlab.com/en/56236/"
	],
	"report_names": [
		"56236"
	],
	"threat_actors": [
		{
			"id": "bcf899bb-34bb-43e1-929d-02bc91974f2a",
			"created_at": "2023-02-18T02:04:24.050644Z",
			"updated_at": "2026-04-10T02:00:04.639142Z",
			"deleted_at": null,
			"main_name": "Dalbit",
			"aliases": [],
			"source_name": "ETDA:Dalbit",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"Agentemis",
				"AntSword",
				"BadPotato",
				"BlueShell",
				"CHINACHOPPER",
				"China Chopper",
				"Cobalt Strike",
				"CobaltStrike",
				"EFSPotato",
				"FRP",
				"Fast Reverse Proxy",
				"Godzilla",
				"Godzilla Loader",
				"HTran",
				"HUC Packet Transmit Tool",
				"JuicyPotato",
				"LadonGo",
				"Metasploit",
				"Mimikatz",
				"NPS",
				"ProcDump",
				"PsExec",
				"Remcom",
				"RemoteCommandExecution",
				"RottenPotato",
				"SinoChopper",
				"SweetPotato",
				"cobeacon",
				"reGeorg"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "191d7f9a-8c3c-442a-9f13-debe259d4cc2",
			"created_at": "2022-10-25T15:50:23.280374Z",
			"updated_at": "2026-04-10T02:00:05.305572Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"Kimsuky",
				"Black Banshee",
				"Velvet Chollima",
				"Emerald Sleet",
				"THALLIUM",
				"APT43",
				"TA427",
				"Springtail"
			],
			"source_name": "MITRE:Kimsuky",
			"tools": [
				"Troll Stealer",
				"schtasks",
				"Amadey",
				"GoBear",
				"Brave Prince",
				"CSPY Downloader",
				"gh0st RAT",
				"AppleSeed",
				"Gomir",
				"NOKKI",
				"QuasarRAT",
				"Gold Dragon",
				"PsExec",
				"KGH_SPY",
				"Mimikatz",
				"BabyShark",
				"TRANSLATEXT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "760f2827-1718-4eed-8234-4027c1346145",
			"created_at": "2023-01-06T13:46:38.670947Z",
			"updated_at": "2026-04-10T02:00:03.062424Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"G0086",
				"Emerald Sleet",
				"THALLIUM",
				"Springtail",
				"Sparkling Pisces",
				"Thallium",
				"Operation Stolen Pencil",
				"APT43",
				"Velvet Chollima",
				"Black Banshee"
			],
			"source_name": "MISPGALAXY:Kimsuky",
			"tools": [
				"xrat",
				"QUASARRAT",
				"RDP Wrapper",
				"TightVNC",
				"BabyShark",
				"RevClient"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7cf4ec85-806f-4fd7-855a-6669ed381bf5",
			"created_at": "2023-11-08T02:00:07.176033Z",
			"updated_at": "2026-04-10T02:00:03.435082Z",
			"deleted_at": null,
			"main_name": "Dalbit",
			"aliases": [],
			"source_name": "MISPGALAXY:Dalbit",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c8bf82a7-6887-4d46-ad70-4498b67d4c1d",
			"created_at": "2025-08-07T02:03:25.101147Z",
			"updated_at": "2026-04-10T02:00:03.846812Z",
			"deleted_at": null,
			"main_name": "NICKEL KIMBALL",
			"aliases": [
				"APT43 ",
				"ARCHIPELAGO ",
				"Black Banshee ",
				"Crooked Pisces ",
				"Emerald Sleet ",
				"ITG16 ",
				"Kimsuky ",
				"Larva-24005 ",
				"Opal Sleet ",
				"Ruby Sleet ",
				"SharpTongue ",
				"Sparking Pisces ",
				"Springtail ",
				"TA406 ",
				"TA427 ",
				"THALLIUM ",
				"UAT-5394 ",
				"Velvet Chollima "
			],
			"source_name": "Secureworks:NICKEL KIMBALL",
			"tools": [
				"BabyShark",
				"FastFire",
				"FastSpy",
				"FireViewer",
				"Konni"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "71a1e16c-3ba6-4193-be62-be53527817bc",
			"created_at": "2022-10-25T16:07:23.753455Z",
			"updated_at": "2026-04-10T02:00:04.73769Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"APT 43",
				"Black Banshee",
				"Emerald Sleet",
				"G0086",
				"G0094",
				"ITG16",
				"KTA082",
				"Kimsuky",
				"Larva-24005",
				"Larva-25004",
				"Operation Baby Coin",
				"Operation Covert Stalker",
				"Operation DEEP#DRIVE",
				"Operation DEEP#GOSU",
				"Operation Kabar Cobra",
				"Operation Mystery Baby",
				"Operation Red Salt",
				"Operation Smoke Screen",
				"Operation Stealth Power",
				"Operation Stolen Pencil",
				"SharpTongue",
				"Sparkling Pisces",
				"Springtail",
				"TA406",
				"TA427",
				"Thallium",
				"UAT-5394",
				"Velvet Chollima"
			],
			"source_name": "ETDA:Kimsuky",
			"tools": [
				"AngryRebel",
				"AppleSeed",
				"BITTERSWEET",
				"BabyShark",
				"BoBoStealer",
				"CSPY Downloader",
				"Farfli",
				"FlowerPower",
				"Gh0st RAT",
				"Ghost RAT",
				"Gold Dragon",
				"GoldDragon",
				"GoldStamp",
				"JamBog",
				"KGH Spyware Suite",
				"KGH_SPY",
				"KPortScan",
				"KimJongRAT",
				"Kimsuky",
				"LATEOP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Lovexxx",
				"MailPassView",
				"Mechanical",
				"Mimikatz",
				"MoonPeak",
				"Moudour",
				"MyDogs",
				"Mydoor",
				"Network Password Recovery",
				"PCRat",
				"ProcDump",
				"PsExec",
				"ReconShark",
				"Remote Desktop PassView",
				"SHARPEXT",
				"SWEETDROP",
				"SmallTiger",
				"SniffPass",
				"TODDLERSHARK",
				"TRANSLATEXT",
				"Troll Stealer",
				"TrollAgent",
				"VENOMBITE",
				"WebBrowserPassView",
				"xRAT"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434559,
	"ts_updated_at": 1775792260,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1b5836c415d16a3f0538cec41ca39c11d0aed5e0.pdf",
		"text": "https://archive.orkl.eu/1b5836c415d16a3f0538cec41ca39c11d0aed5e0.txt",
		"img": "https://archive.orkl.eu/1b5836c415d16a3f0538cec41ca39c11d0aed5e0.jpg"
	}
}