{
	"id": "240797a7-932f-45bd-8a36-0986302d3a93",
	"created_at": "2026-04-06T00:09:45.368563Z",
	"updated_at": "2026-04-10T13:12:16.491803Z",
	"deleted_at": null,
	"sha1_hash": "1fd4927f3c1a4f30b71b59adb0e80b1e0e0827ac",
	"title": "VNC Malware (TinyNuke, TightVNC) Used by Kimsuky Group - ASEC",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1457364,
	"plain_text": "VNC Malware (TinyNuke, TightVNC) Used by Kimsuky Group -\r\nASEC\r\nBy ATCP\r\nPublished: 2021-09-26 · Archived: 2026-04-05 12:43:10 UTC\r\nWhile monitoring Kimsuky-related malware, the ASEC analysis team has recently discovered that VNC malware was installed via the AppleSeed remote control malware.\r\nVNC (Virtual Network Computing) is a screen sharing system for remotely controlling other computers. Similar to the commonly used RDP, it is used to remotely access and control other systems.\r\nThe Kimsuky group installs the AppleSeed backdoor on the target system after the initial compromise, then additionally installs VNC malware via AppleSeed to ultimately control the target system in a graphical environment. One of the VNC malware families installed this way is TinyNuke.\r\n1. TinyNuke (HVNC)\r\nTinyNuke, also known as Nuclear Bot, is a banking malware discovered in 2016 that includes features such as HVNC (HiddenDesktop/VNC), a reverse SOCKS4 proxy, and form grabbing. Because its source code was leaked in 2017, TinyNuke is used by various attackers, and its HVNC and reverse SOCKS4 proxy features have been partially borrowed by other malware such as AveMaria and BitRAT.\r\nhttps://asec.ahnlab.com/en/27346/\r\nPage 1 of 6\r\nIn the TinyNuke samples being distributed, only the HVNC feature is enabled. The difference between normal VNC and the HVNC used by TinyNuke is that the user does not realize that the PC is infected and that its screen is being controlled. The following shows the process tree when HVNC is enabled.\r\nexplorer.exe (PID: 3140) appears in the process tree as a child process of explorer.exe (PID: 2216). The attacker controls the screen via the new explorer.exe (PID: 3140), and the GUI (graphical user interface) of any process created while the attacker is controlling the target PC is not visible on the target PC screen. This type of VNC remote access is called HVNC (Hidden Virtual Network Computing).\r\nAnother characteristic is that it uses the reverse VNC method. VNC consists of a server and a client. The VNC server is installed on the system to be controlled, and the user who wishes to control that system remotely uses the VNC client: the client connects to the VNC server installed on the remote control target and obtains control of it.\r\nIn a normal VNC environment, the VNC client initiates the connection to the remote control target (VNC server). However, the HVNC of TinyNuke connects from the server to the client with its reverse VNC feature. This means that when HVNC runs on the infected system, it connects to the designated C\u0026C server where the attacker is waiting, and the attacker uses the VNC client (which acts as the server for HVNC) on the C\u0026C server to gain remote control. It is assumed that, like a reverse shell, this is done to bypass firewalls that block inbound access from the outside and to support communication in a private IP environment.\r\nNote that TinyNuke uses the “AVE_MARIA” string for verification when establishing HVNC communication between the server and the client. When the “AVE_MARIA” string is sent from the HVNC client to the server, the server verifies the name, and HVNC communication is enabled only if “AVE_MARIA” is correct. This is identical in the HVNC used by the Kimsuky group; however, recently there have been HVNCs using the “LIGHT’s BOMB” string.\r\n2. TightVNC (VNC)\r\nAnother VNC malware distributed via the AppleSeed backdoor is TightVNC. TightVNC is an open-source VNC utility, and the attacker customizes it for their use. TightVNC can be regarded as a normal VNC utility, but it differs in that it supports the reverse VNC feature discussed earlier.\r\nTightVNC consists of tvnserver.exe, the server module, and tvnviewer.exe, the client module. In a normal environment, tvnserver is installed on the remote control target and accessed using tvnviewer in the user environment. To use the reverse VNC feature, tvnviewer is run in listening mode on the client side, and tvnserver, installed as a service on the access target system, is given the client address with the controlservice and connect commands so that it connects out to the client.\r\nThe Kimsuky group distributes tvnserver customized so that the reverse VNC feature can be used in the infected environment without installing a service. Simply running tvnserver lets the attacker connect to the tvnviewer operating on the C\u0026C server and gain control of the screen of the infected system.\r\n3. Conclusion\r\nAs introduced in the previous blog post, the Kimsuky group uses AppleSeed to install Meterpreter, a different backdoor malware, and uses TinyNuke, TightVNC and RDP Wrapper for screen control. There is also evidence of the use of Mimikatz for account info-stealing.\r\nFeature | Tool Name\r\nRemote Control | AppleSeed, Meterpreter\r\nScreen Control | TinyNuke, TightVNC, RDP Wrapper\r\nAccount Info-stealing | Powerkatz\r\nTable 1. Recently-found attack tools used by Kimsuky group\r\nThe Kimsuky group’s malware trend is being monitored constantly, and users need to take extra caution when opening attachments in emails from unknown sources and refrain from visiting untrusted websites.\r\nAlias Information\r\nTrojan/Win.VNC (2021.09.16.00)\r\nTrojan/Win.TinyNuke (2021.09.16.03)\r\nTrojan/Win.HVNC (2021.09.18.01)\r\nMD5\r\n00ced88950283d32300eb32a5018dada\r\n088cb0d0628a82e896857de9013075f3\r\n16c0e70e63fcb6e60d6595eacbd8eeba\r\n26eaff22da15256f210762a817e6dec9\r\n4301a75d1fcd9752bd3006e6520f7e73\r\nAdditional IOCs are available on AhnLab TIP.\r\nURL\r\nhttp[:]//27[.]102[.]102[.]70[:]33890/\r\nhttp[:]//27[.]102[.]112[.]58[:]33890/\r\nhttp[:]//27[.]102[.]114[.]79[:]5500/\r\nhttp[:]//27[.]102[.]114[.]89[:]5500/\r\nhttp[:]//27[.]102[.]127[.]240[:]5500/\r\nAdditional IOCs are available on AhnLab TIP.\r\nGain access to related IOCs and detailed analysis by subscribing to AhnLab TIP.\r\nSource: https://asec.ahnlab.com/en/27346/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://asec.ahnlab.com/en/27346/"
	],
	"report_names": [
		"27346"
	],
	"threat_actors": [
		{
			"id": "191d7f9a-8c3c-442a-9f13-debe259d4cc2",
			"created_at": "2022-10-25T15:50:23.280374Z",
			"updated_at": "2026-04-10T02:00:05.305572Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"Kimsuky",
				"Black Banshee",
				"Velvet Chollima",
				"Emerald Sleet",
				"THALLIUM",
				"APT43",
				"TA427",
				"Springtail"
			],
			"source_name": "MITRE:Kimsuky",
			"tools": [
				"Troll Stealer",
				"schtasks",
				"Amadey",
				"GoBear",
				"Brave Prince",
				"CSPY Downloader",
				"gh0st RAT",
				"AppleSeed",
				"Gomir",
				"NOKKI",
				"QuasarRAT",
				"Gold Dragon",
				"PsExec",
				"KGH_SPY",
				"Mimikatz",
				"BabyShark",
				"TRANSLATEXT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "760f2827-1718-4eed-8234-4027c1346145",
			"created_at": "2023-01-06T13:46:38.670947Z",
			"updated_at": "2026-04-10T02:00:03.062424Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"G0086",
				"Emerald Sleet",
				"THALLIUM",
				"Springtail",
				"Sparkling Pisces",
				"Thallium",
				"Operation Stolen Pencil",
				"APT43",
				"Velvet Chollima",
				"Black Banshee"
			],
			"source_name": "MISPGALAXY:Kimsuky",
			"tools": [
				"xrat",
				"QUASARRAT",
				"RDP Wrapper",
				"TightVNC",
				"BabyShark",
				"RevClient"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c8bf82a7-6887-4d46-ad70-4498b67d4c1d",
			"created_at": "2025-08-07T02:03:25.101147Z",
			"updated_at": "2026-04-10T02:00:03.846812Z",
			"deleted_at": null,
			"main_name": "NICKEL KIMBALL",
			"aliases": [
				"APT43 ",
				"ARCHIPELAGO ",
				"Black Banshee ",
				"Crooked Pisces ",
				"Emerald Sleet ",
				"ITG16 ",
				"Kimsuky ",
				"Larva-24005 ",
				"Opal Sleet ",
				"Ruby Sleet ",
				"SharpTongue ",
				"Sparking Pisces ",
				"Springtail ",
				"TA406 ",
				"TA427 ",
				"THALLIUM ",
				"UAT-5394 ",
				"Velvet Chollima "
			],
			"source_name": "Secureworks:NICKEL KIMBALL",
			"tools": [
				"BabyShark",
				"FastFire",
				"FastSpy",
				"FireViewer",
				"Konni"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "71a1e16c-3ba6-4193-be62-be53527817bc",
			"created_at": "2022-10-25T16:07:23.753455Z",
			"updated_at": "2026-04-10T02:00:04.73769Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"APT 43",
				"Black Banshee",
				"Emerald Sleet",
				"G0086",
				"G0094",
				"ITG16",
				"KTA082",
				"Kimsuky",
				"Larva-24005",
				"Larva-25004",
				"Operation Baby Coin",
				"Operation Covert Stalker",
				"Operation DEEP#DRIVE",
				"Operation DEEP#GOSU",
				"Operation Kabar Cobra",
				"Operation Mystery Baby",
				"Operation Red Salt",
				"Operation Smoke Screen",
				"Operation Stealth Power",
				"Operation Stolen Pencil",
				"SharpTongue",
				"Sparkling Pisces",
				"Springtail",
				"TA406",
				"TA427",
				"Thallium",
				"UAT-5394",
				"Velvet Chollima"
			],
			"source_name": "ETDA:Kimsuky",
			"tools": [
				"AngryRebel",
				"AppleSeed",
				"BITTERSWEET",
				"BabyShark",
				"BoBoStealer",
				"CSPY Downloader",
				"Farfli",
				"FlowerPower",
				"Gh0st RAT",
				"Ghost RAT",
				"Gold Dragon",
				"GoldDragon",
				"GoldStamp",
				"JamBog",
				"KGH Spyware Suite",
				"KGH_SPY",
				"KPortScan",
				"KimJongRAT",
				"Kimsuky",
				"LATEOP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Lovexxx",
				"MailPassView",
				"Mechanical",
				"Mimikatz",
				"MoonPeak",
				"Moudour",
				"MyDogs",
				"Mydoor",
				"Network Password Recovery",
				"PCRat",
				"ProcDump",
				"PsExec",
				"ReconShark",
				"Remote Desktop PassView",
				"SHARPEXT",
				"SWEETDROP",
				"SmallTiger",
				"SniffPass",
				"TODDLERSHARK",
				"TRANSLATEXT",
				"Troll Stealer",
				"TrollAgent",
				"VENOMBITE",
				"WebBrowserPassView",
				"xRAT"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434185,
	"ts_updated_at": 1775826736,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1fd4927f3c1a4f30b71b59adb0e80b1e0e0827ac.pdf",
		"text": "https://archive.orkl.eu/1fd4927f3c1a4f30b71b59adb0e80b1e0e0827ac.txt",
		"img": "https://archive.orkl.eu/1fd4927f3c1a4f30b71b59adb0e80b1e0e0827ac.jpg"
	}
}