{
	"id": "7282b26a-f90e-4d4a-bd67-76722304bbb8",
	"created_at": "2026-04-29T02:20:36.240941Z",
	"updated_at": "2026-04-29T08:22:10.531082Z",
	"deleted_at": null,
	"sha1_hash": "37114c033cf4dc4e27f0631d4af9be712dbea44b",
	"title": "Kimsuky Distributing Malicious Mobile App via QR Code | Enki White Hat",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1642426,
	"plain_text": "Kimsuky Distributing Malicious Mobile App via QR Code | Enki White Hat\r\nPublished: 2025-12-16 · Archived: 2026-04-29 02:12:13 UTC\r\nExecutive Summary\r\nENKI analyzed multiple recent “DOCSWAP” distribution channels and several newly identified APK variants.\r\nThe malicious app decrypts an embedded encrypted APK and launches a malicious service that provides RAT capabilities.\r\nThe threat actor added a new native decryption function and diversified the decoy behavior.\r\nWe identified multiple indicators that attribute the activity to Kimsuky, including shared C\u0026C infrastructure and Korean-language comments.\r\n1. Overview\r\nIn September 2025, the ENKI WhiteHat Threat Research Team detected a malicious mobile application distributed via phishing websites. The threat actor leveraged QR codes and notification pop-ups to lure victims into installing and executing the malware on their mobile devices.\r\nOur analysis confirms this sample as the latest iteration of \"DOCSWAP,\" a malware strain originally named by S2W in March 2025. While this version retains the behavioral patterns of earlier variants, it implements a distinct internal APK decryption mechanism. Additionally, we uncovered multiple indicators connecting this activity to the DPRK-nexus threat actor Kimsuky.\r\nLeveraging APK metadata and infrastructure overlaps, we identified three additional malicious applications and seven C\u0026C servers. The threat actor designed each application with distinct decoy themes to deceive victims and evade suspicion.\r\n2. Attack Analysis\r\nAttack Flow Diagram\r\n2.1. Malicious App Distribution Path\r\nWe confirmed that the malicious application was distributed from 27.102.137[.]181, leveraging a QR code that impersonated a legitimate package delivery service. Among the four malicious applications discovered during the investigation, two masqueraded as delivery service apps. 
A previous report by ESTSecurity documented similar cases where the threat actor transmitted URLs hosting malicious apps via smishing texts that impersonated delivery companies. Consequently, we assess with high confidence that the threat actor employed smishing or phishing emails for initial access, consistent with historical TTPs. The identified URLs are listed below.\r\nhxxps://27.102.137[.]181/store/tracking.php?id=[base64 encoded email address]\r\nhxxps://27.102.137[.]181/store/delivery.html\r\nQR-based mobile redirection\r\nWhen a user accesses the URL from a PC, the page displays the message “보안상의 이유로 PC에서는 조회할 수 없습니다.” (“For security reasons, you cannot view this page from a PC.”) and prompts the user to switch to a mobile device by scanning a QR code. During analysis, the server returned 404 Not Found for the path linked from the QR code, so the QR-based redirection was unsuccessful. The QR code URL is listed below.\r\nhxxps://delivery.cjlogistics[.]kro[.]kr/loing/tracking.php?id=dGVzdEBuYXZlci5jb20=\r\nhttps://www.enki.co.kr/en/media-center/blog/kimsuky-distributing-malicious-mobile-app-via-qr-code\r\nPage 1 of 13\n\nAccessing the URL with an Android User-Agent string reveals the distribution workflow designed by the threat actor. The “tracking.php” script appears to implement server-side logic that serves different content based on the client's User-Agent. The screenshots below illustrate the observed distribution screens.\r\nFake security scan\r\nSecurity app install button\r\nWhen the victim clicks the “보안앱 설치하기” (“Install security app”) button, the browser connects to a Base64-encoded URL and downloads the APK. 
The decoded URL is shown below.\r\nhxxps://27.102.137[.]181/store/SecDelivery.APK\r\nSecurity app install routine\r\nAs soon as the APK download starts, the application sends a POST request to “downcat.php”, logging the access time and APK URL path. Within this routine, the code contains a Korean comment “버튼 클릭시 로그 남기기” (“leave a log when the button is clicked”) and a Korean error message “로그 전송 실패” (“log transmission failed”).\r\nLogging routine\r\n2.2. Malicious App Analysis\r\n2.2.1. SecDelivery.apk\r\nSecDelivery.apk app icon\r\n“SecDelivery.apk” is an APK file that decrypts and loads an encrypted APK file from its internal resources, subsequently creating a malicious RAT service. The APK signature's validity period begins on May 20, 2025, and we assess that the threat actor likely developed, tested, or deployed the malicious application around this time. The APK signature information is provided in the table below.\r\n| Field | Value |\r\n| --- | --- |\r\n| DN | C=US, ST=bitapp, L=bitapp, O=bitapp, OU=bitapp, CN=bitapp |\r\n| MD5 | 7d00a43872dcdd1174d3713e6bbf01ba |\r\n| Certificate Validity Period | Tue May 20 18:41:34 KST 2025 |\r\nAPK Signature Information\r\n2.2.2. Resource decryption \u0026 service creation\r\nThe AndroidManifest.xml file defines SplashActivity as the MAIN activity. 
When the app runs, SplashActivity loads the encrypted resources embedded in the APK, obtains the various permissions required for malicious behavior, and then registers the malicious service.\r\nAndroidManifest.xml MAIN activity\r\nThe encrypted APK file resides in the resource section as security.dat. In past “DOCSWAP” variants, the code performed XOR decryption in Java when loading the internal APK, whereas in this case the threat actor uses an additional native library.\r\nThe loadPluginAPK method stores the encrypted APK file security.dat in internal storage as security.dat_copy and then decrypts it by calling the decryptFile function in the “native-lib” library.\r\nEmbedded APK loading routine\r\nThe “libnative-lib.so” file in the resource section defines the decryptFile function. Within decryptFile, the xorDecrypt function performs the actual decryption. Unlike previous samples that only applied XOR decryption with a 4-byte key, this variant adds several bitwise operations. The xorDecrypt function operates as follows.\r\n1. Invert the bits of each 1-byte value.\r\n2. Apply a 5-bit ROL.\r\n3. XOR with a 4-byte key.\r\nEmbedded APK decryption routine\r\nThe 4-byte key used for XOR is as follows.\r\n541161FE (hex)\r\nAfter loading the data, the application checks whether the necessary permissions have been granted. Once it confirms all permissions, it immediately registers the MainService of the newly loaded APK as “com.delivery.security.MainService”. The permissions listed in AndroidManifest.xml are as follows.\r\nSimultaneously with service registration, the base application launches AuthActivity. This activity masquerades as an OTP authentication screen and verifies the user's identity using a delivery number. 
This delivery number is hardcoded within the APK as “742938128549”, and we assess the threat actor likely delivered it alongside the malicious URL during the initial access phase. Upon entering the delivery number, the application displays a notification with a 6-digit verification code calculated as ((int) (Math.random() * 900000.0d)) + 100000.\r\nFake authentication screen\r\nEntering the generated verification code executes MainActivity. MainActivity shows the official delivery tracking website using a WebView.\r\nOfficial site redirection routine\r\n2.2.3. Embedded APK \u0026 Malicious Service\r\nThe decrypted APK utilizes a signature distinct from that of SecDelivery.apk. The signature validity period begins on April 22, 2025, indicating that the threat actor employed this malicious APK in attacks prior to developing SecDelivery.apk. The APK signature details follow below.\r\n| Field | Value |\r\n| --- | --- |\r\n| DN | C=US, O=Android, CN=Android Debug |\r\n| MD5 | afb708faf1a66892a6e6cae9e63c6c2b |\r\n| Certificate Validity Period | Tue Apr 22 15:57:54 KST 2025 |\r\nAPK Signature Information\r\nSplashActivity registers the MainService contained within the decrypted “security.dat”, allowing it to operate persistently. Furthermore, the application configures an intent filter for the actions listed below to automatically execute MainService upon system reboot.\r\nandroid.intent.action.BOOT_COMPLETED\r\nandroid.intent.action.ACTION_POWER_CONNECTED\r\nandroid.intent.action.ACTION_POWER_DISCONNECTED\r\nMainService connects to the C\u0026C server to function as an infostealer and RAT. 
The RAT supports a total of 57 commands; the specific behavior associated with each command is listed in Appendix C, \"Command List\".\r\nThe malware configures the initial C\u0026C server as 27.102.137[.]181:50005, matching the IP of the distribution server. During communication, the client and server exchange data using the format [ Length | \\x00 | Gzip compressed payload ].\r\nData transmission routine\r\nUpon receiving data, the service isolates the command using the structure [ Length | \\x00 | Command ], parses the command, and executes the corresponding action. The parsing logic uses the string “10249” as a delimiter.\r\n“10256” | “10249” | “arg1” | “10249” | “arg2” → StartAudioRecord(arg1, arg2)\r\nCommand parsing routine\r\nAdditionally, the application executes keylogging logic via the Accessibility Service. When an accessibility event occurs, the keylogger records the target app's icon, package name, event text, and timestamp. It compresses the app icon as a PNG file and Base64 encodes it before including it in the keylog.\r\nApp icon storage routine\r\nBy default, the malware saves the captured keylogs to the internal storage path /Security/download_[day-month-year].dat. If a command sets the isOnelineKeylogger variable to True, the service transmits the keylog to the server before saving it locally.\r\nReal-time keylogging and keylog storage routine\r\n3. Additional Information\r\n3.1. Additional Malicious APK Files\r\nDuring analysis, three additional APK files that exhibit similar behavior were identified. Of these, two use 27.102.137[.]181 as their C\u0026C server, the same as the sample analyzed above, while the remaining one uses the same APK signature as the analyzed file. 
All three additional APK files decrypt an embedded encrypted APK and use it to register a malicious service, while masquerading as different types of applications. The detailed information for these additional malicious APK files is shown in the table below.\r\n| Malicious App Type | XOR Key (Hex) | C\u0026C |\r\n| --- | --- | --- |\r\n| \"옥션\" (\"Auction\") Delivery Info Auth | 541161FE | 27.102.137[.]181 |\r\n| VPN | 201925EA | 27.102.137[.]181 |\r\n| P2B Airdrop Auth | 541161FE | 27.102.137[.]180 |\r\nDetails of Malicious APK Files\r\nThe table below presents the APK signature and internal APK file hash information.\r\n| Malicious App Type | Signature MD5 | Internal APK File MD5 |\r\n| --- | --- | --- |\r\n| \"옥션\" (\"Auction\") Delivery Info Auth | 45a2140271ab7dfd73cbcf312c910926 | 858588b7c5331c948fb3e84d9b4ddbb7 |\r\n| VPN | 45a2140271ab7dfd73cbcf312c910926 | 03a117c6cb86859623720e75f839260a |\r\n| P2B Airdrop Auth | 7d00a43872dcdd1174d3713e6bbf01ba | 2a7dab4c0f6507bc5fd826f9a336d50c |\r\nDetails of Malicious APK Signatures and Internal APK File Hashes\r\nAmong the additional malicious APK files, the two samples utilizing 27.102.137[.]181 as their C\u0026C server share the same APK signature. 
Their details appear in the table below.\r\n| Field | Value |\r\n| --- | --- |\r\n| DN | C=KR, ST=log, L=log, O=log, OU=log, CN=log |\r\n| MD5 | 45a2140271ab7dfd73cbcf312c910926 |\r\n| Certificate Validity Period | Thu Aug 14 00:38:45 KST 2025 |\r\nAPK Signature Details\r\nThe application disguising itself as “옥션” (“Auction”) redirects users to the official website upon execution. The P2B Airdrop-masquerading application implements authentication logic similar to the analyzed malware. The validation logic accepts the input if the wallet address string length, excluding the “0x” prefix, equals 42. Furthermore, the verification code generation logic uses ((int) (Math.random() * 900000.0d)) + 100000, identical to the previously analyzed sample. The user interface of the authentication screen also closely resembles that of the analyzed malware.\r\nFake authentication screen of the additional APK\r\nThe VPN-masquerading app uses the package name “com.bycomsolutions.bycomvpn”. Its file structure, metadata, and code routines closely resemble those of the legitimate application sharing the same package name. This indicates that the threat actor injected malicious functionality into the legitimate APK and repackaged it for use in the attack.\r\nUIActivity.onCreate() method of the malicious app\r\nUIActivity.onCreate() method of the legitimate app\r\n3.2. 
Additional C\u0026C Servers\r\nWe investigated IPs belonging to “Daou Technology” that hosted open HTTP ports and shared the same JARM fingerprint as 27.102.137[.]181, the server used for malware distribution and C\u0026C. This investigation revealed additional infrastructure utilized by the threat actor, including 27.102.137[.]180, which served as the C\u0026C server for the fake Airdrop application. The table below lists the JARM fingerprint and the identified C\u0026C servers.\r\n| JARM | IP |\r\n| --- | --- |\r\n| 2ad2ad16d2ad2ad00042d42d00000061256d32ed7779c14686ad100544dc8d | 27.102.137[.]93, 27.102.137[.]106, 27.102.137[.]214, 27.102.138[.]163, 27.102.137[.]179, 27.102.137[.]180, 27.102.138[.]181 |\r\nIPs with the Same JARM Hash\r\nAmong the identified C\u0026C servers, we discovered a phishing site hosted at 27.102.137[.]106 distributing the malicious “옥션” (“Auction”) application. Similar to the CJ case, accessing the link from a PC triggers a notification prompting the user to switch to a mobile device. However, unlike the primary case in this report, this site did not employ a QR code for redirection. The URL is as follows.\r\nhxxp://27.102.137[.]106/tracking.php?id=[Email Address base64 encoded]\r\nhxxp://27.102.137[.]106/mobile.html\r\nMobile access induction notification\r\nBypassing the check by modifying the User-Agent reveals APK installation instructions, mirroring the behavior in the primary case. 
Since Android blocks apps from unknown sources and displays security warnings by default, the threat actor claims the app is a safe, official release to trick victims into ignoring the warning and installing the malware.\r\nMalicious APK installation guide\r\nClicking the confirm button on the warning sends a log to “downcat.php” on the same server, consistent with the analyzed CJ malware. The site then downloads “auction_8.7.01.APK” from the C\u0026C server. We identified the Korean comment “APK 다운로드 시작” (“Start APK download”) within this routine.\r\nLog transmission and malicious app download routine\r\n3.2.1. Naver Phishing Site\r\nWe identified Naver phishing sites operating as proxies on all additional C\u0026C servers except 27.102.137[.]180. The URL passes the victim's email address via the “wreply” parameter and the proxy URL via the “m” parameter. To load the proxy site successfully, the target site URL must be URL-encoded and then obfuscated using ROT13 before transmission. The example URL and the resulting login screen are shown below.\r\nhxxp://27.102.137[.]181/users2/?wreply=qwer@naver.com\u0026m=uggcf%3N%2S%2Savq.anire.pbz%2Savqybtva.ybtva\r\nNaver login phishing screen\r\nWhen the victim enters login credentials, the server creates a new directory named after the provided email address and stores the victim's information in that directory.\r\nStored victim information\r\n3.2.2. Kakao Phishing Site\r\nWe confirmed the presence of Kakao phishing sites at the “/login” path on 27.102.137[.]180 and 27.102.138[.]181.\r\nKakao login phishing screen\r\nSimilar to the Naver phishing setup, these sites load content via a proxy. 
However, we identified an exfiltration routine that intercepts the password input and transmits it via a POST request to “pass.php”.\r\nPassword exfiltration routine\r\n4. Attribution\r\n4.1. Shared Infrastructure with the \"Million OK !!!!\" Phishing Campaign\r\nWe identified connections between the servers distributing the malicious applications (27.102.137[.]181, 27.102.137[.]106) and Kimsuky's Naver phishing infrastructure. Relevant reports are listed below.\r\nThe identified phishing sites employ the same parameter format observed in Kimsuky's previous Naver phishing campaigns. However, they have added logic to obfuscate the proxy site URL using ROT13. The table below compares the phishing site URLs from the past campaign with those from the current campaign.\r\n| Historical Naver phishing URL | Current Naver phishing URL |\r\n| --- | --- |\r\n| http://158.247.202[.]109/invoice/?wreply=\u0026m=https%3a%2f%2fnid.naver[.]com%2fnidlogin[.]login | http://27.102.137[.]181/users2/?wreply=qwer@naver.com\u0026m=uggcf%3N%2S%2Savq.anire.pbz%2Savqybtva.ybtva |\r\nComparison of Past and Current Naver Phishing URLs\r\nThe user interface of the phishing sites remains identical to that of previous Naver phishing cases.\r\nIdentical login phishing screen\r\nFurthermore, accessing the root directory of the C\u0026C server displays the text string “Million OK !!!!”, a known signature of Kimsuky's phishing infrastructure.\r\n“Million OK !!!!” string in the root directory\r\nWe identified Korean comments and error messages within the HTML code of the APK distribution websites. These comments, located within the log generation and APK download routines, were highly likely written by the threat actor. 
This strongly indicates that the code author is proficient in the Korean language.\r\nKorean comments in the CJ malicious app distribution site\r\nKorean comments in the “옥션” malicious app distribution site\r\n5. Course of Action\r\n5.1. Verify Link Destinations\r\nAlthough we did not definitively confirm the initial delivery vector in this case, we assess that the threat actor likely transmitted malicious app download links to victims via SMS or email. Accessing the URL from a mobile device immediately initiates the malicious app download, whereas accessing it from a non-mobile device displays a QR code to induce the victim to connect via their smartphone.\r\ncaption - Malicious link displayed upon QR code scan\r\nWhile clicking the link does not automatically execute the malicious application, the threat actor designs sophisticated phishing sites to trick victims into running the malware or entering personal information. To prevent infection, users should avoid clicking links from unknown senders. For links received from known contacts, if the content appears unusual or suspicious, users should verify the message with the sender before clicking.\r\n5.2. Applying the Principle of Least Privilege for Apps\r\nAndroid apps require user approval for runtime permissions to access system functions. Malicious apps typically request extensive permissions immediately upon execution, such as file access, phone, and SMS.\r\ncaption - Permissions requested by the malicious app\r\nIn this case, requesting file access and phone permissions significantly deviates from the stated purpose of a \"Security Delivery Notification\" app. 
Also, legitimate apps are generally designed to request permissions again when a specific feature is needed, even if the user initially denies them, ensuring that a temporary denial does not break the app's overall functionality. Therefore, users should adopt a habit of conservatively evaluating whether requested permissions are essential for an app's function, applying the principle of least privilege.\r\n6. Conclusion\r\nThis report analyzed new APK files and distribution channels associated with the malicious app campaign previously named “DOCSWAP”. While we could not confirm the initial vector, we assess that the threat actor distributed the malicious APK link via smishing and used QR codes to lure victims into downloading and executing the app on their smartphones.\r\nThe executed malware launches a RAT service, similar to past cases, but demonstrates evolved capabilities, such as using a new native function to decrypt the internal APK and incorporating diverse decoy behaviors.\r\nFurthermore, the link between the “DOCSWAP” malware and Kimsuky has become clearer. The “Million OK!!!” string identified on the C\u0026C server, along with proxy servers and victim data storage formats resembling recent Kimsuky phishing attacks, provides strong evidence for this attribution. Additionally, the Korean comments and error messages found on the distribution sites indicate the connection to the DPRK-nexus threat actor.\r\nToday, smartphones have become mobile vaults storing sensitive data, including financial and personal information. Attacks attempting to compromise mobile and wearable environments to steal valuable personal data continue to persist. As smartphones have become our closest companions and best assistants in modern society, individuals must strive to understand these attack methods and prevention strategies to protect themselves.\r\n7. Appendix\r\nAppendix A. 
MITRE ATT\u0026CK\r\n| Tactic | Techniques |\r\n| --- | --- |\r\n| Initial Access | T1660: Phishing |\r\n| Persistence | T1541: Foreground Persistence; T1624.001: Event Triggered Execution: Broadcast Receivers |\r\n| Defense Evasion | T1575: Native API; T1630.002: Indicator Removal on Host: File Deletion; T1655: Masquerading |\r\n| Discovery | T1418: Software Discovery; T1420: File and Directory Discovery; T1426: System Information Discovery |\r\n| Collection | T1417.001: Input Capture: Keylogging; T1429: Audio Capture; T1512: Video Capture; T1616: Call Control |\r\n| Command and Control | T1437: Application Layer Protocol |\r\n| Exfiltration | T1646: Exfiltration Over C2 Channel |\r\ncaption - MITRE ATT\u0026CK\r\nAppendix B. IOCs\r\nMD5\r\n36677d732da69b7a81a46f9a06c36260 - SecDelivery.APK\r\n3a2a9f205c79ee45a84e3d862884fd72 - auction_8.7.01.APK\r\n27ea7ef88724c51bbe3ad42853bbc204 - vpn APK\r\n86da5e00a9c73c9cb0855805cbc38c4a - airdrop.apk\r\n2b99603cd8e69f82c064856d6ff63996 - decrypted CJ security.dat\r\n858588b7c5331c948fb3e84d9b4ddbb7 - decrypted auction security.dat\r\n03a117c6cb86859623720e75f839260a - decrypted vpn search.db\r\n2a7dab4c0f6507bc5fd826f9a336d50c - decrypted airdrop security.dat\r\n436287ad0ea3a9e94cd4574d54d0dec5 - mobile.html\r\nc90ee7d3b1226f73044e7ae635493d31 - delivery.html\r\n506e136336ca9d7246caf8c9011fe97e - login.html\r\nC\u0026C\r\n27.102.137[.]106\r\n27.102.137[.]181\r\n27.102.137[.]93\r\n27.102.137[.]214\r\n27.102.138[.]163\r\n27.102.137[.]180\r\n27.102.138[.]181\r\nAppendix C. 
Command List\r\n| Command | Action |\r\n| --- | --- |\r\n| 10254 | Stop Audio Recording |\r\n| 10255 | Send Wallpaper |\r\n| 10256 | Start Audio Recording |\r\n| 10257 | Send Camera Info |\r\n| 10258 | Start Camera Recording |\r\n| 10259 | Stop Camera Recording |\r\n| 10260 | Set Flags |\r\n| 10261 | Send File Explorer Info |\r\n| 10262 | Send Thumbnail |\r\n| 10263 | Unset f1207X Flag |\r\n| 10264 | Set f1207X Flag |\r\n| 10265 | Collect File Info (path, size) |\r\n| 10266 | Upload File |\r\n| 10267 | Upload Text File |\r\n| 10268 | Download File |\r\n| 10269 | Start and Send Location Info Collection Service |\r\n| 10270 | Stop Location Info Collection Service |\r\n| 10271 | Send Call Logs |\r\n| 10272 | Send Registered Account Info |\r\n| 10273 | Send Contact Info |\r\n| 10274 | Cannot Decompile |\r\n| 10275 | Send Installed App Info |\r\n| 10276 | Run Package |\r\n| 10278 | Ping |\r\n| 10279 | Call |\r\n| 10281 | Reconnect C\u0026C Server |\r\n| 10282 | Clean Up Socket Connection |\r\n| 10283 | Remote Command Execution |\r\n| 10284 | Write File |\r\n| 10285 | Create File/Directory |\r\n| 10286 | Change File Name |\r\n| 10287 | Delete File |\r\n| 10288 | Delete Directory |\r\n| 10289 | Set Wallpaper |\r\n| 10290 | Move/Copy File |\r\n| 10291 | Play Audio |\r\n| 10292 | Stop Audio |\r\n| 10293 | Zip |\r\n| 10294 | Unzip |\r\n| 10295 | Send System Info |\r\n| 10296 | Audio/Wireless Settings |\r\n| 10297 | Send Keylog List |\r\n| 10298 | Send Keylog |\r\n| 10299 | Delete Keylog |\r\n| 10300 | Start Live Keylogging |\r\n| 10301 | Stop Live Keylogging |\r\n| 10302 | Connect New C\u0026C Server |\r\n| 10303 | Delete Latest Call Log |\r\n| 10304 | Delete Contact |\r\n| 10305 | Add Contact |\r\n| 10306 | Delete Data / Lock Screen / Change Password → needs privilege escalation |\r\n| 10307 | Open File |\r\n| 10308 | Send Package Info |\r\n| 10309 | Send “OK” Message |\r\n| 10310 | Print Message |\r\n| 10311 | Stop Vibration |\r\n| 10312 | Start Vibration |\r\ncaption - Command List\r\nAppendix D. Scripts\r\nInternal APK Decryption Script\r\n```python\r\nimport argparse\r\n\r\n\r\ndef rol8(x, r):\r\n    \"\"\"Rotate the 8-bit value x left by r bits.\"\"\"\r\n    r \u0026= 7\r\n    return ((x \u003c\u003c r) | (x \u003e\u003e (8 - r))) \u0026 0xFF\r\n\r\n\r\ndef parse_key_hex(s):\r\n    \"\"\"Parse the 4-byte XOR key given as 8 hex digits (e.g. \"541161FE\") into a list of 4 ints.\"\"\"\r\n    hexstr = s.strip()\r\n    if len(hexstr) != 8:\r\n        raise ValueError(\"key must be 8 hex digits (4 bytes)\")\r\n    return [int(hexstr[i:i + 2], 16) for i in range(0, 8, 2)]\r\n\r\n\r\ndef xor_decrypt_stream(fin, fout, key_bytes):\r\n    \"\"\"Reimplement xorDecrypt from libnative-lib.so: invert each byte, ROL by 5, then XOR with the repeating 4-byte key.\"\"\"\r\n    data = fin.read()\r\n    out = bytearray(len(data))\r\n    for i, c in enumerate(data):\r\n        c8 = c \u0026 0xFF\r\n        t = rol8((~c8) \u0026 0xFF, 5)\r\n        out[i] = key_bytes[i \u0026 3] ^ t\r\n    fout.write(out)\r\n\r\n\r\ndef main():\r\n    ap = argparse.ArgumentParser()\r\n    ap.add_argument(\"infile\", help=\"input file\")\r\n    ap.add_argument(\"outfile\", help=\"output file\")\r\n    ap.add_argument(\"key_hex\", help='4-byte key in hex (e.g. \"12345678\")')\r\n    args = ap.parse_args()\r\n    key = parse_key_hex(args.key_hex)\r\n    with open(args.infile, \"rb\") as fin, open(args.outfile, \"wb\") as fout:\r\n        xor_decrypt_stream(fin, fout, key)\r\n\r\n\r\nif __name__ == \"__main__\":\r\n    main()\r\n```\r\nSource: https://www.enki.co.kr/en/media-center/blog/kimsuky-distributing-malicious-mobile-app-via-qr-code",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.enki.co.kr/en/media-center/blog/kimsuky-distributing-malicious-mobile-app-via-qr-code"
	],
	"report_names": [
		"kimsuky-distributing-malicious-mobile-app-via-qr-code"
	],
	"threat_actors": [
		{
			"id": "191d7f9a-8c3c-442a-9f13-debe259d4cc2",
			"created_at": "2022-10-25T15:50:23.280374Z",
			"updated_at": "2026-04-29T06:58:57.705351Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"Kimsuky",
				"Black Banshee",
				"Velvet Chollima",
				"Emerald Sleet",
				"THALLIUM",
				"APT43",
				"TA427",
				"Springtail",
				"Earth Kumiho",
				"PatheticSlug"
			],
			"source_name": "MITRE:Kimsuky",
			"tools": [
				"Troll Stealer",
				"HTTPTroy",
				"schtasks",
				"certutil",
				"Amadey",
				"GoBear",
				"Brave Prince",
				"CSPY Downloader",
				"gh0st RAT",
				"AppleSeed",
				"Gomir",
				"NOKKI",
				"QuasarRAT",
				"Gold Dragon",
				"PsExec",
				"KGH_SPY",
				"Mimikatz",
				"BabyShark",
				"TRANSLATEXT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "760f2827-1718-4eed-8234-4027c1346145",
			"created_at": "2023-01-06T13:46:38.670947Z",
			"updated_at": "2026-04-29T06:58:56.291188Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"G0086",
				"THALLIUM",
				"Sparkling Pisces",
				"Velvet Chollima",
				"Black Banshee",
				"Operation Stolen Pencil",
				"APT43",
				"Emerald Sleet",
				"Springtail",
				"Thallium"
			],
			"source_name": "MISPGALAXY:Kimsuky",
			"tools": [
				"RevClient",
				"xrat",
				"QUASARRAT",
				"RDP Wrapper",
				"TightVNC",
				"BabyShark"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c8bf82a7-6887-4d46-ad70-4498b67d4c1d",
			"created_at": "2025-08-07T02:03:25.101147Z",
			"updated_at": "2026-04-29T06:58:57.620982Z",
			"deleted_at": null,
			"main_name": "NICKEL KIMBALL",
			"aliases": [
				"APT43",
				"ARCHIPELAGO",
				"Black Banshee",
				"Crooked Pisces",
				"Emerald Sleet",
				"ITG16",
				"Kimsuky",
				"Larva-24005",
				"Opal Sleet",
				"Ruby Sleet",
				"SharpTongue",
				"Sparking Pisces",
				"Springtail",
				"TA406",
				"TA427",
				"THALLIUM",
				"UAT-5394",
				"Velvet Chollima"
			],
			"source_name": "Secureworks:NICKEL KIMBALL",
			"tools": [
				"BabyShark",
				"FastFire",
				"FastSpy",
				"FireViewer",
				"Konni"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "71a1e16c-3ba6-4193-be62-be53527817bc",
			"created_at": "2022-10-25T16:07:23.753455Z",
			"updated_at": "2026-04-29T06:58:57.969738Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"APT 43",
				"Black Banshee",
				"Emerald Sleet",
				"G0086",
				"G0094",
				"ITG16",
				"KTA082",
				"Kimsuky",
				"Larva-24005",
				"Larva-25004",
				"Operation Baby Coin",
				"Operation Covert Stalker",
				"Operation DEEP#DRIVE",
				"Operation DEEP#GOSU",
				"Operation Kabar Cobra",
				"Operation Mystery Baby",
				"Operation Red Salt",
				"Operation Smoke Screen",
				"Operation Stealth Power",
				"Operation Stolen Pencil",
				"SharpTongue",
				"Sparkling Pisces",
				"Springtail",
				"TA406",
				"TA427",
				"Thallium",
				"UAT-5394",
				"Velvet Chollima"
			],
			"source_name": "ETDA:Kimsuky",
			"tools": [
				"AngryRebel",
				"AppleSeed",
				"BITTERSWEET",
				"BabyShark",
				"BoBoStealer",
				"CSPY Downloader",
				"Farfli",
				"FlowerPower",
				"Gh0st RAT",
				"Ghost RAT",
				"Gold Dragon",
				"GoldDragon",
				"GoldStamp",
				"JamBog",
				"KGH Spyware Suite",
				"KGH_SPY",
				"KPortScan",
				"KimJongRAT",
				"Kimsuky",
				"LATEOP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Lovexxx",
				"MailPassView",
				"Mechanical",
				"Mimikatz",
				"MoonPeak",
				"Moudour",
				"MyDogs",
				"Mydoor",
				"Network Password Recovery",
				"PCRat",
				"ProcDump",
				"PsExec",
				"ReconShark",
				"Remote Desktop PassView",
				"SHARPEXT",
				"SWEETDROP",
				"SmallTiger",
				"SniffPass",
				"TODDLERSHARK",
				"TRANSLATEXT",
				"Troll Stealer",
				"TrollAgent",
				"VENOMBITE",
				"WebBrowserPassView",
				"xRAT"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1777429236,
	"ts_updated_at": 1777450930,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/37114c033cf4dc4e27f0631d4af9be712dbea44b.pdf",
		"text": "https://archive.orkl.eu/37114c033cf4dc4e27f0631d4af9be712dbea44b.txt",
		"img": "https://archive.orkl.eu/37114c033cf4dc4e27f0631d4af9be712dbea44b.jpg"
	}
}