{
	"id": "eaa0fcc0-edb3-425c-a4af-d2fd2bd0d3e2",
	"created_at": "2026-04-06T00:07:42.140196Z",
	"updated_at": "2026-04-10T13:11:39.868712Z",
	"deleted_at": null,
	"sha1_hash": "3bae8faded2e02e7e831134465ba2bf8a5333235",
	"title": "Kimsuky Deploys TRANSLATEXT Chrome Extension |ThreatLabz",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 835426,
	"plain_text": "Kimsuky Deploys TRANSLATEXT Chrome Extension | ThreatLabz\r\nBy Seongsu Park\r\nPublished: 2024-06-27 · Archived: 2026-04-05 15:45:35 UTC\r\nTechnical Analysis\r\nAccording to a recent publication by a South Korean security vendor, Kimsuky delivered an archive file named “한국군사학논집 심사평서 (1).zip”, which translates to \"Review of a Monograph on Korean Military History.\"\r\nThe archive contains two decoy files:\r\nHWP documents (a popular office file format in South Korea)\r\nA Windows executable masquerading as related documents\r\nWhen a user launches the executable, the malware retrieves a PowerShell script from the threat actor’s server. The figure below shows the Kimsuky infection chain.\r\nFigure 1: Example Kimsuky infection chain.\r\nThe PowerShell script from the remote server is responsible for uploading general information about the victim and creating a Windows shortcut that retrieves an additional PowerShell script from the same server. During our own research into this campaign, we discovered another PowerShell script with the MD5 hash bba3b15bad6b5a80ab9fa9a49b643658 and a GitHub account used by the script that is linked to the same actor.\r\nFrom this newly discovered GitHub account, we observed victim data and a previously deleted Chrome extension utilized by the actor. The delivery method for TRANSLATEXT is not currently known.\r\nhttps://www.zscaler.com/blogs/security-research/kimsuky-deploys-translatext-target-south-korean-academia#technical-analysis\r\nPage 1 of 8\n\nHowever, the newly discovered PowerShell script reveals that Kimsuky checked for the presence of installed Chrome extensions using the Windows registry key shown below:\r\nHKCU\\Software\\Policies\\Google\\Chrome\\ExtensionInstallForcelist\r\nThis registry key is used by Chrome to enforce the installation of specified extensions without user permission or intervention.
Therefore, it appears Kimsuky registered TRANSLATEXT in this registry key using previous-stage methods.\r\nTRANSLATEXT analysis\r\nIn the attacker-controlled GitHub account, we observed an XML file in addition to TRANSLATEXT. These files were present in the repository on March 7, 2024, and deleted the next day, implying that Kimsuky intended to minimize exposure and use the malware for a short period to target specific individuals.\r\nThe figure below shows how Kimsuky uploaded the files on March 7th to one of their GitHub accounts and then deleted them on March 8th.\r\nFigure 2: Kimsuky GitHub commit log shows the addition and removal of an XML file and TRANSLATEXT after only one day.\r\nA timeline of the GitHub user’s activity is listed below:\r\nFebruary 13, 2024: Joined GitHub\r\nMarch 7, 2024: Created first repository named “motorcycle”; 29 commits including uploads from the victim and subsequent removals; added the TRANSLATEXT files update.xml and GoogleTranslate.crx\r\nMarch 8, 2024: Removed update.xml and GoogleTranslate.crx\r\nMarch 18, 2024: Created motorcycle/calc\r\nApril 4, 2024: Created motorcycle/laxi/ter.txt, which contains “sfsadfsadfa”\r\nAs the name suggests, the update.xml file contained the parameters necessary for updating TRANSLATEXT, as shown below.\r\nTRANSLATEXT was uploaded to GitHub as “GoogleTranslate.crx” and masqueraded as a Google Translate extension. However, TRANSLATEXT actually contained four malicious JavaScript files for bypassing security measures, stealing email addresses, credentials, and cookies, capturing browser screenshots, and exfiltrating stolen data.
\r\nThe figure below depicts the role of each JavaScript file in stealing and sending information to the C2 server.\r\nFigure 3: Kimsuky TRANSLATEXT architecture.\r\nAccording to the manifest.json file, the author name is listed as “Piano”, and the update_url points to another GitHub address referencing an update.xml file that did not exist at the time of our analysis. The description and default_title fields contain Korean, which likely indicates that this campaign was specifically targeting South Korea; we discuss this later in the blog.\r\nA part of the manifest.json file is shown below.\r\n{\r\n // Required\r\n \"author\": \"Piano\",\r\n \"manifest_version\": 3,\r\n \"name\": \"Google Translate\",\r\n \"version\": \"1.5.2\",\r\n\r\n // Recommended\r\n \"action\": {\r\n  \"default_icon\": \"icons/16.png\",\r\n  \"default_title\": \"번역하려면 마우스 왼쪽 버튼을 클릭하세요.\"\r\n },\r\n \"description\": \"웹을 탐색하면서 편하게 번역을 볼 수 있습니다. 이 기능은 Google 번역팀에서 제공합니다.\",\r\n \"icons\": {\r\n  \"16\": \"icons/16.png\",\r\n  \"19\": \"icons/19.png\",\r\n  \"32\": \"icons/32.png\",\r\n  \"38\": \"icons/38.png\",\r\n  \"48\": \"icons/48.png\",\r\n  \"128\": \"icons/128.png\"\r\n },\r\n \"update_url\": \"https://raw.githubusercontent.com/HelperDav/Web/main/update.xml\",\r\n\r\n // Optional\r\n \"background\": {\r\n  \"service_worker\": \"background.js\"\r\n },\r\n \"content_security_policy\": {\r\n  \"extension_page\": \"script-src 'self' 'wasm-unsafe-eval'; object-src 'self'\"\r\n },\r\n \"permissions\": [\"tabs\", \"activeTab\", \"cookies\", \"storage\", \"downloads\", \"scripting\"],\r\nThe TRANSLATEXT manifest requests excessive permissions such as scripting.
This broad permission allows TRANSLATEXT to inject scripts into web pages, enabling it to modify page content, add functionality, and/or interact with the page's elements.\r\nDepending on the URL the victim visits, a corresponding script is launched.\r\nWhen the victim visits the Naver login page (nid.naver.com/*) or the Kakao login page (accounts.kakao.com/*), the auth.js file is injected into the web page.\r\nSimilarly, when visiting the Gmail login page (mail.google.com/*), the gsuit.js file is injected into the web page.\r\nThe content.js script is injected into all web pages, as declared in the manifest file shown below.\r\n\"content_scripts\": [\r\n {\r\n  \"js\": [\"content.js\"],\r\n  \"matches\": [\r\n   \"http://*/*\", \"https://*/*\"\r\n  ],\r\n  \"run_at\": \"document_idle\",\r\n  \"all_frames\": false\r\n },\r\n {\r\n  \"js\": [\"auth.js\"],\r\n  \"matches\": [\r\n   \"https://nid.naver.com/*\",\r\n   \"https://accounts.kakao.com/*\"\r\n  ],\r\n  \"run_at\": \"document_end\",\r\n  \"all_frames\": false\r\n },\r\n {\r\n  \"js\": [\"gsuit.js\"],\r\n  \"matches\": [\r\n   \"https://mail.google.com/*\"\r\n  ],\r\n  \"run_at\": \"document_end\",\r\n  \"all_frames\": false\r\n }\r\n]\r\nSecurity bypass\r\nThe script injected into the web page is responsible for bypassing security measures on each specific login page.\r\nNote: For security reasons, we've replaced sensitive variable names in the script to prevent unauthorized actors from exploiting these methods.
\r\nThe gsuit.js script searches for all elements with the specific class name in the web page and then removes them from the Document Object Model (DOM) as shown below.\r\n\"use strict\";\r\nfunction NeverNotify()\r\n{\r\n var x = document.querySelectorAll(\"[redacted]\");\r\n // Loop body lost in extraction; reconstructed from the description above: remove each matched element from the DOM\r\n for (var i = 0; i < x.length; i++) {\r\n  x[i].remove();\r\n }\r\n}\r\n// Re-run every 50 ms so that elements added later are removed as well\r\nsetInterval(() => { NeverNotify(); }, 50);\r\nThe auth.js script is used for manipulating security measures for Naver and Kakao. To bypass Kakao, the script checks for elements with specific IDs. If these elements exist, the script clicks them. This action typically means opting to remember the browser to avoid repeated security prompts. The script selects all elements and ensures their class names are set correctly, possibly to ensure all checkboxes of this type are checked.\r\nThe Naver section of the script, similar to the Kakao section, identifies elements with specific IDs and performs clicks on them. These clicks serve various purposes, such as skipping or acknowledging waiting times and dialogs within Naver's security measure process. For instance, it locates an element with the ID auto and sets its value to init, potentially as part of a setup or initialization process for the authentication page.\r\nNote: We have notified the Google and Naver security teams about these security bypasses and are closely working with them to mitigate the issue.\r\nEmail address stealer - content.js\r\nThe main objective of this JavaScript file is to collect email address and password data entered into the forms and send the information to a background page.
The script performs these actions as follows:\r\nHooking into various form elements such as buttons and input fields to capture the clicks and keypresses that initiate sending data.\r\nCollecting all email addresses entered into any input fields (“type=email”), general text (“type=text”), or textboxes (“role=textbox”), and concatenating them into a single string.\r\nCollecting values from all input fields of type password, and concatenating the email address and password data collected into a string format suitable for transmission.\r\nMonitoring user actions, like pressing Enter, by adding event listeners to various button types and input fields. It uses a mutex variable to prevent multiple transmissions at the same time. This monitoring process is repeated every 500 milliseconds, ensuring new elements on the page or dynamically added elements are also monitored.\r\nService worker - background.js\r\nThe JavaScript employs the dead drop resolver technique to retrieve configurations and commands from the public blog service:\r\nhxxps://onewithshare.blogspot[.]com/2023/04/10.html\r\nIf the blog URL is active, the JavaScript extracts the pattern with the following regular expression:\r\n \r\nThis parses the content from the value parameter of a hidden input field. When we originally checked the blog, there were no relevant values present in this format. However, on July 1, 2024, another researcher identified an update to the threat actor's blog with the Capture command, indicating that the threat actor is actively managing the campaign.
The figure below shows the threat actor’s blog updated with the Capture command.\r\nFigure 4: The threat actor’s blog updated with the Capture command on July 1, 2024.\r\nThere are four types of commands expected by the code, and they are described in the table below:\r\nCommand / Description\r\nURL: Parses and Base64 decodes the value and appends /log.php. This newly formed URL is used as a new C2 server.\r\nCapture: When a new tab is created, the code sends the current time and URL of the tab, taking a screenshot of the tab with the chrome.tabs.captureVisibleTab API every 5 seconds.\r\ndelcookie: Removes all cookies from the browser.\r\nRun: Injects a tag with the href value ms-powerpoint:// in all Chrome tabs, invoking the click event every 30 minutes.\r\nTable 1: Commands supported by Kimsuky’s TRANSLATEXT.\r\nThe background script also registers several listeners with specific functionality as described below:\r\nSend background JavaScript listener: This listener is triggered when a new message is created, allowing for appropriate actions to be taken in response.\r\nTab update listener: When a tab is updated, this listener sends the URL of the newly created tab along with a screenshot, based on the presence of the Capture flag.\r\nCookie change listener: Whenever a cookie is modified, this listener checks if the domain includes google, naver, kakao, or daum, and if the reason for the change is expired, evicted, or explicit.
In such cases, the new cookie value is sent to the remote C2 server.\r\nTRANSLATEXT uses HTTP POST requests for C2 communications, with the following hardcoded HTTP headers:\r\nAccept: application/json, application/xml, text/plain, text/html, *.*,\r\nContent-Type: application/x-www-form-urlencoded; charset=utf-8\r\nAccess-Control-Allow-Origin: \"*\"\r\nAccess-Control-Allow-Credentials: true\r\nTRANSLATEXT uses the following HTTP POST fields for sending the stolen information.\r\nData to Send / POST Data Format\r\nEmail/password:\r\nevent=[current time]--\u003e\r\nevent=[url]\r\nevent=email=[email]**pwd=[passwd]\r\nNew tab image:\r\ntab=[current time]--\u003e\r\ntab=[url]\r\nimage=[image data]\u0026url=[tab url]\r\nCookie (send all cookies):\r\ncookie=[current time]--\u003e\r\ncookie=[all cookie value]\r\nCookie (cookie changed):\r\ncookie={expired|evicted|explicit}:[current time]--\u003e\r\ncookie=[cookie value]\r\nTable 2: HTTP POST data format for Kimsuky’s TRANSLATEXT.\r\nSource: https://www.zscaler.com/blogs/security-research/kimsuky-deploys-translatext-target-south-korean-academia#technical-analysis",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.zscaler.com/blogs/security-research/kimsuky-deploys-translatext-target-south-korean-academia#technical-analysis"
	],
	"report_names": [
		"kimsuky-deploys-translatext-target-south-korean-academia#technical-analysis"
	],
	"threat_actors": [
		{
			"id": "191d7f9a-8c3c-442a-9f13-debe259d4cc2",
			"created_at": "2022-10-25T15:50:23.280374Z",
			"updated_at": "2026-04-10T02:00:05.305572Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"Kimsuky",
				"Black Banshee",
				"Velvet Chollima",
				"Emerald Sleet",
				"THALLIUM",
				"APT43",
				"TA427",
				"Springtail"
			],
			"source_name": "MITRE:Kimsuky",
			"tools": [
				"Troll Stealer",
				"schtasks",
				"Amadey",
				"GoBear",
				"Brave Prince",
				"CSPY Downloader",
				"gh0st RAT",
				"AppleSeed",
				"Gomir",
				"NOKKI",
				"QuasarRAT",
				"Gold Dragon",
				"PsExec",
				"KGH_SPY",
				"Mimikatz",
				"BabyShark",
				"TRANSLATEXT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "760f2827-1718-4eed-8234-4027c1346145",
			"created_at": "2023-01-06T13:46:38.670947Z",
			"updated_at": "2026-04-10T02:00:03.062424Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"G0086",
				"Emerald Sleet",
				"THALLIUM",
				"Springtail",
				"Sparkling Pisces",
				"Thallium",
				"Operation Stolen Pencil",
				"APT43",
				"Velvet Chollima",
				"Black Banshee"
			],
			"source_name": "MISPGALAXY:Kimsuky",
			"tools": [
				"xrat",
				"QUASARRAT",
				"RDP Wrapper",
				"TightVNC",
				"BabyShark",
				"RevClient"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c8bf82a7-6887-4d46-ad70-4498b67d4c1d",
			"created_at": "2025-08-07T02:03:25.101147Z",
			"updated_at": "2026-04-10T02:00:03.846812Z",
			"deleted_at": null,
			"main_name": "NICKEL KIMBALL",
			"aliases": [
				"APT43 ",
				"ARCHIPELAGO ",
				"Black Banshee ",
				"Crooked Pisces ",
				"Emerald Sleet ",
				"ITG16 ",
				"Kimsuky ",
				"Larva-24005 ",
				"Opal Sleet ",
				"Ruby Sleet ",
				"SharpTongue ",
				"Sparking Pisces ",
				"Springtail ",
				"TA406 ",
				"TA427 ",
				"THALLIUM ",
				"UAT-5394 ",
				"Velvet Chollima "
			],
			"source_name": "Secureworks:NICKEL KIMBALL",
			"tools": [
				"BabyShark",
				"FastFire",
				"FastSpy",
				"FireViewer",
				"Konni"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "71a1e16c-3ba6-4193-be62-be53527817bc",
			"created_at": "2022-10-25T16:07:23.753455Z",
			"updated_at": "2026-04-10T02:00:04.73769Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"APT 43",
				"Black Banshee",
				"Emerald Sleet",
				"G0086",
				"G0094",
				"ITG16",
				"KTA082",
				"Kimsuky",
				"Larva-24005",
				"Larva-25004",
				"Operation Baby Coin",
				"Operation Covert Stalker",
				"Operation DEEP#DRIVE",
				"Operation DEEP#GOSU",
				"Operation Kabar Cobra",
				"Operation Mystery Baby",
				"Operation Red Salt",
				"Operation Smoke Screen",
				"Operation Stealth Power",
				"Operation Stolen Pencil",
				"SharpTongue",
				"Sparkling Pisces",
				"Springtail",
				"TA406",
				"TA427",
				"Thallium",
				"UAT-5394",
				"Velvet Chollima"
			],
			"source_name": "ETDA:Kimsuky",
			"tools": [
				"AngryRebel",
				"AppleSeed",
				"BITTERSWEET",
				"BabyShark",
				"BoBoStealer",
				"CSPY Downloader",
				"Farfli",
				"FlowerPower",
				"Gh0st RAT",
				"Ghost RAT",
				"Gold Dragon",
				"GoldDragon",
				"GoldStamp",
				"JamBog",
				"KGH Spyware Suite",
				"KGH_SPY",
				"KPortScan",
				"KimJongRAT",
				"Kimsuky",
				"LATEOP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Lovexxx",
				"MailPassView",
				"Mechanical",
				"Mimikatz",
				"MoonPeak",
				"Moudour",
				"MyDogs",
				"Mydoor",
				"Network Password Recovery",
				"PCRat",
				"ProcDump",
				"PsExec",
				"ReconShark",
				"Remote Desktop PassView",
				"SHARPEXT",
				"SWEETDROP",
				"SmallTiger",
				"SniffPass",
				"TODDLERSHARK",
				"TRANSLATEXT",
				"Troll Stealer",
				"TrollAgent",
				"VENOMBITE",
				"WebBrowserPassView",
				"xRAT"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434062,
	"ts_updated_at": 1775826699,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3bae8faded2e02e7e831134465ba2bf8a5333235.pdf",
		"text": "https://archive.orkl.eu/3bae8faded2e02e7e831134465ba2bf8a5333235.txt",
		"img": "https://archive.orkl.eu/3bae8faded2e02e7e831134465ba2bf8a5333235.jpg"
	}
}