{
	"id": "37f99c53-21e5-4766-815e-23cc3d8d3b43",
	"created_at": "2026-04-06T00:18:28.773904Z",
	"updated_at": "2026-04-10T03:37:41.049239Z",
	"deleted_at": null,
	"sha1_hash": "4627cdec29f790bceeefa9e4a8ed5621784b24e0",
	"title": "Securonix Threat Research Security Advisory: Analysis of New DEEP#GOSU Attack Campaign Likely Associated with North Korean Kimsuky Targeting Victims with Stealthy Malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 9141699,
	"plain_text": "Securonix Threat Research Security Advisory: Analysis of New\r\nDEEP#GOSU Attack Campaign Likely Associated with North Korean\r\nKimsuky Targeting Victims with Stealthy Malware\r\nArchived: 2026-04-05 17:45:31 UTC\r\nBy Securonix Threat Research: D. Iuzvyk, T. Peck, O. Kolesnikov\r\ntldr:\r\nThe Securonix Threat Research team has uncovered an elaborate multi-stage attack campaign likely associated with the\r\nNorth Korean Kimsuky group.\r\nThe Securonix Threat Research (STR) team has been monitoring a new campaign tracked as DEEP#GOSU likely associated\r\nwith the Kimsuky group, which features some new code/stagers as well as some recycled code and TTPs that were reported\r\nin the past. While the targeting of South Korean victims by the Kimsuky group happened before, from the tradecraft\r\nobserved it’s apparent that the group has shifted to using a new script-based attack chain that leverages multiple PowerShell\r\nand VBScript stagers to quietly infect systems. The later-stage scripts allow the attackers to monitor clipboard, keystroke,\r\nand other session activity.\r\nhttps://www.securonix.com/blog/securonix-threat-research-security-advisory-new-deepgosu-attack-campaign/\r\nPage 1 of 21\n\nThe threat actors also employed a remote access trojan (RAT) software to allow for full control over the infected hosts,\r\nwhile the background scripts continued to provide persistence and monitoring capabilities.\r\nAll of the C2 communication is handled through legitimate services such as Dropbox or Google Docs allowing the malware\r\nto blend undetected into regular network traffic. 
Since these payloads were pulled from remote sources like Dropbox, it\r\nallowed the malware maintainers to dynamically update the malware’s functionality or deploy additional modules without direct\r\ninteraction with the system.\r\nThe malware used in the DEEP#GOSU campaign likely enters the system through typical means, where the user downloads\r\na malicious email attachment containing a zip file with a single disguised file using the extension .pdf.lnk\r\n(IMG_20240214_0001.pdf.lnk in this case).\r\nStage 1: Initial execution: LNK files [T1204.002]\r\nThe use of shortcut files, or .lnk files, by threat actors is nothing new. However, in the case of DEEP#GOSU, the\r\nmethodology behind the code execution is quite different from what we have typically seen in the past.\r\nFirst, as seen in the figure below, the length of the command is quite impressive and it’s clear that the executed PowerShell\r\nis designed to perform several complex functions. Additionally, standing at about 2.2MB, it’s clear that there is more to this\r\nshortcut file than what meets the eye.\r\nFigure 1: IMG_20240214_0001.pdf.lnk – command line execution\r\nThe embedded PowerShell script contained within the shortcut file is designed to take byte data from itself, extract the\r\nembedded files, AES-decrypt and execute further malicious code downloaded from the internet (/step2/ps.bin), and clean up\r\ntraces of its execution. The use of encryption and cloud services for payload retrieval indicates some level of sophistication\r\nintended to evade detection and analysis. This type of infrastructure typically takes much more time to set up and maintain\r\nversus simply hosting files on rented servers.\r\nLet’s first analyze the reason that the shortcut file is over 2MB in size. Upon close analysis, the shortcut file appears to have\r\nan entire embedded PDF concatenated to it after tens of thousands of “A” characters. 
Those characters may be an attempt to\r\npad the size of the file to evade AV detections.\r\nThe figure below demonstrates how this looks when using a hexadecimal editor to view the file’s raw data. On the left, we\r\ncan see the end of the shortcut code which calls cmd.exe (to eventually call powershell.exe) and the start of the sequence of\r\n“A” characters. Over on the right the A’s terminate and the start of a PDF header appears!\r\nFigure 2: Hex bytes of IMG_20240214_0001.pdf.lnk highlighting the embedded PDF file\r\nSo, the shortcut file has a concatenated PDF file attached to it. The PowerShell code contains a clever function that performs\r\na few tasks. The PowerShell code below is taken from the code within the shortcut file (figure 1) and then cleaned up a\r\nbit so it’s easier to read:\r\nFigure 3: IMG_20240214_0001.pdf.lnk – extract PDF portion from itself\r\nThis portion of the script extracts the PDF portion of the .lnk file’s content based on specific byte positions, which\r\nlie between byte offsets 2105824 and 2282653 ($len1 to $len2).\r\nThe script writes out its progress at each operational task, such as “readfileend”, “exestart” and “exeend”.\r\nThe alias “sc” is used to instantiate a new object to hold the PDF file.\r\nThis extracted content is then eventually saved to a new variable $path, and then executed using the PowerShell\r\nStart-Process cmdlet.\r\nThe PDF content is then opened in the system’s default PDF viewer as\r\n“IMG_20240214_0001.pdf”.\r\nAll files are then deleted.\r\nWhat makes this tactic clever is that there is technically no PDF file contained within the initial zip file sent to the victim.\r\nWhen the user clicks the PDF lure (shortcut 
file) they’re immediately presented with a PDF file, thus removing any concern\r\nthat anything unexpected happened.\r\nThe PDF lure document is in Korean and appears to be an announcement regarding the son of Korean Airlines CEO Choi\r\nHyun (the late Choi Yul) and states that the son has passed away due to a car accident. The rest contains details and dates of\r\nthe funeral hall.\r\nFigure 4: IMG_20240214_0001.pdf lure document\r\nIn addition to extracting and executing the PDF document, the shortcut file also executes the malware’s next stage payload\r\nfrom a Dropbox URL (hxxps://content.dropboxapi[.]com/2/files/download/step2/ps.bin). Despite its name, the ps.bin file is\r\nactually another PowerShell script which we’ll dive into later.\r\nSince Dropbox requires authentication, all of the required parameters are embedded into the shortcut’s original PowerShell\r\nscript (figure 1). With the PowerShell code cleaned up, the portion of the script responsible for downloading and executing\r\nthe next-stage payload ($newString) is highlighted below.\r\nFigure 5: IMG_20240214_0001.lnk – download and invoke next-stage payload from Dropbox\r\nTo sum up, the PowerShell script contained within the shortcut file is designed to silently find and execute the specifically\r\ncrafted malicious .lnk file (itself), extract and execute the embedded PDF lure document, authenticate, decrypt and execute\r\nfurther malicious code downloaded from Dropbox, and then clean up traces of its execution. 
The use of encryption and\r\ncloud services for payload retrieval indicates a level of sophistication intended to evade detection and analysis.\r\nStage 2: Invoked code from Dropbox [T1102]\r\nAt this stage, the initial shortcut file has downloaded and invoked a remote payload from Dropbox called ps3.bin. The\r\nPowerShell code contained within the .bin file defines a function (Load) that performs several operations, which include\r\ndownloading, decompressing, and dynamically loading and executing .NET assembly code from a different Dropbox URL.\r\nDefine a decompression helper function (GzExtract):\r\nThis inner function takes a byte array as input in the form of GZIP compressed data.\r\nIt decompresses this data and returns the resulting byte array.\r\nDynamically loading .NET assemblies:\r\nThe script dynamically loads assemblies related to System.Drawing, System.Windows.Forms, and\r\nPresentationCore.\r\nThis enables the script to use advanced graphical UI capabilities, which have been used in the past for features\r\nsuch as screenshots or screen recording by Dark Pink malware among others.\r\nAuthenticating with Dropbox and downloading next-stage remote payload:\r\nSimilar to the shortcut file’s PowerShell script, it authenticates with Dropbox once again using a refresh token,\r\nclient ID, and client secret to obtain an access token.\r\nA file named r_enc.bin is downloaded from Dropbox (stage 3).\r\nAfter downloading the file, it attempts to decompress the payload using the GzExtract function defined earlier.\r\nThe script implies this payload is a .NET assembly in binary form, compressed to evade detection.\r\nDynamically loading and executing the .NET assembly:\r\nIt loads the decompressed .NET assembly into memory without writing it to disk, which can help cut down AV\r\ndetections.\r\nIt iterates through types and methods within the loaded assembly to find and invoke a specific method\r\n(makeProbe1). 
The invocation is commented out, but it suggests that the method would execute with a\r\nhardcoded parameter, which is partially shown and then truncated.\r\nThis dynamic loading and execution allow the malware to perform virtually any action the .NET framework\r\nsupports, based on the code within the downloaded assembly.\r\nFigure 6: Example of PowerShell ps.bin\r\nIn addition to the above, the script also invokes a method on an object instance using reflection in PowerShell, with a\r\nparameter that appears to be a Base64-encoded string. The string can be seen in the figure below.\r\nFigure 7: ps.bin PowerShell invokes next stage payloads\r\nThe $method variable is set up and holds a reference to a “MethodInfo” object, which represents a specific method of a\r\nclass. The “$instance” variable contains the instance of the class which in turn contains the method you want to invoke. The\r\nstring is encoded in Base64 and then passed as an argument to the method.\r\nSince at this point the code is doing two pretty interesting things simultaneously, let’s first follow the loading and execution of\r\n“r_enc.bin” from Dropbox further down (Stage 3), which is loaded from the following Dropbox URL:\r\nhxxps://content.dropboxapi[.]com/2/files/download/step2/r_enc.bin\r\nWe’ll continue with the invocation of the new Base64 encoded method (Stage 4) further down.\r\nStage 3: TutClient [C# RAT] (r_enc.bin)\r\nWhen analyzing the PowerShell script in Stage 2 we determined that the script once again reached back out to Dropbox and\r\ndownloaded a compressed Base64 string. The file itself is indeed a binary file, which can be easily confirmed using a tool\r\nsuch as CyberChef. 
If we place the large Base64 string (r_enc.bin) inside the input field, select “From Base64” and\r\n“Gunzip”, we see the MZ header and other common strings for Windows executables inside the output.\r\nFigure 8: Decoding r_enc.bin in CyberChef\r\nThe decompressed binary file ends up being an open source RAT (remote access trojan), known as TruRat, TutRat or C#\r\nR.A.T., which generates a commonly named client called TutClient.exe.\r\nAs the name suggests, the RAT is coded in C# and is open source. Since the source of the application can be found online,\r\nwe won’t go too deep into the binary code analysis portion, but rather discuss its capabilities.\r\nFigure 9: C# RAT executable client overview\r\nCurrently this particular RAT software is quite old and likely to be picked up by most antivirus vendors. However, given the\r\nunique method in which this binary is loaded and executed directly into memory (Stage 2), it’s likely to skirt some detections.\r\nExecution of the payload in memory, also known as “fileless” execution, is a technique used by attackers to evade detection\r\nby traditional file-based antivirus solutions. Since the payload does not touch the disk, it leaves fewer traces, making it\r\nharder for security tools to detect and mitigate the threat.\r\nAccording to the C# RAT’s GitHub page, the malware supports a wide range of features including:\r\nKeylogger\r\nRemote desktop\r\nMic and cam spy\r\nRemote Cmd prompt\r\nProcess and file manager\r\nFun menu (hiding desktop icons, clock, taskbar, showing messagebox, triggering Windows sound effects)\r\nDDoS with target validation\r\nPassword manager (supporting: Internet Explorer, Google Chrome, Firefox)\r\nInterestingly enough, this is not the first time that we’ve seen this RAT used against Korean targets. 
A year ago the Kimsuky\r\ngroup was identified delivering TutRAT and xRAT payloads through other methods.\r\nStage 4: VBScript execution (invoked code from stage 2) [T1059.005]\r\nCircling back to Stage 2, if you recall, we observed a large Base64 encoded string getting invoked. After decoding the string\r\nwe reveal a VBScript code segment which once again is designed to connect back to Dropbox by interacting with specific\r\nweb APIs.\r\nFigure 10: Stage 4 VBScript execution – download info_sc.txt from Dropbox (from stage 2)\r\nThe next stage is downloaded from Dropbox in the same manner we observed during the last several stages. Using a unique\r\nclient ID, refresh token and secret, the file “info_sc.txt” is downloaded from the URL:\r\nhxxps://content.dropboxapi[.]com/2/files/download/step2/info_sc.txt\r\nOnce the file is downloaded, it is written to a VBScript Stream object, which then switches the stream’s type to text and reads it as a UTF-8 encoded string. This is a method to convert binary data (the downloaded file content) into a readable string.\r\nThe crucial part of this script is the “Execute” statement, which executes the string read from the stream as VBScript code.\r\nThis means the downloaded content is not just data but executable code, which makes the purpose of Stage 4 to run arbitrary\r\nVBScript code fetched from Dropbox.\r\nFigure 11: Stage 4 VBScript execution – execute downloaded code\r\nWith the code downloaded from Dropbox, parsed and then converted, it’s placed inside “convertedString” and then\r\nexecuted.\r\nLastly, the script dynamically writes a PowerShell file to the disk and then executes it (Stage 7). 
This file was written to:\r\nc:\\users\\[redacted]\\appdata\\roaming\\microsoft\\windows\\w568232.ps1\r\nOriginally the script dropped the file named w568232.ps12x; however, it was immediately renamed to w568232.ps1 using\r\nthe following command:\r\ncmd /c rename c:\\users\\[redacted]\\appdata\\roaming\\microsoft\\windows\\w568232.ps12x w568232.ps1\r\nStage 5: VBScript execution (info_sc.txt) [T1059.005]\r\nIf you thought at this point we were done with Dropbox stages, you might be right, depending on the OS version the victim\r\nsystem is running. But for now, a closer look at this script reveals several indications of more traditional malware, such as\r\npersistence indicators and WMI (Windows Management Instrumentation) activity.\r\nThe script is quite complex, though it did not feature any form of obfuscation which needed to be decoded. Let’s go over\r\nsome of the more interesting routines and functions to better understand its capabilities.\r\nWMI Execution [T1047]\r\nAt the beginning of the script there is a WMProc subroutine which uses WMI to execute commands on the system. It takes a\r\nsingle parameter p_cmd which specifies the executable or script that is launched by the WMI service.\r\nAdditionally, there is a commented out line with instructions to download, save and execute a remote .hwp document file.\r\nKimsuky has been known to use disguised hwp files in the past, so this could be an artifact of an older attack chain. The\r\ncommented out line references a remote server at regard.co[.]kr; however, we did not observe any network communication to\r\nthat domain throughout the course of the DEEP#GOSU campaign.\r\nFigure 12: Stage 5 VBScript execution – WMProc and TF functions\r\nScheduled tasks [T1053]\r\nThe TF function works with the Reg and Reg1 subroutines which are used to schedule tasks on the system. 
Additionally, the\r\nTF function formats a timestamp for scheduling, and the Reg subroutine actually schedules a new task. This task is\r\nconfigured to execute a script or command at a later time, ensuring that the malware maintains persistence on the system.\r\nFigure 13: Stage 5 VBScript execution – Reg and Reg1 functions\r\nRemote payload download\r\nAt this point the script checks the version of the operating system and branches its behavior accordingly. For OS versions\r\nprior to Windows 10, it uses Internet Explorer functionality to download and execute a script fetched from a remote server at\r\nhxxp://gbionet[.]com/inc/basl/up1/list.php?query=6\r\nAfter contacting the URL above, the script captures the “innerText” of the page’s body, which is the text content of the\r\nresponse from the server, excluding any HTML tags.\r\nFor systems running Windows 10 or later, it uses a PowerShell script which is saved into a single VBScript variable to\r\ndownload and execute a payload from Dropbox using similar methods we witnessed prior.\r\nFigure 14: Stage 5 VBScript execution – Next stage download\r\nThe inclusion of Google Docs URLs in the PowerShell script encapsulated within the psTxt variable is a method used to\r\ndynamically retrieve configuration data for the Dropbox connection. This could be useful when payloads or Dropbox\r\naccount data need to be changed, without having to change the script itself.\r\nAs we witnessed previously, the PowerShell script uses a hard-coded password (pa55w0rd), and then executes the decrypted\r\ncontent. This also helps reduce the malware’s detection footprint. 
Using these types of services to fetch configuration data or\r\npayloads can blend in with legitimate network traffic, reducing the likelihood of network-based detection.\r\nFigure 15: Stage 5 VBScript/PowerShell execution – invoke next stage\r\nThe decrypted content uses a predefined password and AES decryption. Since the downloaded content is encrypted, another\r\nlayer of protection against detection is added.\r\nInterestingly enough, the $uh variable is not defined anywhere in the script. This is used by the Invoke-Command alias (icm)\r\nto execute a PowerShell scriptblock. This could be a mistake by the malware authors, or used in context with other more\r\nbroad malware operations where it could be used with portions of code not included in the samples identified by the team.\r\nLastly, the decrypted content is then executed directly in memory using a PowerShell Invoke-Expression, which leads us into\r\nStage 6!\r\nStage 6: PowerShell execution – system enumeration [T1082]\r\nCircling back to PowerShell, the next script that gets executed is an interesting script which attempts to enumerate the victim\r\nsystem as much as it can. 
Once again, Dropbox is used; however, rather than downloading the next-stage payload, it issues a\r\ncarefully-crafted POST request to submit its enumeration findings.\r\nAs you can see in the data below, it formats the data into sections with headers containing plus signs on either side of the\r\nheader text.\r\nFigure 16: Stage 6 PowerShell system enumeration example\r\nThe script enumerates the following items:\r\nRunning processes (tasklist)\r\nFirewall status for all profiles (Netsh Advfirewall show allprofiles)\r\nRegistered antivirus products via Security Center (AntiVirusProduct class from ROOT\\SecurityCenter and\r\nROOT\\SecurityCenter2 namespaces)\r\nUser profile directories:\r\nDesktop ($user_dir\\Desktop)\r\nDocuments ($user_dir\\Documents)\r\nDownloads ($user_dir\\Downloads)\r\nApplication data and start menu programs:\r\nRecent documents ($appdata\\Microsoft\\Windows\\Recent)\r\nStart Menu Programs ($appdata\\Microsoft\\Windows\\Start Menu\\Programs)\r\nProgram files directories:\r\nDefault Program Files ($env:ProgramFiles)\r\nProgram Files (x86) for 64-bit systems ($env:ProgramFiles(x86))\r\nAll drives and their content, including:\r\nDrive label, type, format\r\nDirectories and files within each accessible drive\r\nOnce the information is gathered it encrypts the data using AES functions similar to the AES decrypt functions we\r\ndiscussed earlier. The script then constructs an HTTP POST request to upload the encrypted data. 
The script attempts to refresh\r\nan OAuth token for Dropbox using a client ID, secret, and refresh token, then uses this token to authorize an upload to\r\nDropbox.\r\nFigure 17: Stage 6 PowerShell upload enumeration data\r\nStage 7: stealth and persistence in PowerShell [T1041]\r\nIf you recall, this script is created and saved to the disk from Stage 5 (\\appdata\\roaming\\microsoft\\windows\\w568232.ps1).\r\nThis script appears designed to serve as a tool for periodic communication with a command and control\r\n(C2) server via Dropbox. Its main purposes include encrypting and exfiltrating or downloading data.\r\nMost of the script once again contains PowerShell code for handling Dropbox connections and AES encryption/decryption;\r\nhowever, there are a few interesting functions worth mentioning.\r\nFigure 18: stage 7 various functions inside w568232.ps1\r\nTo ensure persistent, stealthy operation, it contains unique functions for both mutex-based singleton execution ($bMute) and\r\nvariable intervals for network connectivity (GetTimeInterval). The time is set to a random interval between 10000 seconds\r\n(2.78 hours). Essentially, the script acts as a versatile backdoor that allows attackers to continuously monitor and control\r\ntheir infected systems.\r\nStage 8: Keylogging [T1056.001]\r\nThe purpose of this final script is to act as a keylogging and clipboard monitoring component to monitor and log user\r\nactivity on the compromised system.\r\nIt achieves this by first obtaining access to Windows native APIs using .NET assemblies, and then using the Add-Type\r\nPowerShell cmdlet to call the Core class within the session. 
The script uses some targeted variable substitution obfuscation\r\nthroughout the defined strings.\r\nFigure 19: stage 8 obfuscated .NET assemblies\r\nThe script uses functions such as GetAsyncKeyState to monitor the state of individual keys on the keyboard, capturing key\r\npresses and releases.\r\nFigure 20: stage 8 PowerShell keylogging functions\r\nThe PowerShell script includes functionality to monitor and log changes in the clipboard content. It does this by using the\r\nGetClipboardSequenceNumber function to retrieve the current clipboard sequence number, which changes anytime the\r\ncontent of the clipboard changes.\r\nIt then compares the current clipboard sequence number in $curClip with the previously stored sequence number in\r\n$oldClip. If they differ, it indicates the clipboard content has changed. If the format is verified as “text” it then uses\r\n[Windows.Clipboard]::GetText() to retrieve the new clipboard text.\r\nLastly, it appends the content to the file referenced by the $Path (Version.xml) variable using [System.IO.File]::AppendAllText.\r\nFigure 21: stage 8 PowerShell clipboard monitoring\r\nAdditional functionality:\r\nWindow monitoring: It uses both GetForegroundWindow and GetWindowText to track the active window and its\r\ntitle, enabling the script to log which application the user is interacting with alongside the captured keystrokes or\r\nclipboard.\r\nSystem tick count: GetTickCount is also used to manage the timing of log entries (clipboard, keystrokes, etc),\r\nensuring that entries are spaced out and potentially reducing the volume of logged data to focus on periods of activity.\r\nEncoding and file writing: All of the captured data is saved into the variable path 
$Path\r\n(“$env:appdata\\Microsoft\\Windows\\Themes\\version.xml”), using UTF-8 encoding (created and exfiltrated in stage\r\n7).\r\nWrapping up…\r\nThe malware payloads used in the DEEP#GOSU campaign represent a sophisticated, multi-stage threat designed to operate stealthily\r\non Windows systems, especially from a network-monitoring standpoint. It relied on both PowerShell and VBScript for its\r\nexecution, which interestingly enough used very minimal obfuscation. Each stage was encrypted using AES and a common\r\npassword and IV, which should minimize network or flat file scanning detections.\r\nIts capabilities included keylogging, clipboard monitoring, dynamic payload execution, data exfiltration, and persistence\r\nusing RAT software for full remote access, scheduled tasks, and self-executing PowerShell scripts using jobs.\r\nSecuronix recommendations\r\nSince many malware infections begin outside the organization, exercise caution around unsolicited emails,\r\nespecially when the email is unexpected or employs a sense of urgency. When it comes to prevention and detection, the\r\nSecuronix Threat Research Team recommends:\r\nAvoid downloading files or attachments from external sources, especially if the source was unsolicited.\r\nMonitor common malware staging directories, especially script-related activity in world-writable directories. In the\r\ncase of this campaign the threat actors staged in subdirectories in %APPDATA%.\r\nSince all of the network communication in the DEEP#GOSU campaign is encrypted and employs legitimate services\r\nsuch as Dropbox or Google Docs, we strongly recommend deploying robust endpoint logging capabilities. 
This\r\nincludes leveraging additional process-level logging such as Sysmon and PowerShell logging for additional log\r\ndetection coverage.\r\nSecuronix customers can scan endpoints using the Securonix hunting queries below.\r\nC2 and infrastructure\r\nC2 Address\r\nhttps://content.dropboxapi.com/2/files/download/step2/ps.bin\r\nhttps://content.dropboxapi.com/2/files/download/step2/r_enc.bin\r\nhttps://content.dropboxapi.com/2/files/download/step2/info_sc.txt\r\nhttps://content.dropboxapi.com/2/files/download/step2/info_ps.bin\r\nhttps://content.dropboxapi.com/2/files/download/step2/ad_ps.bin\r\ngbionet.com\r\nMITRE ATT\u0026CK Matrix\r\nTactic / Techniques\r\nDefense Evasion\r\nT1027: Obfuscated Files or Information\r\nT1027.010: Obfuscated Files or Information: Command Obfuscation\r\nT1070.004: Indicator Removal: File Deletion\r\nT1140: Deobfuscate/Decode Files or Information\r\nDiscovery\r\nT1057: Process Discovery\r\nT1082: System Information Discovery\r\nT1083: File and Directory Discovery\r\nExecution\r\nT1059: Command and Scripting Interpreter\r\nT1059.001: Command and Scripting Interpreter: PowerShell\r\nT1059.005: Command and Scripting Interpreter: Visual Basic\r\nT1204.001: User Execution: Malicious Link\r\nExfiltration\r\nT1567.002: Exfiltration Over Web Service: Exfiltration to Cloud Storage\r\nPersistence\r\nT1053: Scheduled Task/Job\r\nCommand and Control\r\nT1102: Web Service\r\nT1132.001: Data Encoding: Standard Encoding\r\nT1219: Remote Access Software\r\nT1573: Encrypted Channel\r\nCollection\r\nT1115: Clipboard Data\r\nT1056.001: Input Capture: Keylogging\r\nRelevant provisional Securonix detections\r\nEDR-ALL-623ER\r\nEDR-ALL-335-RU\r\nEDR-ALL-336-RU\r\nEDR-ALL-928-RU\r\nRelevant hunting queries\r\n(remove square brackets “[ ]” for IP 
addresses or URLs)\r\nindex = activity AND rg_functionality=”Next Generation Firewall” AND requesturl CONTAINS\r\n“content.dropboxapi[.]com/2/files/download/step2/” AND (requesturl CONTAINS “ps.bin” OR requesturl\r\nCONTAINS “r_enc.bin” OR requesturl CONTAINS “info_sc.txt” OR requesturl CONTAINS “info_ps.bin” OR\r\nrequesturl CONTAINS “ad_ps.bin”)\r\nindex = activity AND rg_functionality = “Endpoint Management Systems” AND (deviceaction = “File created” OR\r\ndeviceaction = “File created (rule: FileCreate)”) AND customstring49 ENDS WITH\r\n“Appdata\\Microsoft\\Windows\\Themes\\version.xml”\r\nindex = activity AND rg_functionality = “Microsoft Windows Powershell” AND (message CONTAINS\r\n“content.dropboxapi[.]com/2/files/download” OR message CONTAINS “content.dropboxapi[.]com/2/files/upload”)\r\nindex = activity AND rg_functionality = “Endpoint Management Systems” AND (deviceaction = “File created” OR\r\ndeviceaction = “File created (rule: FileCreate)”) AND customstring49 CONTAINS “\\AppData\\Local\\Temp\\” AND\r\ncustomstring49 CONTAINS “.zip” AND customstring49 ENDS WITH “.lnk”\r\nAnalyzed files/hashes\r\nName FILE HASH\r\nIMG_20240214_0001.pdf.lnk\r\nF262588C48D2902992FFD275D2BE6362FE7F02E2F00A44AB8C75AC1A2827C6E9\r\n1617587CCDF5B0344089559ECF8FE7D39F6E07A6A64F74F2B44BFA2C8CB67983\r\n트레이딩 스파르타코스 강의안-100불남(2차).zip\r\n46A5D54C264152CE915792AF31C75824A558AF7D7340D78B34E146D8C6249E79\r\n트레이딩_스파르타코스_강의안_100불남_2차.pdf.lnk\r\n1B75F70C226C9ADA8E79C3FDD987277B0199928800C51E5A1E55FF01246701DB\r\nIMG_20240214_0001.pdf 69C917EA96DB28DBD5B67073CA0AAC234D25651A849171B45F20979EAFA05A1C\r\nPowerShell file hashes\r\n60666CACDD6806ED05771F32EAA719E3EFD2F4DB55F28A447D383C3EAC1DC72E\r\nB72CAAB78D164637FEA0937D7A94FC470579EC6BB4FA87DADB6F0FA7826E217C\r\n89CAD9A57985CC0AB3B7403A943AD0AA7B167DC7A3C38557417FEDEA67A77B87\r\nReferences:\r\n1. 
North Korean Advanced Persistent Threat Focus: Kimsuky\r\nhttps://www.cisa.gov/news-events/cybersecurity-advisories/aa20-301a\r\n2. Threat Intelligence Report: Kimsuky\r\nhttps://www.genians.co.kr/hubfs/blogfile/20231030_threat_inteligence_report_Kimsuky.pdf\r\n3. Dark Pink – New APT hitting Asia-Pacific, Europe that goes deeper and darker\r\nhttps://www.group-ib.com/blog/dark-pink-apt/\r\n4. February 2023 – Threat Trend Report on Kimsuky Group\r\nhttps://asec.ahnlab.com/wp-content/uploads/2023/04/ATIP_2023_Feb_Threat-Trend-Report-on-Kimsuky-Group.pdf\r\n5. Malware Disguised as HWP Document File (Kimsuky)\r\nhttps://asec.ahnlab.com/en/54736/\r\nSource: https://www.securonix.com/blog/securonix-threat-research-security-advisory-new-deepgosu-attack-campaign/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://www.securonix.com/blog/securonix-threat-research-security-advisory-new-deepgosu-attack-campaign/"
	],
	"report_names": [
		"securonix-threat-research-security-advisory-new-deepgosu-attack-campaign"
	],
	"threat_actors": [
		{
			"id": "fd4c3ddd-11cc-4192-9c94-ff107d7f8492",
			"created_at": "2023-02-18T02:04:24.06294Z",
			"updated_at": "2026-04-10T02:00:04.644528Z",
			"deleted_at": null,
			"main_name": "Dark Pink",
			"aliases": [
				"Saaiwc Group"
			],
			"source_name": "ETDA:Dark Pink",
			"tools": [
				"Ctealer",
				"Cucky",
				"KamiKakaBot",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"PowerSploit",
				"TelePowerBot",
				"ZMsg"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f8dddd06-da24-4184-9e24-4c22bdd1cbbf",
			"created_at": "2023-01-06T13:46:38.626906Z",
			"updated_at": "2026-04-10T02:00:03.043681Z",
			"deleted_at": null,
			"main_name": "Tick",
			"aliases": [
				"G0060",
				"Stalker Taurus",
				"PLA Unit 61419",
				"Swirl Typhoon",
				"Nian",
				"BRONZE BUTLER",
				"REDBALDKNIGHT",
				"STALKER PANDA"
			],
			"source_name": "MISPGALAXY:Tick",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "191d7f9a-8c3c-442a-9f13-debe259d4cc2",
			"created_at": "2022-10-25T15:50:23.280374Z",
			"updated_at": "2026-04-10T02:00:05.305572Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"Kimsuky",
				"Black Banshee",
				"Velvet Chollima",
				"Emerald Sleet",
				"THALLIUM",
				"APT43",
				"TA427",
				"Springtail"
			],
			"source_name": "MITRE:Kimsuky",
			"tools": [
				"Troll Stealer",
				"schtasks",
				"Amadey",
				"GoBear",
				"Brave Prince",
				"CSPY Downloader",
				"gh0st RAT",
				"AppleSeed",
				"Gomir",
				"NOKKI",
				"QuasarRAT",
				"Gold Dragon",
				"PsExec",
				"KGH_SPY",
				"Mimikatz",
				"BabyShark",
				"TRANSLATEXT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "760f2827-1718-4eed-8234-4027c1346145",
			"created_at": "2023-01-06T13:46:38.670947Z",
			"updated_at": "2026-04-10T02:00:03.062424Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"G0086",
				"Emerald Sleet",
				"THALLIUM",
				"Springtail",
				"Sparkling Pisces",
				"Thallium",
				"Operation Stolen Pencil",
				"APT43",
				"Velvet Chollima",
				"Black Banshee"
			],
			"source_name": "MISPGALAXY:Kimsuky",
			"tools": [
				"xrat",
				"QUASARRAT",
				"RDP Wrapper",
				"TightVNC",
				"BabyShark",
				"RevClient"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c8bf82a7-6887-4d46-ad70-4498b67d4c1d",
			"created_at": "2025-08-07T02:03:25.101147Z",
			"updated_at": "2026-04-10T02:00:03.846812Z",
			"deleted_at": null,
			"main_name": "NICKEL KIMBALL",
			"aliases": [
				"APT43 ",
				"ARCHIPELAGO ",
				"Black Banshee ",
				"Crooked Pisces ",
				"Emerald Sleet ",
				"ITG16 ",
				"Kimsuky ",
				"Larva-24005 ",
				"Opal Sleet ",
				"Ruby Sleet ",
				"SharpTongue ",
				"Sparking Pisces ",
				"Springtail ",
				"TA406 ",
				"TA427 ",
				"THALLIUM ",
				"UAT-5394 ",
				"Velvet Chollima "
			],
			"source_name": "Secureworks:NICKEL KIMBALL",
			"tools": [
				"BabyShark",
				"FastFire",
				"FastSpy",
				"FireViewer",
				"Konni"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "54e55585-1025-49d2-9de8-90fc7a631f45",
			"created_at": "2025-08-07T02:03:24.563488Z",
			"updated_at": "2026-04-10T02:00:03.715427Z",
			"deleted_at": null,
			"main_name": "BRONZE BUTLER",
			"aliases": [
				"CTG-2006 ",
				"Daserf",
				"Stalker Panda ",
				"Swirl Typhoon ",
				"Tick "
			],
			"source_name": "Secureworks:BRONZE BUTLER",
			"tools": [
				"ABK",
				"BBK",
				"Casper",
				"DGet",
				"Daserf",
				"Datper",
				"Ghostdown",
				"Gofarer",
				"MSGet",
				"Mimikatz",
				"Netboy",
				"RarStar",
				"Screen Capture Tool",
				"ShadowPad",
				"ShadowPy",
				"T-SMB",
				"down_new",
				"gsecdump"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "d4e7cd9a-2290-4f89-a645-85b9a46d004b",
			"created_at": "2022-10-25T16:07:23.419513Z",
			"updated_at": "2026-04-10T02:00:04.591062Z",
			"deleted_at": null,
			"main_name": "Bronze Butler",
			"aliases": [
				"Bronze Butler",
				"CTG-2006",
				"G0060",
				"Operation ENDTRADE",
				"RedBaldNight",
				"Stalker Panda",
				"Stalker Taurus",
				"Swirl Typhoon",
				"TEMP.Tick",
				"Tick"
			],
			"source_name": "ETDA:Bronze Butler",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"9002 RAT",
				"AngryRebel",
				"Blogspot",
				"Daserf",
				"Datper",
				"Elirks",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"HOMEUNIX",
				"HidraQ",
				"HomamDownloader",
				"Homux",
				"Hydraq",
				"Lilith",
				"Lilith RAT",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"Minzen",
				"Moudour",
				"Muirim",
				"Mydoor",
				"Nioupale",
				"PCRat",
				"POISONPLUG.SHADOW",
				"Roarur",
				"RoyalRoad",
				"ShadowPad Winnti",
				"ShadowWali",
				"ShadowWalker",
				"SymonLoader",
				"WCE",
				"Wali",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"XShellGhost",
				"XXMM",
				"gsecdump",
				"rarstar"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "06f622cb-3a78-49cf-9a4c-a6007a69325f",
			"created_at": "2022-10-25T16:07:23.315239Z",
			"updated_at": "2026-04-10T02:00:04.537826Z",
			"deleted_at": null,
			"main_name": "APT 3",
			"aliases": [
				"APT 3",
				"Boron",
				"Brocade Typhoon",
				"Bronze Mayfair",
				"Buckeye",
				"G0022",
				"Gothic Panda",
				"Group 6",
				"Operation Clandestine Fox",
				"Operation Clandestine Fox, Part Deux",
				"Operation Clandestine Wolf",
				"Operation Double Tap",
				"Red Sylvan",
				"TG-0110",
				"UPS Team"
			],
			"source_name": "ETDA:APT 3",
			"tools": [
				"APT3 Keylogger",
				"Agent.dhwf",
				"BKDR_HUPIGON",
				"Backdoor.APT.CookieCutter",
				"Badey",
				"Bemstour",
				"CookieCutter",
				"Destroy RAT",
				"DestroyRAT",
				"DoublePulsar",
				"EXL",
				"EternalBlue",
				"HTran",
				"HUC Packet Transmit Tool",
				"Hupigon",
				"Hupigon RAT",
				"Kaba",
				"Korplug",
				"LaZagne",
				"MFC Huner",
				"OSInfo",
				"Pirpi",
				"PlugX",
				"RedDelta",
				"RemoteCMD",
				"SHOTPUT",
				"Sogu",
				"TIGERPLUG",
				"TTCalc",
				"TVT",
				"Thoper",
				"Xamtrav",
				"remotecmd",
				"shareip",
				"w32times"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "71a1e16c-3ba6-4193-be62-be53527817bc",
			"created_at": "2022-10-25T16:07:23.753455Z",
			"updated_at": "2026-04-10T02:00:04.73769Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"APT 43",
				"Black Banshee",
				"Emerald Sleet",
				"G0086",
				"G0094",
				"ITG16",
				"KTA082",
				"Kimsuky",
				"Larva-24005",
				"Larva-25004",
				"Operation Baby Coin",
				"Operation Covert Stalker",
				"Operation DEEP#DRIVE",
				"Operation DEEP#GOSU",
				"Operation Kabar Cobra",
				"Operation Mystery Baby",
				"Operation Red Salt",
				"Operation Smoke Screen",
				"Operation Stealth Power",
				"Operation Stolen Pencil",
				"SharpTongue",
				"Sparkling Pisces",
				"Springtail",
				"TA406",
				"TA427",
				"Thallium",
				"UAT-5394",
				"Velvet Chollima"
			],
			"source_name": "ETDA:Kimsuky",
			"tools": [
				"AngryRebel",
				"AppleSeed",
				"BITTERSWEET",
				"BabyShark",
				"BoBoStealer",
				"CSPY Downloader",
				"Farfli",
				"FlowerPower",
				"Gh0st RAT",
				"Ghost RAT",
				"Gold Dragon",
				"GoldDragon",
				"GoldStamp",
				"JamBog",
				"KGH Spyware Suite",
				"KGH_SPY",
				"KPortScan",
				"KimJongRAT",
				"Kimsuky",
				"LATEOP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Lovexxx",
				"MailPassView",
				"Mechanical",
				"Mimikatz",
				"MoonPeak",
				"Moudour",
				"MyDogs",
				"Mydoor",
				"Network Password Recovery",
				"PCRat",
				"ProcDump",
				"PsExec",
				"ReconShark",
				"Remote Desktop PassView",
				"SHARPEXT",
				"SWEETDROP",
				"SmallTiger",
				"SniffPass",
				"TODDLERSHARK",
				"TRANSLATEXT",
				"Troll Stealer",
				"TrollAgent",
				"VENOMBITE",
				"WebBrowserPassView",
				"xRAT"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434708,
	"ts_updated_at": 1775792261,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4627cdec29f790bceeefa9e4a8ed5621784b24e0.pdf",
		"text": "https://archive.orkl.eu/4627cdec29f790bceeefa9e4a8ed5621784b24e0.txt",
		"img": "https://archive.orkl.eu/4627cdec29f790bceeefa9e4a8ed5621784b24e0.jpg"
	}
}