{
	"id": "b6886217-b183-4813-bec5-c8908cb76e2c",
	"created_at": "2026-04-10T03:21:58.477402Z",
	"updated_at": "2026-04-10T13:11:52.950192Z",
	"deleted_at": null,
	"sha1_hash": "4d612928d40b956cf990c917aca29944d7abb949",
	"title": "Distribution of PebbleDash Malware in March 2025",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1379948,
	"plain_text": "Distribution of PebbleDash Malware in March 2025\r\nBy ATCP\r\nPublished: 2025-04-21 · Archived: 2026-04-10 02:54:48 UTC\r\nPebbleDash is a backdoor malware that was previously identified by the Cybersecurity and Infrastructure Security\r\nAgency (CISA) in the U.S. as a backdoor malware of Lazarus (Hidden Cobra) in 2020. At the time, it was known\r\nas the malware of the Lazarus group, but recently, there have been more cases of the PebbleDash malware being\r\ndistributed by the Kimsuky group, who have been targeting individuals, rather than the Lazarus group. This report\r\nwill cover the latest distribution process of the PebbleDash malware by the Kimsuky group, other malware and\r\nadditional modules that have been identified alongside PebbleDash.\r\nAs mentioned in multiple TI reports in the past, the Kimsuky threat group is known to use an open-source RDP\r\nWrapper along with PebbleDash for remote control. However, there have been numerous recent cases where the\r\nthreat actors directly patched termsrv.dll, which performs the role of terminal services.\r\nThe figure below shows the attack process using the PebbleDash malware by the Kimsuky group.\r\nFigure 1. The latest PebbleDash attack process of the Kimsuky group\r\nAttack Process\r\n1. Gaining Initial Access, Maintaining Persistence, and Establishing Foothold\r\nIn cases where PebbleDash is used, the threat actor’s attack process can be categorized into four main stages:\r\ninitial access, persistence, establishing a foothold, and creating additional malware. First, the threat actor targets\r\nspecific individuals with spear-phishing attacks to gain initial access. When a user opens the shortcut file attached\r\nhttps://asec.ahnlab.com/en/87621/\r\nPage 1 of 7\n\nto the spear-phishing email, the LNK file executes a JavaScript through the Cmdline. 
This JavaScript then\r\nexecutes PowerShell to perform tasks such as registering a task scheduler for system persistence, registering\r\nregistry keys for auto-execution, and performing socket communications with Dropbox and the threat actor’s\r\nC\u0026C server. This allows the threat actor to create backdoors, RDP tools, and other malware like PebbleDash.\r\nFigure 2. Initial infiltration process\r\n2. Installing Additional Malware for Controlling Infected PCs\r\nWhen PowerShell is executed by the LNK malware, the threat actor sends additional malware and CMD\r\ncommands to the infected PC through Dropbox and TCP socket communication. The threat actor uses PebbleDash\r\nand AsyncRAT to control the infected PC. The following have been identified: termsrv.dll patched for RDP\r\nconnection authentication bypass, UAC bypass malware for privilege escalation, and ForceCopy utility for data\r\nexfiltration.\r\n2.1. PebbleDash\r\nSince 2021, the PebbleDash malware has been continuously used by the Kimsuky group. There are slight\r\ndifferences in the execution methods between the past and current versions. For example, in 2021, the threat actors\r\nexecuted the bait document file and PebbleDash directly using a PIF file. In the recently identified cases, the threat\r\nactors directly created advconf2.dll using PowerShell, as shown in the image below.\r\nFigure 3. Log showing the creation of PebbleDash malware by PowerShell\r\nAfter advconf2.dll is created, cmd.exe and reg.exe are used to register and execute advconf2.dll as a service. The\r\nfinal executed PebbleDash feature is the same as the one introduced in the AhnLab SEcurity intelligence Center\r\n(ASEC) blog in the past.\r\nFigure 4. Registering the service-related registry key\r\n2.2. UAC Bypass Malware\r\nThe Kimsuky group has been using various privilege escalation tools, mainly UACMe. 
They are still using\r\nmultiple privilege escalation tools in 2024, but one particular type is more prevalent than the others. The threat\r\nactor only utilized the “AppInfo ALPC” technique among the UAC bypass techniques supported by UACMe to\r\ncreate their malware. This technique takes advantage of the fact that if a handle for a debug object of a specific\r\nprocess can be obtained, it can be used to gain a handle that provides full access to the said process. Logs show\r\nthat this privilege escalation tool was created and executed by PowerShell in the AhnLab Smart Defense (ASD)\r\ninfrastructure.\r\nFigure 5. Creating and executing privilege escalation tool using PowerShell\r\nFigure 6. Code routine using the AppInfo ALPC technique for privilege escalation\r\n2.3. Modified termsrv.dll\r\nThe threat actor used PowerShell to add the modified termsrv.dll file to the infected PC. Upon comparison with\r\nthe normal termsrv.dll, a specific function was found to be patched. According to the analysis, the function\r\n(CDefPolicy::Query) responsible for RDP license authentication was disabled. This means that any user accessing\r\nthe system is allowed to establish an RDP connection.\r\nFigure 7. Comparison values of the malicious file before and after patching in BinDiff (sub_18002F300 function\r\nmismatch)\r\nFigure 8. Comparison of the normal and patched modules (CDefPolicy::Query function)\r\nTo replace a legitimate system DLL in the Windows path with a modified DLL, the threat actor changed the\r\nregistry key value related to the RDP service.\r\nHKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\TermService\\Parameters\r\nAs a result, the RDP service loads the %SystemRoot%\\System32\\termsrv.dll file by default, so the path must be\r\nchanged to the modified DLL to load the tampered DLL. 
In addition, the threat actor used takeown.exe to change\r\nthe ownership of the termsrv.dll file in the existing system path to Administrators for DLL replacement.\r\ntakeown /F C:\\Windows\\System32\\termsrv.dll /A\r\nResponse Guide\r\n1. Double Extension\r\nThe Kimsuky group distributes LNK malicious shortcut files disguised as normal documents by attaching a\r\ndouble extension to emails. For example, a file named “pdf.lnk” appears to be a PDF document, but it is actually a\r\nWindows shortcut (.lnk) file that can execute malicious scripts or programs. As such, regular users must prevent\r\nsuch suspicious files from being executed by verifying the actual file extension.\r\n[How to Enable File Extensions Display]\r\nOpen File Explorer and select the “File name extensions” checkbox in the “View” tab of the top menu, or use\r\nGroup Policy in Windows settings to force the display.\r\n2. Handling of Modified termsrv.dll File\r\nThe hash value must be calculated to check if the legitimate termsrv.dll file has been replaced with the malicious\r\nversion. To perform this verification, run the following command in Command Prompt (Run as administrator) to\r\ncalculate the hash value (MD5) of the modified file.\r\ncertutil -hashfile C:\\Windows\\System32\\termsrv.dll MD5\r\nThe calculated hash value is compared to “641593eea5f235e27d7cff27d5b7ca2a” and\r\n“70d92e2b00ec6702e17e266b7742bbab”. If the values are the same, it means that the file has been tampered with\r\nand needs to be replaced with the normal termsrv.dll. Windows provides the sfc program to restore normal\r\nprograms. Users can restore the patched termsrv.dll to a normal program by entering the following command after\r\nexecuting CMD with administrator privileges:\r\nsfc /scannow\r\n3. 
Hidden Administrator Account (“Root”)\r\nIf there is a suspicious account named “Root” that was not created by the administrator, the account must be\r\ndisabled or removed. Run the following command in the command prompt (Run as administrator) to check the\r\naccount information.\r\nnet user\r\nSearch for accounts with suspicious names such as “Root” and suspicious creation time and attributes, excluding\r\nstandard administrator accounts. If a suspicious account is found, take actions such as removing the hidden\r\nattribute and deleting/deactivating the account.\r\nOpen the registry editor and navigate to the following path. Then, delete the item corresponding to the account\r\nthat has been hidden.\r\nHKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\UserList\r\nThis prevents the account from being used by threat actors.\r\nnet user Root /delete\r\nConclusion\r\nWhile the Kimsuky group uses various types of malware, in the case of PebbleDash, they execute malware based\r\non an LNK file by spear-phishing in the initial access stage to launch their attacks. They then utilize a PowerShell\r\nscript to create a task scheduler and register it for automatic execution. Through communication with a Dropbox\r\nand TCP socket-based C\u0026C server, the group installs multiple malware and tools including PebbleDash. Recently,\r\nthe group has moved away from their previous method of using the open-source RDP Wrapper. Instead, they have\r\nbegun directly modifying the system DLL (termsrv.dll) to disable RDP authentication. This demonstrates that the\r\nKimsuky group is continuously evolving their attack techniques to suit their target environments.\r\nThis blog post analyzed the latest distribution and execution process of the PebbleDash malware by the Kimsuky\r\ngroup. 
Considering that the group mainly targets individuals, individual users must be cautious of initial access\r\ntechniques like spear-phishing and keep their security products up to date to prevent such attacks in advance.\r\nMD5\r\n641593eea5f235e27d7cff27d5b7ca2a\r\n70d92e2b00ec6702e17e266b7742bbab\r\n876dbd9529f00d708a42f470a21a6f79\r\na5cca2b56124e8e9e0371b6f6293e729\r\na8976e7dc409525a77b0eef0d0c3c4f2\r\nAdditional IOCs are available on AhnLab TIP.\r\nIP\r\n159[.]100[.]13[.]216\r\n213[.]145[.]86[.]223\r\n216[.]219[.]87[.]41\r\n64[.]20[.]59[.]148\r\nSource: https://asec.ahnlab.com/en/87621/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://asec.ahnlab.com/en/87621/"
	],
	"report_names": [
		"87621"
	],
	"threat_actors": [],
	"ts_created_at": 1775791318,
	"ts_updated_at": 1775826712,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4d612928d40b956cf990c917aca29944d7abb949.pdf",
		"text": "https://archive.orkl.eu/4d612928d40b956cf990c917aca29944d7abb949.txt",
		"img": "https://archive.orkl.eu/4d612928d40b956cf990c917aca29944d7abb949.jpg"
	}
}