{
	"id": "6e729dd4-8ac7-490d-8b59-c534ad99f914",
	"created_at": "2026-04-06T00:12:49.032291Z",
	"updated_at": "2026-04-10T13:12:30.582091Z",
	"deleted_at": null,
	"sha1_hash": "55aa42a757a41400db1573aec1470a89b04688c0",
	"title": "Case of Larva-25004 Group (Related to Kimsuky) Exploiting Additional Certificate - Malware Signed with Nexaweb Certificate - ASEC",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1093109,
	"plain_text": "Case of Larva-25004 Group (Related to Kimsuky) Exploiting\r\nAdditional Certificate - Malware Signed with Nexaweb Certificate\r\n- ASEC\r\nBy ATCP\r\nPublished: 2025-05-21 · Archived: 2026-04-05 16:25:51 UTC\r\nAhnLab SEcurity intelligence Center (ASEC) has discovered malware signed with the certification of Nexaweb\r\nInc. by investigating a file with the same characteristics as the one signed with a Korean company’s certificate.\r\nThese malware samples have been reported by other security companies about the activities of the Kimsuky\r\ngroup.\r\nAhnLab is tracking them, naming them Larva-25004.\r\nTwo files were discovered, and their MD5 hash values are as follows:\r\nJob Description (LM HR Division II).pdf.scr : 73d2899aade924476e58addf26254c2e\r\nKnown as Automation Manager JD(LM HR II).scr: aa8936431f7bc0fabb0b9efb6ea153f9\r\nThese files were signed with the Nexaweb certificate (Serial number: 0315e137a6e2d658f07af454c63a0af2) on\r\nMay 24 and 28, 2024.\r\nhttps://asec.ahnlab.com/en/88132/\r\nPage 1 of 4\n\nWhen the malware is executed, it displays a PDF file related to employment as a bait.\r\nhttps://asec.ahnlab.com/en/88132/\r\nPage 2 of 4\n\nThe exact target is unknown, but considering that the document is a bait, it is likely to be intended for those\r\ninterested in working for a defense company.\r\nNexaweb Certificate Still Unknown\r\nNo malware was found in the files signed with the certificate previously used by Nexaweb (Serial number:\r\n28ce4d33e7994c2be95816eea5773ed1).\r\nhttps://asec.ahnlab.com/en/88132/\r\nPage 3 of 4\n\nThe certificate used to sign the malware is only used to sign the two malware files and not used to sign other files.\r\nWe have contacted Nexaweb to verify if the certificate is actually theirs, but we have not yet received a response.\r\nMD5\r\n27d4ff7439694041ef86233c2b804e1f\r\n73d2899aade924476e58addf26254c2e\r\naa8936431f7bc0fabb0b9efb6ea153f9\r\nAdditional IOCs are available on AhnLab TIP.\r\nSource: \nhttps://asec.ahnlab.com/en/88132/\r\nhttps://asec.ahnlab.com/en/88132/\r\nPage 4 of 4\n\n   https://asec.ahnlab.com/en/88132/  \nWhen the malware is executed, it displays a PDF file related to employment as a bait.\n   Page 2 of 4",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://asec.ahnlab.com/en/88132/"
	],
	"report_names": [
		"88132"
	],
	"threat_actors": [
		{
			"id": "191d7f9a-8c3c-442a-9f13-debe259d4cc2",
			"created_at": "2022-10-25T15:50:23.280374Z",
			"updated_at": "2026-04-10T02:00:05.305572Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"Kimsuky",
				"Black Banshee",
				"Velvet Chollima",
				"Emerald Sleet",
				"THALLIUM",
				"APT43",
				"TA427",
				"Springtail"
			],
			"source_name": "MITRE:Kimsuky",
			"tools": [
				"Troll Stealer",
				"schtasks",
				"Amadey",
				"GoBear",
				"Brave Prince",
				"CSPY Downloader",
				"gh0st RAT",
				"AppleSeed",
				"Gomir",
				"NOKKI",
				"QuasarRAT",
				"Gold Dragon",
				"PsExec",
				"KGH_SPY",
				"Mimikatz",
				"BabyShark",
				"TRANSLATEXT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "760f2827-1718-4eed-8234-4027c1346145",
			"created_at": "2023-01-06T13:46:38.670947Z",
			"updated_at": "2026-04-10T02:00:03.062424Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"G0086",
				"Emerald Sleet",
				"THALLIUM",
				"Springtail",
				"Sparkling Pisces",
				"Thallium",
				"Operation Stolen Pencil",
				"APT43",
				"Velvet Chollima",
				"Black Banshee"
			],
			"source_name": "MISPGALAXY:Kimsuky",
			"tools": [
				"xrat",
				"QUASARRAT",
				"RDP Wrapper",
				"TightVNC",
				"BabyShark",
				"RevClient"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c8bf82a7-6887-4d46-ad70-4498b67d4c1d",
			"created_at": "2025-08-07T02:03:25.101147Z",
			"updated_at": "2026-04-10T02:00:03.846812Z",
			"deleted_at": null,
			"main_name": "NICKEL KIMBALL",
			"aliases": [
				"APT43 ",
				"ARCHIPELAGO ",
				"Black Banshee ",
				"Crooked Pisces ",
				"Emerald Sleet ",
				"ITG16 ",
				"Kimsuky ",
				"Larva-24005 ",
				"Opal Sleet ",
				"Ruby Sleet ",
				"SharpTongue ",
				"Sparking Pisces ",
				"Springtail ",
				"TA406 ",
				"TA427 ",
				"THALLIUM ",
				"UAT-5394 ",
				"Velvet Chollima "
			],
			"source_name": "Secureworks:NICKEL KIMBALL",
			"tools": [
				"BabyShark",
				"FastFire",
				"FastSpy",
				"FireViewer",
				"Konni"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "71a1e16c-3ba6-4193-be62-be53527817bc",
			"created_at": "2022-10-25T16:07:23.753455Z",
			"updated_at": "2026-04-10T02:00:04.73769Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"APT 43",
				"Black Banshee",
				"Emerald Sleet",
				"G0086",
				"G0094",
				"ITG16",
				"KTA082",
				"Kimsuky",
				"Larva-24005",
				"Larva-25004",
				"Operation Baby Coin",
				"Operation Covert Stalker",
				"Operation DEEP#DRIVE",
				"Operation DEEP#GOSU",
				"Operation Kabar Cobra",
				"Operation Mystery Baby",
				"Operation Red Salt",
				"Operation Smoke Screen",
				"Operation Stealth Power",
				"Operation Stolen Pencil",
				"SharpTongue",
				"Sparkling Pisces",
				"Springtail",
				"TA406",
				"TA427",
				"Thallium",
				"UAT-5394",
				"Velvet Chollima"
			],
			"source_name": "ETDA:Kimsuky",
			"tools": [
				"AngryRebel",
				"AppleSeed",
				"BITTERSWEET",
				"BabyShark",
				"BoBoStealer",
				"CSPY Downloader",
				"Farfli",
				"FlowerPower",
				"Gh0st RAT",
				"Ghost RAT",
				"Gold Dragon",
				"GoldDragon",
				"GoldStamp",
				"JamBog",
				"KGH Spyware Suite",
				"KGH_SPY",
				"KPortScan",
				"KimJongRAT",
				"Kimsuky",
				"LATEOP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Lovexxx",
				"MailPassView",
				"Mechanical",
				"Mimikatz",
				"MoonPeak",
				"Moudour",
				"MyDogs",
				"Mydoor",
				"Network Password Recovery",
				"PCRat",
				"ProcDump",
				"PsExec",
				"ReconShark",
				"Remote Desktop PassView",
				"SHARPEXT",
				"SWEETDROP",
				"SmallTiger",
				"SniffPass",
				"TODDLERSHARK",
				"TRANSLATEXT",
				"Troll Stealer",
				"TrollAgent",
				"VENOMBITE",
				"WebBrowserPassView",
				"xRAT"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434369,
	"ts_updated_at": 1775826750,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/55aa42a757a41400db1573aec1470a89b04688c0.pdf",
		"text": "https://archive.orkl.eu/55aa42a757a41400db1573aec1470a89b04688c0.txt",
		"img": "https://archive.orkl.eu/55aa42a757a41400db1573aec1470a89b04688c0.jpg"
	}
}