{
	"id": "7c1b44a6-28ed-4a25-baca-bdd02e2b3830",
	"created_at": "2026-04-06T00:12:08.145728Z",
	"updated_at": "2026-04-10T13:12:30.305378Z",
	"deleted_at": null,
	"sha1_hash": "574c7416c0e2cc4b17834e8531a4abf1b29d8478",
	"title": "Malware Disguised as HWP Document File (Kimsuky)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2012346,
	"plain_text": "Malware Disguised as HWP Document File (Kimsuky)\r\nBy ATCP\r\nPublished: 2023-06-15 · Archived: 2026-04-06 00:04:41 UTC\r\nAhnLab Security Emergency response Center (ASEC) has recently confirmed malware, which was previously distributed in CHM and OneNote file formats, being distributed as an executable. Considering that the words used in the malware and the executed script code are similar to those of previously analyzed code, it is suspected that the same threat group (Kimsuky) is also the creator of this malware.\r\nAnalysis Report on Malware Distributed by the Kimsuky Group – Oct 20, 2022\r\nOneNote Malware Disguised as Compensation Form (Kimsuky) – Mar 24, 2023\r\nCHM Malware Disguised as North Korea-related Questionnaire (Kimsuky) – Mar 13, 2023\r\nKimsuky’s Attack Attempts Disguised as Press Releases of Various Topics – May 25, 2022\r\nAPT Attack Attempts Disguised as North Korea-Related Paper Requirements (Kimsuky) – Feb 22, 2022\r\nThe identified malware is distributed as a compressed file which contains a readme.txt along with an executable disguised with an HWP document file extension.\r\nhttps://asec.ahnlab.com/en/54736/\r\nPage 1 of 5\r\nThe readme.txt file contains the following message which prompts users to open the malicious EXE file (Personal Data Leakage Details.hwp.exe). The malicious EXE file was compiled with .NET and uses the HWP document icon to disguise itself to appear like a document file. Multiple spaces were also inserted into the file name to prevent the file extension from being fully visible.\r\nThe above EXE file contains a PowerShell command encoded in Base64. Thus, when the file is executed, this command is decoded and saved as update.vbs in the %APPDATA% folder. The generated update.vbs file is then executed through PowerShell.\r\nThe following message box is then generated, rendering it difficult for users to realize that malicious behaviors are being performed. The message contains North Korean dialect as shown in Figure 4 below.\r\nThe created update.vbs file contains obfuscated commands. Decoding this reveals code that downloads and executes an additional script from hxxp://well-story.co[.]kr/adm/inc/js/list.php?query=1.\r\nBoth the script present in the above URL and the subsequent scripts executed perform functions such as user credential leakage and keylogging, which are consistent with the findings in the \u003cAnalysis Report on Malware Distributed by the Kimsuky Group\u003e. The identified URLs and the features of the created files are as follows.\r\nURL and Filename / Feature\r\nupdate.vbs\r\n– Changes a certain registry\r\n– Runs the script hxxp://well-story.co[.]kr/adm/inc/js/list.php?query=1\r\nhxxp://well-story.co[.]kr/adm/inc/js/list.php?query=1\r\n– Changes a certain registry\r\n– Creates OfficeAppManifest_v[Min]_[Hr]_[Day][Month].xml and registers it as a service\r\n– Runs the script hxxp://well-story.co[.]kr/adm/inc/js/lib.php?idx=1\r\nOfficeAppManifest_v[Min]_[Hr]_[Day][Month].xml\r\n– Runs the script hxxp://well-story.co[.]kr/adm/inc/js/list.php?query=6\r\nhxxp://well-story.co[.]kr/adm/inc/js/list.php?query=6\r\n– Runs the script hxxp://well-story.co[.]kr/adm/inc/js/lib.php?idx=5\r\nhxxp://well-story.co[.]kr/adm/inc/js/lib.php?idx=5\r\n– Keylogger\r\n– Transmits keylogging data to hxxp://well-story.co[.]kr/adm/inc/js/show.php\r\nhxxp://well-story.co[.]kr/adm/inc/js/lib.php?idx=1\r\n– Collects user PC information\r\n– Transmits the collected information to hxxp://well-story.co[.]kr/adm/inc/js/show.php\r\nTable 1. Features of the scripts found on a certain URL and the generated files\r\nThe information collected at this stage also matches that of the aforementioned report.\r\nGiven the continuous detection of this malware type being distributed, users are advised to exercise extra caution. Users should always verify the file extension when opening email attachments and refrain from executing files received from unknown sources.\r\n[File Detection]\r\nDropper/Win.Agent.C5441936 (2023.06.16.02)\r\nTrojan/VBS.Kimsuky (2023.03.21.03)\r\nTrojan/PowerShell.Obfuscated (2023.03.14.00)\r\nTrojan/PowerShell.KeyLogger (2023.05.09.00)\r\nMD5\r\n73174c9d586531153a5793d050a394a8\r\n8133c5f663f89b01b30a052749b5a988\r\n91029801f6f3a415392ccfee8226be67\r\nec1b518541228072eb75463ce15c7bce\r\nf05991652398406655a6a5eebe3e5f3a\r\nURL\r\nhttp[:]//well-story[.]co[.]kr/adm/inc/js/lib[.]php?idx=1\r\nhttp[:]//well-story[.]co[.]kr/adm/inc/js/lib[.]php?idx=5\r\nhttp[:]//well-story[.]co[.]kr/adm/inc/js/list[.]php?query=1\r\nhttp[:]//well-story[.]co[.]kr/adm/inc/js/list[.]php?query=6\r\nhttp[:]//well-story[.]co[.]kr/adm/inc/js/show[.]php\r\nAdditional IOCs are available on AhnLab TIP.\r\nGain access to related IOCs and detailed analysis by subscribing to AhnLab TIP. For subscription details, click the banner below.\r\nSource: https://asec.ahnlab.com/en/54736/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://asec.ahnlab.com/en/54736/"
	],
	"report_names": [
		"54736"
	],
	"threat_actors": [
		{
			"id": "191d7f9a-8c3c-442a-9f13-debe259d4cc2",
			"created_at": "2022-10-25T15:50:23.280374Z",
			"updated_at": "2026-04-10T02:00:05.305572Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"Kimsuky",
				"Black Banshee",
				"Velvet Chollima",
				"Emerald Sleet",
				"THALLIUM",
				"APT43",
				"TA427",
				"Springtail"
			],
			"source_name": "MITRE:Kimsuky",
			"tools": [
				"Troll Stealer",
				"schtasks",
				"Amadey",
				"GoBear",
				"Brave Prince",
				"CSPY Downloader",
				"gh0st RAT",
				"AppleSeed",
				"Gomir",
				"NOKKI",
				"QuasarRAT",
				"Gold Dragon",
				"PsExec",
				"KGH_SPY",
				"Mimikatz",
				"BabyShark",
				"TRANSLATEXT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "760f2827-1718-4eed-8234-4027c1346145",
			"created_at": "2023-01-06T13:46:38.670947Z",
			"updated_at": "2026-04-10T02:00:03.062424Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"G0086",
				"Emerald Sleet",
				"THALLIUM",
				"Springtail",
				"Sparkling Pisces",
				"Thallium",
				"Operation Stolen Pencil",
				"APT43",
				"Velvet Chollima",
				"Black Banshee"
			],
			"source_name": "MISPGALAXY:Kimsuky",
			"tools": [
				"xrat",
				"QUASARRAT",
				"RDP Wrapper",
				"TightVNC",
				"BabyShark",
				"RevClient"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c8bf82a7-6887-4d46-ad70-4498b67d4c1d",
			"created_at": "2025-08-07T02:03:25.101147Z",
			"updated_at": "2026-04-10T02:00:03.846812Z",
			"deleted_at": null,
			"main_name": "NICKEL KIMBALL",
			"aliases": [
				"APT43 ",
				"ARCHIPELAGO ",
				"Black Banshee ",
				"Crooked Pisces ",
				"Emerald Sleet ",
				"ITG16 ",
				"Kimsuky ",
				"Larva-24005 ",
				"Opal Sleet ",
				"Ruby Sleet ",
				"SharpTongue ",
				"Sparking Pisces ",
				"Springtail ",
				"TA406 ",
				"TA427 ",
				"THALLIUM ",
				"UAT-5394 ",
				"Velvet Chollima "
			],
			"source_name": "Secureworks:NICKEL KIMBALL",
			"tools": [
				"BabyShark",
				"FastFire",
				"FastSpy",
				"FireViewer",
				"Konni"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "71a1e16c-3ba6-4193-be62-be53527817bc",
			"created_at": "2022-10-25T16:07:23.753455Z",
			"updated_at": "2026-04-10T02:00:04.73769Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"APT 43",
				"Black Banshee",
				"Emerald Sleet",
				"G0086",
				"G0094",
				"ITG16",
				"KTA082",
				"Kimsuky",
				"Larva-24005",
				"Larva-25004",
				"Operation Baby Coin",
				"Operation Covert Stalker",
				"Operation DEEP#DRIVE",
				"Operation DEEP#GOSU",
				"Operation Kabar Cobra",
				"Operation Mystery Baby",
				"Operation Red Salt",
				"Operation Smoke Screen",
				"Operation Stealth Power",
				"Operation Stolen Pencil",
				"SharpTongue",
				"Sparkling Pisces",
				"Springtail",
				"TA406",
				"TA427",
				"Thallium",
				"UAT-5394",
				"Velvet Chollima"
			],
			"source_name": "ETDA:Kimsuky",
			"tools": [
				"AngryRebel",
				"AppleSeed",
				"BITTERSWEET",
				"BabyShark",
				"BoBoStealer",
				"CSPY Downloader",
				"Farfli",
				"FlowerPower",
				"Gh0st RAT",
				"Ghost RAT",
				"Gold Dragon",
				"GoldDragon",
				"GoldStamp",
				"JamBog",
				"KGH Spyware Suite",
				"KGH_SPY",
				"KPortScan",
				"KimJongRAT",
				"Kimsuky",
				"LATEOP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Lovexxx",
				"MailPassView",
				"Mechanical",
				"Mimikatz",
				"MoonPeak",
				"Moudour",
				"MyDogs",
				"Mydoor",
				"Network Password Recovery",
				"PCRat",
				"ProcDump",
				"PsExec",
				"ReconShark",
				"Remote Desktop PassView",
				"SHARPEXT",
				"SWEETDROP",
				"SmallTiger",
				"SniffPass",
				"TODDLERSHARK",
				"TRANSLATEXT",
				"Troll Stealer",
				"TrollAgent",
				"VENOMBITE",
				"WebBrowserPassView",
				"xRAT"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434328,
	"ts_updated_at": 1775826750,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/574c7416c0e2cc4b17834e8531a4abf1b29d8478.pdf",
		"text": "https://archive.orkl.eu/574c7416c0e2cc4b17834e8531a4abf1b29d8478.txt",
		"img": "https://archive.orkl.eu/574c7416c0e2cc4b17834e8531a4abf1b29d8478.jpg"
	}
}