{
	"id": "c921fd20-ef93-4262-a5fb-75c233f42704",
	"created_at": "2026-04-06T00:16:54.588745Z",
	"updated_at": "2026-04-10T03:38:06.525843Z",
	"deleted_at": null,
	"sha1_hash": "5852a6bc3cac355c497c3c1e51f8e329670dca6f",
	"title": "Detecting Ongoing STARK#MULE Attack Campaign Targeting Victims Using US Military Document Lures",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 19550823,
	"plain_text": "Detecting Ongoing STARK#MULE Attack Campaign Targeting Victims Using US Military Document Lures\r\nArchived: 2026-04-05 15:28:22 UTC\r\nBy Securonix Threat Research: Den Iuzvyk, Tim Peck, Oleg Kolesnikov\r\nJul 28, 2023, updated August 1, 2023\r\ntldr:\r\nSecuronix Threat Research has identified an interesting new, ongoing attack campaign that lures its victims with US military related documents into running malware staged on legitimate, compromised Korean websites.\r\nCaption: Example of an MNRS recruitment post.\r\nThe Securonix Threat Research (STR) team has been monitoring a new attack campaign tracked by STR as STARK#MULE. The campaign appears to be targeting Korean-speaking victims based on the nomenclature and names of the documents used, and on the contents of the lure document. There is a possibility that the malicious threat actor (MTA) originates from North Korea (this is still to be confirmed). In this case, the documents suggest they contain information regarding US Army/military recruitment resources. It appears the goal is to spark the recipient’s curiosity enough to have them open the attached documents and inadvertently execute the contained malware.\r\nhttps://www.securonix.com/blog/detecting-ongoing-starkmule-attack-campaign-targeting-victims-using-us-military-document-lures/\r\nPage 1 of 11\r\nBased on the source and likely targets, these attacks are on par with past attacks from typical North Korean groups such as APT37, since South Korea, and its government officials in particular, has historically been a primary target of that group.\r\nThe entire malicious infrastructure used in the STARK#MULE campaign is centered around legitimate, compromised Korean e-commerce websites. The websites allowed the threat actors to blend in with normal traffic and evade detection, both when delivering malware stagers and when running full command and control on the victim’s machine.\r\nThe attack chain ends with an interesting, persistent piece of malware embedded on the target’s machine, which runs from a scheduled task and immediately opens communication over HTTP.\r\nAttack chain overview\r\nFigure 1: STARK#MULE attack chain diagram\r\nThe attack likely begins with a phishing email carrying a zip file attachment. In our case, the zip file we were able to obtain and analyze was “미군 구인공고 웹사이트 주소 및 사용방법 안내.zip”, which translates to “U.S. Army job posting website address and how to use it”.\r\nThe zip file is not password protected and contains three files, as seen in the figure below:\r\nFigure 2: Contents of “미군 구인공고 웹사이트 주소 및 사용방법 안내.zip”\r\nEmbedded inside the first zip file is another zip file named “Multi National Recruitment System Templete.pdf.zip”. The awkward usage of “Multi National” and typos such as “Templete” [sic] further suggest that the author(s) were of non-English origin, or that this is a possible false-flag attempt.\r\nInside the second zip file was a single shortcut file with the same name as the PDF file, “Multi National Recruitment System Templete.pdf.lnk”. We are not quite sure why the attackers zipped the .lnk file into its own zip file, since doing so increases the odds that it is missed in favor of the actual PDF file.\r\nFigure 3: PDF lure document “Multi National Recruitment System Templete.pdf”\r\nCode execution: Shortcut file to PowerShell\r\nCircling back to the shortcut file, this is where, as in so many malicious phishing emails, code execution begins. Instead of embedding the malicious code directly in the shortcut file itself, the code that is executed simply reads in the contents of one of the other files embedded in the original zip file, “Thumbs.db”.\r\nOn Windows systems, “thumbs.db” is a legitimate file that simply stores image thumbnails. This gives a much more user-friendly browsing and scrolling experience in Windows Explorer, since the media files do not have to be analyzed and rendered into thumbnails each time a directory is opened.\r\nIn our case, this Thumbs.db file is not storing image thumbnails, but contains PowerShell code that is executed by the shortcut file. Analyzing the shortcut file, we get a better understanding of how this works:\r\nFigure 4: Analysis of “Multi National Recruitment System Templete.pdf.lnk”\r\nNow that we know that PowerShell is going to execute whatever is contained within Thumbs.db, putting it all together, we get the following command:\r\nC:\\Windows\\System32\\cmd.exe /c powershell.exe -command - \u003c Thumbs.db\r\nPowerShell execution: Thumbs.db analysis\r\nThe Thumbs.db file is, in reality, a .ps1 PowerShell script under a different name. This script performs several functions, including downloading further stagers and leveraging schtasks.exe to establish persistence.\r\nFigure 5: Contents of Thumbs.db file\r\nThroughout the script, Thumbs.db declares junk variables named $a and $b that are set to meaningless, repeating Base64 strings. This is likely an attempt to pad the script in order to evade AV detections; the actual malicious code, however, is completely unobfuscated.\r\nFirst, the script reaches out to the first compromised website, www.jkmusic.co[.]kr, to download two unique payloads into the C:\\ProgramData directory.\r\nURL | Binary\r\nhxxp://www.jkmusic.co[.]kr/shop/data/theme/e6a137162c56087 | C:\\ProgramData\\lsasetup.tmp\r\nhxxp://www.jkmusic.co[.]kr/shop/data/theme/c9665058c3ef16b | C:\\ProgramData\\winrar.exe\r\nTwo scheduled tasks are then created using schtasks.exe.\r\nschtasks /create /sc DAILY /st 10:10 /tn zuzip /tr “cmd /c echo y| C:\\\\ProgramData\\\\winrar.exe e C:\\\\ProgramData\\\\lsasetup.tmp C:\\\\ProgramData\\\\ -plast”\r\nschtasks /create /sc DAILY /st 10:11 /tn zconshost /tr C:\\\\ProgramData\\\\conshost.exe\r\nThe binary winrar.exe is executed first, at 10:10am every day. This is a legitimate WinRAR binary used to extract the contents of lsasetup.tmp. Confirmation prompts are suppressed first by piping “echo y|” into the command. The scheduled task then runs C:\\ProgramData\\winrar.exe with the extraction command “e”, passes in “C:\\ProgramData\\” as the destination, and specifies the password using the “-p” switch, which in this case is “last”.\r\nThe file “conshost.exe” is extracted into “ProgramData” and is then executed by the second scheduled task, which is set to run a minute later, at 10:11am every day.\r\nBinary file analysis: conshost.exe\r\nThe file “conshost.exe”, which is likely masquerading as the Windows binary “conhost.exe”, is only 360kb in size and is compiled using Microsoft Visual C/C++.\r\nFigure 6: Conshost.exe binary file information\r\nThe binary itself is heavily obfuscated; however, during dynamic analysis of the file we observed it making HTTP POST requests to the following URL:\r\nhxxp://www.notebooksell[.]kr/mall/m_schema.php\r\nThe User-Agent was set to “Mozilla/88.0”, and the request data was sent either in clear text or Base64 encoded. Once the connection was established, the attackers were able to acquire system details such as the system MAC address, Windows version and IP address. The infected machine’s ID appears to be its MAC address, as it is always present in subsequent commands.\r\nSample requests:\r\nrequest_raw: mpVI=MDA[REDACTED]wxMC44LjIuNywxNQ==\r\nrequest_raw: mpCMD=sss\u0026mpVID=00-[REDACTED MAC]-00\r\nC2 and infrastructure\r\nThe threat actor’s infrastructure appears to be based solely on two compromised websites belonging to what appear to be legitimate businesses. It is possible that the threat actors are using more compromised websites; however, in this attack chain we only observed communication with the two:\r\nhxxp://www.jkmusic.co[.]kr (182.162.94[.]42)\r\nhxxp://www.notebooksell[.]kr (183.111.169[.]84)\r\nBoth websites are registered in Korea and, at the time of publication, are not flagged as malicious by blacklisting websites including VirusTotal. Both are e-commerce sites which only use the HTTP protocol.\r\nFigure 7: screenshots of the two compromised websites used in the attack\r\nThe two IP addresses involved in this campaign are registered as follows:\r\nC2 Address | Description\r\n182.162.94[.]42 | AS 3786 (LG DACOM Corporation)\r\n183.111.169[.]84 | AS 4766 (Korea Telecom)\r\nSecuronix recommendations and mitigations\r\nContinue to be extra vigilant about unsolicited emails containing attachments, especially when a sense of urgency is stressed. In the case of the STARK#MULE campaign, these particular lures tend to prey upon the victims’ curiosity, which is another technique to be aware of.\r\nWhen it comes to prevention and detection, the Securonix Threat Research Team recommends:\r\n- Avoid opening any attachments, especially those that are unexpected or come from outside the organization; ZIP files in particular with regard to this campaign.\r\n- Implement an application whitelisting policy to restrict the execution of unknown binaries.\r\n- Monitor common malware staging directories, especially “C:\\ProgramData\\”, which was used in this attack campaign.\r\n- Deploy additional process-level logging, such as Sysmon and PowerShell logging, for additional log detection coverage.\r\nSecuronix customers can scan endpoints using the Securonix Seeder Hunting Queries below.\r\nMITRE ATT\u0026CK matrix\r\nTactic | Technique\r\nInitial Access | T1566: Phishing\r\nInitial Access | T1566.001: Phishing: Spearphishing Attachment\r\nExecution | T1204.002: User Execution: Malicious File\r\nExecution | T1059.001: Command and Scripting Interpreter: PowerShell\r\nDefense Evasion | T1204.002: User Execution: Malicious File\r\nDefense Evasion | T1059.001: Command and Scripting Interpreter: PowerShell\r\nPersistence | T1053.005: Scheduled Task/Job: Scheduled Task\r\nCommand and Control | T1573.001: Encrypted Channel: Symmetric Cryptography\r\nCommand and Control | T1105: Ingress Tool Transfer\r\nCommand and Control | T1571: Non-Standard Port\r\nResource Development | T1584.004: Compromise Infrastructure: Server\r\nExfiltration | T1567: Exfiltration Over Web Service\r\nAnalyzed file hashes\r\nFile Name | SHA256 (IoC)\r\n미군 구인공고 웹사이트 주소 및 사용방법 안내.zip | E4A8610461D3B3C534346B9C874EDFF6D37CA085D578365FF75B25F682EC5FD0\r\nMulti National Recruitment System Templete.pdf.zip | 6149D861F38DB6D6F5110B234EDB1BA31800F7EB621AD27B6CBF99F05DDEAE18\r\nMulti National Recruitment System.pdf | 019E4327B8292DAD32C92209A1E0FA03636381B1163AC57941CD8CC711A40097\r\nMulti National Recruitment System Templete.pdf.lnk | 89062A28F33021539AB3D197C124040177E5AE94A05E1AC7A4F1C852D6B498CF\r\nlsasetup.tmp | 7893C8B41A2E4281E73A1761061AC9EEE52920B6840E43697AABF606F701D11A\r\nThumbs.db | C90EBF988F96C9A51D6AD0B23AD7260C6B7F8D3B7C905ACC20E18A7227E46237\r\nconshost.exe | 6F11C52F01E5696B1AC0FAF6C19B0B439BA6F48F1F9851E34F0FA582B09DFA48\r\nRelevant Securonix detection policies\r\nEDR-SYM74-RUN\r\nEDR-ALL-82-RU\r\nEDR-ALL-782-RU\r\nCEDR-ALL-82-RU\r\nWEL-ALL-1084-RU\r\nEDR-ALL-979-RU\r\nWEL-ALL-1070-RU\r\nEDR-ALL-1215-ERR\r\nWEL-ALL-1186-ERR\r\nWEL-ALL-1205-RU\r\nEDR-ALL-1245-RU\r\nRelevant Spotter queries (be sure to remove square brackets “[ ]”)\r\n(rg_functionality = “Next Generation Firewall” OR rg_functionality = “Web Application Firewall” OR rg_functionality = “Web Proxy”) AND (destinationaddress = “182.162.94[.]42” OR destinationaddress = “183.111.169[.]84”)\r\nindex = activity AND rg_functionality = “Web Proxy” AND (requesturl CONTAINS “www.jkmusic.co[.]kr/shop/data/theme/e6a137162c56087” OR requesturl CONTAINS “www.jkmusic.co[.]kr/shop/data/theme/c9665058c3ef16b”)\r\nindex = activity AND rg_functionality = “Web Proxy” AND c-method = “POST” AND flowsiemid = “200” AND ipaddress = “183.111.169[.]84”\r\nindex = activity AND rg_functionality = “Endpoint Management Systems” AND (deviceaction = “Process Create” AND destinationprocessname ENDS WITH “conshost.exe”)\r\nindex = activity AND rg_functionality = “Microsoft Windows Powershell” AND scriptblocktext CONTAINS “Net.WebClient” AND scriptblocktext CONTAINS “www.jkmusic.co[.]kr”\r\nSource: https://www.securonix.com/blog/detecting-ongoing-starkmule-attack-campaign-targeting-victims-using-us-military-document-lures/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.securonix.com/blog/detecting-ongoing-starkmule-attack-campaign-targeting-victims-using-us-military-document-lures/"
	],
	"report_names": [
		"detecting-ongoing-starkmule-attack-campaign-targeting-victims-using-us-military-document-lures"
	],
	"threat_actors": [
		{
			"id": "6f30fd35-b1c9-43c4-9137-2f61cd5f031e",
			"created_at": "2025-08-07T02:03:25.082908Z",
			"updated_at": "2026-04-10T02:00:03.744649Z",
			"deleted_at": null,
			"main_name": "NICKEL FOXCROFT",
			"aliases": [
				"APT37 ",
				"ATK4 ",
				"Group 123 ",
				"InkySquid ",
				"Moldy Pisces ",
				"Operation Daybreak ",
				"Operaton Erebus ",
				"RICOCHET CHOLLIMA ",
				"Reaper ",
				"ScarCruft ",
				"TA-RedAnt ",
				"Venus 121 "
			],
			"source_name": "Secureworks:NICKEL FOXCROFT",
			"tools": [
				"Bluelight",
				"Chinotto",
				"GOLDBACKDOOR",
				"KevDroid",
				"KoSpy",
				"PoorWeb",
				"ROKRAT",
				"final1stpy"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "aa65d2c9-a9d7-4bf9-9d56-c8de16eee5f4",
			"created_at": "2025-08-07T02:03:25.096857Z",
			"updated_at": "2026-04-10T02:00:03.659118Z",
			"deleted_at": null,
			"main_name": "NICKEL JUNIPER",
			"aliases": [
				"Konni",
				"OSMIUM ",
				"Opal Sleet "
			],
			"source_name": "Secureworks:NICKEL JUNIPER",
			"tools": [
				"Konni"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b43c8747-c898-448a-88a9-76bff88e91b5",
			"created_at": "2024-02-02T02:00:04.058535Z",
			"updated_at": "2026-04-10T02:00:03.545252Z",
			"deleted_at": null,
			"main_name": "Opal Sleet",
			"aliases": [
				"Konni",
				"Vedalia",
				"OSMIUM"
			],
			"source_name": "MISPGALAXY:Opal Sleet",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bbe36874-34b7-4bfb-b38b-84a00b07042e",
			"created_at": "2022-10-25T15:50:23.375277Z",
			"updated_at": "2026-04-10T02:00:05.327922Z",
			"deleted_at": null,
			"main_name": "APT37",
			"aliases": [
				"APT37",
				"InkySquid",
				"ScarCruft",
				"Group123",
				"TEMP.Reaper",
				"Ricochet Chollima"
			],
			"source_name": "MITRE:APT37",
			"tools": [
				"BLUELIGHT",
				"CORALDECK",
				"KARAE",
				"SLOWDRIFT",
				"ROKRAT",
				"SHUTTERSPEED",
				"POORAIM",
				"HAPPYWORK",
				"Final1stspy",
				"Cobalt Strike",
				"NavRAT",
				"DOGCALL",
				"WINERACK"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "552ff939-52c3-421b-b6c9-749cbc21a794",
			"created_at": "2023-01-06T13:46:38.742547Z",
			"updated_at": "2026-04-10T02:00:03.08515Z",
			"deleted_at": null,
			"main_name": "APT37",
			"aliases": [
				"Operation Daybreak",
				"Red Eyes",
				"ScarCruft",
				"G0067",
				"Group123",
				"Reaper Group",
				"Ricochet Chollima",
				"ATK4",
				"APT 37",
				"Operation Erebus",
				"Moldy Pisces",
				"APT-C-28",
				"Group 123",
				"InkySquid",
				"Venus 121"
			],
			"source_name": "MISPGALAXY:APT37",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9b02c527-5077-489e-9a80-5d88947fddab",
			"created_at": "2022-10-25T16:07:24.103499Z",
			"updated_at": "2026-04-10T02:00:04.867181Z",
			"deleted_at": null,
			"main_name": "Reaper",
			"aliases": [
				"APT 37",
				"ATK 4",
				"Cerium",
				"Crooked Pisces",
				"G0067",
				"Geumseong121",
				"Group 123",
				"ITG10",
				"InkySquid",
				"Moldy Pisces",
				"Opal Sleet",
				"Operation Are You Happy?",
				"Operation Battle Cruiser",
				"Operation Black Banner",
				"Operation Daybreak",
				"Operation Dragon messenger",
				"Operation Erebus",
				"Operation Evil New Year",
				"Operation Evil New Year 2018",
				"Operation Fractured Block",
				"Operation Fractured Statue",
				"Operation FreeMilk",
				"Operation Golden Bird",
				"Operation Golden Time",
				"Operation High Expert",
				"Operation Holiday Wiper",
				"Operation Korean Sword",
				"Operation North Korean Human Right",
				"Operation Onezero",
				"Operation Rocket Man",
				"Operation SHROUDED#SLEEP",
				"Operation STARK#MULE",
				"Operation STIFF#BIZON",
				"Operation Spy Cloud",
				"Operation Star Cruiser",
				"Operation ToyBox Story",
				"Osmium",
				"Red Eyes",
				"Ricochet Chollima",
				"Ruby Sleet",
				"ScarCruft",
				"TA-RedAnt",
				"TEMP.Reaper",
				"Venus 121"
			],
			"source_name": "ETDA:Reaper",
			"tools": [
				"Agentemis",
				"BLUELIGHT",
				"Backdoor.APT.POORAIM",
				"CARROTBALL",
				"CARROTBAT",
				"CORALDECK",
				"Cobalt Strike",
				"CobaltStrike",
				"DOGCALL",
				"Erebus",
				"Exploit.APT.RICECURRY",
				"Final1stSpy",
				"Freenki Loader",
				"GELCAPSULE",
				"GOLDBACKDOOR",
				"GreezeBackdoor",
				"HAPPYWORK",
				"JinhoSpy",
				"KARAE",
				"KevDroid",
				"Konni",
				"MILKDROP",
				"N1stAgent",
				"NavRAT",
				"Nokki",
				"Oceansalt",
				"POORAIM",
				"PoohMilk",
				"PoohMilk Loader",
				"RICECURRY",
				"RUHAPPY",
				"RokRAT",
				"SHUTTERSPEED",
				"SLOWDRIFT",
				"SOUNDWAVE",
				"SYSCON",
				"Sanny",
				"ScarCruft",
				"StarCruft",
				"Syscon",
				"VeilShell",
				"WINERACK",
				"ZUMKONG",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434614,
	"ts_updated_at": 1775792286,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5852a6bc3cac355c497c3c1e51f8e329670dca6f.pdf",
		"text": "https://archive.orkl.eu/5852a6bc3cac355c497c3c1e51f8e329670dca6f.txt",
		"img": "https://archive.orkl.eu/5852a6bc3cac355c497c3c1e51f8e329670dca6f.jpg"
	}
}