{
	"id": "44ab1142-bd12-4a5b-aac7-fd63df3c49d4",
	"created_at": "2026-04-06T00:19:50.941961Z",
	"updated_at": "2026-04-10T13:13:05.602374Z",
	"deleted_at": null,
	"sha1_hash": "5ad493b7216e907980c75eb0208b6a3ddf74cb12",
	"title": "Kimsuky’s Use of GitHub for Malware Delivery and Exfiltration",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 101581,
	"plain_text": "Kimsuky’s Use of GitHub for Malware Delivery and Exfiltration\r\nArchived: 2026-04-05 20:45:52 UTC\r\n✅ Executive Summary:\r\n- S2W’s Threat Intelligence Center, TALON, has recently identified ongoing activity by the North Korea–backed\r\nAPT group Kimsuky involving the abuse of GitHub repositories. A detailed analysis was conducted on the latest\r\nobserved tactics.\r\n- The threat actor leveraged a malicious LNK file to download and execute additional PowerShell-based scripts\r\nfrom a GitHub repository.\r\n- To access the repository, the attacker embedded a hardcoded GitHub Private Token directly within the script.\r\n- The PowerShell script retrieved from the repository collects system metadata including last boot time, system\r\nconfiguration, and running processes, writes the information into a log file, and uploads it to the attacker-controlled repository.\r\n📌 Detailed Analysis\r\n1) NTS_Attach.zip\r\n- The ZIP archive contains an LNK file masquerading as an electronic tax invoice.\r\n2) 전자세금계산서.pdf.lnk\r\n- Executing the shortcut file disguised as a PDF launches a PowerShell command that downloads and runs an\r\nadditional malicious script.\r\n3) main.ps1\r\n- The dropped main.ps1 script downloads a decoy document and an additional malicious payload from a private\r\nGitHub repository operated by the threat actor. The script includes a hardcoded GitHub Private Token to access\r\nthe repository.\r\n  - GitHub Repository: hxxps://github[.]com/God0808RAMA/group_0721/\r\n- The decoy document impersonates an electronic tax invoice and is displayed upon execution.\r\n- The script then downloads a file named real.txt from the group_0721 repository. It replaces the string $upFolder\r\nwith a timestamped value (ntxBill_{MMdd_HHmm}), then re-uploads the modified script back to the attacker’s\r\nrepository using the filename real.txt_{MMdd_HHmm}.txt. This allows the attacker to dynamically manage\r\nscripts based on infection time.\r\nhttps://s2w.inc/en/resource/detail/920\r\nPage 1 of 3\r\n- To establish persistence, the script creates a file named MicrosoftEdgeUpdate.ps1 under the %AppData% path\r\nand writes a PowerShell code block defined in main.ps1.\r\n- This block downloads the previously uploaded real.txt_{MMdd_HHmm}.txt file, saves it as temporary.ps1\r\nunder %AppData%, and executes it.\r\n- A scheduled task is then created to repeatedly run temporary.ps1 at 30-minute intervals:\r\n  - Task Name: BitLocker MDM policy Refresh{DBHDFE12-496SDF-Q48D-SDEF-1865BCAD7E00}\r\n  - Trigger: One-time execution after 5 minutes, then every 30 minutes\r\n- This mechanism allows the attacker to automatically fetch and execute updated PowerShell scripts over time.\r\n- Additionally, a file named first.txt is downloaded from the repository, with folder names similarly modified to\r\nntxBill_{MMdd_HHmm}. It is saved as %AppData%\\temporary.ps1 and appears to be executed immediately after\r\ninitial infection, prior to the scheduled task being activated.\r\n4) temporary.ps1: Info-Stealer\r\n- The first downloaded first.txt (saved as temporary.ps1) functions as an info-stealer. It collects:\r\n  - IP address (first NIC, first IP)\r\n  - Current time (MMdd_HHmm)\r\n  - Last boot time\r\n  - OS information (Caption/Version/Build/Architecture)\r\n  - Hardware information (Manufacturer/Model/Domain/Memory from Win32_ComputerSystem)\r\n  - Device type: Notebook (Mobile) or Desktop\r\n  - OS installation date\r\n  - List of running processes\r\n- All collected data is written to a log file and uploaded to the attacker's repository under a folder named\r\nntxBill_{MMdd_HHmm}.\r\n5) temporary.ps1: Time Logger\r\n- The later-downloaded real.txt_{MMdd_HHmm}.txt file is also saved as temporary.ps1 and executed via the task\r\nscheduler. It creates a log file and records the last boot time, which is uploaded to the same folder\r\n(ntxBill_{MMdd_HHmm}).\r\n📌 GitHub Repositories used by Kimsuky\r\n- By analyzing the hardcoded token, investigators identified nine private repositories associated with the attacker\r\nas of August 20, 2025:\r\n  - group_0717/\r\n  - group_0721/\r\n  - test/\r\n  - hometax/\r\n  - group_0803/\r\n  - group_0805/\r\n  - group_0811/\r\n  - fsc_doc/\r\n  - repayment/\r\n- Commit history from these repositories revealed the email address used by the attacker during GitHub account\r\ncreation:\r\n  - Email: sahiwalsuzuki4[@]gmail.com\r\n- These repositories contained logs exfiltrated from infected systems, decoy documents used in the campaign, and\r\nfiles resembling payment reminders, business reports, and audit-related documents.\r\n- Notably, one test log generated by the info-stealer included the process names xeno_rat_server and rdpclip,\r\nindicating the presence of remote administration tools and clipboard monitoring.\r\n✅ Recommended Threat Detection and Mitigation Actions:\r\n- Given the group’s continued abuse of trusted infrastructure (such as GitHub) and the use of PowerShell-based\r\nmalware for information theft, the following actions are strongly recommended:\r\n  - Monitor traffic to api.github.com, especially PUT /repos/*/contents/ requests\r\n  - Detect the creation of scheduled tasks indicative of malware persistence mechanisms\r\n🧑‍💻 Report Author: S2W TALON\r\n👉 Contact us: https://s2w.inc/en/contact\r\n*The full report is available upon request and for QUAXAR subscribers.\r\nSource: https://s2w.inc/en/resource/detail/920",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://s2w.inc/en/resource/detail/920"
	],
	"report_names": [
		"920"
	],
	"threat_actors": [
		{
			"id": "191d7f9a-8c3c-442a-9f13-debe259d4cc2",
			"created_at": "2022-10-25T15:50:23.280374Z",
			"updated_at": "2026-04-10T02:00:05.305572Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"Kimsuky",
				"Black Banshee",
				"Velvet Chollima",
				"Emerald Sleet",
				"THALLIUM",
				"APT43",
				"TA427",
				"Springtail"
			],
			"source_name": "MITRE:Kimsuky",
			"tools": [
				"Troll Stealer",
				"schtasks",
				"Amadey",
				"GoBear",
				"Brave Prince",
				"CSPY Downloader",
				"gh0st RAT",
				"AppleSeed",
				"Gomir",
				"NOKKI",
				"QuasarRAT",
				"Gold Dragon",
				"PsExec",
				"KGH_SPY",
				"Mimikatz",
				"BabyShark",
				"TRANSLATEXT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "760f2827-1718-4eed-8234-4027c1346145",
			"created_at": "2023-01-06T13:46:38.670947Z",
			"updated_at": "2026-04-10T02:00:03.062424Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"G0086",
				"Emerald Sleet",
				"THALLIUM",
				"Springtail",
				"Sparkling Pisces",
				"Thallium",
				"Operation Stolen Pencil",
				"APT43",
				"Velvet Chollima",
				"Black Banshee"
			],
			"source_name": "MISPGALAXY:Kimsuky",
			"tools": [
				"xrat",
				"QUASARRAT",
				"RDP Wrapper",
				"TightVNC",
				"BabyShark",
				"RevClient"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c8bf82a7-6887-4d46-ad70-4498b67d4c1d",
			"created_at": "2025-08-07T02:03:25.101147Z",
			"updated_at": "2026-04-10T02:00:03.846812Z",
			"deleted_at": null,
			"main_name": "NICKEL KIMBALL",
			"aliases": [
				"APT43 ",
				"ARCHIPELAGO ",
				"Black Banshee ",
				"Crooked Pisces ",
				"Emerald Sleet ",
				"ITG16 ",
				"Kimsuky ",
				"Larva-24005 ",
				"Opal Sleet ",
				"Ruby Sleet ",
				"SharpTongue ",
				"Sparking Pisces ",
				"Springtail ",
				"TA406 ",
				"TA427 ",
				"THALLIUM ",
				"UAT-5394 ",
				"Velvet Chollima "
			],
			"source_name": "Secureworks:NICKEL KIMBALL",
			"tools": [
				"BabyShark",
				"FastFire",
				"FastSpy",
				"FireViewer",
				"Konni"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "71a1e16c-3ba6-4193-be62-be53527817bc",
			"created_at": "2022-10-25T16:07:23.753455Z",
			"updated_at": "2026-04-10T02:00:04.73769Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"APT 43",
				"Black Banshee",
				"Emerald Sleet",
				"G0086",
				"G0094",
				"ITG16",
				"KTA082",
				"Kimsuky",
				"Larva-24005",
				"Larva-25004",
				"Operation Baby Coin",
				"Operation Covert Stalker",
				"Operation DEEP#DRIVE",
				"Operation DEEP#GOSU",
				"Operation Kabar Cobra",
				"Operation Mystery Baby",
				"Operation Red Salt",
				"Operation Smoke Screen",
				"Operation Stealth Power",
				"Operation Stolen Pencil",
				"SharpTongue",
				"Sparkling Pisces",
				"Springtail",
				"TA406",
				"TA427",
				"Thallium",
				"UAT-5394",
				"Velvet Chollima"
			],
			"source_name": "ETDA:Kimsuky",
			"tools": [
				"AngryRebel",
				"AppleSeed",
				"BITTERSWEET",
				"BabyShark",
				"BoBoStealer",
				"CSPY Downloader",
				"Farfli",
				"FlowerPower",
				"Gh0st RAT",
				"Ghost RAT",
				"Gold Dragon",
				"GoldDragon",
				"GoldStamp",
				"JamBog",
				"KGH Spyware Suite",
				"KGH_SPY",
				"KPortScan",
				"KimJongRAT",
				"Kimsuky",
				"LATEOP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Lovexxx",
				"MailPassView",
				"Mechanical",
				"Mimikatz",
				"MoonPeak",
				"Moudour",
				"MyDogs",
				"Mydoor",
				"Network Password Recovery",
				"PCRat",
				"ProcDump",
				"PsExec",
				"ReconShark",
				"Remote Desktop PassView",
				"SHARPEXT",
				"SWEETDROP",
				"SmallTiger",
				"SniffPass",
				"TODDLERSHARK",
				"TRANSLATEXT",
				"Troll Stealer",
				"TrollAgent",
				"VENOMBITE",
				"WebBrowserPassView",
				"xRAT"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434790,
	"ts_updated_at": 1775826785,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5ad493b7216e907980c75eb0208b6a3ddf74cb12.pdf",
		"text": "https://archive.orkl.eu/5ad493b7216e907980c75eb0208b6a3ddf74cb12.txt",
		"img": "https://archive.orkl.eu/5ad493b7216e907980c75eb0208b6a3ddf74cb12.jpg"
	}
}