{
	"id": "eba7d6ef-2c59-4596-bd7c-82b38f452a61",
	"created_at": "2026-04-06T00:15:34.188693Z",
	"updated_at": "2026-04-10T03:37:41.077157Z",
	"deleted_at": null,
	"sha1_hash": "67bdf2b2c8b53204d5535a5b26bdced50e8493a5",
	"title": "CHM Malware Disguised as North Korea-related Questionnaire (Kimsuky)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2269913,
	"plain_text": "CHM Malware Disguised as North Korea-related Questionnaire\r\n(Kimsuky)\r\nBy ATCP\r\nPublished: 2023-03-07 · Archived: 2026-04-05 23:16:23 UTC\r\nAhnLab Security Emergency response Center (ASEC) has recently discovered a CHM malware which is assumed to have been created by the Kimsuky group. This malware type is the same as the one covered in the following ASEC blog posts and the analysis report on the malware distributed by the Kimsuky group, its goal being the exfiltration of user information.\r\nAnalysis Report on Malware Distributed by the Kimsuky Group – Oct 20, 2022\r\nAPT Attack Being Distributed as Windows Help File (*.chm) – Mar 17, 2022\r\nMalicious Help File Disguised as Missing Coins Report and Wage Statement (*.chm) – May 11, 2022\r\nThe CHM file has been compressed and is being distributed as an email attachment. The first email that is sent pretends to be an interview request about matters related to North Korea. If the email recipient accepts the interview, then a password-protected compressed file is sent as an attachment. Not only is this email pretending to be a North Korea-related interview identical to the one previously analyzed, but it also follows the same format of sending the malicious file only when a recipient replies to the email.\r\nMalware Disguised as Normal Documents (Kimsuky) – Feb 03, 2023\r\nWord File Provided as External Link When Replying to Attacker’s Email (Kimsuky) – July 26, 2022\r\nhttps://asec.ahnlab.com/en/49295/\r\nPage 1 of 6\r\nFigure 1. Distributed email\r\nFigure 2. Original email\r\nFigure 3. Inside the compressed file\r\nWhen the InterviewQuestionnaire(***).chm file is executed, a help document with actual questions appears as shown below, making it difficult for users to realize that the file is malicious.\r\nFigure 4. CHM disguised as a questionnaire\r\nThe CHM holds a malicious script, and, like the CHM malware covered before, it uses a shortcut object (ShortCut). The shortcut object is called through the Click method and the command in Item1 is executed. The command executed through ‘InterviewQuestionnaire(***).chm’ is as follows.\r\nExecuted Command: cmd, /c echo [Encoded Command] \u003e “%USERPROFILE%\\Links\\Document.dat” \u0026 start /MIN certutil -decode “%USERPROFILE%\\Links\\Document.dat” “%USERPROFILE%\\Links\\Document.vbs” \u0026 start /MIN REG ADD HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run /v Document /t REG_SZ /d “%USERPROFILE%\\Links\\Document.vbs” /f\r\nFigure 5. Malicious Script within CHM\r\nThus, the encoded command is saved to %USERPROFILE%\\Links\\Document.dat when the CHM is executed. The command that has been decoded by Certutil is saved to %USERPROFILE%\\Links\\Document.vbs. The threat actor also registered Document.vbs to the Run key (HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run) to ensure the malicious script would run persistently. Ultimately, Document.vbs executes the PowerShell script in hxxp://mpevalr.ria[.]monster/SmtInfo/demo.txt.\r\nFigure 6. (Top) A portion of Document.vbs’s code / (Bottom) A portion of the vbs code uncovered in a past report\r\nThe URL that Document.vbs connects to is currently unavailable, but a script assumed to have been downloaded from this address has been found. The confirmed script file is responsible for intercepting a user’s key inputs before saving them in a certain file and sending that file to the threat actor. In addition to reading the caption of the currently running ForegroundWindow and keylogging, it periodically checks the clipboard contents and saves them to the %APPDATA%\\Microsoft\\Windows\\Templates\\Pages_Elements.xml file. Afterward, it sends this file to hxxp://mpevalr.ria[.]monster/SmtInfo/show.php.\r\nFigure 7. (Top) A portion of demo.txt / (Bottom) A portion of the PowerShell script code from a past report\r\nAs can be seen from Figure 6 and Figure 7, Document.vbs (VBS script file) and demo.txt (PowerShell script file) have the same format as the malware that was analyzed in the ‘Analysis Report on Malware Distributed by the Kimsuky Group’ published on ATIP last year. With this in mind, users should take extreme caution as the Kimsuky group appears to be distributing phishing emails with malware strains in various forms like Word files and CHM.\r\n[File Detection]\r\nDropper/CHM.Generic (2023.03.07.00)\r\nData/BIN.Encoded (2023.03.07.00)\r\nDownloader/VBS.Agent.SC186747 (2023.03.07.00)\r\nTrojan/PowerShell.Agent.SC186246 (2023.02.09.00)\r\n[Behavior Detection]\r\nExecution/MDP.Cmd.M4230\r\nMD5\r\n0f41d386e30e9f5ae5be4a707823fd78\r\n726af41024d06df195784ae88f2849e4\r\n89c0e93813d3549efe7274a0b9597f6f\r\n9f560c90b7ba6f02233094ed03d9272e\r\nURL\r\nhttp[:]//mpevalr[.]ria[.]monster/SmtInfo/demo[.]txt\r\nhttp[:]//mpevalr[.]ria[.]monster/SmtInfo/show[.]php\r\nAdditional IOCs are available on AhnLab TIP.\r\nSource: https://asec.ahnlab.com/en/49295/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://asec.ahnlab.com/en/49295/"
	],
	"report_names": [
		"49295"
	],
	"threat_actors": [
		{
			"id": "191d7f9a-8c3c-442a-9f13-debe259d4cc2",
			"created_at": "2022-10-25T15:50:23.280374Z",
			"updated_at": "2026-04-10T02:00:05.305572Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"Kimsuky",
				"Black Banshee",
				"Velvet Chollima",
				"Emerald Sleet",
				"THALLIUM",
				"APT43",
				"TA427",
				"Springtail"
			],
			"source_name": "MITRE:Kimsuky",
			"tools": [
				"Troll Stealer",
				"schtasks",
				"Amadey",
				"GoBear",
				"Brave Prince",
				"CSPY Downloader",
				"gh0st RAT",
				"AppleSeed",
				"Gomir",
				"NOKKI",
				"QuasarRAT",
				"Gold Dragon",
				"PsExec",
				"KGH_SPY",
				"Mimikatz",
				"BabyShark",
				"TRANSLATEXT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "760f2827-1718-4eed-8234-4027c1346145",
			"created_at": "2023-01-06T13:46:38.670947Z",
			"updated_at": "2026-04-10T02:00:03.062424Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"G0086",
				"Emerald Sleet",
				"THALLIUM",
				"Springtail",
				"Sparkling Pisces",
				"Thallium",
				"Operation Stolen Pencil",
				"APT43",
				"Velvet Chollima",
				"Black Banshee"
			],
			"source_name": "MISPGALAXY:Kimsuky",
			"tools": [
				"xrat",
				"QUASARRAT",
				"RDP Wrapper",
				"TightVNC",
				"BabyShark",
				"RevClient"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c8bf82a7-6887-4d46-ad70-4498b67d4c1d",
			"created_at": "2025-08-07T02:03:25.101147Z",
			"updated_at": "2026-04-10T02:00:03.846812Z",
			"deleted_at": null,
			"main_name": "NICKEL KIMBALL",
			"aliases": [
				"APT43 ",
				"ARCHIPELAGO ",
				"Black Banshee ",
				"Crooked Pisces ",
				"Emerald Sleet ",
				"ITG16 ",
				"Kimsuky ",
				"Larva-24005 ",
				"Opal Sleet ",
				"Ruby Sleet ",
				"SharpTongue ",
				"Sparking Pisces ",
				"Springtail ",
				"TA406 ",
				"TA427 ",
				"THALLIUM ",
				"UAT-5394 ",
				"Velvet Chollima "
			],
			"source_name": "Secureworks:NICKEL KIMBALL",
			"tools": [
				"BabyShark",
				"FastFire",
				"FastSpy",
				"FireViewer",
				"Konni"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "71a1e16c-3ba6-4193-be62-be53527817bc",
			"created_at": "2022-10-25T16:07:23.753455Z",
			"updated_at": "2026-04-10T02:00:04.73769Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"APT 43",
				"Black Banshee",
				"Emerald Sleet",
				"G0086",
				"G0094",
				"ITG16",
				"KTA082",
				"Kimsuky",
				"Larva-24005",
				"Larva-25004",
				"Operation Baby Coin",
				"Operation Covert Stalker",
				"Operation DEEP#DRIVE",
				"Operation DEEP#GOSU",
				"Operation Kabar Cobra",
				"Operation Mystery Baby",
				"Operation Red Salt",
				"Operation Smoke Screen",
				"Operation Stealth Power",
				"Operation Stolen Pencil",
				"SharpTongue",
				"Sparkling Pisces",
				"Springtail",
				"TA406",
				"TA427",
				"Thallium",
				"UAT-5394",
				"Velvet Chollima"
			],
			"source_name": "ETDA:Kimsuky",
			"tools": [
				"AngryRebel",
				"AppleSeed",
				"BITTERSWEET",
				"BabyShark",
				"BoBoStealer",
				"CSPY Downloader",
				"Farfli",
				"FlowerPower",
				"Gh0st RAT",
				"Ghost RAT",
				"Gold Dragon",
				"GoldDragon",
				"GoldStamp",
				"JamBog",
				"KGH Spyware Suite",
				"KGH_SPY",
				"KPortScan",
				"KimJongRAT",
				"Kimsuky",
				"LATEOP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Lovexxx",
				"MailPassView",
				"Mechanical",
				"Mimikatz",
				"MoonPeak",
				"Moudour",
				"MyDogs",
				"Mydoor",
				"Network Password Recovery",
				"PCRat",
				"ProcDump",
				"PsExec",
				"ReconShark",
				"Remote Desktop PassView",
				"SHARPEXT",
				"SWEETDROP",
				"SmallTiger",
				"SniffPass",
				"TODDLERSHARK",
				"TRANSLATEXT",
				"Troll Stealer",
				"TrollAgent",
				"VENOMBITE",
				"WebBrowserPassView",
				"xRAT"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434534,
	"ts_updated_at": 1775792261,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/67bdf2b2c8b53204d5535a5b26bdced50e8493a5.pdf",
		"text": "https://archive.orkl.eu/67bdf2b2c8b53204d5535a5b26bdced50e8493a5.txt",
		"img": "https://archive.orkl.eu/67bdf2b2c8b53204d5535a5b26bdced50e8493a5.jpg"
	}
}