{
	"id": "10430914-1aab-4f07-ae1f-c8ce50f38eda",
	"created_at": "2026-04-06T00:18:15.521842Z",
	"updated_at": "2026-04-10T13:11:47.466013Z",
	"deleted_at": null,
	"sha1_hash": "6ccfbc9ad488bd5ec5718a6958d59f1a36b5fe22",
	"title": "Kimsuky Distributing CHM Malware Under Various Subjects",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2330522,
	"plain_text": "Kimsuky Distributing CHM Malware Under Various Subjects\r\nBy ATCP\r\nPublished: 2023-06-15 · Archived: 2026-04-05 22:00:20 UTC\r\nAhnLab Security Emergency response Center (ASEC) has continuously been tracking the Kimsuky group’s APT\r\nattacks. This post will cover the details confirmed during the past month of May. While the Kimsuky group often\r\nused document files for malware distribution, there have been many recent cases where CHM files were used in\r\ndistribution. Also, unlike in the past when the document files contained North Korea-related topics, the group is\r\nnow attempting to attack using a variety of subjects.\r\n(1) Cases of Distribution\r\nThe names of the distributed files found during May are as follows. They show a variety of subjects such as\r\ncryptocurrency, tax accounting, and contracts, and it seems the personal data of a certain individual is being used.\r\nFile Names Used in Distribution\r\n(Coinone)Client Transaction Confirmation.chm\r\n202305050017 Order Sheet (1).chm\r\nBITWAK Application Form.chm\r\nhttps://asec.ahnlab.com/en/54678/\r\nPage 1 of 10\n\n20230412_Tax Investigation Return Guidelines.chm\r\n2023 Annual Membership Fee Payment-related Materials(****).chm\r\nRevised Lease Contract.chm\r\nPayment Slip.chm\r\nLeague of Legends Restricted Account Notice (Riot Games).chm\r\nWritten Act for the 2023 1st Provisional General Meeting.chm\r\nTuition Receipt.chm\r\nCTP Lockup Cancellation Notice(***).chm\r\nMaterials for Publication Fees for Volume 23 Issue 5(***).chm\r\nRental(Renewal) Application Materials for Gumi General Business Support Center (***).chm\r\nListing Deliberation Materials.chm\r\n*** Proof of Social Insurance Subscription.chm\r\nTable 1. File names used in distribution\r\nThe CHM malware in distribution generates a normal help window upon execution and performs malicious\r\nbehaviors through the malicious script inside. 
It is not easy for users to notice the malicious behaviors, having\r\nbeen deceived with the help window disguised as a normal file. The help window generated in the user’s PC has a\r\ndifferent topic according to which particular field the target works in. Below are some of the common examples.\r\nFigure 1 shows the type that was disguised as a National Tax Service tax investigation return guide for users that\r\nmust file tax returns. The global income tax return season in Korea falls in May, and the threat actor seems to have\r\ntaken advantage of this fact.\r\nFigure 2 shows the type disguised as financial transaction data between certain users. The actual account number\r\nand transaction histories can be seen, and this may have been created using stolen personal data.\r\nFigure 3 shows the type disguised as cryptocurrency transaction data. Like the second case, it contains personal\r\ndata such as an actual user’s email and phone number.\r\nThere are also other types such as contracts, certificates, and order sheets as shown in Figure 4. These are the\r\nmajor files in distribution, but as there are files disguised as the household register of a certain individual, ticket\r\nreservation details, and other topics, users are advised to practice particular caution.\r\n(2) Operation Process\r\nThe overall operation flow of this CHM type is shown in Figure 5. Additional scripts are downloaded to exfiltrate\r\nuser information and download additional malware. Each step is outlined below.\r\nThe malicious script in the CHM is shown in Figure 6. 
Malicious commands are executed through a shortcut\r\nobject, and this object is called through the Click method.\r\nExecuted Command\r\ncmd, /c start /MIN REG ADD HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run /v oeirituttvv\r\n/t REG_SZ /d “%USERPROFILE%\\Links\\oeirituttvv.vbs” /f \u0026 echo [Encoded command] \u003e\r\n“%USERPROFILE%\\Links\\oeirituttbb.dat” \u0026 echo [Encoded command] \u003e\r\n“%USERPROFILE%\\Links\\oeirituttvv.dat” \u0026 start /MIN certutil -decode\r\n“%USERPROFILE%\\Links\\oeirituttvv.dat” “%USERPROFILE%\\Links\\oeirituttvv.vbs” \u0026 start /MIN\r\ncertutil -decode “%USERPROFILE%\\Links\\oeirituttbb.dat” “%USERPROFILE%\\Links\\oeirituttbb.bat” \u0026\r\nstart /MIN timeout -t 1 /nobreak \u0026 start /MIN CScript “%USERPROFILE%\\Links\\oeirituttvv.vbs” \u0026 start\r\n/MIN timeout -t 2 /nobreak \u0026 start /MIN CScript “%USERPROFILE%\\Links\\oeirituttvv.vbs\r\nThis command saves two encoded commands under “%USERPROFILE%\\Links\\oeirituttbb.dat” and\r\n“%USERPROFILE%\\Links\\oeirituttvv.dat” and saves the commands decrypted through certutil in the files\r\noeirituttbb.vbs and oeirituttvv.bat. Afterward, it runs oeirituttbb.vbs and registers oeirituttbb.vbs to the RUN key\r\nto enable it to run continuously.\r\nOeirituttbb.vbs is a runner that runs the oeirituttvv.bat file created with it. oeirituttvv.bat downloads additional\r\nmalicious files through curl. Two files are downloaded: a BAT file and a CAB file.\r\nDownload URL\r\nhxxp://vndjgheruewy1[.]com/tnd/pung03.txt\r\nhxxp://vndjgheruewy1[.]com/tnd/qung03.txt\r\nThe downloaded BAT file (pung03.bat) decompresses the CAB file (qung03.cab), then runs temprr03.bat. The\r\nCAB file contains a total of 6 scripts. 
The features of each script are outlined in Table 2.\r\nFile Name Feature\r\ntemprr03.bat Runs loyes03.bat\r\nloyes03.bat Registers to RunKey (mnasrt.vbs); runs loyestemp03.bat; runs dwpp.vbs\r\nmnasrt.vbs Runs loyes03.bat\r\nloyestemp03.bat Collects user information; runs uwpp.vbs\r\ndwpp.vbs Downloads CAB\r\nuwpp.vbs Uploads user information\r\nTable 2. Features of each script\r\nThe final malicious behaviors performed by this script are exfiltrating user information and downloading\r\nadditional malicious files.\r\nFile Name Saved Information\r\ncudk.txt List of files on the Desktop (including subfolders)\r\nipif.txt IP information\r\nstif.txt System information\r\nTable 3. Exfiltrated information\r\nThe code for the exfiltration of user information is shown in Figure 9, and the pieces of exfiltrated information are\r\nshown in Table 3. User information is collected through loyestemp03.bat, and uwpp.vbs sends the collected\r\ninformation along with the PC name to “hxxp://vndjgheruewy1[.]com/uun06/uwpp.php”.\r\nThe code for file download is shown in Figure 10. It seems that the threat actor checks the stolen user information,\r\nand only when the system is a target of attack, uploads additional malicious files to the C2. If the system is a\r\ntarget, the threat actor uploads files with the infected PC’s name. Infected PCs continuously make attempts to\r\ndownload through the script registered to RunKey, and when additional files are uploaded, the files are\r\ndownloaded. 
It then decompresses the downloaded files through the expand command before executing them.\r\nThis allows us to assume that the additional file is also a CAB file.\r\nDownload URL\r\nhxxp://vndjgheruewy1[.]com/jun06/dw_%COMPUTERNAME%.dat\r\nAs such, more elaborate attacks have become possible because the types of malicious files downloaded may differ\r\naccording to the attack target. Recently, there has been an increase in malware distribution targeting particular\r\nusers using personal information. Cases of using CHM files in APT attacks are also commonly found. Users must\r\ncarefully check the senders of emails and refrain from opening files from unknown sources. They should also\r\nperform routine PC checks and always keep their security products updated to the latest version.\r\n[File Detection]\r\nDownloader/CHM.Generic (2023.06.03.00)\r\nTrojan/BAT.Runner (2023.06.17.00)\r\nTrojan/VBS.Runner (2023.06.17.00)\r\nDownloader/BAT.Generic (2023.06.17.00)\r\nDownloader/VBS.Generic (2023.06.17.00)\r\nInfostealer/BAT.Generic (2023.06.17.00)\r\nInfostealer/VBS.Generic (2023.06.17.00)\r\nMD5\r\n075160d6c8d82b96d1ae7893761695a6\r\n7c7b8dd6dd4ba7b443e84287671f0e79\r\n9861999409cdbc1f7c4c1079d348697c\r\n98764ae00cee9f2cc87530601c159387\r\nae6fdb8945991b587ab790c2121345ce\r\nAdditional IOCs are available on AhnLab TIP.\r\nURL\r\nhttp[:]//vndjgheruewy1[.]com/jun06/dw_%COMPUTERNAME%[.]dat\r\nhttp[:]//vndjgheruewy1[.]com/tnd/pung03[.]txt\r\nhttp[:]//vndjgheruewy1[.]com/tnd/qung03[.]txt\r\nhttp[:]//vndjgheruewy1[.]com/uun06/uwpp[.]php\r\nSource: https://asec.ahnlab.com/en/54678/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://asec.ahnlab.com/en/54678/"
	],
	"report_names": [
		"54678"
	],
	"threat_actors": [
		{
			"id": "191d7f9a-8c3c-442a-9f13-debe259d4cc2",
			"created_at": "2022-10-25T15:50:23.280374Z",
			"updated_at": "2026-04-10T02:00:05.305572Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"Kimsuky",
				"Black Banshee",
				"Velvet Chollima",
				"Emerald Sleet",
				"THALLIUM",
				"APT43",
				"TA427",
				"Springtail"
			],
			"source_name": "MITRE:Kimsuky",
			"tools": [
				"Troll Stealer",
				"schtasks",
				"Amadey",
				"GoBear",
				"Brave Prince",
				"CSPY Downloader",
				"gh0st RAT",
				"AppleSeed",
				"Gomir",
				"NOKKI",
				"QuasarRAT",
				"Gold Dragon",
				"PsExec",
				"KGH_SPY",
				"Mimikatz",
				"BabyShark",
				"TRANSLATEXT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "760f2827-1718-4eed-8234-4027c1346145",
			"created_at": "2023-01-06T13:46:38.670947Z",
			"updated_at": "2026-04-10T02:00:03.062424Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"G0086",
				"Emerald Sleet",
				"THALLIUM",
				"Springtail",
				"Sparkling Pisces",
				"Thallium",
				"Operation Stolen Pencil",
				"APT43",
				"Velvet Chollima",
				"Black Banshee"
			],
			"source_name": "MISPGALAXY:Kimsuky",
			"tools": [
				"xrat",
				"QUASARRAT",
				"RDP Wrapper",
				"TightVNC",
				"BabyShark",
				"RevClient"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c8bf82a7-6887-4d46-ad70-4498b67d4c1d",
			"created_at": "2025-08-07T02:03:25.101147Z",
			"updated_at": "2026-04-10T02:00:03.846812Z",
			"deleted_at": null,
			"main_name": "NICKEL KIMBALL",
			"aliases": [
				"APT43 ",
				"ARCHIPELAGO ",
				"Black Banshee ",
				"Crooked Pisces ",
				"Emerald Sleet ",
				"ITG16 ",
				"Kimsuky ",
				"Larva-24005 ",
				"Opal Sleet ",
				"Ruby Sleet ",
				"SharpTongue ",
				"Sparking Pisces ",
				"Springtail ",
				"TA406 ",
				"TA427 ",
				"THALLIUM ",
				"UAT-5394 ",
				"Velvet Chollima "
			],
			"source_name": "Secureworks:NICKEL KIMBALL",
			"tools": [
				"BabyShark",
				"FastFire",
				"FastSpy",
				"FireViewer",
				"Konni"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "71a1e16c-3ba6-4193-be62-be53527817bc",
			"created_at": "2022-10-25T16:07:23.753455Z",
			"updated_at": "2026-04-10T02:00:04.73769Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"APT 43",
				"Black Banshee",
				"Emerald Sleet",
				"G0086",
				"G0094",
				"ITG16",
				"KTA082",
				"Kimsuky",
				"Larva-24005",
				"Larva-25004",
				"Operation Baby Coin",
				"Operation Covert Stalker",
				"Operation DEEP#DRIVE",
				"Operation DEEP#GOSU",
				"Operation Kabar Cobra",
				"Operation Mystery Baby",
				"Operation Red Salt",
				"Operation Smoke Screen",
				"Operation Stealth Power",
				"Operation Stolen Pencil",
				"SharpTongue",
				"Sparkling Pisces",
				"Springtail",
				"TA406",
				"TA427",
				"Thallium",
				"UAT-5394",
				"Velvet Chollima"
			],
			"source_name": "ETDA:Kimsuky",
			"tools": [
				"AngryRebel",
				"AppleSeed",
				"BITTERSWEET",
				"BabyShark",
				"BoBoStealer",
				"CSPY Downloader",
				"Farfli",
				"FlowerPower",
				"Gh0st RAT",
				"Ghost RAT",
				"Gold Dragon",
				"GoldDragon",
				"GoldStamp",
				"JamBog",
				"KGH Spyware Suite",
				"KGH_SPY",
				"KPortScan",
				"KimJongRAT",
				"Kimsuky",
				"LATEOP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Lovexxx",
				"MailPassView",
				"Mechanical",
				"Mimikatz",
				"MoonPeak",
				"Moudour",
				"MyDogs",
				"Mydoor",
				"Network Password Recovery",
				"PCRat",
				"ProcDump",
				"PsExec",
				"ReconShark",
				"Remote Desktop PassView",
				"SHARPEXT",
				"SWEETDROP",
				"SmallTiger",
				"SniffPass",
				"TODDLERSHARK",
				"TRANSLATEXT",
				"Troll Stealer",
				"TrollAgent",
				"VENOMBITE",
				"WebBrowserPassView",
				"xRAT"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434695,
	"ts_updated_at": 1775826707,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6ccfbc9ad488bd5ec5718a6958d59f1a36b5fe22.pdf",
		"text": "https://archive.orkl.eu/6ccfbc9ad488bd5ec5718a6958d59f1a36b5fe22.txt",
		"img": "https://archive.orkl.eu/6ccfbc9ad488bd5ec5718a6958d59f1a36b5fe22.jpg"
	}
}