{
	"id": "ef48cd4c-7a4e-4b28-8a5e-4f93333174bf",
	"created_at": "2026-04-06T00:16:11.071491Z",
	"updated_at": "2026-04-10T13:12:20.627112Z",
	"deleted_at": null,
	"sha1_hash": "7263b00a040f0f4ef128187ace6d9efb91f02d4c",
	"title": "IAmTheKing and the SlothfulMedia malware family",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 82399,
	"plain_text": "IAmTheKing and the SlothfulMedia malware family\r\nBy Ivan Kwiatkowski\r\nPublished: 2020-10-15 · Archived: 2026-04-05 13:26:50 UTC\r\nOn October 1, 2020, the DHS CISA agency released information about a malware family called SlothfulMedia, which they\r\nattribute to a sophisticated threat actor. We have been tracking this set of activity through our private reporting service, and\r\nwe would like to provide the community with additional context.\r\nIn June 2018, we published the first report on a new cluster of activities that we named IAmTheKing, based on malware\r\nstrings discovered in a malware sample from an unknown family. Amusingly, other strings present inside of it invited\r\n“kapasiky antivirus” to “leave [them] alone”.\r\nOver time, we identified three different malware families used by this threat actor, one of which was SlothfulMedia. The aim\r\nof this blog post is to introduce all of them and to provide data we have been able to gather about the attackers’ interests.\r\nKingOfHearts\r\nThis C++ backdoor, which contains the character strings discussed above, is the first element of this toolset we encountered.\r\nIt comes in EXE or DLL variants, and we have been able to find traces of this family dating back to 2014. We believe it was\r\ndistributed through spear-phishing e-mails containing malicious Word documents, but have been unable to obtain samples of\r\nthese. 
The infection process relies on a PowerShell script that downloads from a remote server a base64-encoded payload\r\nhidden in an image file.\r\nIn terms of capabilities, KingOfHearts offers nothing more than the basic features you would expect from a backdoor:\r\nArbitrary command execution\r\nFile system manipulation: listing drives and files, deleting, uploading and downloading data, etc.\r\nListing of running processes with the option to terminate any of them\r\nCapturing screenshots using a custom standalone utility, described below\r\nRather than developing sophisticated features, the malware developers instead opted to include anti-debugging and\r\nvirtualization detection routines. Communications with the C2 server take place over HTTP(S), implemented with the\r\nwsdlpull open source library. The backdoor looks for new orders every second by sending a heartbeat to the C2 (the\r\n“HEART” command, hence the name).\r\nWe identified two main development branches: one of them sends url-encoded POST data, and the other one sends JSON\r\nobjects. Both have been used concurrently and otherwise display the same capabilities: we cannot say what motivates\r\nattackers to choose the one or the other.\r\nQueenOfHearts\r\nFollowing our initial discovery, we identified another, more widespread malware family linked to the same threat actor.\r\nWhile it does not contain the anti-analysis countermeasures of its cousin, the rest of its features and overall design decisions\r\nmap to King of Hearts almost one to one. QueenOfHearts seems to have appeared somewhere in 2017. It is the family\r\ndesignated as PowerPool by our esteemed colleagues from ESET.\r\nQueenOfHearts also interacts with its C2 server over HTTP. It sends simple GET requests containing a backdoor identifier\r\nand optional victim machine information, then reads orders located in the cookie header of the reply. 
Orders come in the\r\nform of two-letter codes (e.g.: “xe” to list drives) which tend to vary between samples. As of today, this family is still in\r\nactive development, and we have observed code refactoring as well as incremental upgrades over 2020. For instance, earlier\r\nbackdoor responses were sent as base64-encoded payloads in POST requests. They are now compressed beforehand, and\r\nadditionally supplied through the cookie header.\r\nQueenOfClubs\r\nIn the course of our investigations, we discovered another malware strain that appeared to fill the same role as\r\nQueenOfHearts. This C++ backdoor also offers similar features as KingOfHearts, as well as the ability to execute arbitrary\r\nPowershell scripts. One minute difference is that in this one, screenshot capture capabilities are embedded directly into the\r\nprogram instead of being handled by a separate utility.\r\nhttps://securelist.com/iamtheking-and-the-slothfulmedia-malware-family/99000/\r\nPage 1 of 5\n\nIt contains a number of links to QueenOfHearts, namely:\r\nIdentical hardcoded file names can be found in both malware strains.\r\nWe observed a number of command and control servers concurrently handling traffic originating from both families.\r\nQueenOfHearts and QueenOfClubs were on occasion deployed simultaneously on infected machines.\r\nHowever, it is also our belief that they originate from two separate codebases, although their authors shared common\r\ndevelopment practices.\r\nThe malware designated as SlothfulMedia by US-CERT is an older variant of this family.\r\nJackOfHearts\r\nAstute readers will notice that we did not discuss persistence mechanisms for any of the two aforementioned families. In\r\nfact, both of them expect to run in an environment that has already been prepared for them. 
JackOfHearts is the dropper\r\nassociated with QueenOfHearts: its role is to write the malware somewhere on the disk (for instance:\r\n%AppData%\\mediaplayer.exe) and create a Windows service pointing to it as well as a shortcut in the startup folder that is\r\nalso used to immediately launch QueenOfHearts. This shortcut is the one that contains references to a “david” user\r\nhighlighted by the DHS CISA report.\r\nFinally, the dropper creates a self-deletion utility in the %TEMP% folder to remove itself from the filesystem.\r\nAs of 2020, JackOfHearts is still used to deploy QueenOfHearts.\r\nScreenshot capture utility\r\nA simple program that captures screenshots and saves them as “MyScreen.jpg”. It is sometimes embedded directly inside\r\nQueenOfHearts but has also been seen in conjunction with KingOfHearts.\r\nPowershell backdoor\r\nIn addition to these malware families, IAmTheKing also leverages an extensive arsenal of Powershell scripts. Recent\r\ninfection vectors have involved archives sent over e-mail which contain LNK files masquerading as Word documents.\r\nClicking on these links results in the execution of a Powershell backdoor that hides inside custom Windows event logs and\r\nretrieves additional scripts over HTTPS, DNS or even POP3S.\r\nThe C2 server provides PNG files, which contain additional Powershell scripts hidden through steganography. The code\r\nperforming this operation comes from the open-source project Invoke-PSImage. This allows operators to stage components\r\non the victim machine, such as:\r\nAn information-stealing utility written in Powershell that collects all documents found on the victim’s machine and\r\nsends them in password-protected RAR archives. These archives are sent back to the attackers over e-mail.\r\nA command execution utility which obtains orders from DNS TXT records. 
The code to accomplish this is derived\r\nfrom another open-source project, Nishang.\r\nAn information-gathering utility tasked with collecting running processes, disk drives and installed programs with\r\nWMI queries. It may also steal passwords saved by the Chrome browser.\r\nA spreader script that lists computers connected to the domain, and tries to open a share on each of them to copy a\r\nbinary and create a remote scheduled task.\r\nA home-made keylogger.\r\nQueenOfHearts, one of the malware families described above.\r\nLateral movement\r\nOnce the attackers have gained access to a machine through any of the tools described above, they leverage well-known\r\nsecurity testing programs to compromise additional machines on the network. In particular, we found evidence of the\r\nfollowing actions on the target:\r\nMicrosoft’s SysInternals suite: ProcDump to dump the exe process and PsExec to run commands on remote hosts.\r\nLaZagne and Mimikatz to collect credentials on infected machines.\r\nBuilt-in networking utilities such as ipconfig.exe, net.exe and ping.exe, etc. for network discovery.\r\nVictimology\r\nUntil very recently, IAmTheKing has focused exclusively on collecting intelligence from high-profile Russian entities.\r\nVictims include government bodies and defense contractors, public agencies for development, universities and companies in\r\nthe energy sector. This threat actor’s geographic area of interest is so specific that KingOfHearts, QueenOfHearts and even\r\nrecent versions of JackOfHearts include code referring specifically to the Russian language character set:\r\nIn 2020, we discovered rare incidents involving IAmTheKing in central Asian and Eastern European countries. The DHS\r\nCISA also reports activity in Ukraine and Malaysia. 
Our data however indicates that Russia overwhelmingly remains\r\nIAmTheKing’s primary area of operation.\r\nThere is currently debate within our team on whether this constitutes a slight shift in this threat actor’s targeting, or if its\r\ntoolset is now shared with other groups. We are unable to provide a definitive answer to this question at this juncture.\r\nConclusion\r\nWhile the public has only recently discovered this set of activity, IAmTheKing has been very active for a few years.\r\nConsidering the type of organizations that cybercriminals have been targeting, we felt that there was little public interest in\r\nraising awareness about this group beyond our trusted circle of industry partners. However, now that researchers have\r\nstarted investigating this threat actor, we want to assist the community as much as possible by providing this brief summary\r\nof our knowledge of IAmTheKing.\r\nBased on the type of information IAmTheKing is after, we believe that it is state-sponsored. Its toolset is rapidly evolving,\r\nand it is not afraid to experiment with non-standard communications channels. The group is characterized by a mastery of\r\ntraditional pentesting methodologies and a solid command of Powershell. Data available to us indicates that it has achieved\r\noperational success on numerous occasions.\r\nKaspersky will keep investigating incidents related to this group in the foreseeable future and has gathered a detailed view\r\nof their 2020 activity so far. We invite individuals or companies who think they might be – or have been – targeted by\r\nIAmTheKing to get in touch with us for additional information, or otherwise request access to our Threat Intelligence Portal\r\nfor regular updates on this threat actor.\r\nYARA rules\r\nIn virtually all our investigations, we write YARA rules to hunt for additional malware samples and get a better idea of each\r\nfamily’s prevalence. 
In the spirit of sharing knowledge with the community and assisting research efforts on this threat actor,\r\nwe are happy to release a few of these rules, which will allow defenders to identify recent samples from the families\r\ndescribed above. If you are unfamiliar with YARA or would like to learn more about the art of writing rules, please check\r\nout the online training written by members of GReAT.\r\nrule apt_IAmTheKing_KingOfHearts {\r\n  meta:\r\n    description = \"Matches IAmTheKing's KingOfHearts C++ implant\"\r\n    author = \"Kaspersky Lab\"\r\n    copyright = \"Kaspersky Lab\"\r\n    version = \"1.0\"\r\n    type = \"APT\"\r\n    filetype = \"PE\"\r\n    last_modified = \"2020-01-20\"\r\n  strings:\r\n    $payload_fmt = \"cookie=%s;type=%s;length=%s;realdata=%send\" ascii\r\n    $cmd1 = \"HEART\" ascii\r\n    $cmd2 = \"CMDINFO\" ascii\r\n    $cmd3 = \"PROCESSINFO\" ascii\r\n    $cmd4 = \"LISTDRIVE\" ascii\r\n    $cmd5 = \"LISTFILE\" ascii\r\n    $cmd6 = \"DOWNLOAD\" ascii\r\n  condition:\r\n    uint16(0) == 0x5A4D and filesize \u003c 1MB and\r\n    ($payload_fmt or all of ($cmd*))\r\n}\r\nrule apt_IAmTheKing_KingOfHearts_json {\r\n  meta:\r\n    description = \"Matches IAmTheKing's KingOfHearts JSON C++ implant\"\r\n    author = \"Kaspersky Lab\"\r\n    copyright = \"Kaspersky Lab\"\r\n    version = \"1.0\"\r\n    type = \"APT\"\r\n    filetype = \"PE\"\r\n    last_modified = \"2020-01-20\"\r\n  strings:\r\n    $user_agent = \"Mozilla/4.0 (compatible; )\" ascii\r\n    $error = \"write info fail!!! 
GetLastError--\u003e%u\" ascii\r\n    $multipart = \"Content-Type: multipart/form-data; boundary=--MULTI-PARTS-FORM-DATA-BOUNDARY\\x0D\\x0A\" ascii\r\n  condition:\r\n    uint16(0) == 0x5A4D and filesize \u003c 1MB and all of them\r\n}\r\nrule apt_IAmTheKing_QueenOfHearts_2020 {\r\n  meta:\r\n    author = \"Kaspersky\"\r\n    copyright = \"Kaspersky\"\r\n    version = \"1.0\"\r\n    type = \"APT\"\r\n    filetype = \"PE\"\r\n    description = \"Find IAmTheKing's QueenOfHearts 2020 variants\"\r\n    last_modified = \"2020-09-29\"\r\n  strings:\r\n    $s1 = \"www.yahoo.com\" fullword wide\r\n    $s2 =\r\n\"8AAAAHicJY9HDsIwFAXnMmQHIsGULKKIUPZwA0SNqCEIcXwGI+vL781vdknNjR17PvQ48eLKhZKGlsJMwoE7T2nBipSKNQtpy0PSlS\r\nascii\r\n    $s3 =\r\n\"kgAAAHicHYy7DoJAEEXPp2xMKJVEehoKSwsLSqMLCRh5BDTK33vWTHbuzpk7NzLQEMiJ9pmJDy0LK536tA7q1xfYcVJf7Km96jlz5yG\r\nascii\r\n    $s4 =\r\n\"2gAAAHicHY/JDoJAEAXrZ+SmEUSUAyEueNc/MOBCVFwwxs+3nEw6/V71lilp6Wg48GXEmTc3rpQ86SmsRBy585IWbIlZsqOS9jwkQ0m\r\nascii\r\n    $s5 = \"MyScreen.jpg\" fullword wide\r\n    $s6 = \"begin mainthread\" fullword wide\r\n    $s7 = \"begin mainthread ok\" fullword wide\r\n    $s8 = \"getcommand error\" fullword wide\r\n    $s9 = \"querycode error\" fullword wide\r\n    $s10 = \"{'session':[{'name':'admin_001','id':21,'time':12836123}],'jpg':\" fullword ascii\r\n    $s11 = \"cookie size :%d\" fullword wide\r\n    $s12 = \"send request error:%d\" fullword wide\r\n    $s13 = \"AABBCCDDEEFFGGHH\" fullword wide\r\n    $s14 = \" inflate 1.2.8 Copyright 1995-2013 Mark Adler \" fullword ascii\r\n    $s15 = \" Type Descriptor'\" fullword ascii\r\n    $s16 = \" constructor or from DllMain.\" fullword ascii\r\n    $s17 = \" Base Class Descriptor at (\" fullword ascii\r\n    $ex = 
\"ping 127.0.0.1\" ascii fullword\r\n  condition:\r\n    ( uint16(0) == 0x5A4D ) and\r\n    ( filesize \u003e 70KB and filesize \u003c 3MB ) and\r\n    ( 12 of them ) and\r\n    ( not $ex )\r\n}\r\nIndicators of Compromise\r\nSource: https://securelist.com/iamtheking-and-the-slothfulmedia-malware-family/99000/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MITRE",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://securelist.com/iamtheking-and-the-slothfulmedia-malware-family/99000/"
	],
	"report_names": [
		"99000"
	],
	"threat_actors": [
		{
			"id": "3262c97f-3311-49f5-807c-bcea4d8c9924",
			"created_at": "2022-10-25T16:07:23.717772Z",
			"updated_at": "2026-04-10T02:00:04.725048Z",
			"deleted_at": null,
			"main_name": "IAmTheKing",
			"aliases": [],
			"source_name": "ETDA:IAmTheKing",
			"tools": [
				"JackOfHearts",
				"KingOfHearts",
				"LaZagne",
				"Mimikatz",
				"ProcDump",
				"PsExec",
				"QueenOfClubs",
				"QueenOfHearts",
				"SLOTHFULMEDIA",
				"SlothfulMedia"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "62985c5c-6938-4365-8432-29573e99ecf4",
			"created_at": "2022-10-25T16:07:24.075092Z",
			"updated_at": "2026-04-10T02:00:04.859737Z",
			"deleted_at": null,
			"main_name": "PowerPool",
			"aliases": [],
			"source_name": "ETDA:PowerPool",
			"tools": [
				"ALPC Local PrivEsc",
				"FireMaster",
				"PowerDump",
				"PowerSploit",
				"Quarks PwDump",
				"SMBExec"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "adee5dfb-98d1-488f-969d-48eed28cd7e4",
			"created_at": "2023-01-06T13:46:38.799427Z",
			"updated_at": "2026-04-10T02:00:03.105089Z",
			"deleted_at": null,
			"main_name": "PowerPool",
			"aliases": [
				"IAmTheKing"
			],
			"source_name": "MISPGALAXY:PowerPool",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434571,
	"ts_updated_at": 1775826740,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7263b00a040f0f4ef128187ace6d9efb91f02d4c.pdf",
		"text": "https://archive.orkl.eu/7263b00a040f0f4ef128187ace6d9efb91f02d4c.txt",
		"img": "https://archive.orkl.eu/7263b00a040f0f4ef128187ace6d9efb91f02d4c.jpg"
	}
}