{
	"id": "21c43ede-ef34-478e-8544-eaceca768ee1",
	"created_at": "2026-04-06T00:14:04.427861Z",
	"updated_at": "2026-04-10T13:11:20.859562Z",
	"deleted_at": null,
	"sha1_hash": "74a8e4d2e0035e88c9c163c1b32640262793cdac",
	"title": "Distribution of Kimsuky Group’s xRAT (Quasar RAT) Confirmed",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 938483,
	"plain_text": "Distribution of Kimsuky Group’s xRAT (Quasar RAT) Confirmed\r\nBy ATCP\r\nPublished: 2022-01-27 · Archived: 2026-04-05 21:38:32 UTC\r\nOn January 26th, 2022, the ASEC analysis team has discovered that the Kimsuky group was using the xRAT\r\n(Quasar RAT-based open-source RAT) malware.\r\nxRAT Github Address: https://github.com/tidusjar/xRAT\r\nAccording to the logs collected by AhnLab’s ASD (AhnLab Smart Defense) infrastructure, the attacker installed a\r\nvariant of Gold Dragon on the first infected PC on January 24th. The basis for assuming that the obtained file is a\r\nvariant of Gold Dragon is as follows:\r\nInjection method is same as the method used by the original Gold Dragon (behavior of process hollowing\r\non iexplore.exe, svchost.exe,etc.)\r\nFeature of terminating AhnLab product’s real-time detection window class (49B46336-BA4D-4905-9824-\r\nD282F05F6576)\r\nTermination of Daum Cleaner (daumcleaner.exe) process\r\nThe attacker installed Gold Dragon through the exclusive installer (installer_sk5621.com.co.exe). The installer\r\ndownloads Gold Dragon compressed in the form of a Gzip file from the attacker’s server, decompresses it as\r\n“in[random 4 numbers].tmp” in the %temp% path, then executes it via rundll32.exe.\r\nhttps://asec.ahnlab.com/en/31089/\r\nPage 1 of 5\n\nThe installed Gold Dragon has 4 export functions.\r\nPerform\r\nProcess\r\nStart\r\nWork\r\nThe installer first executes Gold Dragon by giving the “Start” argument. Once the “Start” export function is\r\nexecuted, Gold Dragon copies itself to a certain path and registers the copied DLL to the autorun registry key. The\r\n“Perform” export function is given for DLL execution argument.\r\nFigure 1. Path for registry registration and self-copy\r\nIt is assumed that the info leaking feature of the variant that was discovered was modularized. 
The system-information collection feature normally used by Gold Dragon, which runs the following commands, is absent from this variant. This means that additional payloads can be downloaded from the attacker’s server to obtain system information.\r\ncmd.exe /c ipconfig/all \u003e\u003e”%s” \u0026 arp -a \u003e\u003e”%s”\r\ncmd.exe /c systeminfo \u003e\u003e”%s”\r\ncmd.exe /c tasklist \u003e\u003e”%s”\r\nInstead of collecting information through these system commands, the attacker additionally installs xRAT (file name: cp1093.exe) on the infected PC, which allows remote control of the system and performs the information-stealing functions. Once cp1093.exe is executed, it copies a legitimate PowerShell ISE binary (powershell_ise.exe) to the “C:\\ProgramData\\” path and executes xRAT inside it via process hollowing.\r\nFigure 2. xRAT malware\r\nThe attacker was also meticulous enough to distribute an additional file (UnInstall_kr5829.co.in.exe) along with xRAT to delete the traces of the attack from the target PC.\r\nFigure 3. 
Code related to deletion of traces of infection\r\nAhnLab is continuously monitoring and responding to such APT attacks. Users should refrain from opening attachments in emails from unknown sources and keep their security software updated to the latest version to prevent damage from information leakage.\r\nMD5\r\n070f0390aad17883cc8fad2dc8bc81ba\r\n40b428899db353bb0ea244d95b5b82d9\r\n4ea6cee3ecd9bbd2faf3af73059736df\r\nb841d27fb7fee74142be38cee917eda5\r\nAdditional IOCs are available on AhnLab TIP.\r\nURL\r\nhttp[:]//45[.]77[.]71[.]50[:]8082/\r\nhttps[:]//sk5621[.]com[.]co/\r\nFQDN\r\nkr5829[.]co[.]in\r\nsk5621[.]com[.]co\r\nSource: https://asec.ahnlab.com/en/31089/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://asec.ahnlab.com/en/31089/"
	],
	"report_names": [
		"31089"
	],
	"threat_actors": [
		{
			"id": "191d7f9a-8c3c-442a-9f13-debe259d4cc2",
			"created_at": "2022-10-25T15:50:23.280374Z",
			"updated_at": "2026-04-10T02:00:05.305572Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"Kimsuky",
				"Black Banshee",
				"Velvet Chollima",
				"Emerald Sleet",
				"THALLIUM",
				"APT43",
				"TA427",
				"Springtail"
			],
			"source_name": "MITRE:Kimsuky",
			"tools": [
				"Troll Stealer",
				"schtasks",
				"Amadey",
				"GoBear",
				"Brave Prince",
				"CSPY Downloader",
				"gh0st RAT",
				"AppleSeed",
				"Gomir",
				"NOKKI",
				"QuasarRAT",
				"Gold Dragon",
				"PsExec",
				"KGH_SPY",
				"Mimikatz",
				"BabyShark",
				"TRANSLATEXT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "760f2827-1718-4eed-8234-4027c1346145",
			"created_at": "2023-01-06T13:46:38.670947Z",
			"updated_at": "2026-04-10T02:00:03.062424Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"G0086",
				"Emerald Sleet",
				"THALLIUM",
				"Springtail",
				"Sparkling Pisces",
				"Thallium",
				"Operation Stolen Pencil",
				"APT43",
				"Velvet Chollima",
				"Black Banshee"
			],
			"source_name": "MISPGALAXY:Kimsuky",
			"tools": [
				"xrat",
				"QUASARRAT",
				"RDP Wrapper",
				"TightVNC",
				"BabyShark",
				"RevClient"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c8bf82a7-6887-4d46-ad70-4498b67d4c1d",
			"created_at": "2025-08-07T02:03:25.101147Z",
			"updated_at": "2026-04-10T02:00:03.846812Z",
			"deleted_at": null,
			"main_name": "NICKEL KIMBALL",
			"aliases": [
				"APT43 ",
				"ARCHIPELAGO ",
				"Black Banshee ",
				"Crooked Pisces ",
				"Emerald Sleet ",
				"ITG16 ",
				"Kimsuky ",
				"Larva-24005 ",
				"Opal Sleet ",
				"Ruby Sleet ",
				"SharpTongue ",
				"Sparking Pisces ",
				"Springtail ",
				"TA406 ",
				"TA427 ",
				"THALLIUM ",
				"UAT-5394 ",
				"Velvet Chollima "
			],
			"source_name": "Secureworks:NICKEL KIMBALL",
			"tools": [
				"BabyShark",
				"FastFire",
				"FastSpy",
				"FireViewer",
				"Konni"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "71a1e16c-3ba6-4193-be62-be53527817bc",
			"created_at": "2022-10-25T16:07:23.753455Z",
			"updated_at": "2026-04-10T02:00:04.73769Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"APT 43",
				"Black Banshee",
				"Emerald Sleet",
				"G0086",
				"G0094",
				"ITG16",
				"KTA082",
				"Kimsuky",
				"Larva-24005",
				"Larva-25004",
				"Operation Baby Coin",
				"Operation Covert Stalker",
				"Operation DEEP#DRIVE",
				"Operation DEEP#GOSU",
				"Operation Kabar Cobra",
				"Operation Mystery Baby",
				"Operation Red Salt",
				"Operation Smoke Screen",
				"Operation Stealth Power",
				"Operation Stolen Pencil",
				"SharpTongue",
				"Sparkling Pisces",
				"Springtail",
				"TA406",
				"TA427",
				"Thallium",
				"UAT-5394",
				"Velvet Chollima"
			],
			"source_name": "ETDA:Kimsuky",
			"tools": [
				"AngryRebel",
				"AppleSeed",
				"BITTERSWEET",
				"BabyShark",
				"BoBoStealer",
				"CSPY Downloader",
				"Farfli",
				"FlowerPower",
				"Gh0st RAT",
				"Ghost RAT",
				"Gold Dragon",
				"GoldDragon",
				"GoldStamp",
				"JamBog",
				"KGH Spyware Suite",
				"KGH_SPY",
				"KPortScan",
				"KimJongRAT",
				"Kimsuky",
				"LATEOP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Lovexxx",
				"MailPassView",
				"Mechanical",
				"Mimikatz",
				"MoonPeak",
				"Moudour",
				"MyDogs",
				"Mydoor",
				"Network Password Recovery",
				"PCRat",
				"ProcDump",
				"PsExec",
				"ReconShark",
				"Remote Desktop PassView",
				"SHARPEXT",
				"SWEETDROP",
				"SmallTiger",
				"SniffPass",
				"TODDLERSHARK",
				"TRANSLATEXT",
				"Troll Stealer",
				"TrollAgent",
				"VENOMBITE",
				"WebBrowserPassView",
				"xRAT"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434444,
	"ts_updated_at": 1775826680,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/74a8e4d2e0035e88c9c163c1b32640262793cdac.pdf",
		"text": "https://archive.orkl.eu/74a8e4d2e0035e88c9c163c1b32640262793cdac.txt",
		"img": "https://archive.orkl.eu/74a8e4d2e0035e88c9c163c1b32640262793cdac.jpg"
	}
}