{
	"id": "65dc1fd3-e5cb-4520-8812-adabb47c7c3a",
	"created_at": "2026-04-06T00:19:26.903644Z",
	"updated_at": "2026-04-10T03:37:40.637168Z",
	"deleted_at": null,
	"sha1_hash": "7cb3a6de237181a43b5609c14cf9e48733532d00",
	"title": "Trend Analysis on Kimsuky Group’s Attacks Using AppleSeed - ASEC",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 533889,
	"plain_text": "Trend Analysis on Kimsuky Group’s Attacks Using AppleSeed -\r\nASEC\r\nBy ATCP\r\nPublished: 2023-12-21 · Archived: 2026-04-05 14:26:06 UTC\r\nKnown to be supported by North Korea, the Kimsuky threat group has been active since 2013. At first, they\r\nattacked North Korea-related research institutes in South Korea before attacking a South Korean energy\r\ncorporation in 2014. Since 2017, attacks targeting countries other than South Korea have also been observed. [1]\r\nThe group usually launches spear phishing attacks against national defense, defense industries, media, diplomacy,\r\nnational organizations, and academic sectors. Their attacks aim to steal internal information and technology from\r\norganizations. [2]\r\nWhile the Kimsuky group typically uses spear phishing attacks for initial access, most of their recent attacks\r\ninvolve the use of shortcut-type malware in LNK file format. Although LNK malware comprises a large part of\r\nrecent attacks, cases using JavaScript or malicious documents continue to be detected.\r\nSuch attack cases that use JavaScript-type malware usually involve the distribution of AppleSeed, which was\r\ncovered in a past report titled “Analysis Report on Kimsuky Group’s APT Attacks (AppleSeed, PebbleDash)”. [3]\r\nThis report was published in November 2021, but the Kimsuky group is still using AppleSeed in their attacks. In\r\naddition to JavaScript, Excel macro malware is also used to install AppleSeed. [4]\r\nA notable point about attacks that use AppleSeed is that similar methods of attack have been used for many years\r\nwith no significant changes to the malware that is used together. 
Another point of interest is that the group still\r\nuses the same Infostealer and RDP Patch malware files that were first identified in 2022, which are used after the\r\ngroup takes control over an infected system.\r\nThis post will cover the characteristics of malware used in recent attack cases in comparison to the past report. For\r\nexample, while the same AppleSeed is still being used, arguments are now checked to obstruct analysis, and a variant of\r\nAppleSeed named AlphaSeed is being used. Another notable fact is that while in the past the group typically used\r\nRDP to control the infected system after installing AppleSeed, they are often observed installing Chrome Remote\r\nDesktop in recent cases. [5]\r\n1. AppleSeed\r\nAppleSeed is a backdoor that can receive the threat actor’s commands from the C\u0026C server and execute the\r\nreceived commands. The threat actor can use AppleSeed to control the infected system. It also offers features such\r\nas a downloader that installs additional malware, keylogging, taking screenshots, and stealing information by\r\ncollecting files from the user system and sending them.\r\nAs in past attack cases, AppleSeed is frequently distributed via a JavaScript dropper. The JavaScript dropper is\r\nresponsible for installing AppleSeed while simultaneously creating and opening document files such as HWP and\r\nhttps://asec.ahnlab.com/en/60054/\r\nPage 1 of 8\n\nPDF. Due to this, ordinary users are deceived into thinking that a legitimate document file has been opened.\r\nWhile the installed AppleSeed is similar to the one from the past, since early 2022, AppleSeed has been created by\r\na dropper instead of being installed directly by the JavaScript malware. Not only was a dropper added to the installation\r\nprocess, but a feature that checks the arguments upon malware execution was also added. AppleSeed, which is in DLL format,\r\nis installed via the Regsvr32 process, during which the “/i” option is used to pass an argument. 
AppleSeed checks\r\nthis argument and proceeds with installation only when it matches a certain string; otherwise, it deletes itself.\r\nBecause of this, the AppleSeed DLL alone, run without the expected argument, does not perform malicious behaviors in a sandbox environment.\r\nAppleSeed execution argument – example: regsvr32.exe /s /n /i:1qa2ws4rf “C:\\Users\\{UserName}\\AppData\\Roaming\\FoxitReader\\Service\\FoxitReaderUpdate.db”\r\nPeriod List of Arguments\r\nPast\r\n123qweasdzxc\r\n123qweASDTYU\r\n12345QWERTY\r\n1q2w3e4r!\r\n2wsx!QAZ3edc\r\n$%ERT345ert\r\nRecent\r\n12qw3ed\r\n1qa2ws4rf\r\nTable 1. Arguments used when installing AppleSeed\r\nAppleSeed is installed in the “%APPDATA%” or “%PROGRAMDATA%” path. The specific folder and file name\r\nare disguised to look like a legitimate program or file, such as antivirus software, Chrome, or Adobe. While AppleSeed\r\nwas often installed in the “%PROGRAMDATA%” path in the past, “%APPDATA%” has been used\r\nfrequently in recent cases. The following table summarizes the various paths AppleSeed has been installed in. 
Paths used in\r\nattacks in the past several months were sorted separately.\r\nPeriod Installation Path\r\nPast %APPDATA%\\EastSoft\\Control\\Service\\EastSoftUpdate.dll\r\n%APPDATA%\\ESTsoft\\AlLUpdate\\AlCommon.dll\r\n%APPDATA%\\ESTsoft\\Common\\ESTCommon.dll\r\n%APPDATA%\\ESTsoft\\Common\\ko-kr.dll\r\n%APPDATA%\\ESTsoft\\updat\\ESTCommon.dll\r\n%APPDATA%\\Microsoft\\Windows\\Defender\\AutoUpdate.dll\r\n%APPDATA%\\Microsoft\\Windows\\Defender\\patch.dll\r\n%PROGRAMDATA%\\Firmware\\ESTsoft\\Common\\ESTCommon.dll\r\n%PROGRAMDATA%\\Firmware\\Microsoft\\Windows\\Defender\\AutoUpdate.dll\r\n%PROGRAMDATA%\\Software\\Ahnlab\\Service\\AutoService.dll\r\n%PROGRAMDATA%\\Software\\ControlSet\\Service\\ServiceScheduler.dll\r\n%PROGRAMDATA%\\Software\\Defender\\Windows\\Update\\AutoUpdate.dll\r\n%PROGRAMDATA%\\Software\\ESTsoft\\Common\\ESTCommon.dll\r\n%PROGRAMDATA%\\Software\\Microsoft\\AvastAntiVirus\\AvastUpdate.dll\r\n%PROGRAMDATA%\\Software\\Microsoft\\Avg\\AvgSkin.dll\r\n%PROGRAMDATA%\\software\\microsoft\\iecleaner\\cpature\\iecaptureclean.dll\r\n%PROGRAMDATA%\\Software\\Microsoft\\Network\\NetworkService.dll\r\n%PROGRAMDATA%\\Software\\Microsoft\\Printer\\PrinterService.dll\r\n%PROGRAMDATA%\\Software\\Microsoft\\Service\\TaskScheduler.dll\r\n%PROGRAMDATA%\\Software\\Microsoft\\Windows\\AutoDefender\\UpdateDB.dll\r\n%PROGRAMDATA%\\Software\\Microsoft\\Windows\\AutoPatch\\patch.dll\r\n%PROGRAMDATA%\\Software\\Microsoft\\Windows\\Chrome\\GoogleUpdate.dll\r\n%PROGRAMDATA%\\Software\\Microsoft\\WIndows\\Defender\\AutoCheck.dll\r\n%PROGRAMDATA%\\Software\\Microsoft\\Windows\\Defender\\AutoUpdate.dll\r\n%PROGRAMDATA%\\Software\\Microsoft\\Windows\\Defender\\update.dll\r\n%PROGRAMDATA%\\Software\\Microsoft\\Windows\\Explorer\\FontChecker.dll\r\n%PROGRAMDATA%\\Software\\Microsoft\\Windows\\FontChecker.dll\r\n%PROGRAMDATA%\\Software\\Microsoft\\Windows\\MDF\\WDFSync\\WDFSync.dll\r\n%PROGRAMDATA%\\Software\\Microsoft\\Windows\\MetaSec\\MetaSecurity.dll\r\n%PROGRAMDATA%\\Software\\Microsoft\\Windows\\Patch\\patch.dll\r\n%PROGRAMDATA%\\Software\\Microsoft\\Windows\\Protect\\ProtectUpdate.dll\r\n%PROGRAMDATA%\\Software\\Microsoft\\Windows\\Secrity\\AutoCheck.dll\r\nRecent\r\n%APPDATA%\\Abode\\Service\\AdobeService.dll\r\n%APPDATA%\\Acrobatreader\\Service\\AcrobatReaderUpdate.db\r\n%APPDATA%\\chrome\\Service\\updategoogle.dll\r\n%APPDATA%\\EastSoft\\Control\\Service\\EastSoftUpdate.dll\r\n%APPDATA%\\FoxitReader\\Service\\FoxitReaderUpdate.db\r\n%APPDATA%\\ProtectSoft\\Update\\Service\\ProtectSoftUpdate.db\r\nTable 2. AppleSeed’s installation paths\r\n2. AlphaSeed\r\nAlphaSeed is malware developed in Golang that supports features similar to those of AppleSeed, such as command\r\nexecution and infostealing. Due to these similarities and the path name contained in the binary, S2W named this\r\nmalware AlphaSeed. [6]\r\nThough most of its features are similar to those of AppleSeed, there are some differences as well. AlphaSeed was\r\ndeveloped in Golang and uses ChromeDP for communications with the C\u0026C server. When receiving commands\r\nfrom the threat actor or exfiltrating collected information, AppleSeed generally used the HTTP protocol or email\r\n(SMTP and IMAPS). AlphaSeed also uses email protocols to communicate with the C\u0026C, but instead of directly\r\nsending an email, it uses a tool called ChromeDP. The login process is also different: instead of using an ID and\r\npassword, it uses cookie values to log into certain accounts.\r\nAlphaSeed has been used in attacks since at least October 2022. Like AppleSeed, AlphaSeed attacks\r\nuse a JavaScript dropper. Because the binary itself is in DLL format and runs via the Regsvr32 process, the\r\nactual installation process is also similar to that of AppleSeed.\r\nThe threat actor sometimes installs AlphaSeed and AppleSeed together on the same target system. 
Although the\r\ninitial distribution stage in the following case has not been identified, given that AlphaSeed and\r\nAppleSeed were installed at almost the same point in time and that certutil.exe was used, it seems that, as in most\r\ncases, the two malware were installed by a JavaScript dropper.\r\nThe AlphaSeed identified around October 2022 had the path name “E:/golang/src/naver_crawl/” in the binary,\r\nwhile the binary in the version used in attacks from around May 2023 until recently contained the path\r\n“E:/Go_Project/src/alpha/naver_crawl_spy/”.\r\n3. Meterpreter\r\nMetasploit is a penetration testing framework: a set of tools that can be used to inspect security vulnerabilities\r\nin the networks and systems of companies and organizations, providing various features for each penetration test\r\nstage. Meterpreter is a backdoor provided by Metasploit and is used to control infected systems.\r\nThe Kimsuky group has often used Meterpreter in attack processes involving AppleSeed. [7] In the first half of\r\n2023, a Meterpreter Stager developed in Golang was identified. [8] However, the recently distributed version of\r\nMeterpreter was self-developed using C++ instead of Golang.\r\n4. VNC – TightVNC, HVNC (TinyNuke)\r\nAside from using RDP, the Kimsuky group also develops VNC malware to control the infected system. [9] There\r\nare two types that have been used since the initial discovery: TightVNC and HVNC.\r\nTightVNC is an open-source VNC utility, and the threat actor customizes it for their own use. The Kimsuky group\r\ndistributes TightVNC customized so that the Reverse VNC feature can be used independently in the\r\ninfected environment without installing a service. 
As such, simply running tvnserver allows the attacker, via the\r\ntvnviewer that operates on the C\u0026C server, to gain control of the screen of the infected system.\r\nTinyNuke, also known as Nuclear Bot, is banking malware discovered in 2016. It includes features such as\r\nHVNC (HiddenDesktop/VNC), reverse SOCKS4 proxy, and form grabbing. As its source code was disclosed in\r\n2017, TinyNuke is used by various threat actors, and out of its features, the HVNC and reverse SOCKS4 proxy\r\nfeatures are partially borrowed by other malware such as AveMaria and BitRAT.\r\nAmong the various features offered by TinyNuke, the Kimsuky group only enables the HVNC feature before\r\ndistributing it. TinyNuke uses the string “AVE_MARIA” for verification when establishing an HVNC\r\ncommunication session between server and client. The Kimsuky group either uses this string without modification\r\nor uses the string “LIGHT’S BOMB” instead. Since the first half of 2022, the string “Alpha’s nuke” has been\r\nused, which was also found in recently identified versions.\r\n5. Conclusion\r\nThe Kimsuky threat group continuously launches spear phishing attacks against South Korean users. The group\r\nusually distributes malware disguised as document files attached to emails. When users run these attachments,\r\nthey may lose control over their system.\r\nThe Kimsuky threat group uses AppleSeed, Meterpreter, and VNC malware to seize control over infected systems,\r\nand even abuses the RDP remote desktop service included in Windows. Recently, the group has also been\r\nobserved using the remote desktop feature of Google Chrome (Chrome Remote Desktop).\r\nUsers must carefully check the senders of emails and refrain from opening files from unknown sources. 
Users\r\nshould also apply the latest patches for the OS and programs such as internet browsers, and update V3 to the latest\r\nversion to prevent malware infection.\r\nFile Detection\r\n– Backdoor/Win.AppleSeed.C5565172 (2023.12.21.00)\r\n– Backdoor/Win.AppleSeed.R626582 (2023.12.04.02)\r\n– Malware/Win.Agent.R628198 (2023.12.18.02)\r\n– Trojan/Win.VNC.C5563987 (2023.12.18.03)\r\n– Trojan/Win.TinyNuke.C5563988 (2023.12.18.03)\r\n– Backdoor/Win.AppleSeed.C5563985 (2023.12.18.03)\r\n– Backdoor/Win.AlphaSeed.R628550 (2023.12.21.03)\r\n– Backdoor/Win.AlphaSeed.R628552 (2023.12.21.03)\r\n– Backdoor/Win.Iedoor.R626024 (2023.11.29.02)\r\n– Backdoor/Win.Iedoor.R625563 (2023.11.27.03)\r\n– Backdoor/Win.AppleSeed.R625539 (2023.11.27.02)\r\n– Dropper/Win.AppleSeed.R625538 (2023.11.27.02)\r\n– Backdoor/Win.AppleSeed.R624029 (2023.11.24.00)\r\n– Backdoor/Win.AppleSeed.R625553 (2023.11.27.03)\r\n– Backdoor/Win.AppleSeed.C5502219 (2023.10.08.03)\r\nBehavior Detection\r\n– Execution/MDP.Regsvr32.M4470\r\nAdditional IOCs are available on AhnLab TIP.\r\nSource: https://asec.ahnlab.com/en/60054/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://asec.ahnlab.com/en/60054/"
	],
	"report_names": [
		"60054"
	],
	"threat_actors": [
		{
			"id": "191d7f9a-8c3c-442a-9f13-debe259d4cc2",
			"created_at": "2022-10-25T15:50:23.280374Z",
			"updated_at": "2026-04-10T02:00:05.305572Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"Kimsuky",
				"Black Banshee",
				"Velvet Chollima",
				"Emerald Sleet",
				"THALLIUM",
				"APT43",
				"TA427",
				"Springtail"
			],
			"source_name": "MITRE:Kimsuky",
			"tools": [
				"Troll Stealer",
				"schtasks",
				"Amadey",
				"GoBear",
				"Brave Prince",
				"CSPY Downloader",
				"gh0st RAT",
				"AppleSeed",
				"Gomir",
				"NOKKI",
				"QuasarRAT",
				"Gold Dragon",
				"PsExec",
				"KGH_SPY",
				"Mimikatz",
				"BabyShark",
				"TRANSLATEXT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "760f2827-1718-4eed-8234-4027c1346145",
			"created_at": "2023-01-06T13:46:38.670947Z",
			"updated_at": "2026-04-10T02:00:03.062424Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"G0086",
				"Emerald Sleet",
				"THALLIUM",
				"Springtail",
				"Sparkling Pisces",
				"Thallium",
				"Operation Stolen Pencil",
				"APT43",
				"Velvet Chollima",
				"Black Banshee"
			],
			"source_name": "MISPGALAXY:Kimsuky",
			"tools": [
				"xrat",
				"QUASARRAT",
				"RDP Wrapper",
				"TightVNC",
				"BabyShark",
				"RevClient"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c8bf82a7-6887-4d46-ad70-4498b67d4c1d",
			"created_at": "2025-08-07T02:03:25.101147Z",
			"updated_at": "2026-04-10T02:00:03.846812Z",
			"deleted_at": null,
			"main_name": "NICKEL KIMBALL",
			"aliases": [
				"APT43 ",
				"ARCHIPELAGO ",
				"Black Banshee ",
				"Crooked Pisces ",
				"Emerald Sleet ",
				"ITG16 ",
				"Kimsuky ",
				"Larva-24005 ",
				"Opal Sleet ",
				"Ruby Sleet ",
				"SharpTongue ",
				"Sparking Pisces ",
				"Springtail ",
				"TA406 ",
				"TA427 ",
				"THALLIUM ",
				"UAT-5394 ",
				"Velvet Chollima "
			],
			"source_name": "Secureworks:NICKEL KIMBALL",
			"tools": [
				"BabyShark",
				"FastFire",
				"FastSpy",
				"FireViewer",
				"Konni"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "71a1e16c-3ba6-4193-be62-be53527817bc",
			"created_at": "2022-10-25T16:07:23.753455Z",
			"updated_at": "2026-04-10T02:00:04.73769Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"APT 43",
				"Black Banshee",
				"Emerald Sleet",
				"G0086",
				"G0094",
				"ITG16",
				"KTA082",
				"Kimsuky",
				"Larva-24005",
				"Larva-25004",
				"Operation Baby Coin",
				"Operation Covert Stalker",
				"Operation DEEP#DRIVE",
				"Operation DEEP#GOSU",
				"Operation Kabar Cobra",
				"Operation Mystery Baby",
				"Operation Red Salt",
				"Operation Smoke Screen",
				"Operation Stealth Power",
				"Operation Stolen Pencil",
				"SharpTongue",
				"Sparkling Pisces",
				"Springtail",
				"TA406",
				"TA427",
				"Thallium",
				"UAT-5394",
				"Velvet Chollima"
			],
			"source_name": "ETDA:Kimsuky",
			"tools": [
				"AngryRebel",
				"AppleSeed",
				"BITTERSWEET",
				"BabyShark",
				"BoBoStealer",
				"CSPY Downloader",
				"Farfli",
				"FlowerPower",
				"Gh0st RAT",
				"Ghost RAT",
				"Gold Dragon",
				"GoldDragon",
				"GoldStamp",
				"JamBog",
				"KGH Spyware Suite",
				"KGH_SPY",
				"KPortScan",
				"KimJongRAT",
				"Kimsuky",
				"LATEOP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Lovexxx",
				"MailPassView",
				"Mechanical",
				"Mimikatz",
				"MoonPeak",
				"Moudour",
				"MyDogs",
				"Mydoor",
				"Network Password Recovery",
				"PCRat",
				"ProcDump",
				"PsExec",
				"ReconShark",
				"Remote Desktop PassView",
				"SHARPEXT",
				"SWEETDROP",
				"SmallTiger",
				"SniffPass",
				"TODDLERSHARK",
				"TRANSLATEXT",
				"Troll Stealer",
				"TrollAgent",
				"VENOMBITE",
				"WebBrowserPassView",
				"xRAT"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434766,
	"ts_updated_at": 1775792260,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7cb3a6de237181a43b5609c14cf9e48733532d00.pdf",
		"text": "https://archive.orkl.eu/7cb3a6de237181a43b5609c14cf9e48733532d00.txt",
		"img": "https://archive.orkl.eu/7cb3a6de237181a43b5609c14cf9e48733532d00.jpg"
	}
}