{
	"id": "1dd32f57-e678-4979-8ac3-ddc6228bf950",
	"created_at": "2026-04-06T00:14:21.778369Z",
	"updated_at": "2026-04-10T03:37:40.877321Z",
	"deleted_at": null,
	"sha1_hash": "7e8e8ab47cddc9cc08e44bb46f777914b90667dd",
	"title": "Keylogger Installed Using MS Office Equation Editor Vulnerability (Kimsuky)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1429047,
	"plain_text": "Keylogger Installed Using MS Office Equation Editor Vulnerability\r\n(Kimsuky)\r\nBy ATCP\r\nPublished: 2024-05-28 · Archived: 2026-04-05 20:31:07 UTC\r\nAhnLab SEcurity intelligence Center (ASEC) has identified the details of the Kimsuky threat group recently\r\nexploiting a vulnerability (CVE-2017-11882) in the equation editor included in MS Office (EQNEDT32.EXE) to\r\ndistribute a keylogger. The threat actor distributed the keylogger by exploiting the vulnerability to run a page with\r\nan embedded malicious script with the mshta process.\r\nhttps://asec.ahnlab.com/en/66720/\r\nPage 1 of 5\n\nThe page that mshta connects to is http://xxxxxxxxxxx.xxxxxx.xxxxxxxx.com/images/png/error.php and uses the\r\nfile name error.php. As shown in Figure 2, the “Not Found” message makes it seem to the user as if a connection\r\nis not being established, but the malicious script is being run.\r\nFigure 3 shows the content of error.php. Major behaviors include downloading an additional malware strain from\r\nthe C2 (Query=50) via a PowerShell command, creating a file named desktop.ini.bak under the\r\nUsers\\Public\\Pictures path, and registering the desktop.ini.bak file in the Run key under HKLM with the name\r\n“Clear Web History” to allow it to run again. While an additional malware was downloaded and executed via\r\nhttps://asec.ahnlab.com/en/66720/\r\nPage 2 of 5\n\nPowerShell, the attacker’s erroneous coding in the part where wscript is run resulted in the failure to register to the\r\nRun key and create the file. When editing the script for replication purposes and having it run as intended, the\r\ndesktop.ini.bak file is created and correctly registers itself to the registry key as shown in Figure 4.\r\nThe first downloaded malware is a PowerShell script shown in Figure 5. It collects system and IP information and\r\nsends them to the C2 (Query=97). In addition, it can download and execute a keylogger from the C2 (Query=107).\r\nhttps://asec.ahnlab.com/en/66720/\r\nPage 3 of 5\n\nFigure 6 shows the script of the main part of the keylogger. The script creates the file desktop.ini.bak in the\r\nUsers\\Public\\Music path, which is for recording users’ keylogging data as well as clipboard data. It uses a mutex\r\nvalue “Global\\AlreadyRunning19122345” to prevent duplicate instances. The collected data is sent at random\r\ntimes within the time range set by the threat actor to the C2 (Query=97), deleted, and created again. The overall\r\nprocess execution is shown in the Procmon process tree.\r\nThe Kimsuky group still exploits the vulnerability (CVE-2017-11882) in the MS Office equation editor\r\n(EQNEDT32.EXE) it frequently used before in order to increase the success rate of attacks. It is important to\r\npatch vulnerabilities to prevent malware infection from old vulnerabilities. Software must always be updated to\r\nthe latest version and users should refrain from using software that has reached the end of service (EOS). Also,\r\nusers must not open suspicious document files and update V3 to the latest version to prevent malware infection in\r\nadvance. In addition to endpoint security products (V3), sandbox-based APT solutions such as MDS must be\r\nimplemented to prevent harm from cyberattacks.\r\n[File Detection]\r\nTrojan/VBS.Agent.SC198696 (2024.03.29.00)\r\nDownloader/PowerShell.Agent.SC197158 (2024.02.26.03)\r\nKeylogger/PowerShell.Agent.SC197159 (2024.02.26.03)\r\nMD5\r\n279c86f3796d14d2a4d89049c2b3fa2d\r\n5bfeef520eb1e62ea2ef313bb979aeae\r\nhttps://asec.ahnlab.com/en/66720/\r\nPage 4 of 5\n\nd404ab9c8722fc97cceb95f258a2e70d\r\nAdditional IOCs are available on AhnLab TIP.\r\nGain access to related IOCs and detailed analysis by subscribing to AhnLab TIP. For subscription details, click\r\nthe banner below.\r\nSource: https://asec.ahnlab.com/en/66720/\r\nhttps://asec.ahnlab.com/en/66720/\r\nPage 5 of 5",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://asec.ahnlab.com/en/66720/"
	],
	"report_names": [
		"66720"
	],
	"threat_actors": [
		{
			"id": "b740943a-da51-4133-855b-df29822531ea",
			"created_at": "2022-10-25T15:50:23.604126Z",
			"updated_at": "2026-04-10T02:00:05.259593Z",
			"deleted_at": null,
			"main_name": "Equation",
			"aliases": [
				"Equation"
			],
			"source_name": "MITRE:Equation",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "191d7f9a-8c3c-442a-9f13-debe259d4cc2",
			"created_at": "2022-10-25T15:50:23.280374Z",
			"updated_at": "2026-04-10T02:00:05.305572Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"Kimsuky",
				"Black Banshee",
				"Velvet Chollima",
				"Emerald Sleet",
				"THALLIUM",
				"APT43",
				"TA427",
				"Springtail"
			],
			"source_name": "MITRE:Kimsuky",
			"tools": [
				"Troll Stealer",
				"schtasks",
				"Amadey",
				"GoBear",
				"Brave Prince",
				"CSPY Downloader",
				"gh0st RAT",
				"AppleSeed",
				"Gomir",
				"NOKKI",
				"QuasarRAT",
				"Gold Dragon",
				"PsExec",
				"KGH_SPY",
				"Mimikatz",
				"BabyShark",
				"TRANSLATEXT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "760f2827-1718-4eed-8234-4027c1346145",
			"created_at": "2023-01-06T13:46:38.670947Z",
			"updated_at": "2026-04-10T02:00:03.062424Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"G0086",
				"Emerald Sleet",
				"THALLIUM",
				"Springtail",
				"Sparkling Pisces",
				"Thallium",
				"Operation Stolen Pencil",
				"APT43",
				"Velvet Chollima",
				"Black Banshee"
			],
			"source_name": "MISPGALAXY:Kimsuky",
			"tools": [
				"xrat",
				"QUASARRAT",
				"RDP Wrapper",
				"TightVNC",
				"BabyShark",
				"RevClient"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c8bf82a7-6887-4d46-ad70-4498b67d4c1d",
			"created_at": "2025-08-07T02:03:25.101147Z",
			"updated_at": "2026-04-10T02:00:03.846812Z",
			"deleted_at": null,
			"main_name": "NICKEL KIMBALL",
			"aliases": [
				"APT43 ",
				"ARCHIPELAGO ",
				"Black Banshee ",
				"Crooked Pisces ",
				"Emerald Sleet ",
				"ITG16 ",
				"Kimsuky ",
				"Larva-24005 ",
				"Opal Sleet ",
				"Ruby Sleet ",
				"SharpTongue ",
				"Sparking Pisces ",
				"Springtail ",
				"TA406 ",
				"TA427 ",
				"THALLIUM ",
				"UAT-5394 ",
				"Velvet Chollima "
			],
			"source_name": "Secureworks:NICKEL KIMBALL",
			"tools": [
				"BabyShark",
				"FastFire",
				"FastSpy",
				"FireViewer",
				"Konni"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "71a1e16c-3ba6-4193-be62-be53527817bc",
			"created_at": "2022-10-25T16:07:23.753455Z",
			"updated_at": "2026-04-10T02:00:04.73769Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"APT 43",
				"Black Banshee",
				"Emerald Sleet",
				"G0086",
				"G0094",
				"ITG16",
				"KTA082",
				"Kimsuky",
				"Larva-24005",
				"Larva-25004",
				"Operation Baby Coin",
				"Operation Covert Stalker",
				"Operation DEEP#DRIVE",
				"Operation DEEP#GOSU",
				"Operation Kabar Cobra",
				"Operation Mystery Baby",
				"Operation Red Salt",
				"Operation Smoke Screen",
				"Operation Stealth Power",
				"Operation Stolen Pencil",
				"SharpTongue",
				"Sparkling Pisces",
				"Springtail",
				"TA406",
				"TA427",
				"Thallium",
				"UAT-5394",
				"Velvet Chollima"
			],
			"source_name": "ETDA:Kimsuky",
			"tools": [
				"AngryRebel",
				"AppleSeed",
				"BITTERSWEET",
				"BabyShark",
				"BoBoStealer",
				"CSPY Downloader",
				"Farfli",
				"FlowerPower",
				"Gh0st RAT",
				"Ghost RAT",
				"Gold Dragon",
				"GoldDragon",
				"GoldStamp",
				"JamBog",
				"KGH Spyware Suite",
				"KGH_SPY",
				"KPortScan",
				"KimJongRAT",
				"Kimsuky",
				"LATEOP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Lovexxx",
				"MailPassView",
				"Mechanical",
				"Mimikatz",
				"MoonPeak",
				"Moudour",
				"MyDogs",
				"Mydoor",
				"Network Password Recovery",
				"PCRat",
				"ProcDump",
				"PsExec",
				"ReconShark",
				"Remote Desktop PassView",
				"SHARPEXT",
				"SWEETDROP",
				"SmallTiger",
				"SniffPass",
				"TODDLERSHARK",
				"TRANSLATEXT",
				"Troll Stealer",
				"TrollAgent",
				"VENOMBITE",
				"WebBrowserPassView",
				"xRAT"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434461,
	"ts_updated_at": 1775792260,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7e8e8ab47cddc9cc08e44bb46f777914b90667dd.pdf",
		"text": "https://archive.orkl.eu/7e8e8ab47cddc9cc08e44bb46f777914b90667dd.txt",
		"img": "https://archive.orkl.eu/7e8e8ab47cddc9cc08e44bb46f777914b90667dd.jpg"
	}
}