{ "id": "67999895-9f62-4156-a3d4-6d23bf024dfe", "created_at": "2026-04-06T00:14:11.406389Z", "updated_at": "2026-04-10T03:37:40.680188Z", "deleted_at": null, "sha1_hash": "7faa8655733ce23d861df818f1ab5fd073d0b1f1", "title": "BlueShell Used in APT Attacks Against Korean and Thai Targets - ASEC", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 2547622, "plain_text": "BlueShell Used in APT Attacks Against Korean and Thai Targets -\r\nASEC\r\nBy ATCP\r\nPublished: 2023-09-04 · Archived: 2026-04-05 18:45:17 UTC\r\nBlueShell is a backdoor developed in Go. It is available on GitHub and supports Windows, Linux, and Mac\r\noperating systems. Currently, it seems the original GitHub repository has been deleted, but the BlueShell source\r\ncode can be downloaded from other repositories. Notably, the ReadMe file containing the guidelines is in Chinese,\r\nand this suggests that the creator may be a Chinese speaker.\r\nFigure 1. BlueShell published on GitHub\r\nThere aren’t many cases where BlueShell is known to have been used in the attacks unlike SparkRAT, Silver C2,\r\nor other malware published on GitHub. However, examining attack cases in Korea shows that a variety of threat\r\nactors are continuously using BlueShell in their attacks.\r\nAhnLab Security Emergency response Center (ASEC) is monitoring APT attack cases using BlueShell. In this\r\npost, we will provide a summary of such cases. The attack cases that have been identified by AhnLab are mostly\r\nhttps://asec.ahnlab.com/en/56941/\r\nPage 1 of 11\n\nthose that targeted Windows systems of Korean companies. However, attacks against Linux systems include cases\r\nwhere not only Korean but Thai broadcasting companies were also targeted.\r\n1. BlueShell\r\nOne of the main characteristics of BlueShell is that it was developed in Go. Because of the many advantages of\r\nthe Go language including the fact that it is easy to develop with and offers cross-platform support, it is used often\r\nto not only develop applications but also create malware. SparkRAT included in a Korean VPN installer [1] and\r\nSliver C2 used in the attack campaign exploiting the vulnerability in Sunlogin, a Chinese remote control utility [2]\r\nare both malware developed in Go and published on GitHub. Besides these, there have been a growing number of\r\ncases where APT threat groups used Go to create malware; the Kimsuky threat group developed a downloader that\r\ninstalls Meterpreter, [3] the RedEyes (APT37) threat group developed a backdoor by abusing the Ably service, [4]\r\nand the Andariel threat group developed a variety of malware including 1th Troy reverse shell, Black RAT, Goat\r\nRAT, and Durian Beacon. [5]\r\nIn terms of features, BlueShell is a backdoor with a simple structure. It supports TLS encryption in\r\ncommunications with the C2 server and bypasses network detection. Features that can be run according to the\r\ncommands from the threat actor include remote command execution, file download/upload, and Socks5 proxy.\r\nCommand Feature\r\nshell Run command\r\nupload Upload file\r\ndownload Download file\r\nsocks5 Socks5 proxy\r\nTable 1. Commands supported by BlueShell\r\nFigure 2. Commands supported by BlueShell\r\nhttps://asec.ahnlab.com/en/56941/\r\nPage 2 of 11\n\nBlueShell has three configuration data: the IP address of the C2 server, the port number, and the wait time.\r\nOrdinarily, these are hard-coded into the binary when the malware is created, and the init() function initializes the\r\nconfiguration data.\r\nFigure 3. Configuration data used by BlueShell\r\n2. Windows Version\r\n2.1. Attack Cases of the Dalbit Threat Group\r\nThe Dalbit group is a threat group based in China. The group usually targets vulnerable servers to breach\r\ninformation including internal data from companies or encrypts files and demands money. [6] Their targets of\r\nattack are usually Windows servers that are poorly managed or are not patched to the latest version. Besides these,\r\nthere are also attack cases that targeted email servers or MS-SQL database servers.\r\nThe Dalbit group is known for using open-source tools in most stages of their attack from initial infiltration,\r\nprivilege escalation, internal reconnaissance, to lateral movement, until their goals are achieved. The malware\r\nused in the actual command and control stages are also publicly available tools such as CobaltStrike, Metasploit,\r\nLadaon, and BlueShell.\r\nOut of the various attack cases, here, we will cover the case where BlueShell was collected during the attack\r\nprocess. While it has not been confirmed whether the threat actor used BlueShell in the actual attack, the\r\nBlueShell malware with the default C2 server set in the original source code was collected during the attack\r\nprocess. The collected files have x86 and x64 architectures. The source code information in the binary and the\r\ntime they were collected by VirusTotal allows us to assume that these files were probably included in the\r\ncollection of attack tools used by the threat actor.\r\n/root/pentesttools/BlueShell/client.go\r\nhttps://asec.ahnlab.com/en/56941/\r\nPage 3 of 11\n\nIn attacks against web servers, the Dalbit threat group usually exploits the WebLogic or file upload vulnerability\r\nto upload web shells. Various JSP web shell files were also found in this attack case.\r\nFigure 4. JSP web shells used in the attack\r\nIn the internal reconnaissance stage, the threat actor used the Lsass dump tool to steal account credentials and used\r\nthe fscan tool to scan the internal network. It is presumed that the collected information would have been used for\r\nlateral movement using the Impacket tool.\r\nThe most prominent characteristic of the Dalbit group is that it uses Fast Reverse Proxy (FRP) as the proxy tool.\r\nIn the attack process, the Frpc tool, its configuration file, and another proxy tool by the name of Venom [7] were\r\nused.\r\nhttps://asec.ahnlab.com/en/56941/\r\nPage 4 of 11\n\nFigure 5. Collected Frpc configuration file\r\n2.2. Attack Against a Korean Corporation\r\nAlthough the case above was not one where BlueShell was used in its normal way in the attack process, a case of\r\nattack against a Korean corporation using BlueShell was later identified. Due to a lack of relevant information, the\r\ninitial attack vector or whether the threat actor is the same one as the Dalbit group of the past could not be\r\nascertained, but it is notable that BlueShell and Frpc were used together in the attack.\r\nExamining the source code information in the binary shows that the threat actor likely created BlueShell in a\r\nWindows environment. Two versions of BlueShell were identified in the attack process; while both communicate\r\nwith the same C2 server, one is obfuscated.\r\nD:/skens/SK/BlueShell-master/client.go\r\nThe Frpc used in the attack is also obfuscated, and instead of being the default format of Frpc, it is a version\r\ncustomized by the threat actor. Ordinarily, Frpc reads and loads configuration data in file format, but the Frpc used\r\nin the attack decodes the encoded configuration data in the memory area during execution.\r\nFigure 6. Frpc configuration data included in the binary\r\nhttps://asec.ahnlab.com/en/56941/\r\nPage 5 of 11\n\n3. Linux Version\r\n3.1. Cases of Attack Presumed to Have Targeted Korea and Thailand\r\nBlueShell, developed in Go, offers cross-platform support and thus can run not only in Windows environments but\r\nalso in Linux systems. While monitoring BlueShell targeting Linux environments, ASEC identified customized\r\ntypes of BlueShell from VirusTotal. As they were uploaded to VirusTotal from Korea and Thailand, it seems that\r\nthe two areas were the targets of attack.\r\nThe threat actor first created a dropper and used this to install BlueShell. The dropper is responsible for creating\r\nand executing BlueShell like ordinary droppers, but the difference here is that upon execution, an environment\r\nvariable by the name “lgdt” is configured and executed. The created BlueShell finds the “lgdt” environment\r\nvariable, decodes it, and uses it as the C2 server URL. Thus, BlueShell by itself cannot find the C2 server URL.\r\nA. Analysis of the dropper\r\nDuring the execution process, the dropper Xor-decrypts BlueShell saved in the internal .data section with the 0x63\r\nkey. The decrypted data is in compressed form, and it is decompressed and copied into the “/tmp/kthread” path.\r\nFigure 7. The dropper’s main routine\r\nAfter “/tmp/kthread” (BlueShell malware) is executed, it deletes itself, so BlueShell only runs in the memory area.\r\nThe dropper has two other characteristics. The first is that the argument “/sbin/rpcd” is transmitted when\r\nBlueShell is run and changes the name of the running process into “/sbin/rpcd” to disguise it. As such, the name of\r\nthe disguised process is visible in the ps command or “/proc/[pid]/cmdline”.\r\nhttps://asec.ahnlab.com/en/56941/\r\nPage 6 of 11\n\nFigure 8. Changed process name\r\nIt is also notable that when the created BlueShell is run, the environment variable “lgdt” is configured before\r\nexecution. Thus, the “lgdt” environment variable “MjAuMjE0LjIwMS4xNjYgNDQzIDE1” is given as an\r\nargument for the sys_execve system call, and the child process BlueShell executed accordingly also receives this\r\nenvironment variable.\r\nFigure 9. lgdt environment variable transmitted upon execution\r\nB. Analysis of customized BlueShell\r\nThe BlueShells used in the attacks have the same features aside from a few notable points. Instead of having\r\nconfiguration data such as the C2 server URL or the port number in the binary, a certain environment variable is\r\nread and decrypted to obtain said data. In the case above, the dropper configured the environment variable “lgdt”\r\nbefore executing BlueShell, and therefore the environment variable was inherited. BlueShell decodes the\r\nenvironment variable “lgdt” with Base64 and uses this as configuration data.\r\nhttps://asec.ahnlab.com/en/56941/\r\nPage 7 of 11\n\nFigure 10. Routine that decrypts environment variables and uses them as configuration data\r\nIn the attack case in Korea covered above, three arguments are found after decoding with Base64. These are the\r\nC2 server URL, port number, and wait time.\r\nDecrypted environment variable: 20.214.201[.]166 443 15\r\nThe BlueShell uploaded from Thailand is created in the path “/tmp/.ICECache”. When the environment variable is\r\ndecoded, four pieces of data can be identified. The values are the same for up to the third configuration data. The\r\nfourth is used to distinguish between infected systems. The customized BlueShell uses the hostname() function to\r\nobtain the host name of the currently running system and runs only when this value matches the fourth data.\r\nIt is difficult to pinpoint the attack targets using only the host name of the infected system, but the host name of\r\nthe decoded string is the same as one of the broadcasting companies in Thailand. The country that uploaded to\r\nVirusTotal and the malware’s conditions for infected systems show that this threat group possibly launched an\r\nAPT attack against targets in Thailand.\r\nFigure 11. The encoded environment variable and the result after decoding it\r\nhttps://asec.ahnlab.com/en/56941/\r\nPage 8 of 11\n\nArgument Description\r\n#1 C2 server address\r\n#2 C2 server port number\r\n#3 Wait time\r\n#4 Environmental conditions to run\r\nTable 2. Configuration data of the customized BlueShell\r\nAdditionally, the BlueShells used in attack cases in both Korea and Thailand were built in the Go language\r\nenvironment version 1.18.4. Through the following source code information, it can be inferred that attacks would\r\nhave been ongoing from at least September 2022.\r\nLocation of\r\nUpload to\r\nVirusTotal\r\nTime of\r\nUpload to\r\nVirusTotal\r\nSource\r\nGo\r\nVersion\r\nThailand\r\n2022-09-01\r\n02:51:45 UTC\r\n/home/User/Desktop/client/main.go 1.18.4\r\nRepublic of\r\nKorea\r\n2023-02-08\r\n15:47:26 UTC\r\n/home/User/Desktop/20221209/client/main.go 1.18.4\r\nRepublic of\r\nKorea\r\n2023-03-07\r\n05:11:53 UTC\r\n/home/User/Desktop/20230202/client/main.go 1.18.4\r\nTable 3. Analysis of attack cases\r\n4. Conclusion\r\nBeing a backdoor, BlueShell can receive commands from the threat actor to perform actions in the infected\r\nsystem, such as command execution, file download/upload, and Socks5 proxy. As it is developed in Go, Linux\r\nenvironments can also become targets of attack along with Windows environments. Various threat actors are using\r\nit in attacks because it is available on GitHub as an open source.\r\nTo prevent such security threats, vulnerable settings must be reviewed, relevant systems must always be kept\r\nupgraded to the latest version to protect them against attacks. Also, V3 should be updated to the latest version so\r\nthat malware infection can be prevented.\r\nFile Detection\r\n– WebShell/JSP.Chopper.SC183868 (2022.10.15.01)\r\n– WebShell/JSP.Godzilla.S1719 (2021.12.03.00)\r\n– WebShell/JSP.Generic.S1363 (2021.01.27.03)\r\n– Backdoor/Win.BlueShell.C5272202 (2022.10.05.00)\r\nhttps://asec.ahnlab.com/en/56941/\r\nPage 9 of 11\n\n– Trojan/Win.BlueShell.C5280704 (2022.10.15.01)\r\n– Trojan/Win.ReverseShell.C5417728 (2023.04.25.00)\r\n– Trojan/Win.ReverseShell.C5417729 (2023.04.25.00)\r\n– Trojan/Win.FRP.C5417731 (2023.04.25.00)\r\n– HackTool/Win.Frpc.R543073 (2022.12.21.03)\r\n– HackTool/Win.Frpc.R543073 (2022.12.21.03)\r\n– HackTool/Script.Frpc (2022.12.17.00)\r\n– HackTool/Win.Fscan.C5230904 (2022.10.08.00)\r\n– HackTool/Win.Fscan.C5272189 (2022.10.05.00)\r\n– HackTool/Win.Lsassdump.R524859 (2022.10.05.00)\r\n– HackTool/Win.ProxyVenom.C5280699 (2022.10.15.01)\r\n– HackTool/Win.impacket.C4777703 (2021.11.19.03)\r\n– Dropper/Linux.BlueShell.2904696 (2023.09.04.02)\r\n– Dropper/Linux.BlueShell.2888120 (2023.09.04.02)\r\n– Trojan/Linux.BlueShell.XE216 (2023.02.20.03)\r\nMD5\r\n011cedd9932207ee5539895e2a1ed60a\r\n1a0c704611395b53f632d4f6119ed20c\r\n21c7b2e6e0fb603c5fdd33781ac84b8f\r\n2ed0a868520c31e27e69a0ab1a4e690d\r\n30fe6a0ba1d77e05a19d87fcf99e7ca5\r\nAdditional IOCs are available on AhnLab TIP.\r\nURL\r\nhttp[:]//121[.]127[.]241[.]117[:]20001/\r\nhttp[:]//lt[.]yxavkb[.]xyz/\r\nhttps[:]//20[.]214[.]201[.]166/\r\nhttps[:]//202[.]87[.]223[.]124/\r\nhttps[:]//aa[.]zxcss[.]com/\r\nAdditional IOCs are available on AhnLab TIP.\r\nGain access to related IOCs and detailed analysis by subscribing to AhnLab TIP. For subscription details, click\r\nthe banner below.\r\nhttps://asec.ahnlab.com/en/56941/\r\nPage 10 of 11\n\nSource: https://asec.ahnlab.com/en/56941/\r\nhttps://asec.ahnlab.com/en/56941/\r\nPage 11 of 11", "extraction_quality": 1, "language": "EN", "sources": [ "MISPGALAXY", "ETDA", "Malpedia" ], "references": [ "https://asec.ahnlab.com/en/56941/" ], "report_names": [ "56941" ], "threat_actors": [ { "id": "838f6ced-12a4-4893-991a-36d231d96efd", "created_at": "2022-10-25T15:50:23.347455Z", "updated_at": "2026-04-10T02:00:05.295717Z", "deleted_at": null, "main_name": "Andariel", "aliases": [ "Andariel", "Silent Chollima", "PLUTONIUM", "Onyx Sleet" ], "source_name": "MITRE:Andariel", "tools": [ "Rifdoor", "gh0st RAT" ], "source_id": "MITRE", "reports": null }, { "id": "6f30fd35-b1c9-43c4-9137-2f61cd5f031e", "created_at": "2025-08-07T02:03:25.082908Z", "updated_at": "2026-04-10T02:00:03.744649Z", "deleted_at": null, "main_name": "NICKEL FOXCROFT", "aliases": [ "APT37 ", "ATK4 ", "Group 123 ", "InkySquid ", "Moldy Pisces ", "Operation Daybreak ", "Operaton Erebus ", "RICOCHET CHOLLIMA ", "Reaper ", "ScarCruft ", "TA-RedAnt ", "Venus 121 " ], "source_name": "Secureworks:NICKEL FOXCROFT", "tools": [ "Bluelight", "Chinotto", "GOLDBACKDOOR", "KevDroid", "KoSpy", "PoorWeb", "ROKRAT", "final1stpy" ], "source_id": "Secureworks", "reports": null }, { "id": "bcf899bb-34bb-43e1-929d-02bc91974f2a", "created_at": "2023-02-18T02:04:24.050644Z", "updated_at": "2026-04-10T02:00:04.639142Z", "deleted_at": null, "main_name": "Dalbit", "aliases": [], "source_name": "ETDA:Dalbit", "tools": [ "ASPXSpy", "ASPXTool", "Agentemis", "AntSword", "BadPotato", "BlueShell", "CHINACHOPPER", "China Chopper", "Cobalt Strike", "CobaltStrike", "EFSPotato", "FRP", "Fast Reverse Proxy", "Godzilla", "Godzilla Loader", "HTran", "HUC Packet Transmit Tool", "JuicyPotato", "LadonGo", "Metasploit", "Mimikatz", "NPS", "ProcDump", "PsExec", "Remcom", "RemoteCommandExecution", "RottenPotato", "SinoChopper", "SweetPotato", "cobeacon", "reGeorg" ], "source_id": "ETDA", "reports": null }, { "id": "110e7160-a8cc-4a66-8550-f19f7d418117", "created_at": "2023-01-06T13:46:38.427592Z", "updated_at": "2026-04-10T02:00:02.969896Z", "deleted_at": null, "main_name": "Silent Chollima", "aliases": [ "Onyx Sleet", "PLUTONIUM", "OperationTroy", "Guardian of Peace", "GOP", "WHOis Team", "Andariel", "Subgroup: Andariel" ], "source_name": "MISPGALAXY:Silent Chollima", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "bbe36874-34b7-4bfb-b38b-84a00b07042e", "created_at": "2022-10-25T15:50:23.375277Z", "updated_at": "2026-04-10T02:00:05.327922Z", "deleted_at": null, "main_name": "APT37", "aliases": [ "APT37", "InkySquid", "ScarCruft", "Group123", "TEMP.Reaper", "Ricochet Chollima" ], "source_name": "MITRE:APT37", "tools": [ "BLUELIGHT", "CORALDECK", "KARAE", "SLOWDRIFT", "ROKRAT", "SHUTTERSPEED", "POORAIM", "HAPPYWORK", "Final1stspy", "Cobalt Strike", "NavRAT", "DOGCALL", "WINERACK" ], "source_id": "MITRE", "reports": null }, { "id": "552ff939-52c3-421b-b6c9-749cbc21a794", "created_at": "2023-01-06T13:46:38.742547Z", "updated_at": "2026-04-10T02:00:03.08515Z", "deleted_at": null, "main_name": "APT37", "aliases": [ "Operation Daybreak", "Red Eyes", "ScarCruft", "G0067", "Group123", "Reaper Group", "Ricochet Chollima", "ATK4", "APT 37", "Operation Erebus", "Moldy Pisces", "APT-C-28", "Group 123", "InkySquid", "Venus 121" ], "source_name": "MISPGALAXY:APT37", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "191d7f9a-8c3c-442a-9f13-debe259d4cc2", "created_at": "2022-10-25T15:50:23.280374Z", "updated_at": "2026-04-10T02:00:05.305572Z", "deleted_at": null, "main_name": "Kimsuky", "aliases": [ "Kimsuky", "Black Banshee", "Velvet Chollima", "Emerald Sleet", "THALLIUM", "APT43", "TA427", "Springtail" ], "source_name": "MITRE:Kimsuky", "tools": [ "Troll Stealer", "schtasks", "Amadey", "GoBear", "Brave Prince", "CSPY Downloader", "gh0st RAT", "AppleSeed", "Gomir", "NOKKI", "QuasarRAT", "Gold Dragon", "PsExec", "KGH_SPY", "Mimikatz", "BabyShark", "TRANSLATEXT" ], "source_id": "MITRE", "reports": null }, { "id": "bc6e3644-3249-44f3-a277-354b7966dd1b", "created_at": "2022-10-25T16:07:23.760559Z", "updated_at": "2026-04-10T02:00:04.741239Z", "deleted_at": null, "main_name": "Andariel", "aliases": [ "APT 45", "Andariel", "G0138", "Jumpy Pisces", "Onyx Sleet", "Operation BLACKMINE", "Operation BLACKSHEEP/Phase 3.", "Operation Blacksmith", "Operation DESERTWOLF/Phase 3", "Operation GHOSTRAT", "Operation GoldenAxe", "Operation INITROY/Phase 1", "Operation INITROY/Phase 2", "Operation Mayday", "Operation VANXATM", "Operation XEDA", "Plutonium", "Silent Chollima", "Stonefly" ], "source_name": "ETDA:Andariel", "tools": [], "source_id": "ETDA", "reports": null }, { "id": "760f2827-1718-4eed-8234-4027c1346145", "created_at": "2023-01-06T13:46:38.670947Z", "updated_at": "2026-04-10T02:00:03.062424Z", "deleted_at": null, "main_name": "Kimsuky", "aliases": [ "G0086", "Emerald Sleet", "THALLIUM", "Springtail", "Sparkling Pisces", "Thallium", "Operation Stolen Pencil", "APT43", "Velvet Chollima", "Black Banshee" ], "source_name": "MISPGALAXY:Kimsuky", "tools": [ "xrat", "QUASARRAT", "RDP Wrapper", "TightVNC", "BabyShark", "RevClient" ], "source_id": "MISPGALAXY", "reports": null }, { "id": "7cf4ec85-806f-4fd7-855a-6669ed381bf5", "created_at": "2023-11-08T02:00:07.176033Z", "updated_at": "2026-04-10T02:00:03.435082Z", "deleted_at": null, "main_name": "Dalbit", "aliases": [], "source_name": "MISPGALAXY:Dalbit", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "c8bf82a7-6887-4d46-ad70-4498b67d4c1d", "created_at": "2025-08-07T02:03:25.101147Z", "updated_at": "2026-04-10T02:00:03.846812Z", "deleted_at": null, "main_name": "NICKEL KIMBALL", "aliases": [ "APT43 ", "ARCHIPELAGO ", "Black Banshee ", "Crooked Pisces ", "Emerald Sleet ", "ITG16 ", "Kimsuky ", "Larva-24005 ", "Opal Sleet ", "Ruby Sleet ", "SharpTongue ", "Sparking Pisces ", "Springtail ", "TA406 ", "TA427 ", "THALLIUM ", "UAT-5394 ", "Velvet Chollima " ], "source_name": "Secureworks:NICKEL KIMBALL", "tools": [ "BabyShark", "FastFire", "FastSpy", "FireViewer", "Konni" ], "source_id": "Secureworks", "reports": null }, { "id": "a2b92056-9378-4749-926b-7e10c4500dac", "created_at": "2023-01-06T13:46:38.430595Z", "updated_at": "2026-04-10T02:00:02.971571Z", "deleted_at": null, "main_name": "Lazarus Group", "aliases": [ "Operation DarkSeoul", "Bureau 121", "Group 77", "APT38", "NICKEL GLADSTONE", "G0082", "COPERNICIUM", "Moonstone Sleet", "Operation GhostSecret", "APT 38", "Appleworm", "Unit 121", "ATK3", "G0032", "ATK117", "NewRomanic Cyber Army Team", "Nickel Academy", "Sapphire Sleet", "Lazarus group", "Hastati Group", "Subgroup: Bluenoroff", "Operation Troy", "Black Artemis", "Dark Seoul", "Andariel", "Labyrinth Chollima", "Operation AppleJeus", "COVELLITE", "Citrine Sleet", "DEV-0139", "DEV-1222", "Hidden Cobra", "Bluenoroff", "Stardust Chollima", "Whois Hacking Team", "Diamond Sleet", "TA404", "BeagleBoyz", "APT-C-26" ], "source_name": "MISPGALAXY:Lazarus Group", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "771d9263-076e-4b6e-bd58-92b6555eb739", "created_at": "2025-08-07T02:03:25.092436Z", "updated_at": "2026-04-10T02:00:03.758541Z", "deleted_at": null, "main_name": "NICKEL HYATT", "aliases": [ "APT45 ", "Andariel", "Dark Seoul", "Jumpy Pisces ", "Onyx Sleet ", "RIFLE Campaign", "Silent Chollima ", "Stonefly ", "UN614 " ], "source_name": "Secureworks:NICKEL HYATT", "tools": [ "ActiveX 0-day", "DTrack", "HazyLoad", "HotCriossant", "Rifle", "UnitBot", "Valefor" ], "source_id": "Secureworks", "reports": null }, { "id": "71a1e16c-3ba6-4193-be62-be53527817bc", "created_at": "2022-10-25T16:07:23.753455Z", "updated_at": "2026-04-10T02:00:04.73769Z", "deleted_at": null, "main_name": "Kimsuky", "aliases": [ "APT 43", "Black Banshee", "Emerald Sleet", "G0086", "G0094", "ITG16", "KTA082", "Kimsuky", "Larva-24005", "Larva-25004", "Operation Baby Coin", "Operation Covert Stalker", "Operation DEEP#DRIVE", "Operation DEEP#GOSU", "Operation Kabar Cobra", "Operation Mystery Baby", "Operation Red Salt", "Operation Smoke Screen", "Operation Stealth Power", "Operation Stolen Pencil", "SharpTongue", "Sparkling Pisces", "Springtail", "TA406", "TA427", "Thallium", "UAT-5394", "Velvet Chollima" ], "source_name": "ETDA:Kimsuky", "tools": [ "AngryRebel", "AppleSeed", "BITTERSWEET", "BabyShark", "BoBoStealer", "CSPY Downloader", "Farfli", "FlowerPower", "Gh0st RAT", "Ghost RAT", "Gold Dragon", "GoldDragon", "GoldStamp", "JamBog", "KGH Spyware Suite", "KGH_SPY", "KPortScan", "KimJongRAT", "Kimsuky", "LATEOP", "LOLBAS", "LOLBins", "Living off the Land", "Lovexxx", "MailPassView", "Mechanical", "Mimikatz", "MoonPeak", "Moudour", "MyDogs", "Mydoor", "Network Password Recovery", "PCRat", "ProcDump", "PsExec", "ReconShark", "Remote Desktop PassView", "SHARPEXT", "SWEETDROP", "SmallTiger", "SniffPass", "TODDLERSHARK", "TRANSLATEXT", "Troll Stealer", "TrollAgent", "VENOMBITE", "WebBrowserPassView", "xRAT" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434451, "ts_updated_at": 1775792260, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/7faa8655733ce23d861df818f1ab5fd073d0b1f1.pdf", "text": "https://archive.orkl.eu/7faa8655733ce23d861df818f1ab5fd073d0b1f1.txt", "img": "https://archive.orkl.eu/7faa8655733ce23d861df818f1ab5fd073d0b1f1.jpg" } }