{
	"id": "2efe8a63-8f9c-4167-9da6-d24a9db0737e",
	"created_at": "2026-04-06T00:21:46.247601Z",
	"updated_at": "2026-04-10T13:12:03.026561Z",
	"deleted_at": null,
	"sha1_hash": "834c70e868674c305eb608c505b0d9ca42c1a145",
	"title": "Warning Against Distribution of Malware Disguised as Research Papers (Kimsuky Group) - ASEC",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2077242,
	"plain_text": "Warning Against Distribution of Malware Disguised as Research Papers (Kimsuky Group) - ASEC\r\nBy ATCP\r\nPublished: 2025-06-11 · Archived: 2026-04-05 19:52:28 UTC\r\nRecently, the AhnLab SEcurity intelligence Center (ASEC) confirmed a phishing email attack in which the Kimsuky group disguised their attack as a request for a paper review from a professor. The email prompted the recipient to open an HWP document file containing a malicious OLE object. The document was password-protected, and the recipient had to enter the password provided in the email body to view it. Upon opening the document, six files were automatically created in the %TEMP% (temporary folder) path. To further prompt the user to check the content, the document body included a “More…” phrase containing a hyperlink that executed the “peice.bat” file, one of the six files created. The table below shows the list of files created upon opening the document.\r\nhttps://asec.ahnlab.com/en/88465/\r\nPage 1 of 7\r\nFigure 1. HWP document file containing malicious OLE object\r\n(The content of the HWP file describes the main causes and purposes of the Russo-Ukrainian War.)\r\nNo. | File Name | Feature\r\n1 | app.db | EXE file with a valid signature\r\n2 | get.db | PowerShell script that collects process lists and installed AV information, and downloads additional files\r\n3 | hwp_doc.db | Legitimate bait Korean document file\r\n4 | mnfst.db | Configuration file read by file 1 (app.db)\r\n5 | sch_0514.db | XML scheduler file that executes get.db twice every 12 minutes\r\n6 | peice.bat | Performs tasks on files 1 to 5\r\nTable 1. Created files\r\nWhen the “peice.bat” file is executed, it copies the created files to a specific path. The exact behavior is as follows:\r\n- Delete the HWP document file with the malicious OLE object\r\n- Change the name of file 3 to “Military Technology and Future War Direction Seen Through the Russo-Ukrainian War.hwp” and open the file.\r\n- Register file 5 as a scheduled task under the name “GoogleTransltatorExtendeds”\r\n- Copy file 1 as “cool.exe” to the “C:\\Users\\Public\\Music\\” directory\r\n- Copy file 4 to the path “C:\\Users\\Public\\Music\\” and rename it to “cool.exe.manifest”\r\n- Copy file 2 as “template.ps1” to the “C:\\Users\\Public\\Music\\” directory.\r\nFile 5, “sch_0514.db,” is a scheduler XML file configured to execute file 1, “cool.exe,” every 12 minutes. When “cool.exe” is executed by the scheduler, the executable reads the fourth file, “cool.exe.manifest.” This file contains BASE64-encoded data located between the “\u003c!--BEGIN_VBSEDIT_DATA” and “END_VBSEDIT_DATA--\u003e” strings. This data is extracted, decoded, and then executed. The decoded data is a VBScript that executes file 2, “C:\\Users\\Public\\Music\\template.ps1.”\r\nFigure 2. (Top) Original configuration file (Bottom) Decoded configuration file\r\n“template.ps1” collects the process list and installed antivirus (AV) information on the user’s system, saves them in a file named “park_year_month_day_hour_minute_info.ini”, and sends it to the threat actor’s Dropbox. The file “park_test.db_sent” is then downloaded to the path “C:\\Users\\Public\\Music\\pol.bat” and executed. However, this file was not available for analysis.\r\nFigure 3. Part of the template.ps1 code\r\nA different file named “template.ps1” was also collected, distinct from the one used in the case above. This file downloads the file named “jsg_test.db_sent” and saves it to the path “C:\\Users\\Public\\Music\\1.bat”. The analysis revealed that the file named “1.bat” was successfully downloaded. Additional file download and copy behaviors were then performed via the C2. For more information, refer to Tables 2 and 3 below.\r\nNo. | Behavior\r\n1 | Download 6 files named “myapp, mnfst, attach, sch_0, vpost, bimage” from the C2 using curl\r\n2 | Register the “bimage” file as a scheduled task under the name “User_Feed_Synchronization-{0DDC1BD9-E733-425C-B92B-ABAC149AB11232}”\r\n3 | Copy the files “myapp, mnfst, attach” to the path %APPDATA%\\microsoft\\windows with the following names: “myapp”: default_an.vbs; “mnfst”: default_an.ps1; “attach”: default_an.exe\r\n4 | Copy the files “sch_0” and “vpost” to the %APPDATA%\\AnyDesk path with the following names: “sch_0”: service.conf; “vpost”: system.conf\r\nTable 2. Features of “1.bat”\r\nNo. | File Name (Changed File Name) | Feature\r\n1 | myapp (default_an.vbs) | VBScript that executes C:\\Users\\Public\\Videos\\default_an.ps1\r\n2 | mnfst (default_an.ps1) | Executes default_an.exe every 5 seconds and hides the window and tray icon\r\n3 | attach (default_an.exe) | Normal AnyDesk file\r\n4 | sch_0 (service.conf) | Configuration file containing the key and salt required for the AnyDesk connection and the hashed password\r\n5 | vpost (system.conf) | File containing the AnyDesk connection ID and settings\r\n6 | bimage | Scheduler XML file that executes default_an.vbs\r\nTable 3. Features by file\r\nAlthough all files downloaded by the “1.bat” file are copied to the %APPDATA%\\Microsoft\\Windows path, the paths configured in the downloaded files actually point to C:\\Users\\Public\\Videos, so the files are not executed as intended. This suggests that the file was built with a mistake relative to the threat actor’s intentions. If all file paths are assumed to be set identically, when the “default_an.ps1” file is executed by the scheduler, it executes the legitimate AnyDesk executable, “default_an.exe”. At this point, the script hides the AnyDesk tray icon and window to prevent the user from noticing it.\r\nWhen AnyDesk is launched, it creates configuration files such as “service.conf” and “system.conf” in the “%APPDATA%\\Anydesk” folder. The threat actor’s intention seems to be to replace these configuration files with their own in order to access the user’s system.\r\nFigure 4. AnyDesk configuration files\r\nEven when AnyDesk is running normally, the tray icon and window are hidden by the PowerShell script, making it difficult for users to realize that remote control is taking place without directly checking the process list. The left image in Figure 5 below shows the tray icon being displayed, and the right image shows the tray icon, connection window, and AnyDesk main screen not being displayed.\r\n※ In the image below, the connection ID in the configuration file is set to “1 699 290 623”, but the password is unknown. Therefore, the image shows the connection after changing the password arbitrarily.\r\nFigure 5. (Left) AnyDesk connection screen normally displayed (Right) Hidden AnyDesk connection screen\r\nThe Kimsuky group has been continuously launching APT attacks, impersonating others to target specific individuals. Recently, there has been a growing trend of threat actors exploiting legitimate software in their attacks or using shared drives like Google and Dropbox as C2 (Command and Control) storage. As shown in this case, these APT attacks are often disguised as topics related to the victim’s work or interests, increasing the risk of malware infection. For this reason, users are advised to refrain from opening files from unknown sources and to always check the file extension before opening them.\r\nIOC (MD5, URL, FQDN, IP)\r\nAdditional IOCs are available on AhnLab TIP.\r\nSource: https://asec.ahnlab.com/en/88465/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://asec.ahnlab.com/en/88465/"
	],
	"report_names": [
		"88465"
	],
	"threat_actors": [
		{
			"id": "191d7f9a-8c3c-442a-9f13-debe259d4cc2",
			"created_at": "2022-10-25T15:50:23.280374Z",
			"updated_at": "2026-04-10T02:00:05.305572Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"Kimsuky",
				"Black Banshee",
				"Velvet Chollima",
				"Emerald Sleet",
				"THALLIUM",
				"APT43",
				"TA427",
				"Springtail"
			],
			"source_name": "MITRE:Kimsuky",
			"tools": [
				"Troll Stealer",
				"schtasks",
				"Amadey",
				"GoBear",
				"Brave Prince",
				"CSPY Downloader",
				"gh0st RAT",
				"AppleSeed",
				"Gomir",
				"NOKKI",
				"QuasarRAT",
				"Gold Dragon",
				"PsExec",
				"KGH_SPY",
				"Mimikatz",
				"BabyShark",
				"TRANSLATEXT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "760f2827-1718-4eed-8234-4027c1346145",
			"created_at": "2023-01-06T13:46:38.670947Z",
			"updated_at": "2026-04-10T02:00:03.062424Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"G0086",
				"Emerald Sleet",
				"THALLIUM",
				"Springtail",
				"Sparkling Pisces",
				"Thallium",
				"Operation Stolen Pencil",
				"APT43",
				"Velvet Chollima",
				"Black Banshee"
			],
			"source_name": "MISPGALAXY:Kimsuky",
			"tools": [
				"xrat",
				"QUASARRAT",
				"RDP Wrapper",
				"TightVNC",
				"BabyShark",
				"RevClient"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c8bf82a7-6887-4d46-ad70-4498b67d4c1d",
			"created_at": "2025-08-07T02:03:25.101147Z",
			"updated_at": "2026-04-10T02:00:03.846812Z",
			"deleted_at": null,
			"main_name": "NICKEL KIMBALL",
			"aliases": [
				"APT43 ",
				"ARCHIPELAGO ",
				"Black Banshee ",
				"Crooked Pisces ",
				"Emerald Sleet ",
				"ITG16 ",
				"Kimsuky ",
				"Larva-24005 ",
				"Opal Sleet ",
				"Ruby Sleet ",
				"SharpTongue ",
				"Sparking Pisces ",
				"Springtail ",
				"TA406 ",
				"TA427 ",
				"THALLIUM ",
				"UAT-5394 ",
				"Velvet Chollima "
			],
			"source_name": "Secureworks:NICKEL KIMBALL",
			"tools": [
				"BabyShark",
				"FastFire",
				"FastSpy",
				"FireViewer",
				"Konni"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "71a1e16c-3ba6-4193-be62-be53527817bc",
			"created_at": "2022-10-25T16:07:23.753455Z",
			"updated_at": "2026-04-10T02:00:04.73769Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"APT 43",
				"Black Banshee",
				"Emerald Sleet",
				"G0086",
				"G0094",
				"ITG16",
				"KTA082",
				"Kimsuky",
				"Larva-24005",
				"Larva-25004",
				"Operation Baby Coin",
				"Operation Covert Stalker",
				"Operation DEEP#DRIVE",
				"Operation DEEP#GOSU",
				"Operation Kabar Cobra",
				"Operation Mystery Baby",
				"Operation Red Salt",
				"Operation Smoke Screen",
				"Operation Stealth Power",
				"Operation Stolen Pencil",
				"SharpTongue",
				"Sparkling Pisces",
				"Springtail",
				"TA406",
				"TA427",
				"Thallium",
				"UAT-5394",
				"Velvet Chollima"
			],
			"source_name": "ETDA:Kimsuky",
			"tools": [
				"AngryRebel",
				"AppleSeed",
				"BITTERSWEET",
				"BabyShark",
				"BoBoStealer",
				"CSPY Downloader",
				"Farfli",
				"FlowerPower",
				"Gh0st RAT",
				"Ghost RAT",
				"Gold Dragon",
				"GoldDragon",
				"GoldStamp",
				"JamBog",
				"KGH Spyware Suite",
				"KGH_SPY",
				"KPortScan",
				"KimJongRAT",
				"Kimsuky",
				"LATEOP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Lovexxx",
				"MailPassView",
				"Mechanical",
				"Mimikatz",
				"MoonPeak",
				"Moudour",
				"MyDogs",
				"Mydoor",
				"Network Password Recovery",
				"PCRat",
				"ProcDump",
				"PsExec",
				"ReconShark",
				"Remote Desktop PassView",
				"SHARPEXT",
				"SWEETDROP",
				"SmallTiger",
				"SniffPass",
				"TODDLERSHARK",
				"TRANSLATEXT",
				"Troll Stealer",
				"TrollAgent",
				"VENOMBITE",
				"WebBrowserPassView",
				"xRAT"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434906,
	"ts_updated_at": 1775826723,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/834c70e868674c305eb608c505b0d9ca42c1a145.pdf",
		"text": "https://archive.orkl.eu/834c70e868674c305eb608c505b0d9ca42c1a145.txt",
		"img": "https://archive.orkl.eu/834c70e868674c305eb608c505b0d9ca42c1a145.jpg"
	}
}