{
	"id": "2b8234af-1479-4b02-912a-03a797cd656d",
	"created_at": "2026-04-06T00:12:11.53251Z",
	"updated_at": "2026-04-10T03:37:41.123612Z",
	"deleted_at": null,
	"sha1_hash": "8aceafada32998d60eb1c26278b11140b63fc12d",
	"title": "North Korean software supply chain attack targets stock investors",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2348031,
	"plain_text": "North Korean software supply chain attack targets stock investors\r\nBy Ax Sharma\r\nPublished: 2021-01-05 · Archived: 2026-04-05 17:06:04 UTC\r\nNorth Korean hacking group Thallium has targeted users of a private stock investment messenger service in a software supply chain attack, according to a report published this week.\r\nUp until now, the group mainly relied on phishing attacks, such as via Microsoft Office documents, to target its victims. Thallium is now leveraging multiple ways, such as shipping tainted Windows installers and macro-laden Office documents, to prey on investors.\r\nhttps://www.bleepingcomputer.com/news/security/north-korean-software-supply-chain-attack-targets-stock-investors/\r\nAttackers alter the installer of a stock investment app\r\nThis week, ESTsecurity Security Response Center (ESRC) reported on the North Korean hacking group altering a private stock investment messaging application to ship malicious code.\r\nThe group known as Thallium produced a Windows executable using Nullsoft Scriptable Install System (NSIS), a popular script-driven installer authoring tool for Microsoft Windows.\r\nThe executable contained malicious code in addition to the legitimate files of a real stock investment application.\r\nESTsecurity researchers have demonstrated at least two ways in which the attackers leverage the \"XSL Script Processing\" technique.\r\nWithin the legitimate installer of the stock investment platform, attackers injected specific commands that fetched a malicious XSL script from a rogue FTP server and executed it on Windows systems via the built-in wmic.exe utility.\r\nCommands pull malicious XSL script over FTP\r\nSource: ESTsecurity\r\nThe resultant installer, repackaged with Nullsoft's NSIS, would give the impression that the user was installing the real stock investment application while silently spinning up the malicious scripts in the background.\r\nThe next stage of the attack executes a VBScript to create files and folders titled 'OracleCache', 'PackageUninstall', and 'USODrive', among others, in the %ProgramData% directory.\r\nThe payload then connects to the command-and-control (C2) server hosted on frog.smtper[.]co to receive additional commands.\r\nVBScript that retrieves commands from C2 server\r\nSource: ESTsecurity\r\nThe malware achieves persistence by creating a rogue scheduled task called 'activate' under a misleading directory, 'Office 365__\\Windows\\Office', which instructs Windows Scheduler to run the dropped code every 15 minutes.\r\nThe threat actors perform reconnaissance of the infected system and, after an initial screening, deploy a Remote Access Trojan (RAT) on the machine to further conduct their sinister activities.\r\nExcel macros also used to deliver the payload\r\nESTsecurity researchers also observed Microsoft Office documents, such as Excel spreadsheets containing macros, distributing the aforementioned XSL script payload.\r\n\"ESRC is paying attention to the fact that the Thallium organization is using the 'XSL Script Processing' technique not only in spear phishing attacks based on malicious documents, but also for niche attacks including supply chain attacks,\" stated ESTsecurity researchers in their translated report.\r\nAccording to the researchers, the threat actors' reasons for targeting users investing in stock remain unclear.\r\nWhether the goal behind this attack was monetary gain or espionage on traders, supply chain attacks have become a common nuisance of these times.\r\nThe recent large-scale SolarWinds attack impacted over 18,000 entities including reputable government and private organizations.\r\nLast month, attackers targeted the open-source ecosystem RubyGems in a software supply chain attack to steal cryptocurrency from infected machines.\r\nUpdate 7-Jan-2021: Removed reference to APT37.\r\nSource: https://www.bleepingcomputer.com/news/security/north-korean-software-supply-chain-attack-targets-stock-investors/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/north-korean-software-supply-chain-attack-targets-stock-investors/"
	],
	"report_names": [
		"north-korean-software-supply-chain-attack-targets-stock-investors"
	],
	"threat_actors": [
		{
			"id": "6f30fd35-b1c9-43c4-9137-2f61cd5f031e",
			"created_at": "2025-08-07T02:03:25.082908Z",
			"updated_at": "2026-04-10T02:00:03.744649Z",
			"deleted_at": null,
			"main_name": "NICKEL FOXCROFT",
			"aliases": [
				"APT37 ",
				"ATK4 ",
				"Group 123 ",
				"InkySquid ",
				"Moldy Pisces ",
				"Operation Daybreak ",
				"Operaton Erebus ",
				"RICOCHET CHOLLIMA ",
				"Reaper ",
				"ScarCruft ",
				"TA-RedAnt ",
				"Venus 121 "
			],
			"source_name": "Secureworks:NICKEL FOXCROFT",
			"tools": [
				"Bluelight",
				"Chinotto",
				"GOLDBACKDOOR",
				"KevDroid",
				"KoSpy",
				"PoorWeb",
				"ROKRAT",
				"final1stpy"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "bbe36874-34b7-4bfb-b38b-84a00b07042e",
			"created_at": "2022-10-25T15:50:23.375277Z",
			"updated_at": "2026-04-10T02:00:05.327922Z",
			"deleted_at": null,
			"main_name": "APT37",
			"aliases": [
				"APT37",
				"InkySquid",
				"ScarCruft",
				"Group123",
				"TEMP.Reaper",
				"Ricochet Chollima"
			],
			"source_name": "MITRE:APT37",
			"tools": [
				"BLUELIGHT",
				"CORALDECK",
				"KARAE",
				"SLOWDRIFT",
				"ROKRAT",
				"SHUTTERSPEED",
				"POORAIM",
				"HAPPYWORK",
				"Final1stspy",
				"Cobalt Strike",
				"NavRAT",
				"DOGCALL",
				"WINERACK"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "552ff939-52c3-421b-b6c9-749cbc21a794",
			"created_at": "2023-01-06T13:46:38.742547Z",
			"updated_at": "2026-04-10T02:00:03.08515Z",
			"deleted_at": null,
			"main_name": "APT37",
			"aliases": [
				"Operation Daybreak",
				"Red Eyes",
				"ScarCruft",
				"G0067",
				"Group123",
				"Reaper Group",
				"Ricochet Chollima",
				"ATK4",
				"APT 37",
				"Operation Erebus",
				"Moldy Pisces",
				"APT-C-28",
				"Group 123",
				"InkySquid",
				"Venus 121"
			],
			"source_name": "MISPGALAXY:APT37",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "191d7f9a-8c3c-442a-9f13-debe259d4cc2",
			"created_at": "2022-10-25T15:50:23.280374Z",
			"updated_at": "2026-04-10T02:00:05.305572Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"Kimsuky",
				"Black Banshee",
				"Velvet Chollima",
				"Emerald Sleet",
				"THALLIUM",
				"APT43",
				"TA427",
				"Springtail"
			],
			"source_name": "MITRE:Kimsuky",
			"tools": [
				"Troll Stealer",
				"schtasks",
				"Amadey",
				"GoBear",
				"Brave Prince",
				"CSPY Downloader",
				"gh0st RAT",
				"AppleSeed",
				"Gomir",
				"NOKKI",
				"QuasarRAT",
				"Gold Dragon",
				"PsExec",
				"KGH_SPY",
				"Mimikatz",
				"BabyShark",
				"TRANSLATEXT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "760f2827-1718-4eed-8234-4027c1346145",
			"created_at": "2023-01-06T13:46:38.670947Z",
			"updated_at": "2026-04-10T02:00:03.062424Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"G0086",
				"Emerald Sleet",
				"THALLIUM",
				"Springtail",
				"Sparkling Pisces",
				"Thallium",
				"Operation Stolen Pencil",
				"APT43",
				"Velvet Chollima",
				"Black Banshee"
			],
			"source_name": "MISPGALAXY:Kimsuky",
			"tools": [
				"xrat",
				"QUASARRAT",
				"RDP Wrapper",
				"TightVNC",
				"BabyShark",
				"RevClient"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c8bf82a7-6887-4d46-ad70-4498b67d4c1d",
			"created_at": "2025-08-07T02:03:25.101147Z",
			"updated_at": "2026-04-10T02:00:03.846812Z",
			"deleted_at": null,
			"main_name": "NICKEL KIMBALL",
			"aliases": [
				"APT43 ",
				"ARCHIPELAGO ",
				"Black Banshee ",
				"Crooked Pisces ",
				"Emerald Sleet ",
				"ITG16 ",
				"Kimsuky ",
				"Larva-24005 ",
				"Opal Sleet ",
				"Ruby Sleet ",
				"SharpTongue ",
				"Sparking Pisces ",
				"Springtail ",
				"TA406 ",
				"TA427 ",
				"THALLIUM ",
				"UAT-5394 ",
				"Velvet Chollima "
			],
			"source_name": "Secureworks:NICKEL KIMBALL",
			"tools": [
				"BabyShark",
				"FastFire",
				"FastSpy",
				"FireViewer",
				"Konni"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "71a1e16c-3ba6-4193-be62-be53527817bc",
			"created_at": "2022-10-25T16:07:23.753455Z",
			"updated_at": "2026-04-10T02:00:04.73769Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"APT 43",
				"Black Banshee",
				"Emerald Sleet",
				"G0086",
				"G0094",
				"ITG16",
				"KTA082",
				"Kimsuky",
				"Larva-24005",
				"Larva-25004",
				"Operation Baby Coin",
				"Operation Covert Stalker",
				"Operation DEEP#DRIVE",
				"Operation DEEP#GOSU",
				"Operation Kabar Cobra",
				"Operation Mystery Baby",
				"Operation Red Salt",
				"Operation Smoke Screen",
				"Operation Stealth Power",
				"Operation Stolen Pencil",
				"SharpTongue",
				"Sparkling Pisces",
				"Springtail",
				"TA406",
				"TA427",
				"Thallium",
				"UAT-5394",
				"Velvet Chollima"
			],
			"source_name": "ETDA:Kimsuky",
			"tools": [
				"AngryRebel",
				"AppleSeed",
				"BITTERSWEET",
				"BabyShark",
				"BoBoStealer",
				"CSPY Downloader",
				"Farfli",
				"FlowerPower",
				"Gh0st RAT",
				"Ghost RAT",
				"Gold Dragon",
				"GoldDragon",
				"GoldStamp",
				"JamBog",
				"KGH Spyware Suite",
				"KGH_SPY",
				"KPortScan",
				"KimJongRAT",
				"Kimsuky",
				"LATEOP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Lovexxx",
				"MailPassView",
				"Mechanical",
				"Mimikatz",
				"MoonPeak",
				"Moudour",
				"MyDogs",
				"Mydoor",
				"Network Password Recovery",
				"PCRat",
				"ProcDump",
				"PsExec",
				"ReconShark",
				"Remote Desktop PassView",
				"SHARPEXT",
				"SWEETDROP",
				"SmallTiger",
				"SniffPass",
				"TODDLERSHARK",
				"TRANSLATEXT",
				"Troll Stealer",
				"TrollAgent",
				"VENOMBITE",
				"WebBrowserPassView",
				"xRAT"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434331,
	"ts_updated_at": 1775792261,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8aceafada32998d60eb1c26278b11140b63fc12d.pdf",
		"text": "https://archive.orkl.eu/8aceafada32998d60eb1c26278b11140b63fc12d.txt",
		"img": "https://archive.orkl.eu/8aceafada32998d60eb1c26278b11140b63fc12d.jpg"
	}
}