{
	"id": "0da9bff9-3108-4118-8523-177d5f85d1cf",
	"created_at": "2026-04-06T00:06:32.39954Z",
	"updated_at": "2026-04-10T03:37:40.985005Z",
	"deleted_at": null,
	"sha1_hash": "8cd8841bca878595b459ade5e9631e2680af7b4d",
	"title": "TrollAgent That Infects Systems Upon Security Program Installation Process (Kimsuky Group) - ASEC",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1474669,
	"plain_text": "TrollAgent That Infects Systems Upon Security Program Installation Process (Kimsuky Group) - ASEC\r\nBy ATCP\r\nPublished: 2024-02-15 · Archived: 2026-04-05 18:49:03 UTC\r\nAhnLab SEcurity intelligence Center (ASEC) recently discovered that malware strains are downloaded into systems when users try to download security programs from a Korean construction-related association’s website. Login is required to use the website’s services, and various security programs must be installed to log in. Among the programs that must be installed for login, one of the installers had malware strains inside. When the user downloads and installs the installer, the malware strains are also installed along with the security program. The two types of malware strains installed through this process are as follows: a backdoor malware that receives the threat actor’s commands externally and then carries them out, and an Infostealer that collects information from the infected systems. Therefore, users may be victims of credential theft simply by installing security programs from the official website.\r\n1. Distribution Method\r\nUpon accessing and attempting to log in to the organization’s website, the website prompts the users to install security programs first (see Figure 1 below). Among the necessary security programs, “NX_PRNMAN” downloads the installer that has the aforementioned malware strains. This particular method is based on the time of analysis in mid-January 2024. Previously, around December 2023, the malware strains were included in the security program ‘TrustPKI’ and distributed through that program. According to internal test results, the modified installer is uploaded onto the website only at specific time frames, and only those who download the file during this specific time frame are exposed to the attacks.\r\nhttps://asec.ahnlab.com/en/61934/\r\nPage 1 of 7\r\nJudging by the number of modified installers that AhnLab has collected, there have been over 3,000 cases of infection.\r\nFigure 1. The login process of a certain Korean website\r\nThe installer is packed by VMProtect and is signed with a valid certificate from “D2Innovation”, a Korean defense company (see Figure 2). It appears that the threat actor stole a valid certificate to bypass the anti-malware product’s detection during the web browser’s download stage or file execution stage.\r\nFigure 2. The signature information of the installer that includes malware strains\r\nThe malicious installer not only installs malware but also the actual legitimate security program. The malware strains run in the background, making it difficult for users to realize that their systems have been infected. Once the “NX_PRNMAN” installer is run, the malware strains are installed along with legitimate files in the %APPDATA% directory and are executed by the rundll32.exe process (see Figure 3).\r\nFigure 3. The process tree of the malicious NX_PRNMAN installer\r\nNote that the “NX_PRNMAN” installer changed into malware in January 2024. Previously, around December 2023, the “TrustPKI” installer was used to install the same malware strains. Both malicious installers were signed with the same certificate from “D2Innovation”.\r\nFigure 4. The malicious TrustPKI installer’s process tree\r\n“TrustPKI” is the first discovered malware that was signed with the valid certificate of “D2Innovation”. It was a disguised malware created on December 12th, 2023, and the latest disguised malware is the “NX_PRNMAN” developed on January 11th, 2024.\r\nFigure 5. Signature information discovered since 2023\r\n2. Analysis of Installed Malware\r\n2.1. Infostealer (TrollAgent)\r\nThe malicious installer and most of the malware strains that are actually installed are packed by VMProtect and developed in GoLang. Most notably, the malware created in the %APPDATA% directory by the malicious installers is an Infostealer, which is malware that steals data from infected systems. It is developed in GoLang and is executed through rundll32.exe due to its DLL format. Based on the source code information (written in GoLang) inside the binary, the malware was found to have been named “troll” by the threat actor. The TrollAgent Infostealer provides multiple features that not only steal system information, but also credentials, cookies, bookmarks, history, and extensions saved in web browsers such as Chrome and Firefox.\r\nFigure 6. Troll Infostealer’s source code\r\n2.2. Backdoor (GoLang / C++)\r\nMost of the malicious installers install the Troll Infostealer, but may also simultaneously install backdoor malware strains. The C\u0026C branching commands of the backdoor malware strains used in these attacks are similar to the ones introduced in the following articles: “AppleSeed Being Distributed to Nuclear Power Plant-Related Companies” [1] uploaded in November 2022, and “Kimsuky Targets South Korean Research Institutes with Fake Import Declaration” [2] uploaded in November 2023.\r\nFigure 7. Branching commands of the backdoor malware strains (C++)\r\nFor this attack, the threat actor also utilized Endoor backdoor malware strains developed in GoLang with a similar form to the previous backdoor malware strains.\r\nFigure 8. Backdoor malware strains developed in GoLang\r\n3. Conclusion\r\nRecently, malware disguised as a legitimate security program was uploaded to a Korean construction-related association’s website. When users install security programs to log into the website, malware strains may also be installed along with the legitimate security program. The malware strains can steal user information stored in infected systems and receive commands from the threat actor via the C\u0026C server to perform various malicious activities. Users must update V3 to the latest version so that malware infection can be prevented.\r\nFile Detection\r\n– Dropper/Win.TrollAgent.C5572219 (2024.01.12.02)\r\n– Dropper/Win.TrollAgent.C5572604 (2024.01.12.02)\r\n– Dropper/Win.TrollAgent.C5572605 (2024.01.12.02)\r\n– Dropper/Win.TrollAgent.C5572607 (2024.01.12.02)\r\n– Dropper/Win.TrollAgent.C5572629 (2024.01.12.02)\r\n– Infostealer/Win.TrollAgent.C5572217 (2024.01.12.02)\r\n– Infostealer/Win.TrollAgent.C5572601 (2024.01.12.02)\r\n– Infostealer/Win.TrollAgent.R630772 (2024.01.12.02)\r\n– Backdoor/Win.D2Inv.C5572602 (2024.01.12.02)\r\n– Backdoor/Win.D2Inv.C5572603 (2024.01.12.02)\r\nMD5\r\nAdditional IOCs are available on AhnLab TIP.\r\nURL\r\nAdditional IOCs are available on AhnLab TIP.\r\nGain access to related IOCs and detailed analysis by subscribing to AhnLab TIP. For subscription details, click the banner below.\r\nSource: https://asec.ahnlab.com/en/61934/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"MITRE"
	],
	"references": [
		"https://asec.ahnlab.com/en/61934/"
	],
	"report_names": [
		"61934"
	],
	"threat_actors": [
		{
			"id": "191d7f9a-8c3c-442a-9f13-debe259d4cc2",
			"created_at": "2022-10-25T15:50:23.280374Z",
			"updated_at": "2026-04-10T02:00:05.305572Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"Kimsuky",
				"Black Banshee",
				"Velvet Chollima",
				"Emerald Sleet",
				"THALLIUM",
				"APT43",
				"TA427",
				"Springtail"
			],
			"source_name": "MITRE:Kimsuky",
			"tools": [
				"Troll Stealer",
				"schtasks",
				"Amadey",
				"GoBear",
				"Brave Prince",
				"CSPY Downloader",
				"gh0st RAT",
				"AppleSeed",
				"Gomir",
				"NOKKI",
				"QuasarRAT",
				"Gold Dragon",
				"PsExec",
				"KGH_SPY",
				"Mimikatz",
				"BabyShark",
				"TRANSLATEXT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "760f2827-1718-4eed-8234-4027c1346145",
			"created_at": "2023-01-06T13:46:38.670947Z",
			"updated_at": "2026-04-10T02:00:03.062424Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"G0086",
				"Emerald Sleet",
				"THALLIUM",
				"Springtail",
				"Sparkling Pisces",
				"Thallium",
				"Operation Stolen Pencil",
				"APT43",
				"Velvet Chollima",
				"Black Banshee"
			],
			"source_name": "MISPGALAXY:Kimsuky",
			"tools": [
				"xrat",
				"QUASARRAT",
				"RDP Wrapper",
				"TightVNC",
				"BabyShark",
				"RevClient"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c8bf82a7-6887-4d46-ad70-4498b67d4c1d",
			"created_at": "2025-08-07T02:03:25.101147Z",
			"updated_at": "2026-04-10T02:00:03.846812Z",
			"deleted_at": null,
			"main_name": "NICKEL KIMBALL",
			"aliases": [
				"APT43 ",
				"ARCHIPELAGO ",
				"Black Banshee ",
				"Crooked Pisces ",
				"Emerald Sleet ",
				"ITG16 ",
				"Kimsuky ",
				"Larva-24005 ",
				"Opal Sleet ",
				"Ruby Sleet ",
				"SharpTongue ",
				"Sparking Pisces ",
				"Springtail ",
				"TA406 ",
				"TA427 ",
				"THALLIUM ",
				"UAT-5394 ",
				"Velvet Chollima "
			],
			"source_name": "Secureworks:NICKEL KIMBALL",
			"tools": [
				"BabyShark",
				"FastFire",
				"FastSpy",
				"FireViewer",
				"Konni"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "71a1e16c-3ba6-4193-be62-be53527817bc",
			"created_at": "2022-10-25T16:07:23.753455Z",
			"updated_at": "2026-04-10T02:00:04.73769Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"APT 43",
				"Black Banshee",
				"Emerald Sleet",
				"G0086",
				"G0094",
				"ITG16",
				"KTA082",
				"Kimsuky",
				"Larva-24005",
				"Larva-25004",
				"Operation Baby Coin",
				"Operation Covert Stalker",
				"Operation DEEP#DRIVE",
				"Operation DEEP#GOSU",
				"Operation Kabar Cobra",
				"Operation Mystery Baby",
				"Operation Red Salt",
				"Operation Smoke Screen",
				"Operation Stealth Power",
				"Operation Stolen Pencil",
				"SharpTongue",
				"Sparkling Pisces",
				"Springtail",
				"TA406",
				"TA427",
				"Thallium",
				"UAT-5394",
				"Velvet Chollima"
			],
			"source_name": "ETDA:Kimsuky",
			"tools": [
				"AngryRebel",
				"AppleSeed",
				"BITTERSWEET",
				"BabyShark",
				"BoBoStealer",
				"CSPY Downloader",
				"Farfli",
				"FlowerPower",
				"Gh0st RAT",
				"Ghost RAT",
				"Gold Dragon",
				"GoldDragon",
				"GoldStamp",
				"JamBog",
				"KGH Spyware Suite",
				"KGH_SPY",
				"KPortScan",
				"KimJongRAT",
				"Kimsuky",
				"LATEOP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Lovexxx",
				"MailPassView",
				"Mechanical",
				"Mimikatz",
				"MoonPeak",
				"Moudour",
				"MyDogs",
				"Mydoor",
				"Network Password Recovery",
				"PCRat",
				"ProcDump",
				"PsExec",
				"ReconShark",
				"Remote Desktop PassView",
				"SHARPEXT",
				"SWEETDROP",
				"SmallTiger",
				"SniffPass",
				"TODDLERSHARK",
				"TRANSLATEXT",
				"Troll Stealer",
				"TrollAgent",
				"VENOMBITE",
				"WebBrowserPassView",
				"xRAT"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775433992,
	"ts_updated_at": 1775792260,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8cd8841bca878595b459ade5e9631e2680af7b4d.pdf",
		"text": "https://archive.orkl.eu/8cd8841bca878595b459ade5e9631e2680af7b4d.txt",
		"img": "https://archive.orkl.eu/8cd8841bca878595b459ade5e9631e2680af7b4d.jpg"
	}
}