{
	"id": "cdf1f21f-7b32-45a3-b3ff-11ba2c6dc183",
	"created_at": "2026-04-06T00:21:50.459379Z",
	"updated_at": "2026-04-10T03:37:40.987561Z",
	"deleted_at": null,
	"sha1_hash": "99e86909ea744d3d394aceada2db1519b3e52fd5",
	"title": "Kimsuky Group Uses AutoIt to Create Malware (RftRAT, Amadey) - ASEC",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1263009,
	"plain_text": "Kimsuky Group Uses AutoIt to Create Malware (RftRAT, Amadey)\r\n- ASEC\r\nBy ATCP\r\nPublished: 2023-11-30 · Archived: 2026-04-05 17:22:23 UTC\r\nOverview\r\nInitial Access\r\n…. 2.1. Spear Phishing Attack\r\n…. 2.2. LNK Malware\r\nRemote Control Malware\r\n…. 3.1. XRat (Loader)\r\n…. 3.2. Amadey\r\n…. 3.3. Latest Attack Cases\r\n…….. 3.3.1. AutoIt Amadey\r\n…….. 3.3.2. RftRAT\r\nPost-infection\r\n…. 4.1. Keylogger\r\n…. 4.2. Infostealer\r\n…. 4.3. Other Types\r\nConclusion\r\n1. Overview\r\nThe Kimsuky threat group, deemed to be supported by North Korea, has been active since 2013. At first, they\r\nattacked North Korea-related research institutes in South Korea before attacking a South Korean energy\r\ncorporation in 2014. Cases of attacks against countries other than South Korea have also been identified since\r\n2017. [1] The group usually employs spear phishing attacks against the national defense sector, defense industries,\r\nthe press, the diplomatic sector, national organizations, and academic fields to steal internal information and\r\ntechnology from organizations. [2] (This link is only available in Korean.)\r\nEven until recently, the Kimsuky group was still mainly employing spear phishing attacks to gain initial access.\r\nWhat makes the recent attacks different from the previous cases is that more LNK shortcut-type malware are\r\nbeing used instead of malware in Hangul Word Processor (HWP) or MS Office document format. The threat actor\r\nled users to download a compressed file through attachments or download links within spear phishing emails.\r\nWhen this compressed file is decompressed, it yields a legitimate document file along with a malicious LNK file.\r\nASEC is monitoring the Kimsuky group’s attacks using LNK-type malware and is continuously posting identified\r\ncases of attacks on the ASEC Blog. 
The Kimsuky group installs remote control malware to control the infected\r\nsystem after completing such steps to gain initial access. Malware used by the Kimsuky group includes not only\r\ncustom-made malware such as AppleSeed and PebbleDash [3], but also open-source or commercial malware such as XRat\r\nhttps://asec.ahnlab.com/en/59590/\r\nPage 1 of 16\n\n[4], HVNC [5], Amadey [6], and Metasploit Meterpreter [7]. After gaining control, the threat actor ultimately uses\r\nRDP or installs Google’s Chrome Remote Desktop [8] to exfiltrate information from the infected system.\r\nHere we analyze Amadey and RftRAT, which were recently found being distributed. Amadey and RftRAT were\r\nconstantly used throughout 2023 alongside XRat. However, the recent variants were created with\r\nAutoIt. This post also covers Infostealers additionally installed by the Kimsuky group using remote control\r\nmalware. While remote control-type malware continuously change, the malware installed through these have not\r\nchanged much in the attacks in 2023.\r\n2. Initial Access\r\n2.1. Spear Phishing Attack\r\nIn the year 2023, ASEC covered cases of LNK malware distribution in posts such as “Malicious LNK File\r\nDisguised as a Normal HWP Document” [9], “Malicious LNK File Being Distributed, Impersonating the National\r\nTax Service” [10], and “Distribution of Malicious LNK File Disguised as Producing Corporate Promotional\r\nMaterials” [11].\r\nBy attaching files or including download links in the emails, the threat actor prompted users to download the\r\ncompressed file and execute the LNK shortcut file inside.\r\nFigure 1. LNK malware included in compressed files\r\n2.2. LNK Malware\r\nThe LNK file contains an encrypted compressed file, which in turn holds various malware in script format.\r\nFigure 2. 
Malware in script format contained within LNK files\r\nExecuting the LNK file decompresses the file, and ultimately, the script malware is run. The BAT and VBS scripts\r\ninside can either be used for executing other scripts or contain an Infostealer responsible for collecting and\r\nexfiltrating information from the infected system. There is also a script for maintaining persistence as well as a\r\ndownloader that downloads and executes additional payloads from an external source.\r\nAs such, malware in script format that run in infected systems install additional malware from an external source,\r\nmajor examples of which are backdoors called XRat, Amadey, and RftRAT. While these malware are all packed\r\nwith VMP when in distribution, recently, Amadey and RftRAT variants created with AutoIt have been used. After\r\na remote control malware is installed, keyloggers and Infostealers are installed to steal internal information and\r\ntechnology from the organizations.\r\n3. Remote Control Malware\r\n3.1. XRat (QuasarRAT)\r\nXRat is a RAT malware developed in .NET and was created based on QuasarRAT published on GitHub. It was\r\nconfirmed that the Kimsuky group was using XRat from a much earlier point in time. Recently, instead of in\r\nindependent executable or DLL file formats, this is being used in attacks as an encrypted payload. It consists of\r\nthe file “ht.dll” which is the loader, the data file “htsetting.ini” holding the configuration data, and an encrypted\r\npayload. This method seems to be for the purpose of bypassing security products.\r\nThe loader reads, decrypts, and injects the htsetting.ini file located in the same path. All ht.dll loaders identified so\r\nfar were packed with VMP, and the decrypted binary contained the following strings used by the threat actor.\r\nFigure 3. 
Loader ht.dll packed with VMP\r\nThe configuration file contains the name of the actual encrypted malware, the RC4 decryption key, and\r\ninformation on the legitimate file to inject into. Ht.dll references this information to read and decrypt the\r\nencrypted file before injecting it into a legitimate process. The payload that is injected and run in the end can be\r\nanother malware besides XRat, depending on the encrypted file.\r\n3.2. Amadey\r\nThe Kimsuky group also used Amadey Bot in their attacks. Amadey is a malware that began being sold on illegal\r\nforums. It is a downloader that installs additional malware from the C\u0026C server. Besides such downloader\r\nfeatures, it can also transmit basic information about the system or exfiltrate screenshots and account credentials\r\nsaved in web browsers and email clients depending on the settings or whether certain plugins are installed.\r\nThe Kimsuky group uses a dropper to install Amadey. This dropper, in DLL format, creates a randomly named\r\nhidden folder in the %PUBLIC% path where it drops the files it holds. The compressed file containing the actual\r\nAmadey is among the created files, and examining the compression size shows this file to be large, exceeding 300\r\nMB. This is also presumed to be an attempt to evade security products by intentionally increasing the size.\r\nFigure 4. Amadey-related files created in the Public path\r\nAfterward, it creates the path “%ALLUSERSPROFILE%\\Startup” and registers it to the Startup folder. Here, a\r\nscript named “svc.vbs” is created, which is responsible for maintaining persistence. Amadey, which is loaded and\r\nexecuted through the Rundll32.exe process, goes through svchost.exe before being injected into the iexplore.exe\r\nprocess and run.\r\nFigure 5. 
The infected system’s information transmitted to the C\u0026C server\r\nEven in 2023, the threat actor installed Amadey in many of their attacks, and in most instances, it was installed by\r\nthe same type of dropper. Said dropper also included RftRAT besides Amadey. RftRAT, like Amadey, also has a\r\nfile size exceeding 300 MB.\r\nThe RftRAT instances identified in these attacks were all packed with VMP like Amadey and were found to\r\ncontain the keyword “RFTServer” in the decrypted strings. RftRAT is a backdoor that can receive commands from\r\nthe C\u0026C server and execute them.\r\nFigure 6. Decrypted strings in RftRAT\r\n3.3. Latest Attack Cases\r\nIt was recently identified that the Kimsuky group has been using AutoIt to create malware. The Kimsuky group\r\nported Amadey, which it had been using in the past, to AutoIt and also used AutoIt for the purpose of injecting RftRAT.\r\nIn past attack cases, only the debug string RFTServer was found, but in recent attacks, a malware containing a\r\nPDB path was found. The string within the PDB path shows that the threat actor named this malware “rft” as a\r\nRAT type. Accordingly, said malware is categorized as “RftRAT” here.\r\nFigure 7. RftRAT’s PDB information\r\nPDB String: E:_WORK\\My_Work\\Exploit\\Spyware_spy\\RAT\\RFT_Socket_V3.2\\Release\\rft.pdb\r\n3.3.1. AUTOIT AMADEY\r\nAs covered above, Amadey is one of the malware that has been constantly used by the Kimsuky group. The\r\nversion of Amadey used by the Kimsuky group is different from the type used by other threat actors: Kimsuky\r\ngroup’s Amadey uses Domain Generation Algorithms (DGA), and when it scans for antivirus software installed in\r\nthe infected system, it also searches for product names from South Korean companies.\r\nThe recently identified Amadey is ported into the AutoIt language and has the same format as the types identified\r\nin the past attack cases. 
The threat actor installed both a legitimate AutoIt executable file and a compiled AutoIt\r\nscript in the infected system. The compiled AutoIt script is 100 MB in size for the purpose of hindering analysis\r\nand contains dummy data as shown below.\r\nFigure 8. The compiled AutoIt script file used in the attacks\r\nAlthough written in a different language, the decrypted AutoIt script can be considered to be the Amadey\r\nmalware. The HTTP request structure for sending the system information collected from the infected system to the\r\nC\u0026C server is identical to that of the typical Amadey.\r\nFigure 9. The structure of the HTTP packet that Amadey sends to the C\u0026C server\r\nBesides this, it also has a routine for checking for products from South Korean companies when retrieving the list\r\nof antivirus products installed in the infected system. Furthermore, it supports the feature to download additional\r\npayloads in not only an exe format, but also dll, PowerShell, vbs, and js formats.\r\nFigure 10. The script where Amadey’s routine is implemented\r\nAs mentioned above, the Amadey used by the Kimsuky group supports DGA. A DGA (Domain\r\nGeneration Algorithm) dynamically generates a domain (C\u0026C server address) instead of using a fixed one. After\r\ndynamically obtaining the C\u0026C server address based on the date, the Kimsuky group used this as a subsidiary\r\nC\u0026C server. When the connection to the C\u0026C server was down, the subsidiary C\u0026C server generated through\r\nDGA was used for communication.\r\nFigure 11. Amadey’s DGA\r\n3.3.2. RFTRAT\r\nThe AutoIt scripts used in the attacks include Amadey and RftRAT. The AutoIt executable file and the malicious\r\nAutoIt script are also created through a dropper. 
The following ASD log shows the execution log of\r\n“d015700.dll”, which is the dropper that installs RftRAT, and the log showing RftRAT ultimately creating an\r\nInfostealer after being injected into svchost.exe. Additionally, AppleSeed, another malware used by the Kimsuky\r\ngroup, was installed in the same system afterward.\r\nFigure 12. Kimsuky group’s attack log\r\nThe RftRAT used in previous attacks is in DLL format and packed in VMP, so an exact comparison is difficult.\r\nHowever, it was classified as a past version of RftRAT due to the fact that the same library file is used, that\r\nICMLuaUtil is used to bypass UAC, and that the path names used for saving C\u0026C communication and command\r\nresults are almost the same.\r\nFigure 13. Strings in a past version of RftRAT similar to the latest version\r\nThe compiled AutoIt script is similar to the Amadey in the case above, but it is actually an injector that executes\r\nsvchost.exe and injects RftRAT into it. The ultimate payload RftRAT cannot be executed independently. Data must\r\nbe read in from a mapped file named “A1CCA2EC-C09F-D33C-4317-7F71F0E2A976_0”. The injector AutoIt\r\nscript writes the paths of the AutoIt executable file and script into this file.\r\nFigure 14. The paths of AutoIt-related files transmitted through a file mapping process\r\nThe transmitted paths of the AutoIt executable file and script are used later on in the UAC bypassing stage.\r\nRftRAT uses the ICMLuaUtil interface of the CMSTPLUACOM component to bypass UAC and execute itself as\r\n
After being run as administrator, RftRAT collects basic information about the infected system and\r\nsends it to the C\u0026C server.\r\nOffset Data\r\n0x0000 Signature (0x963DA7EF)\r\n0x0004 Infected system’s ID\r\n0x0044 IP address\r\n0x014 Computer name\r\nTable 1. Data delivered to the C\u0026C server\r\nFigure 15. The packet used for communication with the C\u0026C server\r\nAfterward, it receives commands from the C\u0026C server. RftRAT writes the received commands to the path\r\n“%APPDATA%\\asc\\t1.pb” before decrypting them. Decryption yields the actual commands, which are written to\r\nthe same file and reread to be executed. The command, the execution results, and the additionally downloaded file\r\nare created in the paths below.\r\nPath Description\r\n%APPDATA%\\asc\\t1.pb Command downloaded from the C\u0026C server\r\n%APPDATA%\\asc\\t2.ax Command execution results\r\n%APPDATA%\\asc\\t3.br File downloaded through the download command\r\nTable 2. Files generated during the C\u0026C communication and command processes\r\nhttps://asec.ahnlab.com/en/59590/\r\nPage 11 of 16\n\nCommand Description\r\n0x00 Download file\r\n0x01 Upload file (zip compressed)\r\n0x02 Look up driver information\r\n0x04 Change file name\r\n0x05 Create directory\r\n0x06 Delete file\r\n0x07 Execute file (with UAC Bypass)\r\n0x08 Look up process information\r\n0x09 Terminate process\r\n0x0A Reverse shell\r\n0x0B Terminate process and delete file\r\n0x12 Terminate\r\n0x14 Wait\r\nTable 3. RftRAT’s commands\r\n4. Post-infection\r\nAfter taking control of the infected system, to exfiltrate information, the Kimsuky group installs various malware\r\nsuch as keyloggers and tools for extracting accounts and cookies from web browsers. The group also installs\r\nMimikatz and RDP Wrapper, which have both been steadily used for many years.\r\n4.1. Keylogger\r\nThe keylogger is usually installed in the path “%ALLUSERSPROFILE%\\startup\\NsiService.exe”. 
It persists in\r\nthe system and monitors key input from the user, which is saved in the path\r\n“%ALLUSERSPROFILE%\\semantec\\av\\C_1025.nls” or “%ALLUSERSPROFILE%\\Ahn\\av\\C_1025.nls”.\r\nAdditionally, “%ALLUSERSPROFILE%\\semantec” is a folder where the keylogger is installed, along with\r\nvarious malware covered in this article.\r\n4.2. Infostealer\r\nMalware for collecting information from web browsers were created in the\r\n“%ALLUSERSPROFILE%\\semantec\\” path under the names “GBIA.exe”, “GBIC.exe”, “GBS.exe”, and\r\n“GPIA.dll”. While most target account credentials and cookies saved in web browsers, there are types that collect\r\nfiles in the “Local Extension Settings” path, which is the configuration data related to Chrome extensions.\r\nFigure 16. Stealing account credentials from a web browser\r\nBesides these, the tool named “GPIA.exe” looks up all paths in the infected system and displays the files in each\r\nfolder. Because the file containing the paths of all files is naturally large, it also allows this file to be split-compressed.\r\nFigure 17. System path lookup tool\r\n4.3. Other Types\r\nA notable fact about the Kimsuky group is that it often abuses RDP for information theft. Accordingly, it either\r\ninstalls RDP Wrapper or uses a patcher malware for multiple sessions. Recently, there was a discovery of a\r\nmalware that monitors the login records of the user. This seems to be for the purpose of finding out when the user\r\nlogs in to use RDP to connect during idle times.\r\nThe file “taskhosts.exe” installed in the path “%ALLUSERSPROFILE%\\semantec\\” is an injector that injects\r\n“ipcheck.dll” into the “explorer.exe” and “runtimebroker.exe” processes. 
“ipcheck.dll” monitors the user’s log-on/log-off activities by hooking the “WinStationQueryInformationW()” and “ExitWindowsEx()” functions and the\r\nlog is saved in the path “%PUBLIC%\\Log64.txt”.\r\nFigure 18. Log-on and log-off records saved in the log file\r\nThe threat actor also used proxy malware. Proxy tools in the past were run by receiving command line arguments,\r\nbut the type used by Kimsuky reads and uses a configuration file named “setting.ini”. The port number 3389\r\nconfigured in the default address indicates that it is likely to establish an RDP connection to a private network.\r\nFigure 19. Proxy malware\r\n5. Conclusion\r\nThe Kimsuky threat group is continuously launching spear phishing attacks against South Korean users. Recently,\r\nmalicious LNK files have been distributed to South Korean users with various topics, so users are advised to\r\npractice particular caution.\r\nThe group usually employs the method of distributing malware through attachments or download links in emails.\r\nWhen a user executes them, the threat actor may be able to take control of the system that is currently in use. The\r\nKimsuky group has been newly creating and using various malware to control infected systems and steal\r\ninformation. Recently, the group has been using AutoIt to create malware to bypass security products.\r\nUsers must carefully check the senders of emails and refrain from opening files from unknown sources. 
It is also\r\nrecommended to apply the latest patch for OS and programs such as Internet browsers and update V3 to the latest\r\nversion to prevent such malware infection in advance.\r\nFile Detection\r\n– Downloader/Win.Amadey.R626032 (2023.11.30.00)\r\n– Backdoor/Win.Agent.R626033 (2023.11.30.00)\r\n– Downloader/Win.Amadey.C5462118 (2023.07.28.03)\r\n– Trojan/AU3.Loader (2023.11.22.01)\r\n– Dropper/Win.Agent.C5542993 (2023.11.17.02)\r\n– Trojan/Win.Agent.C5430096 (2023.05.20.00)\r\n– Infostealer/Win.Agent.R622445 (2023.11.17.02)\r\n– Downloader/Win.Amadey.C5479015 (2023.08.31.01)\r\n– Trojan/Win.Agent.C5485099 (2023.09.11.03)\r\n– Trojan/Win.Agent.C5479017 (2023.08.31.01)\r\n– Trojan/Win.Loader.C5479014 (2023.08.31.01)\r\n– Trojan/Win.Agent.C5465186 (2023.11.30.00)\r\n– Infostealer/Win.Agent.C5542999 (2023.11.17.02)\r\n– Infostealer/Win.Agent.C5542997 (2023.11.17.02)\r\n– Trojan/Win.Agent.C5451959 (2023.11.30.00)\r\n– Trojan/Win.Agent.Prevention.C5446554 (2023.11.30.00)\r\n– Trojan/Win.Agent.R589022 (2023.06.28.02)\r\n– Trojan/Win.Loader.R588248 (2023.11.30.00)\r\n– Trojan/Win.Agent.C5444839 (2023.11.30.00)\r\n– Trojan/Win.Stealer.C5441397 (2023.11.30.00)\r\n– Trojan/Win.KeyLogger.C5430090 (2023.05.20.00)\r\n– Malware/Win.Generic.C5430065 (2023.11.30.00)\r\n– Trojan/Win.Stealer.R579484 (2023.05.20.00)\r\n– Trojan/Win.Loader.C5430091 (2023.05.20.00)\r\n– Trojan/Win.KeyLogger.C5430092 (2023.05.20.00)\r\n– Trojan/Win.Loader.C5430099 (2023.05.20.00)\r\n– Trojan/Win.Proxy.C5430093 (2023.05.20.00)\r\n– Trojan/Win.Agent.C5430095 (2023.05.20.00)\r\nBehavior Detection\r\n– Persistence/MDP.AutoIt.M4766\r\n– Injection/MDP.Hollowing.M4767\r\nMD5\r\nAdditional IOCs are available on AhnLab 
TIP.\r\nURL\r\nAdditional IOCs are available on AhnLab TIP.\r\nGain access to related IOCs and detailed analysis by subscribing to AhnLab TIP.\r\nSource: https://asec.ahnlab.com/en/59590/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://asec.ahnlab.com/en/59590/"
	],
	"report_names": [
		"59590"
	],
	"threat_actors": [
		{
			"id": "191d7f9a-8c3c-442a-9f13-debe259d4cc2",
			"created_at": "2022-10-25T15:50:23.280374Z",
			"updated_at": "2026-04-10T02:00:05.305572Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"Kimsuky",
				"Black Banshee",
				"Velvet Chollima",
				"Emerald Sleet",
				"THALLIUM",
				"APT43",
				"TA427",
				"Springtail"
			],
			"source_name": "MITRE:Kimsuky",
			"tools": [
				"Troll Stealer",
				"schtasks",
				"Amadey",
				"GoBear",
				"Brave Prince",
				"CSPY Downloader",
				"gh0st RAT",
				"AppleSeed",
				"Gomir",
				"NOKKI",
				"QuasarRAT",
				"Gold Dragon",
				"PsExec",
				"KGH_SPY",
				"Mimikatz",
				"BabyShark",
				"TRANSLATEXT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "760f2827-1718-4eed-8234-4027c1346145",
			"created_at": "2023-01-06T13:46:38.670947Z",
			"updated_at": "2026-04-10T02:00:03.062424Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"G0086",
				"Emerald Sleet",
				"THALLIUM",
				"Springtail",
				"Sparkling Pisces",
				"Thallium",
				"Operation Stolen Pencil",
				"APT43",
				"Velvet Chollima",
				"Black Banshee"
			],
			"source_name": "MISPGALAXY:Kimsuky",
			"tools": [
				"xrat",
				"QUASARRAT",
				"RDP Wrapper",
				"TightVNC",
				"BabyShark",
				"RevClient"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c8bf82a7-6887-4d46-ad70-4498b67d4c1d",
			"created_at": "2025-08-07T02:03:25.101147Z",
			"updated_at": "2026-04-10T02:00:03.846812Z",
			"deleted_at": null,
			"main_name": "NICKEL KIMBALL",
			"aliases": [
				"APT43 ",
				"ARCHIPELAGO ",
				"Black Banshee ",
				"Crooked Pisces ",
				"Emerald Sleet ",
				"ITG16 ",
				"Kimsuky ",
				"Larva-24005 ",
				"Opal Sleet ",
				"Ruby Sleet ",
				"SharpTongue ",
				"Sparking Pisces ",
				"Springtail ",
				"TA406 ",
				"TA427 ",
				"THALLIUM ",
				"UAT-5394 ",
				"Velvet Chollima "
			],
			"source_name": "Secureworks:NICKEL KIMBALL",
			"tools": [
				"BabyShark",
				"FastFire",
				"FastSpy",
				"FireViewer",
				"Konni"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "71a1e16c-3ba6-4193-be62-be53527817bc",
			"created_at": "2022-10-25T16:07:23.753455Z",
			"updated_at": "2026-04-10T02:00:04.73769Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"APT 43",
				"Black Banshee",
				"Emerald Sleet",
				"G0086",
				"G0094",
				"ITG16",
				"KTA082",
				"Kimsuky",
				"Larva-24005",
				"Larva-25004",
				"Operation Baby Coin",
				"Operation Covert Stalker",
				"Operation DEEP#DRIVE",
				"Operation DEEP#GOSU",
				"Operation Kabar Cobra",
				"Operation Mystery Baby",
				"Operation Red Salt",
				"Operation Smoke Screen",
				"Operation Stealth Power",
				"Operation Stolen Pencil",
				"SharpTongue",
				"Sparkling Pisces",
				"Springtail",
				"TA406",
				"TA427",
				"Thallium",
				"UAT-5394",
				"Velvet Chollima"
			],
			"source_name": "ETDA:Kimsuky",
			"tools": [
				"AngryRebel",
				"AppleSeed",
				"BITTERSWEET",
				"BabyShark",
				"BoBoStealer",
				"CSPY Downloader",
				"Farfli",
				"FlowerPower",
				"Gh0st RAT",
				"Ghost RAT",
				"Gold Dragon",
				"GoldDragon",
				"GoldStamp",
				"JamBog",
				"KGH Spyware Suite",
				"KGH_SPY",
				"KPortScan",
				"KimJongRAT",
				"Kimsuky",
				"LATEOP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Lovexxx",
				"MailPassView",
				"Mechanical",
				"Mimikatz",
				"MoonPeak",
				"Moudour",
				"MyDogs",
				"Mydoor",
				"Network Password Recovery",
				"PCRat",
				"ProcDump",
				"PsExec",
				"ReconShark",
				"Remote Desktop PassView",
				"SHARPEXT",
				"SWEETDROP",
				"SmallTiger",
				"SniffPass",
				"TODDLERSHARK",
				"TRANSLATEXT",
				"Troll Stealer",
				"TrollAgent",
				"VENOMBITE",
				"WebBrowserPassView",
				"xRAT"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434910,
	"ts_updated_at": 1775792260,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/99e86909ea744d3d394aceada2db1519b3e52fd5.pdf",
		"text": "https://archive.orkl.eu/99e86909ea744d3d394aceada2db1519b3e52fd5.txt",
		"img": "https://archive.orkl.eu/99e86909ea744d3d394aceada2db1519b3e52fd5.jpg"
	}
}