{
	"id": "4e9485a5-72aa-46c9-8fb0-b7061af57a12",
	"created_at": "2026-04-06T00:11:35.690287Z",
	"updated_at": "2026-04-10T13:11:38.150663Z",
	"deleted_at": null,
	"sha1_hash": "a5224c271580d986f69bb84e5e39df1f4a1b6e47",
	"title": "NKNShell Malware Distributed via VPN Website - ASEC",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 6995443,
	"plain_text": "NKNShell Malware Distributed via VPN Website - ASEC\r\nBy ATCP\r\nPublished: 2025-11-16 · Archived: 2026-04-02 11:59:26 UTC\r\nAhnLab SEcurity intelligence Center (ASEC) has confirmed that malware has been uploaded to the website of a\r\nSouth Korean VPN provider. Based on the distribution method and characteristics of the malware used, this attack\r\nappears to be the work of the same threat actor who has been targeting South Korean VPN providers since 2023.\r\nIn previous cases, the attacker ultimately installed backdoors such as SparkRAT, MeshAgent, and Sliver to control\r\nthe infected systems. In the latest incident, MeshAgent with similar PDB paths was again observed, along with a\r\nnewly identified backdoor named NKNShell. NKNShell is notable for using NKN and MQTT protocols for\r\ncommunication with its C\u0026C server.\r\nSparkRAT Being Distributed Within a Korean VPN Installer\r\nAnalysis of Attack Cases: From Korean VPN Installations to MeshAgent Infections\r\nSliver C2 Being Distributed Through Korean Program Development Company\r\n1. Malware Distribution\r\nAs of November 2025, malware is still being downloaded from the Korean VPN provider’s website. When the\r\ndownloaded archive is extracted and executed, the legitimate VPN installation proceeds while simultaneously\r\nusing PowerShell to download and execute a PowerShell script. This script installs various malware, including the\r\nNKNShell backdoor, MeshAgent, and gs-netcat. This article will analyze the malware according to each flow.\r\nhttps://asec.ahnlab.com/en/91139/\r\nPage 1 of 13\n\nFigure 1. Downloaded from the Korean VPN provider’s website\r\n2. Malware Analysis\r\n2.1. Trojanized Installer\r\nhttps://asec.ahnlab.com/en/91139/\r\nPage 2 of 13\n\nFigure 2. Flowchart\r\nThe installer is written in Go and signed with an invalid certificate impersonating NVIDIA. It checks for virtual\r\nmachine environments using code borrowed from GoDefender [1]. 
Afterward, it executes itself as a child\r\nprocess with a PowerShell download command as an argument. The child process downloads a separate PowerShell console, loads it\r\ninto memory, and runs Base64-encoded commands through it.\r\nThis console is a PowerShell host developed in C/C++ that disables security features such as AMSI, so commands\r\nexecuted through it evade AMSI-based detection. The commands run through this console are responsible for downloading\r\nand executing the “sql-auto.ps1” script from external sources.\r\n2.2. PowerShell Downloader Script – 1 (sql-auto.ps1)\r\nThe “sql-auto.ps1” script acts as a downloader for additional malware. Evidence suggests the attacker used\r\ngenerative AI to create the malware; this applies not only to the executables but also to the PowerShell scripts.\r\nFigure 3. Comment string that is suspected to have been written by AI\r\nThe “sql-auto.ps1” script has various features, but many of them are commented out and therefore never run. The script\r\nattempts to disable Windows Defender, add exclusion paths, and execute the “Null-AMSI” script developed by\r\nBlackShell256 to bypass AMSI. [2] The most important feature of “sql-auto.ps1” is downloading additional\r\npayloads from external sources. There are two types of downloads: the SQLMap malware (currently\r\ncommented out) and a second downloader script called “install.ps1”.\r\n2.3. PowerShell Downloader Script – 2 (install.ps1)\r\nThis script includes functionality to disable Event Tracing for Windows (ETW) using “Invoke-NullAMSI” and\r\nregisters a WMI event filter named “Cleanup” for persistence; the consumer bound to this filter runs the actual\r\ndownloader script it contains. After this, it terminates the processes that will later be injected with malware\r\nand executes the script directly.\r\nFigure 4. 
Registered WMI filter and consumer\r\nThe script ultimately executed supports 15 UAC bypass techniques, but none of them are actually used. The\r\nsupported features include known UAC bypass methods such as fodhelper.exe, slui.exe, the SilentCleanup scheduled task,\r\nsdclt.exe, perfmon.exe, eventvwr.exe, compmgmtlauncher.exe, computerdefaults.exe, token manipulation, and\r\ncmstp.exe.\r\nThe actual function of the script is to download and install the gs-netcat, MeshAgent, and NKNShell backdoors.\r\nAdditionally, the script runs the NKNShell backdoor by injecting it into Microsoft Edge, Notepad, Calculator, and Paint\r\nprocesses.\r\n2.4. MeshAgent\r\nMeshAgent, part of the open-source MeshCentral remote management tool, provides system control commands\r\nand remote desktop features (VNC, RDP). Threat actors have been using MeshAgent in their attacks for a long\r\ntime. The MeshAgent used in these attacks was built by the threat actors themselves from the MeshAgent source and carries the following PDB\r\npaths:\r\nC:\\Users\\anfdh\\Downloads\\MeshAgent-master\\MeshAgent-master\\Release\\MeshService64.pdb\r\nC:\\Users\\anfdh\\Downloads\\MeshAgent-master (1)\\MeshAgent-master\\Release\\MeshService64.pdb\r\nC:\\Users\\anfdh\\Downloads\\MeshAgent-master (2)\\MeshAgent-master\\Release\\MeshService64.pdb\r\nThe “new-ms.ps1” script downloads MeshAgent to the “%LOCALAPPDATA%\\svchost\\services.exe” path and\r\nplaces the “services.msh” configuration file in the same path, so that the agent uses this configuration. The configuration\r\nfile contains the C\u0026C server address as shown below.\r\nFigure 5. Configuration file containing the C\u0026C server address\r\n2.5. gs-netcat\r\ngs-netcat, part of the Global Socket tools, uses the Global Socket Relay Network (GSRN) for communication. 
gs-netcat is the GSRN version of netcat: both endpoints connect outbound to the relay network and authenticate with a shared password, so the attacker can reach the host\r\neven when it is located in an internal network behind NAT or a firewall.\r\nThe “gsocks.ps1” script downloads the “file.zip” archive and decompresses it into the “c:\\windows\\linux”\r\ndirectory; the archive includes gs-netcat as “cached.exe”. The script also creates “windows.sh” and executes it using bash.exe. The\r\npassword for gs-netcat is set in “windows.sh”. Threat actors can access the infected system from external sources\r\nusing this password. In other words, the “gsocks.ps1” script is responsible for installing a remote shell based on gs-netcat.\r\nFigure 6. Installation path and execution script of gs-netcat\r\nAdditionally, the execution of the “windows.sh” script via “bash.exe” is registered as a scheduled task named\r\n“Windows Linux System,” ensuring persistence. Furthermore, the system’s basic information, including the\r\npassword for gs-netcat, is transmitted to the C\u0026C server (threat actor) via PowerShell commands.\r\nFigure 7. Log transmission routine\r\n2.6. NKNShell\r\nThe malware installed and executed under the name PX.exe is a backdoor written in the Go programming\r\nlanguage. Based on Go function names and strings such as “NKN Shell Client,” it is clear that the malware author\r\nnamed it NKNShell. NKN stands for New Kind of Network, a blockchain-based P2P networking protocol. In\r\npractice, the malware uses not only the NKN protocol but also MQTT (Message Queuing Telemetry Transport)\r\nfor communication with its C\u0026C server.\r\nOne notable characteristic of NKNShell is that it appears to have been developed using AI tools. Similar to the\r\npreviously analyzed PowerShell scripts, the binary contains Korean-language comments, and the presence of\r\nemojis suggests that the developer leveraged generative AI during its creation.\r\nFigure 8. 
Comment string included in the binary\r\nA. C\u0026C Communication\r\nNKNShell, developed in Go, uses the NKN and MQTT protocols to communicate with its C\u0026C server and\r\nreceive commands. The use of the blockchain-based P2P networking protocol NKN for C\u0026C communication has\r\nbeen seen before in malware such as NKAbuse and the open-source backdoor NGLite. The malware generates a\r\nunique ID, an NKN address, which is then used to connect to a seed node. After establishing this connection,\r\nthe malware sends the collected information to attacker-controlled addresses that are hardcoded into the binary.\r\nFigure 9. Request packet to the seed node\r\nNKNShell also uses the MQTT messaging protocol alongside NKN for communication with its C\u0026C server. It\r\nfirst connects to specific MQTT brokers (listed below), using the same Client ID generated during the NKN process. As part of the\r\nconnection, it sets a Will message (LWT: Last Will \u0026 Testament) for a designated topic. As with the NKN\r\nchannel, the malware transmits the system information collected from the infected host. As a result, any attacker\r\nsubscribed to that topic can later retrieve detailed information about the compromised system; because the brokers are public, so can anyone else who subscribes.\r\nMQTT Broker Address – 1: broker.emqx[.]io:1833\r\nMQTT Broker Address – 2: broker.hivemq[.]com:1833\r\nMQTT Broker Address – 3: broker.mqtt[.]cool:1833\r\nMQTT Broker Address – 4: broker.mosquitto[.]org:1833\r\nAll four are public test brokers that accept unauthenticated connections, so the attacker needs no infrastructure of their own and the traffic blends in with legitimate MQTT telemetry. Note that the report lists port 1833 for every broker; the standard plaintext MQTT port on these services is 1883, so confirm the port against the binary or a capture before writing a network rule.\r\nFigure 10. Packet in the process of connecting to the MQTT broker\r\nAdditionally, NKNShell computes the MD5 hash of its Client ID and subscribes to a topic named after that\r\nhash. The attacker, having received the Client ID from the Will message, can determine which MD5-based topic\r\nthe infected system is subscribed to. 
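The MQTT side of this exchange, as an added example that is not part of the ASEC report and is not NKNShell's code: a Python 3 script (standard library only) that builds an MQTT 3.1.1 CONNECT packet carrying a Last Will message, parses it the way a defender would parse a CONNECT captured on the wire, and derives the MD5 command topic from the Client ID as the report describes. The Client ID, the Will topic name and the JSON payload are constructed sample values, not indicators from the report.

```python
import hashlib
import json
import struct

# Constructed sample values for the demonstration (assumptions, not IOCs).
SAMPLE_CLIENT_ID = "3f2a9c1e5b7d4a6f8c0e1d2b3a4f5e6d"
SAMPLE_WILL_TOPIC = "nkn/clients"        # assumed topic name
SAMPLE_WILL_PAYLOAD = json.dumps({       # mimics Table 1 fields, not real data
    "id": SAMPLE_CLIENT_ID, "hostinfo": "DESKTOP-TEST",
    "isadmin": False, "version": "1.0.7",
})


def encode_string(s: str) -> bytes:
    """MQTT UTF-8 string: 2-byte big-endian length, then the bytes."""
    data = s.encode("utf-8")
    return struct.pack(">H", len(data)) + data


def encode_remaining_length(n: int) -> bytes:
    """Variable-length Remaining Length: 7 data bits per byte, MSB = continue."""
    out = bytearray()
    while True:
        byte, n = n % 128, n // 128
        out.append(byte | 0x80 if n else byte)
        if not n:
            return bytes(out)


def build_connect(client_id, will_topic=None, will_payload=None, keep_alive=60):
    """Build a CONNECT packet as an MQTT 3.1.1 client would send it."""
    flags = 0x02                           # Clean Session
    payload = encode_string(client_id)
    if will_topic is not None:
        flags |= 0x04                      # Will Flag: topic + message follow
        payload += encode_string(will_topic) + encode_string(will_payload)
    body = (encode_string("MQTT") + bytes([0x04, flags])
            + struct.pack(">H", keep_alive) + payload)
    return bytes([0x10]) + encode_remaining_length(len(body)) + body


def _read_string(buf, pos):
    (n,) = struct.unpack_from(">H", buf, pos)
    pos += 2
    if pos + n > len(buf):
        raise ValueError("truncated string field")
    return buf[pos:pos + n].decode("utf-8"), pos + n


def _read_remaining_length(buf, pos):
    value, multiplier = 0, 1
    while True:
        byte, pos = buf[pos], pos + 1
        value += (byte & 0x7F) * multiplier
        if not byte & 0x80:
            return value, pos
        multiplier *= 128
        if multiplier > 128 ** 3:
            raise ValueError("malformed Remaining Length")


def parse_connect(packet: bytes) -> dict:
    """Extract Client ID and Last Will topic/payload from a CONNECT packet."""
    if packet[0] >> 4 != 1:
        raise ValueError("not a CONNECT packet")
    remaining, pos = _read_remaining_length(packet, 1)
    if pos + remaining > len(packet):
        raise ValueError("truncated packet")
    proto, pos = _read_string(packet, pos)
    level, flags = packet[pos], packet[pos + 1]
    (keep_alive,) = struct.unpack_from(">H", packet, pos + 2)
    pos += 4
    client_id, pos = _read_string(packet, pos)
    info = {"protocol": proto, "level": level, "keep_alive": keep_alive,
            "client_id": client_id, "will_topic": None, "will_payload": None}
    if flags & 0x04:                       # Will Flag set in the Connect Flags
        info["will_topic"], pos = _read_string(packet, pos)
        info["will_payload"], pos = _read_string(packet, pos)
    return info


def command_topic(client_id: str) -> str:
    """Topic the bot subscribes to: hex MD5 of its Client ID (per the report)."""
    return hashlib.md5(client_id.encode("utf-8")).hexdigest()


def analyze_connect(packet: bytes) -> dict:
    """Parse a captured CONNECT and derive the topic on which commands arrive."""
    info = parse_connect(packet)
    info["command_topic"] = command_topic(info["client_id"])
    return info


def sample_connect_packet() -> bytes:
    return build_connect(SAMPLE_CLIENT_ID, SAMPLE_WILL_TOPIC, SAMPLE_WILL_PAYLOAD)


if __name__ == "__main__":
    print(json.dumps(analyze_connect(sample_connect_packet()), indent=2))
```

Two points matter for detection. The broker only publishes a Will message after the client drops without sending DISCONNECT, but the Will topic and payload are already carried inside the CONNECT packet, so a capture of the initial connection to the broker exposes the same host information and the Client ID. And because the brokers are public, a defender holding the Client ID can subscribe to the MD5 topic with an ordinary MQTT client and watch the commands the attacker publishes; the same openness is what lets the attacker run this channel without infrastructure.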
This allows the attacker to publish commands to that topic, effectively\r\ndelivering instructions to the compromised host.\r\nItem | Information\r\narch | Architecture\r\ncpuusage | CPU usage\r\nhostinfo | Computer name\r\nisadmin | Administrator privileges\r\nlanip | IP address\r\nmac | MAC address\r\nnum_cpu | Number of CPU cores\r\nos | Operating system\r\nosinfo | Operating system information (Windows version, etc.)\r\npathinfo | Malware path\r\nram | RAM information\r\nusername | User name\r\nversion | Malware version (1.0.7 in the analyzed sample)\r\nwanip | External IP\r\nTable 1. List of information transmitted\r\nB. Supported Commands\r\nNKNShell receives the following commands via the NKN and MQTT protocols. These commands cover typical\r\nbackdoor functionality such as information gathering and remote control, similar to what most backdoors\r\nsupport. However, some features appear to be only partially implemented or not functional at all.\r\nCommand | Description\r\nps | Retrieve process list\r\nbof | Execute BOF (Beacon Object File)\r\nrem | Remote proxy\r\nping | Ping\r\nattack | DDoS attack commands (tcp, udp, http flood)\r\nconfig | Download configuration\r\ncommand | Execute command\r\nsideload | DLL sideloading\r\nspawndll | Load DLL into memory\r\nfile_list | Retrieve file list\r\ninjection | Code injection\r\nmigration | Not implemented\r\nclear_log | Delete event logs, registry entries, and Prefetch files\r\nexecution | Execute command\r\ndisconnect | Disconnect\r\nexecute_pe | Execute PE from memory\r\nscreenshot | Capture screenshot\r\ncodesigning | Not implemented\r\nsteal_token | Steal token\r\nfile_delete | Delete file\r\nfile_upload | Upload file\r\nfile_execute | Execute file\r\nclone_session | Clone session\r\nfile_download | Download file\r\ninject_process | Inject into process\r\npostmsf_cshrp | Not implemented\r\nset_encryption | Enable message encryption\r\nexecute_csharp | Execute assembly\r\npython | Execute Python script\r\nget_systeminfo | Collect system info (architecture, CPU, OS version, etc.)\r\nps_session_exec | Execute command in PowerShell session\r\nexecute_assembly | Execute assembly\r\nimpersonate_user | Impersonate user\r\nps_session_start | Start PowerShell session\r\nps_session_stop | Stop PowerShell session\r\nexecute_shellcode | Execute shellcode\r\nenumerate_sessions | Enumerate sessions\r\nexecute_powershell | Execute PowerShell\r\nhijack_codesigning | Spoof code signing\r\nmigrate_cobaltstrike | Not implemented\r\nprocess_manipulation | Process manipulation (inject DLL, memory dump, hijack token, kill, resume, suspend)\r\nexecute_charp_bypass | Not implemented\r\ninject_system_process | Inject into system process\r\nspoof_microsoft_signature | Not implemented\r\nTable 2. Commands supported by NKNShell\r\nFigure 11. Receiving the ping command in the MQTT protocol\r\nC. Update\r\nInstead of using standard commands for updates, NKNShell relies on separate infrastructure: additional C\u0026C servers or anonymous publishing platforms such as Telegraph (telegra[.]ph, te.legra[.]ph,\r\ngraph[.]org). The malware periodically selects one of these domains at random, appends a URL path, and connects to\r\nit.\r\nThe page it fetches contains a Base64-encoded string uploaded by the attacker. Decoding this Base64 string\r\nreveals the URL of the payload for the malware update.\r\nFigure 12. Update address uploaded to Telegraph\r\n2.7. SQLMap Malware\r\nAlthough it was commented out in the PowerShell script at the time of analysis, ‘main.exe’ (the SQLMap\r\nmalware) was actually used in the real attack. SQLMap is an open-source tool that tests the web application URLs passed to it as arguments for SQL injection vulnerabilities. When the SQLMap malware runs, it\r\ncreates a folder named “sqlmap-win64” in the same directory and installs the SQLMap tool there.\r\nFigure 13. 
Log showing the execution of the SQLMap malware\r\nIt is likely that the scanning target addresses are then received from another C\u0026C server. The fact that messages\r\nare continuously published to a specific MQTT topic suggests that the scanning results are transmitted\r\nto this topic.\r\n3. Conclusion\r\nThe Larva-24010 threat actor is distributing malware through the website of a Korean VPN service provider. As a\r\nresult, when a user downloads and runs the installer from the VPN website, malware can be installed on the\r\nsystem. Since at least 2023, the Larva-24010 threat actor has been targeting Korean VPN users to spread malware,\r\nultimately installing various backdoors such as MeshAgent, gs-netcat, and NKNShell. Through these, the attacker\r\ncan control infected systems where the VPN is installed and steal sensitive information stored on them.\r\nMD5\r\n0696da5b242023308ad45c50666b2b96\r\n0dfea610a526b0d458e84c6cd604b2ab\r\n21067f677b8ac8d843a56cd2c19356ff\r\n2e9bf8bf256a0c60402e05d6f20c6e3d\r\n60f153778e843fc04c6ab239ca650a89\r\nAdditional IOCs are available on AhnLab TIP.\r\nURL\r\nhttps[:]//camo[.]hach[.]chat/?proxyUrl=https[:]//dnot[.]sh/\r\nhttps[:]//inspiring-monstera-5c3688[.]netlify[.]app/afsocks\r\nhttps[:]//microsoft[.]devq[.]workers[.]dev/newms[.]exe\r\nhttps[:]//openai-proxy[.]napdev[.]workers[.]dev/?url=https[:]//pub-fd29cd63fb8c4b7fb0c7d3fa893212b9[.]r2[.]dev/Protect[.]exe\r\nhttps[:]//proxy[.]wingram[.]org/?proxyUrl=https[:]//microsoft[.]devq[.]workers[.]dev/newms[.]exe\r\nAdditional IOCs are available on AhnLab TIP.\r\nFQDN\r\nkttelecom[.]duckdns[.]org\r\nspiffy-crepe-c667e8[.]netlify[.]app\r\nAdditional IOCs are available on AhnLab TIP.\r\nGain access to related IOCs and detailed analysis by subscribing to AhnLab TIP. 
Source: https://asec.ahnlab.com/en/91139/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://asec.ahnlab.com/en/91139/"
	],
	"report_names": [
		"91139"
	],
	"threat_actors": [
		{
			"id": "d02e6c90-a076-420c-929e-670c968d1cde",
			"created_at": "2026-01-18T02:00:03.061946Z",
			"updated_at": "2026-04-10T02:00:03.899224Z",
			"deleted_at": null,
			"main_name": "Larva-24010",
			"aliases": [],
			"source_name": "MISPGALAXY:Larva-24010",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434295,
	"ts_updated_at": 1775826698,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a5224c271580d986f69bb84e5e39df1f4a1b6e47.pdf",
		"text": "https://archive.orkl.eu/a5224c271580d986f69bb84e5e39df1f4a1b6e47.txt",
		"img": "https://archive.orkl.eu/a5224c271580d986f69bb84e5e39df1f4a1b6e47.jpg"
	}
}