{ "id": "e8a05924-38e2-42f2-8630-89811a14c7a1", "created_at": "2026-04-06T00:18:36.208514Z", "updated_at": "2026-04-10T13:13:09.444038Z", "deleted_at": null, "sha1_hash": "a62b253b92cf71a474705fb056a8078a1a8aac7f", "title": "Operation Newton: Hi Kimsuky? Did an Apple(seed) really fall on Newton’s head? - VB2021 localhost", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 44742, "plain_text": "Operation Newton: Hi Kimsuky? Did an Apple(seed) really fall on\r\nNewton’s head? - VB2021 localhost\r\nBy Jaeki Kim (S2W), Sojun Ryu (S2W) \u0026 Kyoung-ju Kwak (S2W)\r\nArchived: 2026-04-05 18:10:32 UTC\r\nJaeki Kim\r\nS2W\r\nJaeki Kim is a principal researcher at TALON, S2W. He graduated from the 'Next Generation of Top Security\r\nLeader Program' (Best of Best, BoB) at the Korea Information Technology Institute (KITRI) in 2013, and holds a\r\nMaster's degree from Korea University's Security Analysis and Evaluation Lab. Before joining the S2W, he\r\nworked as part of the Computer Emergency Analysis Team of the Financial Security Institute and was the main\r\nauthor of \"Campaign DOKKAEBI: Documents of Korean and Evil Binary\", published by FSI in 2018. In 2020,\r\nHe joined S2W and is currently working in TALON (the Cyber Threat Intelligence Group), and now also works as\r\nhttps://vblocalhost.com/presentations/operation-newton-hi-kimsuky-did-an-appleseed-really-fall-on-newtons-head/\r\nPage 1 of 3\n\na mentor for KITRI's BoB program. He has previously presented at Virus Bulletin (2018,2019) and ISCR\r\n(International Symposium on Cybercrime Response).\r\nSojun Ryu\r\nS2W\r\nSojun Ryu graduated from the 'Next Generation of Top Security Leader Program' (Best of Best, BoB) at the Korea\r\nInformation Technology Institute (KITRI) in 2013, and holds a Master's degree in information security from\r\nSungkyunkwan University in Korea. Sojun worked at KrCERT/CC for seven years, analysing malware and\r\nresponding to incidents, and is one of the authors of \"Operation Bookcodes\" published by KrCERT/CC in 2020.\r\nRecently, Sojun has been focusing on threat intelligence by expanding to DDW and cybercrime as well as APT at\r\nTALON, S2W.\r\nhttps://vblocalhost.com/presentations/operation-newton-hi-kimsuky-did-an-appleseed-really-fall-on-newtons-head/\r\nPage 2 of 3\n\nKyoung-ju Kwak\r\nS2W\r\nKyoung-ju Kwak is a director at TALON, CTI Group of S2W. Kyoung-ju currently works on threat intelligence.\r\nKyoung-ju was previously Adjunct Professor at Sungkyunkwan University and audited the National SCADA\r\nsystem and the Ministry of Land with “the Board of Audit and Inspection of Korea” as an Auditor General in\r\n2016. He currently acts as a member of the National Police Agency Cybercrime Advisory Committee. Kyoung-ju\r\nis the main author of the threat intelligence report “Campaign Rifle: Andariel, the Maiden of Anguish”, published\r\nin 2017. He has spoken at various international conferences such as BlackHat Europe, BlackHat Asia, Kaspersky\r\nSAS, HITCON, PACSEC, and more.\r\nSource: https://vblocalhost.com/presentations/operation-newton-hi-kimsuky-did-an-appleseed-really-fall-on-newtons-head/\r\nhttps://vblocalhost.com/presentations/operation-newton-hi-kimsuky-did-an-appleseed-really-fall-on-newtons-head/\r\nPage 3 of 3\n\nOperation Newton’s Newton: head? - Hi Kimsuky? VB2021 localhost Did an Apple(seed) really fall on\nBy Jaeki Kim (S2W), Sojun Ryu (S2W) \u0026 Kyoung-ju Kwak (S2W) \nArchived: 2026-04-05 18:10:32 UTC \nJaeki Kim \nS2W \nJaeki Kim is a principal researcher at TALON, S2W. He graduated from the 'Next Generation of Top Security\nLeader Program' (Best of Best, BoB) at the Korea Information Technology Institute (KITRI) in 2013, and holds a\nMaster's degree from Korea University's Security Analysis and Evaluation Lab. Before joining the S2W, he\nworked as part of the Computer Emergency Analysis Team of the Financial Security Institute and was the main\nauthor of \"Campaign DOKKAEBI: Documents of Korean and Evil Binary\", published by FSI in 2018. In 2020,\nHe joined S2W and is currently working in TALON (the Cyber Threat Intelligence Group), and now also works as\n Page 1 of 3", "extraction_quality": 1, "language": "EN", "sources": [ "Malpedia" ], "origins": [ "web" ], "references": [ "https://vblocalhost.com/presentations/operation-newton-hi-kimsuky-did-an-appleseed-really-fall-on-newtons-head/" ], "report_names": [ "operation-newton-hi-kimsuky-did-an-appleseed-really-fall-on-newtons-head" ], "threat_actors": [ { "id": "838f6ced-12a4-4893-991a-36d231d96efd", "created_at": "2022-10-25T15:50:23.347455Z", "updated_at": "2026-04-10T02:00:05.295717Z", "deleted_at": null, "main_name": "Andariel", "aliases": [ "Andariel", "Silent Chollima", "PLUTONIUM", "Onyx Sleet" ], "source_name": "MITRE:Andariel", "tools": [ "Rifdoor", "gh0st RAT" ], "source_id": "MITRE", "reports": null }, { "id": "110e7160-a8cc-4a66-8550-f19f7d418117", "created_at": "2023-01-06T13:46:38.427592Z", "updated_at": "2026-04-10T02:00:02.969896Z", "deleted_at": null, "main_name": "Silent Chollima", "aliases": [ "Onyx Sleet", "PLUTONIUM", "OperationTroy", "Guardian of Peace", "GOP", "WHOis Team", "Andariel", "Subgroup: Andariel" ], "source_name": "MISPGALAXY:Silent Chollima", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "191d7f9a-8c3c-442a-9f13-debe259d4cc2", "created_at": "2022-10-25T15:50:23.280374Z", "updated_at": "2026-04-10T02:00:05.305572Z", "deleted_at": null, "main_name": "Kimsuky", "aliases": [ "Kimsuky", "Black Banshee", "Velvet Chollima", "Emerald Sleet", "THALLIUM", "APT43", "TA427", "Springtail" ], "source_name": "MITRE:Kimsuky", "tools": [ "Troll Stealer", "schtasks", "Amadey", "GoBear", "Brave Prince", "CSPY Downloader", "gh0st RAT", "AppleSeed", "Gomir", "NOKKI", "QuasarRAT", "Gold Dragon", "PsExec", "KGH_SPY", "Mimikatz", "BabyShark", "TRANSLATEXT" ], "source_id": "MITRE", "reports": null }, { "id": "bc6e3644-3249-44f3-a277-354b7966dd1b", "created_at": "2022-10-25T16:07:23.760559Z", "updated_at": "2026-04-10T02:00:04.741239Z", "deleted_at": null, "main_name": "Andariel", "aliases": [ "APT 45", "Andariel", "G0138", "Jumpy Pisces", "Onyx Sleet", "Operation BLACKMINE", "Operation BLACKSHEEP/Phase 3.", "Operation Blacksmith", "Operation DESERTWOLF/Phase 3", "Operation GHOSTRAT", "Operation GoldenAxe", "Operation INITROY/Phase 1", "Operation INITROY/Phase 2", "Operation Mayday", "Operation VANXATM", "Operation XEDA", "Plutonium", "Silent Chollima", "Stonefly" ], "source_name": "ETDA:Andariel", "tools": [], "source_id": "ETDA", "reports": null }, { "id": "760f2827-1718-4eed-8234-4027c1346145", "created_at": "2023-01-06T13:46:38.670947Z", "updated_at": "2026-04-10T02:00:03.062424Z", "deleted_at": null, "main_name": "Kimsuky", "aliases": [ "G0086", "Emerald Sleet", "THALLIUM", "Springtail", "Sparkling Pisces", "Thallium", "Operation Stolen Pencil", "APT43", "Velvet Chollima", "Black Banshee" ], "source_name": "MISPGALAXY:Kimsuky", "tools": [ "xrat", "QUASARRAT", "RDP Wrapper", "TightVNC", "BabyShark", "RevClient" ], "source_id": "MISPGALAXY", "reports": null }, { "id": "c8bf82a7-6887-4d46-ad70-4498b67d4c1d", "created_at": "2025-08-07T02:03:25.101147Z", "updated_at": "2026-04-10T02:00:03.846812Z", "deleted_at": null, "main_name": "NICKEL KIMBALL", "aliases": [ "APT43 ", "ARCHIPELAGO ", "Black Banshee ", "Crooked Pisces ", "Emerald Sleet ", "ITG16 ", "Kimsuky ", "Larva-24005 ", "Opal Sleet ", "Ruby Sleet ", "SharpTongue ", "Sparking Pisces ", "Springtail ", "TA406 ", "TA427 ", "THALLIUM ", "UAT-5394 ", "Velvet Chollima " ], "source_name": "Secureworks:NICKEL KIMBALL", "tools": [ "BabyShark", "FastFire", "FastSpy", "FireViewer", "Konni" ], "source_id": "Secureworks", "reports": null }, { "id": "a2b92056-9378-4749-926b-7e10c4500dac", "created_at": "2023-01-06T13:46:38.430595Z", "updated_at": "2026-04-10T02:00:02.971571Z", "deleted_at": null, "main_name": "Lazarus Group", "aliases": [ "Operation DarkSeoul", "Bureau 121", "Group 77", "APT38", "NICKEL GLADSTONE", "G0082", "COPERNICIUM", "Moonstone Sleet", "Operation GhostSecret", "APT 38", "Appleworm", "Unit 121", "ATK3", "G0032", "ATK117", "NewRomanic Cyber Army Team", "Nickel Academy", "Sapphire Sleet", "Lazarus group", "Hastati Group", "Subgroup: Bluenoroff", "Operation Troy", "Black Artemis", "Dark Seoul", "Andariel", "Labyrinth Chollima", "Operation AppleJeus", "COVELLITE", "Citrine Sleet", "DEV-0139", "DEV-1222", "Hidden Cobra", "Bluenoroff", "Stardust Chollima", "Whois Hacking Team", "Diamond Sleet", "TA404", "BeagleBoyz", "APT-C-26" ], "source_name": "MISPGALAXY:Lazarus Group", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "771d9263-076e-4b6e-bd58-92b6555eb739", "created_at": "2025-08-07T02:03:25.092436Z", "updated_at": "2026-04-10T02:00:03.758541Z", "deleted_at": null, "main_name": "NICKEL HYATT", "aliases": [ "APT45 ", "Andariel", "Dark Seoul", "Jumpy Pisces ", "Onyx Sleet ", "RIFLE Campaign", "Silent Chollima ", "Stonefly ", "UN614 " ], "source_name": "Secureworks:NICKEL HYATT", "tools": [ "ActiveX 0-day", "DTrack", "HazyLoad", "HotCriossant", "Rifle", "UnitBot", "Valefor" ], "source_id": "Secureworks", "reports": null }, { "id": "71a1e16c-3ba6-4193-be62-be53527817bc", "created_at": "2022-10-25T16:07:23.753455Z", "updated_at": "2026-04-10T02:00:04.73769Z", "deleted_at": null, "main_name": "Kimsuky", "aliases": [ "APT 43", "Black Banshee", "Emerald Sleet", "G0086", "G0094", "ITG16", "KTA082", "Kimsuky", "Larva-24005", "Larva-25004", "Operation Baby Coin", "Operation Covert Stalker", "Operation DEEP#DRIVE", "Operation DEEP#GOSU", "Operation Kabar Cobra", "Operation Mystery Baby", "Operation Red Salt", "Operation Smoke Screen", "Operation Stealth Power", "Operation Stolen Pencil", "SharpTongue", "Sparkling Pisces", "Springtail", "TA406", "TA427", "Thallium", "UAT-5394", "Velvet Chollima" ], "source_name": "ETDA:Kimsuky", "tools": [ "AngryRebel", "AppleSeed", "BITTERSWEET", "BabyShark", "BoBoStealer", "CSPY Downloader", "Farfli", "FlowerPower", "Gh0st RAT", "Ghost RAT", "Gold Dragon", "GoldDragon", "GoldStamp", "JamBog", "KGH Spyware Suite", "KGH_SPY", "KPortScan", "KimJongRAT", "Kimsuky", "LATEOP", "LOLBAS", "LOLBins", "Living off the Land", "Lovexxx", "MailPassView", "Mechanical", "Mimikatz", "MoonPeak", "Moudour", "MyDogs", "Mydoor", "Network Password Recovery", "PCRat", "ProcDump", "PsExec", "ReconShark", "Remote Desktop PassView", "SHARPEXT", "SWEETDROP", "SmallTiger", "SniffPass", "TODDLERSHARK", "TRANSLATEXT", "Troll Stealer", "TrollAgent", "VENOMBITE", "WebBrowserPassView", "xRAT" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434716, "ts_updated_at": 1775826789, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/a62b253b92cf71a474705fb056a8078a1a8aac7f.pdf", "text": "https://archive.orkl.eu/a62b253b92cf71a474705fb056a8078a1a8aac7f.txt", "img": "https://archive.orkl.eu/a62b253b92cf71a474705fb056a8078a1a8aac7f.jpg" } }