{
	"id": "1c008e6c-2e44-43bb-9f1a-fb3f3e6e5973",
	"created_at": "2026-04-06T00:12:09.81458Z",
	"updated_at": "2026-04-10T03:37:40.69449Z",
	"deleted_at": null,
	"sha1_hash": "aa85a44970b034d2f0f3a8ab0989b3ce49eb00de",
	"title": "Account Credential-Stealing Malware Detected by AhnLab MDS (Web Browsers, Email, FTP) - ASEC",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1648958,
	"plain_text": "Account Credential-Stealing Malware Detected by AhnLab MDS (Web Browsers, Email, FTP) - ASEC\r\nBy ATCP\r\nPublished: 2024-01-23 · Archived: 2026-04-05 16:00:33 UTC\r\nFor convenience, users frequently use the automatic login feature provided by programs like web browsers, email clients, and FTP clients. This requires the programs to store user account credentials in their settings data. Despite being convenient, this poses a security risk, because threat actors can then extract the users’ account credentials easily.\r\nIf malware or threat actors gain control of an infected system, they can employ various tools to extract users’ account credentials. There are also Infostealers designed for the sole purpose of stealing account credentials. If the malware is already known, anti-malware software installed on the endpoint can respond to it effectively. To handle unknown malware, however, AhnLab Malware Defense System (MDS) is necessary.\r\nAhnLab MDS is a sandbox-based file analysis solution that executes files in a virtual environment to analyze their behavior. Since even previously unseen files exhibit known malicious behaviors when executed, AhnLab MDS can detect them effectively. AhnLab MDS comes equipped with an assortment of analysis engines that analyze file behavior or the files themselves, enabling accurate detection of advanced threats.\r\n1. Overview\r\nWeb browsers are among the most commonly and frequently used programs by PC users. This includes not only personal users but also employees performing corporate tasks. Web browsers are used to access web services, including search and email. Furthermore, various other tasks such as document work can be done through web browsers if the necessary web interface is provided.\r\nAs for email, although it can be checked through web browsers, employees often prefer to install and use dedicated email clients such as Microsoft Outlook and Mozilla Thunderbird on their PCs. Although cloud services have become more popular for sharing files in recent years, there are still many cases where FTP is used.\r\nThe commonality among these programs is that users log in to access services with their own accounts. While users could log in each time they start their computers, most applications, including web browsers, support automatic login. This means that once logged in, the account credentials are stored in each application’s settings data, allowing seamless use without repeated logins.\r\nhttps://asec.ahnlab.com/en/61082/\r\nPage 1 of 8\n\nHowever, such convenience comes with risks. If a threat actor gains control of a user’s system or if malware is installed on the system, this stored account information can be stolen easily. Typically, users reuse a few accounts across various services, so even if only a small number of logged-in account credentials are stolen, a wide range of user information can fall into the hands of the threat actor.\r\nIt is worth noting that if an email address is used to log in, the email address itself is also exposed to the threat actor, who can then use it to send threatening emails. Below is an example of a threatening email sent by a threat actor to an email address collected from a system infected with an Infostealer. Along with a captured screenshot and the gathered information, the email threatens to produce explicit content using the collected information and send it to acquaintances via email and social media. The email also instructs the recipient to send $1,200 to the threat actor’s Bitcoin wallet address if the recipient does not wish for this to happen.\r\n2. Known Malware Cases\r\nInfostealer is a type of information-stealing malware whose goal is to steal user information, such as the account credentials and history saved in applications like web browsers and email clients. Threat actors often apply techniques like packing and obfuscation before distributing their malware to bypass file-based detection by anti-malware software. However, even if the outer appearance is changed, the behavior of the malware still includes known malicious activities, and these activities can be detected by AhnLab MDS.\r\nHere, we have compiled cases of AhnLab MDS detecting the information exfiltration behavior of major Infostealers widely used in attacks.\r\nA. AgentTesla\r\nAgentTesla is an Infostealer that is primarily distributed via spam emails. This malware targets and collects information from a variety of applications, including most web browsers, email/FTP clients, and VNC programs. The collected information is then sent to a C\u0026C server through SMTP, FTP, or the Telegram API [1].\r\nAmong the various information exfiltration behaviors, this section outlines instances where AhnLab MDS detected the theft of user account credentials stored in web browsers and VNC by the AgentTesla Infostealer.\r\nB. Lokibot\r\nSimilar to AgentTesla, Lokibot is an Infostealer that targets a wide range of applications to steal account credentials, including web browsers, email/FTP clients, file/password management programs, and terminal emulators [2].\r\nAmong the various information exfiltration behaviors, this section outlines instances where AhnLab MDS detected the theft of user account credentials stored in email and FTP clients by the Lokibot Infostealer.\r\n3. Cases of APT Attacks\r\nUp to this point, we have discussed well-known malware that is distributed indiscriminately to the public. However, stealing user account credentials is a crucial step in the attack process that can provide threat actors with significant advantages. For example, even if the target is an ordinary user, threat actors can leverage stolen credentials to obtain more information later. For corporate users, stolen credentials can be used not only to infect systems but also to move laterally within the organization’s internal network and seize control of it.\r\nTherefore, obtaining credentials is an essential step even for APT attack groups. It is important to note that, due to the nature of APT attackers, they often create their own malware instead of using well-known ones. However, even if they create new malware, the information-stealing behavior is often similar to that of known malware.\r\nAhnLab MDS executes files and analyzes their behavior in a virtual environment. Therefore, unlike other anti-malware software, it is able to detect and respond to information theft performed by unknown malware even when the file itself cannot be diagnosed by its appearance. Here, we cover past cases where AhnLab MDS was used to detect various information-stealing malware used by APT groups to acquire user account credentials.\r\nA. Andariel\r\nThe Andariel threat group primarily targets South Korean corporations and institutions and is known to collaborate with or operate as a subsidiary organization of the Lazarus threat group. The group was first identified targeting South Korean entities in 2008, with major targets including national defense, political organizations, shipbuilding, energy, telecommunications, and other security-related entities. Additionally, universities, transportation, ICT companies, and various other corporations and agencies located in South Korea have also been targeted.\r\nThe Andariel threat group mainly utilizes spear phishing attacks, watering hole attacks, and supply chain attacks during the initial access process. There are also cases where the group exploits centralized management solutions during the malware installation process [3]. This post covers the Infostealer that was installed in the past by the Andariel group using TigerRAT.\r\nTigerRAT is a backdoor, so it does not have extensive features related to information theft. To gather additional information, the group used malware similar to other Infostealers to steal user account credentials stored in web browsers and Outlook clients. This malware is capable of stealing user account credentials from the Chrome, Firefox, Internet Explorer, Opera, and Naver Whale web browsers, as well as from the Outlook client. It then prints them to the command line.\r\nThe results presented below show the outcome of using AhnLab MDS to identify the activities associated with the theft of user account credentials from web browsers and the Outlook client by the Infostealer used in the APT attacks of the Andariel group. This means that in environments where AhnLab MDS is installed, the information-stealing behavior is detected when the threat actor attempts to additionally install an Infostealer. This allows users to prevent threat actors from seizing control of the organization’s network via lateral movement and stealing internal information.\r\nB. Kimsuky\r\nKimsuky is a threat group known to be supported by North Korea and has been active since 2013. At first, they attacked North Korea-related research institutes in South Korea before attacking a Korean energy corporation in 2014. Since 2017, their attacks have also targeted countries other than South Korea. They primarily target national defense, defense industries, media, diplomacy, government agencies, and academic fields via spear phishing attacks with the purpose of stealing internal information and technology [4].\r\nThe Kimsuky group employs various malware for remote control, including customized malware like AppleSeed and AlphaSeed, as well as tools like TinyNuke (HVNC) and TightVNC. However, since these malware lack any direct feature for stealing account credentials, they are often supplemented with an Infostealer that is responsible for this. The following is an Infostealer that was used in recent attacks to steal various user information, including account credentials, cookies, and browsing history stored in web browsers, before creating a json file in the same directory.\r\nAhnLab MDS can also detect when the Infostealer used in the Kimsuky group’s APT attacks steals user account credentials stored in web browsers. This allows information theft on infected systems to be detected and prevented in advance, enabling administrators to become aware of the attack and prevent its next stage.\r\n4. Conclusion\r\nThreat actors can steal user account credentials through various methods and use the stolen information to move laterally and ultimately take control of an organization’s network. Therefore, stealing user credentials is a crucial step in the attack process, and threat actors use both known malware and customized Infostealers for this purpose.\r\nAhnLab MDS is a sandbox-based file analysis solution that executes files in a virtual environment to analyze their behavior. Both already known malware and new malware crafted by threat actors for APT attacks invariably engage in information-stealing behavior during their execution. By detecting these information-stealing behaviors, AhnLab MDS enables administrators to become aware of the attack and preemptively block the threat actor’s next move.\r\nBehavior Detection\r\n– Infostealer/MDP.Behavior.M10087\r\n– CredentialAccess/MDP.infostealer.M10258\r\n– CredentialAccess/MDP.infostealer.M10266\r\n– CredentialAccess/MDP.Outlook.M11577\r\n– CredentialAccess/MDP.IExplore.M11582\r\n– Execution/MDP.Lokibot.M10952\r\n– Execution/MDP.AgentTesla.M11002\r\nSource: https://asec.ahnlab.com/en/61082/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY"
	],
	"references": [
		"https://asec.ahnlab.com/en/61082/"
	],
	"report_names": [
		"61082"
	],
	"threat_actors": [
		{
			"id": "838f6ced-12a4-4893-991a-36d231d96efd",
			"created_at": "2022-10-25T15:50:23.347455Z",
			"updated_at": "2026-04-10T02:00:05.295717Z",
			"deleted_at": null,
			"main_name": "Andariel",
			"aliases": [
				"Andariel",
				"Silent Chollima",
				"PLUTONIUM",
				"Onyx Sleet"
			],
			"source_name": "MITRE:Andariel",
			"tools": [
				"Rifdoor",
				"gh0st RAT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "110e7160-a8cc-4a66-8550-f19f7d418117",
			"created_at": "2023-01-06T13:46:38.427592Z",
			"updated_at": "2026-04-10T02:00:02.969896Z",
			"deleted_at": null,
			"main_name": "Silent Chollima",
			"aliases": [
				"Onyx Sleet",
				"PLUTONIUM",
				"OperationTroy",
				"Guardian of Peace",
				"GOP",
				"WHOis Team",
				"Andariel",
				"Subgroup: Andariel"
			],
			"source_name": "MISPGALAXY:Silent Chollima",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "191d7f9a-8c3c-442a-9f13-debe259d4cc2",
			"created_at": "2022-10-25T15:50:23.280374Z",
			"updated_at": "2026-04-10T02:00:05.305572Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"Kimsuky",
				"Black Banshee",
				"Velvet Chollima",
				"Emerald Sleet",
				"THALLIUM",
				"APT43",
				"TA427",
				"Springtail"
			],
			"source_name": "MITRE:Kimsuky",
			"tools": [
				"Troll Stealer",
				"schtasks",
				"Amadey",
				"GoBear",
				"Brave Prince",
				"CSPY Downloader",
				"gh0st RAT",
				"AppleSeed",
				"Gomir",
				"NOKKI",
				"QuasarRAT",
				"Gold Dragon",
				"PsExec",
				"KGH_SPY",
				"Mimikatz",
				"BabyShark",
				"TRANSLATEXT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "bc6e3644-3249-44f3-a277-354b7966dd1b",
			"created_at": "2022-10-25T16:07:23.760559Z",
			"updated_at": "2026-04-10T02:00:04.741239Z",
			"deleted_at": null,
			"main_name": "Andariel",
			"aliases": [
				"APT 45",
				"Andariel",
				"G0138",
				"Jumpy Pisces",
				"Onyx Sleet",
				"Operation BLACKMINE",
				"Operation BLACKSHEEP/Phase 3.",
				"Operation Blacksmith",
				"Operation DESERTWOLF/Phase 3",
				"Operation GHOSTRAT",
				"Operation GoldenAxe",
				"Operation INITROY/Phase 1",
				"Operation INITROY/Phase 2",
				"Operation Mayday",
				"Operation VANXATM",
				"Operation XEDA",
				"Plutonium",
				"Silent Chollima",
				"Stonefly"
			],
			"source_name": "ETDA:Andariel",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "760f2827-1718-4eed-8234-4027c1346145",
			"created_at": "2023-01-06T13:46:38.670947Z",
			"updated_at": "2026-04-10T02:00:03.062424Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"G0086",
				"Emerald Sleet",
				"THALLIUM",
				"Springtail",
				"Sparkling Pisces",
				"Thallium",
				"Operation Stolen Pencil",
				"APT43",
				"Velvet Chollima",
				"Black Banshee"
			],
			"source_name": "MISPGALAXY:Kimsuky",
			"tools": [
				"xrat",
				"QUASARRAT",
				"RDP Wrapper",
				"TightVNC",
				"BabyShark",
				"RevClient"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c8bf82a7-6887-4d46-ad70-4498b67d4c1d",
			"created_at": "2025-08-07T02:03:25.101147Z",
			"updated_at": "2026-04-10T02:00:03.846812Z",
			"deleted_at": null,
			"main_name": "NICKEL KIMBALL",
			"aliases": [
				"APT43 ",
				"ARCHIPELAGO ",
				"Black Banshee ",
				"Crooked Pisces ",
				"Emerald Sleet ",
				"ITG16 ",
				"Kimsuky ",
				"Larva-24005 ",
				"Opal Sleet ",
				"Ruby Sleet ",
				"SharpTongue ",
				"Sparking Pisces ",
				"Springtail ",
				"TA406 ",
				"TA427 ",
				"THALLIUM ",
				"UAT-5394 ",
				"Velvet Chollima "
			],
			"source_name": "Secureworks:NICKEL KIMBALL",
			"tools": [
				"BabyShark",
				"FastFire",
				"FastSpy",
				"FireViewer",
				"Konni"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "771d9263-076e-4b6e-bd58-92b6555eb739",
			"created_at": "2025-08-07T02:03:25.092436Z",
			"updated_at": "2026-04-10T02:00:03.758541Z",
			"deleted_at": null,
			"main_name": "NICKEL HYATT",
			"aliases": [
				"APT45 ",
				"Andariel",
				"Dark Seoul",
				"Jumpy Pisces ",
				"Onyx Sleet ",
				"RIFLE Campaign",
				"Silent Chollima ",
				"Stonefly ",
				"UN614 "
			],
			"source_name": "Secureworks:NICKEL HYATT",
			"tools": [
				"ActiveX 0-day",
				"DTrack",
				"HazyLoad",
				"HotCriossant",
				"Rifle",
				"UnitBot",
				"Valefor"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "71a1e16c-3ba6-4193-be62-be53527817bc",
			"created_at": "2022-10-25T16:07:23.753455Z",
			"updated_at": "2026-04-10T02:00:04.73769Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"APT 43",
				"Black Banshee",
				"Emerald Sleet",
				"G0086",
				"G0094",
				"ITG16",
				"KTA082",
				"Kimsuky",
				"Larva-24005",
				"Larva-25004",
				"Operation Baby Coin",
				"Operation Covert Stalker",
				"Operation DEEP#DRIVE",
				"Operation DEEP#GOSU",
				"Operation Kabar Cobra",
				"Operation Mystery Baby",
				"Operation Red Salt",
				"Operation Smoke Screen",
				"Operation Stealth Power",
				"Operation Stolen Pencil",
				"SharpTongue",
				"Sparkling Pisces",
				"Springtail",
				"TA406",
				"TA427",
				"Thallium",
				"UAT-5394",
				"Velvet Chollima"
			],
			"source_name": "ETDA:Kimsuky",
			"tools": [
				"AngryRebel",
				"AppleSeed",
				"BITTERSWEET",
				"BabyShark",
				"BoBoStealer",
				"CSPY Downloader",
				"Farfli",
				"FlowerPower",
				"Gh0st RAT",
				"Ghost RAT",
				"Gold Dragon",
				"GoldDragon",
				"GoldStamp",
				"JamBog",
				"KGH Spyware Suite",
				"KGH_SPY",
				"KPortScan",
				"KimJongRAT",
				"Kimsuky",
				"LATEOP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Lovexxx",
				"MailPassView",
				"Mechanical",
				"Mimikatz",
				"MoonPeak",
				"Moudour",
				"MyDogs",
				"Mydoor",
				"Network Password Recovery",
				"PCRat",
				"ProcDump",
				"PsExec",
				"ReconShark",
				"Remote Desktop PassView",
				"SHARPEXT",
				"SWEETDROP",
				"SmallTiger",
				"SniffPass",
				"TODDLERSHARK",
				"TRANSLATEXT",
				"Troll Stealer",
				"TrollAgent",
				"VENOMBITE",
				"WebBrowserPassView",
				"xRAT"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434329,
	"ts_updated_at": 1775792260,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/aa85a44970b034d2f0f3a8ab0989b3ce49eb00de.pdf",
		"text": "https://archive.orkl.eu/aa85a44970b034d2f0f3a8ab0989b3ce49eb00de.txt",
		"img": "https://archive.orkl.eu/aa85a44970b034d2f0f3a8ab0989b3ce49eb00de.jpg"
	}
}