{
	"id": "fe08efd6-df08-4459-8072-0fbffbbf9a1d",
	"created_at": "2026-04-06T00:12:49.570756Z",
	"updated_at": "2026-04-10T03:37:41.223774Z",
	"deleted_at": null,
	"sha1_hash": "c5bbe09a6d3ada643082681cc44f6583f166aa71",
	"title": "The “Kimsuky” Operation: A North Korean APT?",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 688129,
	"plain_text": "The “Kimsuky” Operation: A North Korean APT?\r\nBy Dmitry Tarakanov\r\nPublished: 2013-09-11 · Archived: 2026-04-05 13:38:49 UTC\r\nFor several months, we have been monitoring an ongoing cyber-espionage campaign against South Korean think-tanks. There are multiple reasons why this campaign is extraordinary in its execution and logistics. It all started one day when we encountered a somewhat unsophisticated spy program that communicated with its “master” via a public e-mail server. This approach is typical of many amateur virus-writers, and such malware attacks are mostly ignored.\r\nHowever, there were a few things that attracted our attention:\r\nThe public e-mail server in question was Bulgarian – mail.bg.\r\nThe compilation path string contained Korean characters.\r\nThese two facts compelled us to take a closer look at this malware — Korean compilers alongside Bulgarian e-mail command-and-control communications.\r\nThe complete path found in the malware presents some Korean strings:\r\nD:\\rsh\\공격\\UAC_dll(완성)\\Release\\test.pdb\r\nThe “rsh” word, by all appearances, is a shortening of “Remote Shell”, and the Korean words can be translated into English as “attack” and “completion”, i.e.:\r\nD:\\rsh\\ATTACK\\UAC_dll(COMPLETION)\\Release\\test.pdb\r\nAlthough the full list of victims remains unknown, we managed to identify several targets of this campaign. According to our technical analysis, the attackers were interested in targeting the following organizations:\r\nThe Sejong Institute\r\nThe Sejong Institute is a non-profit private organization for public interest and a leading think tank in South Korea, conducting research on national security strategy, unification strategy, regional issues, and international political economy.\r\nKorea Institute For Defense Analyses (KIDA)\r\nKIDA is a comprehensive defense research institution that covers a wide range of defense-related issues. 
KIDA is organized into seven research centers: the Center for Security and Strategy; the Center for Military Planning; the Center for Human Resource Development; the Center for Resource Management; the Center for Weapon Systems Studies; the Center for Information System Studies; and the Center for Modeling and Simulation. KIDA also has an IT Consulting Group and various supporting departments. KIDA’s mission is to contribute to rational defense policy-making through intensive and systematic research and analysis of defense issues.\r\nhttps://securelist.com/the-kimsuky-operation-a-north-korean-apt/57915/\r\nPage 1 of 13\r\nMinistry of Unification\r\nThe Ministry of Unification is an executive department of the South Korean government responsible for working towards the reunification of Korea. Its major duties are: establishing North Korea policy, coordinating inter-Korean dialogue, pursuing inter-Korean cooperation and educating the public on unification.\r\nHyundai Merchant Marine\r\nHyundai Merchant Marine is a South Korean logistics company providing worldwide container shipping services.\r\nSome clues also suggest that computers belonging to “The supporters of Korean Unification” (http://www.unihope.kr/) were also targeted. Among the organizations we counted, 11 are based in South Korea and two entities reside in China.\r\nPartly because this campaign is very limited and highly targeted, we have not yet been able to identify how this malware is being distributed. The malicious samples we found are the early-stage malware most often delivered by spear-phishing e-mails.\r\nInfecting a system\r\nThe initial Trojan dropper is a Dynamic Link Library functioning as a loader for further malware. It does not maintain exports and simply delivers another encrypted library maintained in its resource section. 
This second library performs all the espionage functionality.\r\nWhen running on Windows 7, the malicious library uses the Metasploit Framework’s open-source code Win7Elevate to inject malicious code into explorer.exe. In any case, be it Windows 7 or not, this malicious code decrypts its spying library from resources, saves it to disk with an apparently random but hardcoded name, for example, ~DFE8B437DD7C417A6D.TMP, in the user’s temporary folder and loads this file as a library.\r\nThis next-stage library copies itself into the System32 directory of the Windows folder under a hardcoded file name — either KBDLV2.DLL or AUTO.DLL, depending on the malware sample. Then a service is created for the service DLL. Service names also can differ from version to version; we discovered the following names — DriverManage, WebService and WebClientManager. These functions ensure malware persistence in a compromised OS between system reboots.\r\nAt this stage, the malware gathers information about the infected computer. This includes the output of the systeminfo command saved in the file oledvbs.inc under the hardcoded path C:\\Program Files\\Common Files\\System\\Ole DB\\oledvbs.inc. Another function is also called: the malware creates a string containing the computer and user names, but this string isn’t used anywhere. By all appearances, this is a mistake by the malware author. Later on, we will come to a function where such a string could be pertinent, but the malware is not able to find this data in the place where it should be. These steps are taken only if it’s running on an infected system for the first time. 
At system startup, the malicious library performs spying activities when it confirms that it is loaded by the generic svchost.exe process.\r\nSpying modules\r\nThere are a lot of malicious programs involved in this campaign but, strangely, they each implement a single spying function. Besides the basic library (KBDLV2.DLL / AUTO.DLL) that is responsible for common communication with its campaign master, we were able to find modules performing the following functions:\r\nKeystroke logging\r\nDirectory listing collection\r\nHWP document theft\r\nRemote control download and execution\r\nRemote control access\r\nDisabling firewall\r\nAt system startup, the basic library disables the system firewall and any AhnLab firewall (a South Korean security product vendor) by zeroing out related values in the registry:\r\nSYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\StandardProfile\r\n   EnableFirewall = 0\r\nSYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\PublicProfile\r\n   EnableFirewall = 0\r\nHKLM\\SOFTWARE\\AhnLab\\V3IS2007\\InternetSec\r\n   FWRunMode = 0\r\nHKLM\\SOFTWARE\\Ahnlab\\V3IS80\\is\r\n   fwmode = 0\r\nIt also turns off the Windows Security Center service to prevent alerting the user about the disabled firewall.\r\nIt is not accidental that the malware author has singled out AhnLab’s security product. During our Winnti research, we learnt that one of the Korean victims was severely criticized by South Korean regulators for using foreign security products. We do not know for sure how this criticism affected other South Korean organizations, but we do know that many South Korean organizations install AhnLab security products. 
Accordingly, these attackers don’t even bother evading foreign vendors’ products, because their targets are solely South Korean.\r\nOnce the malware disables the AhnLab firewall, it checks whether the file taskmgr.exe is located in the hardcoded C:\\WINDOWS folder. If the file is present, it runs this executable. Next, the malware loops every 30 minutes to report itself and wait for a response from its operator.\r\nCommunications\r\nCommunication between bot and operator flows through the Bulgarian web-based free e-mail server (mail.bg). The bot maintains hardcoded credentials for its e-mail account. After authenticating, the malware sends e-mails to another specified e-mail address, and reads e-mails from the inbox. All these activities are performed via the “mail.bg” web interface with the use of the system Wininet API functions. From all the samples that we managed to obtain, we extracted the following e-mail accounts used in this campaign:\r\nbeautifl@mail.bg\r\nennemyman@mail.bg\r\nfasionman@mail.bg\r\nhappylove@mail.bg\r\nlovest000@mail.bg\r\nmonneyman@mail.bg\r\nsportsman@mail.bg\r\nveryhappy@mail.bg\r\nHere are the two “master” e-mail addresses to which the bots send e-mails on behalf of the above-mentioned accounts. They report on status and transmit infected system information via attachments:\r\niop110112@hotmail.com\r\nrsh1213@hotmail.com\r\nRegular reporting\r\nTo report infection status, the malware reads from C:\\Program Files\\Common Files\\System\\Ole DB\\oledvbs.inc, which contains the systeminfo command output. If the file exists, it is deleted after reading.\r\nThen, it reads user-related info from the file sqlxmlx.inc in the same folder (we can see strings referring to a “UserID” comment in this part of the code). But this file was never created. 
As you recall, there is a function that should have collected this data and should have saved it into this sqlxmlx.inc file. However, on the first launch, the collected user information is saved into “xmlrwbin.inc”. This effectively means that the malware writer mistakenly coded the bot to save user information into the wrong file. There is a chance for the mistaken code to still work — user information could be copied into the send-information heap. But not in this case – at the time of writing, the gathered user information variable, which should point to the xmlrwbin.inc filename, has not yet been initialized, causing the file write to fail. We see that sqlxmlx.inc is not created to store user information.\r\nNext, the intercepted keystrokes are read from the file and sent to the master. Keystrokes are logged and kept in an ordinary and consistent format in this file – both the names of the windows in which keys were typed and the actual sequence of keyboard entry. This data is found in the file C:\\Program Files\\Common Files\\System\\Ole DB\\msolui80.inc created by the external key logger module.\r\nAll this data is merged in one file, xmlrwbin.inc, which is then encrypted with RC4. The RC4 key is generated as the MD5 hash of a randomly generated 117-byte buffer. To be able to decipher the data, the attacker must know either the MD5 hash or the whole buffer content. This data is also sent, but RSA-encrypted. The malware constructs a 1120-bit public key and uses it to encrypt the 117-byte buffer. The malware then concatenates all the data to be sent as a 128-byte block. The resulting data is saved in C:\\Program Files\\Common Files\\System\\Ole DB to a file named according to the following format: “\u003csystem time\u003e_\u003caccount at Bulgarian email server\u003e.txt”, for example, “08191757_beautifl@mail.bg.txt”.\r\nThe file is then attached to an e-mail and sent to the master’s e-mail account. 
Following transmission, it is immediately deleted from the victim system.\r\nGetting the master’s data\r\nThe malware also retrieves instructions from the mail server. It checks for mails in its Bulgarian e-mail account with a particular subject tag. We have identified several “subject tags” in the network communication: Down_0, Down_1, Happy_0, Happy_2 and ddd_3. When one is found and the e-mail carries an attachment, the malware downloads this attachment and saves it with the filename “msdaipp.cnt” in C:\\Program Files\\Common Files\\System\\Ole DB. The attacker can send additional executables in this way. The executables are RC4-encrypted and then attached. The key for decryption is hardcoded in the malicious samples. It’s interesting that the same “rsh!@!#” string is maintained across all known samples and is used to generate RC4 keys. As described earlier, the malware computes the MD5 of this string and uses the hash as its RC4 key to decrypt the executable. Then, the plain executable is dropped onto disk as “sqlsoldb.exe” and run, and then moved to the C:\\Windows folder with the file name “taskmgr.exe”. The original e-mail and its attachment are then deleted from the Bulgarian e-mail inbox.\r\nKey logger\r\nThe additional key logger module is not very complex — it simply intercepts keystrokes and writes typed keys into C:\\Program Files\\Common Files\\System\\Ole DB\\msolui80.inc, and also records the active window name where the user pressed keys. We saw this same format in the Madi malware. 
There is also one key logger variant that logs keystrokes into C:\\WINDOWS\\setup.log.\r\nDirectory listing collector\r\nThe next program sent to victims enumerates all the drives on the infected system and executes the following command on them:\r\ndir \u003cdrive letter\u003e: /a /s /t /-c\r\nIn practice, this command is written to C:\\WINDOWS\\msdatt.bat and executed with output redirected to C:\\WINDOWS\\msdatl3.inc. As a result, the latter maintains a listing of all files in all the folders on the drive. The malware later reads that data and appends it to the content of the file C:\\Program Files\\Common Files\\System\\Ole DB\\oledvbs.inc. At this point, “oledvbs.inc” already stores systeminfo output.\r\nIt’s interesting that one sample of the directory listing collector was infected with the infamous “Viking” virus of Chinese origin. Some of this virus’ modifications were wandering in the wild for years, and its authors or operators would never expect to see it end up in a clandestine APT-related spying tool. For the attackers, this is certainly a big failure. Not only does the original spying program bear marks of well-known malware that can be detected by anti-malware products; moreover, the attackers are revealing their secret activities to cyber-criminal gangs. However, by all appearances, the attackers noticed the unwanted addition to their malware and got rid of the infection. This was the only sample bearing the Viking virus.\r\nBecause the malware works with such a variety of additional files, it is worth showing these “relationships” in a diagram:\r\nHWP document stealer\r\nThis module intercepts HWP documents on an infected computer. The HWP file format is similar to Microsoft Word documents, but supported by Hangul, a South Korean word processing application from the Hancom Office bundle. Hancom Office is widely used in South Korea. 
This malware module works independently of the others and maintains its own Bulgarian e-mail account. The account is hardcoded in the module along with the master’s e-mail to which it sends intercepted documents. It is interesting that the module does not search for all the HWP files on the infected computer, but reacts only to those that are opened by the user and steals them. This behavior is very unusual for a document-stealing component and we do not see it in other malicious toolkits.\r\nThe program copies itself as \u003cHangul full path\u003e\\HncReporter.exe and changes the default program association in the registry to open HWP documents. To do so, it alters the following registry values:\r\nHKEY_CLASSES_ROOT\\Hwp.Document.7\\shell\\open\\command\r\nor\r\nHKEY_CLASSES_ROOT\\Hwp.Document.8\\shell\\open\\command\r\nBy default, there is the registry setting “\u003cHangul full path\u003e\\Hwp.exe” “%1” associating the Hangul application “Hwp.exe” with .HWP documents. But the malicious program replaces this string with the following: “\u003cHangul full path\u003e\\HncReporter.exe” “%1”. So, when the user opens any .HWP document, the malware program itself is executed to open the .HWP document. Following this registry edit, any opened .HWP document is read and sent as an e-mail attachment with the subject “Hwp” to the attackers. After sending, the malware executes the real Hangul word processing application “Hwp.exe” to open the .HWP document as the user intended. This means the victim most likely will not notice the theft of the .HWP file. 
The module’s sending routine depends on the following files in the C:\\Program Files\\Common Files\\System\\Ole DB folder: xmlrwbin.inc, msdaipp.cnt, msdapml.cnt, msdaerr.cnt, msdmeng.cnt and oledjvs.inc.\r\nRemote control module downloader\r\nAn extra program is dedicated exclusively to downloading attachments from incoming e-mails with a particular subject tag. This program is similar to the pivot module but with reduced functionality: it maintains the hardcoded Bulgarian e-mail account, logs in, reads incoming e-mails and searches for the special subject tag “Team”. When found, it loads the related attachment, drops it onto the hard drive as C:\\Program Files\\Common Files\\System\\Ole DB\\taskmgr.exe and executes it. This particular executable arrives without any encryption.\r\nRemote control module\r\nIt is also interesting that the malware author did not custom-develop a backdoor program. Instead, the author modified TeamViewer client version 5.0.9104. The initial executable pushed by attackers in e-mails related to the remote control module consists of three more executables. Two of them are TeamViewer components themselves, and another is some sort of backdoor loader. So, the dropper creates three files in the C:\\Windows\\System32 directory:\r\nnetsvcs.exe - the modified TeamViewer client;\r\nnetsvcs_ko.dll - resources library of the TeamViewer client;\r\nvcmon.exe - installer/starter;\r\nand creates the service “Remote Access Service”, adjusted to execute C:\\Windows\\System32\\vcmon.exe at system startup. Every time vcmon.exe is executed, it disables AhnLab’s firewall by zeroing out the following registry values:\r\nHKLM\\SOFTWARE\\AhnLab\\V3 365 Clinic\\InternetSec\r\n   UseFw = 0\r\n   UseIps = 0\r\nThen, it modifies the TeamViewer registry settings. As we said, the TeamViewer components used in this campaign are not the original ones. They are slightly modified. 
In total, we found two different variants of changed versions. The malware author replaced all the entries of “Teamviewer” strings in the TeamViewer components: in the first case with the “Goldstager” string, and with the string “Coinstager” in the second. The TeamViewer client registry settings are then HKLM\\Software\\Goldstager\\Version5 and HKLM\\Software\\Coinstager\\Version5 correspondingly. The launcher sets up several registry values that control how the remote access tool will work. Among them is SecurityPasswordAES. This parameter represents a hash of the password with which a remote user has to connect to the TeamViewer client. This way, the attackers set a pre-shared authentication value. After that, the starter executes the TeamViewer client netsvcs.exe itself.\r\nWho’s Kim?\r\nIt’s interesting that the drop box mail accounts iop110112@hotmail.com and rsh1213@hotmail.com are registered with the following “kim” names: kimsukyang and “Kim asdfa”.\r\nOf course, we can’t be certain that these are the real names of the attackers. However, the selection isn’t frequently seen. Perhaps it also points to the suspected North Korean origin of the attack. Taking into account the profiles of the targeted organizations — South Korean universities that conduct research on international affairs, produce defense policies for government, a national shipping company, supporting groups for Korean unification — one might easily suspect that the attackers might be from North Korea.\r\nThe targets almost perfectly fall into their sphere of interest. On the other hand, it is not that hard to enter arbitrary registration information and misdirect investigators to an obvious North Korean origin. It does not cost anything to concoct fake registration data and enter kimsukyang during a Hotmail registration. 
We concede that this registration data does not provide concrete, indisputable information about the attackers.\r\nHowever, the attackers’ IP addresses do provide some additional clues. During our analysis, we observed ten IP addresses used by the Kimsuky operators. All of them lie in ranges of the Jilin Province Network and Liaoning Province Network, in China. No other IP addresses have been uncovered that would point to the attackers’ activity and belong to other IP ranges. Interestingly, the ISPs providing internet access in these provinces are also believed to maintain lines into North Korea. Finally, this geo-location supports the likely theory that the attackers behind Kimsuky are based in North Korea.\r\nAppendix\r\nFiles used by malware:\r\n        %windir%\\system32\\kbdlv2.dll\r\n        %windir%\\system32\\auto.dll\r\n        %windir%\\system32\\netsvcs.exe\r\n        %windir%\\system32\\netsvcs_ko.dll\r\n        %windir%\\system32\\vcmon.exe\r\n        %windir%\\system32\\svcsmon.exe\r\n        %windir%\\system32\\svcsmon_ko.dll\r\n        %windir%\\system32\\wsmss.exe\r\n        %temp%\\~DFE8B437DD7C417A6D.TMP\r\n        %temp%\\~DFE8B43.TMP\r\n        %temp%\\~tmp.dll\r\n        C:\\Windows\\taskmgr.exe\r\n        C:\\Windows\\setup.log\r\n        C:\\Windows\\winlog.txt\r\n        C:\\Windows\\update.log\r\n        C:\\Windows\\wmdns.log\r\n        C:\\Windows\\oledvbs.inc\r\n        C:\\Windows\\weoig.log\r\n        C:\\Windows\\data.dat\r\n        C:\\Windows\\sys.log\r\n        C:\\Windows\\PcMon.exe\r\n        C:\\Windows\\Google Update.exe\r\n        C:\\Windows\\ReadMe.log\r\n        C:\\Windows\\msdatt.bat\r\n        C:\\Windows\\msdatl3.inc\r\n        
C:\\Program Files\\Common Files\\System\\Ole DB\\msdmeng.cnt\r\n        C:\\Program Files\\Common Files\\System\\Ole DB\\xmlrwbin.inc\r\n        C:\\Program Files\\Common Files\\System\\Ole DB\\msdapml.cnt\r\n        C:\\Program Files\\Common Files\\System\\Ole DB\\sqlsoldb.exe\r\n        C:\\Program Files\\Common Files\\System\\Ole DB\\oledjvs.inc\r\n        C:\\Program Files\\Common Files\\System\\Ole DB\\oledvbs.inc\r\n        C:\\Program Files\\Common Files\\System\\Ole DB\\msolui80.inc\r\n        C:\\Program Files\\Common Files\\System\\Ole DB\\msdaipp.cnt\r\n        C:\\Program Files\\Common Files\\System\\Ole DB\\msdaerr.cnt\r\n        C:\\Program Files\\Common Files\\System\\Ole DB\\sqlxmlx.inc\r\n        \u003cHangul full path\u003e\\HncReporter.exe\r\nRelated MD5:\r\nNames of services created by malware:\r\n        DriverManage\r\n        WebService\r\n        WebClientManager\r\n        Remote Access Service\r\nWe detect these threats as Trojan.Win32.Kimsuky, except the modified TeamViewer client components, which are detected as Trojan.Win32.Patched.ps.\r\nSource: https://securelist.com/the-kimsuky-operation-a-north-korean-apt/57915/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"MITRE",
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://securelist.com/the-kimsuky-operation-a-north-korean-apt/57915/"
	],
	"report_names": [
		"57915"
	],
	"threat_actors": [
		{
			"id": "322a0ef1-136b-400e-89d0-0d62ee2bd319",
			"created_at": "2023-01-06T13:46:38.662109Z",
			"updated_at": "2026-04-10T02:00:03.05924Z",
			"deleted_at": null,
			"main_name": "Madi",
			"aliases": [],
			"source_name": "MISPGALAXY:Madi",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "191d7f9a-8c3c-442a-9f13-debe259d4cc2",
			"created_at": "2022-10-25T15:50:23.280374Z",
			"updated_at": "2026-04-10T02:00:05.305572Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"Kimsuky",
				"Black Banshee",
				"Velvet Chollima",
				"Emerald Sleet",
				"THALLIUM",
				"APT43",
				"TA427",
				"Springtail"
			],
			"source_name": "MITRE:Kimsuky",
			"tools": [
				"Troll Stealer",
				"schtasks",
				"Amadey",
				"GoBear",
				"Brave Prince",
				"CSPY Downloader",
				"gh0st RAT",
				"AppleSeed",
				"Gomir",
				"NOKKI",
				"QuasarRAT",
				"Gold Dragon",
				"PsExec",
				"KGH_SPY",
				"Mimikatz",
				"BabyShark",
				"TRANSLATEXT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "760f2827-1718-4eed-8234-4027c1346145",
			"created_at": "2023-01-06T13:46:38.670947Z",
			"updated_at": "2026-04-10T02:00:03.062424Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"G0086",
				"Emerald Sleet",
				"THALLIUM",
				"Springtail",
				"Sparkling Pisces",
				"Thallium",
				"Operation Stolen Pencil",
				"APT43",
				"Velvet Chollima",
				"Black Banshee"
			],
			"source_name": "MISPGALAXY:Kimsuky",
			"tools": [
				"xrat",
				"QUASARRAT",
				"RDP Wrapper",
				"TightVNC",
				"BabyShark",
				"RevClient"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "4d5f939b-aea9-4a0e-8bff-003079a261ea",
			"created_at": "2023-01-06T13:46:39.04841Z",
			"updated_at": "2026-04-10T02:00:03.196806Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"WICKED PANDA",
				"BRONZE EXPORT",
				"Brass Typhoon",
				"TG-2633",
				"Leopard Typhoon",
				"G0096",
				"Grayfly",
				"BARIUM",
				"BRONZE ATLAS",
				"Red Kelpie",
				"G0044",
				"Earth Baku",
				"TA415",
				"WICKED SPIDER",
				"HOODOO",
				"Winnti",
				"Double Dragon"
			],
			"source_name": "MISPGALAXY:APT41",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c8bf82a7-6887-4d46-ad70-4498b67d4c1d",
			"created_at": "2025-08-07T02:03:25.101147Z",
			"updated_at": "2026-04-10T02:00:03.846812Z",
			"deleted_at": null,
			"main_name": "NICKEL KIMBALL",
			"aliases": [
				"APT43 ",
				"ARCHIPELAGO ",
				"Black Banshee ",
				"Crooked Pisces ",
				"Emerald Sleet ",
				"ITG16 ",
				"Kimsuky ",
				"Larva-24005 ",
				"Opal Sleet ",
				"Ruby Sleet ",
				"SharpTongue ",
				"Sparking Pisces ",
				"Springtail ",
				"TA406 ",
				"TA427 ",
				"THALLIUM ",
				"UAT-5394 ",
				"Velvet Chollima "
			],
			"source_name": "Secureworks:NICKEL KIMBALL",
			"tools": [
				"BabyShark",
				"FastFire",
				"FastSpy",
				"FireViewer",
				"Konni"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41 ",
				"BARIUM ",
				"Blackfly ",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku ",
				"GREF",
				"Group 72 ",
				"Red Kelpie ",
				"TA415 ",
				"TG-2633 ",
				"Wicked Panda ",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b07fec96-80cd-4d92-aa52-a26a0b25b7c2",
			"created_at": "2022-10-25T16:07:23.826594Z",
			"updated_at": "2026-04-10T02:00:04.760416Z",
			"deleted_at": null,
			"main_name": "Madi",
			"aliases": [
				"Mahdi"
			],
			"source_name": "ETDA:Madi",
			"tools": [
				"Madi"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "71a1e16c-3ba6-4193-be62-be53527817bc",
			"created_at": "2022-10-25T16:07:23.753455Z",
			"updated_at": "2026-04-10T02:00:04.73769Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"APT 43",
				"Black Banshee",
				"Emerald Sleet",
				"G0086",
				"G0094",
				"ITG16",
				"KTA082",
				"Kimsuky",
				"Larva-24005",
				"Larva-25004",
				"Operation Baby Coin",
				"Operation Covert Stalker",
				"Operation DEEP#DRIVE",
				"Operation DEEP#GOSU",
				"Operation Kabar Cobra",
				"Operation Mystery Baby",
				"Operation Red Salt",
				"Operation Smoke Screen",
				"Operation Stealth Power",
				"Operation Stolen Pencil",
				"SharpTongue",
				"Sparkling Pisces",
				"Springtail",
				"TA406",
				"TA427",
				"Thallium",
				"UAT-5394",
				"Velvet Chollima"
			],
			"source_name": "ETDA:Kimsuky",
			"tools": [
				"AngryRebel",
				"AppleSeed",
				"BITTERSWEET",
				"BabyShark",
				"BoBoStealer",
				"CSPY Downloader",
				"Farfli",
				"FlowerPower",
				"Gh0st RAT",
				"Ghost RAT",
				"Gold Dragon",
				"GoldDragon",
				"GoldStamp",
				"JamBog",
				"KGH Spyware Suite",
				"KGH_SPY",
				"KPortScan",
				"KimJongRAT",
				"Kimsuky",
				"LATEOP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Lovexxx",
				"MailPassView",
				"Mechanical",
				"Mimikatz",
				"MoonPeak",
				"Moudour",
				"MyDogs",
				"Mydoor",
				"Network Password Recovery",
				"PCRat",
				"ProcDump",
				"PsExec",
				"ReconShark",
				"Remote Desktop PassView",
				"SHARPEXT",
				"SWEETDROP",
				"SmallTiger",
				"SniffPass",
				"TODDLERSHARK",
				"TRANSLATEXT",
				"Troll Stealer",
				"TrollAgent",
				"VENOMBITE",
				"WebBrowserPassView",
				"xRAT"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434369,
	"ts_updated_at": 1775792261,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c5bbe09a6d3ada643082681cc44f6583f166aa71.pdf",
		"text": "https://archive.orkl.eu/c5bbe09a6d3ada643082681cc44f6583f166aa71.txt",
		"img": "https://archive.orkl.eu/c5bbe09a6d3ada643082681cc44f6583f166aa71.jpg"
	}
}