{
	"id": "5242d800-9a1b-4613-a2f0-f43d84eb23d2",
	"created_at": "2026-04-06T00:18:57.765558Z",
	"updated_at": "2026-04-10T03:37:40.74435Z",
	"deleted_at": null,
	"sha1_hash": "cd314c1718815e83244d59a0754cf30dd0edf70f",
	"title": "Back to the Future: Inside the Kimsuky KGH Spyware Suite",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2592150,
	"plain_text": "Back to the Future: Inside the Kimsuky KGH Spyware Suite\r\nBy Cybereason Nocturnus\r\nArchived: 2026-04-02 12:17:58 UTC\r\nResearch by: Assaf Dahan, Lior Rochberger, Daniel Frank and Tom Fakterman\r\nThe Cybereason Nocturnus Team has been tracking various North Korean threat actors, among them the cyber espionage\r\ngroup known as Kimsuky (aka Velvet Chollima, Black Banshee and Thallium), which has been active since at least 2012\r\nand is believed to be operating on behalf of the North Korean regime. The group has a rich and notorious history of\r\noffensive cyber operations around the world, including operations targeting South Korean think tanks, but over the past few\r\nyears they have expanded their targeting to countries including the United States, Russia and various nations in Europe.\r\nSome of their observed targets include:\r\n• Pharmaceutical/Research companies working on COVID-19 vaccines and therapies\r\n• UN Security Council\r\n• South Korean Ministry of Unification\r\n• Various Human Rights Groups\r\n• South Korean Institute for Defense Analysis\r\n• Various Education and Academic Organizations\r\n• Various Think Tanks\r\n• Government Research Institutes\r\n• Journalists covering Korean Peninsula relations\r\n• South Korean Military\r\nOn October 27, 2020, US-CERT published a report summarizing Kimsuky’s recent activities and describing the group’s\r\nTTPs and infrastructure.\r\nCombining the information in the report with the intelligence accumulated by Cybereason Nocturnus over time, the\r\nresearchers discovered a previously undocumented modular spyware suite dubbed KGH_SPY that provides Kimsuky with\r\nstealth capabilities to carry out espionage operations. 
\r\nIn addition, Cybereason Nocturnus uncovered another new malware strain dubbed CSPY Downloader that was observed to\r\nbe a sophisticated tool with extensive anti-analysis and evasion capabilities, allowing the attackers to determine if  “the coast\r\nis clear” before downloading additional payloads. \r\nLastly, the Cybereason Nocturnus team identified new server infrastructure used by Kimsuky that overlaps with previously\r\nidentified Kimsuky infrastructure.\r\nKGH backdoor caught by Cybereason Platform\r\nTable of Contents\r\n- Key Findings\r\n- Kimsuky Infrastructure Overlap\r\nhttps://www.cybereason.com/blog/back-to-the-future-inside-the-kimsuky-kgh-spyware-suite\r\nPage 1 of 22\n\n- New Toolset Infrastructure\r\n- Back to the Future: Suspected Anti-Forensics\r\n- KGH Spyware Suite\r\n- Infection Vector: Weaponized Word Documents\r\n- KGH Spyware Payloads Overview\r\n- Analysis of the KGH Installer (M1.dll)\r\n- Analysis of the KGH Backdoor Loader (msic.exe)\r\n- KGH Backdoor Commands\r\n- KGH Infostealer Module (m.dll)\r\n- CSPY Downloader - A New Downloader in the Arsenal\r\n- Anti-analysis Techniques\r\n- Conclusion\r\n- MITRE ATTACK Breakdown\r\n- Indicators of Compromise\r\nKey Findings\r\n• Discovery of a New Modular Spyware Suite: “KGH_SPY” is a modular suite of tools that provides the threat actors with\r\nreconnaissance, keylogging, information stealing and backdoor capabilities\r\n• Discovery of a Stealthy New Malware: “CSPY Downloader” is a tool designed to evade analysis and download\r\nadditional payloads\r\n• New toolset Infrastructure: Newly discovered toolset infrastructure registered between 2019-2020 that overlaps with\r\nanother Kimsuky’s malware called BabyShark that was used in the past to target US-based Think tanks \r\n• Anti-Forensics: The creation/compilation timestamps of malware in the report appear to have been tampered with and\r\nbackdated to 2016 in an attempt to thwart forensic investigation\r\n• Behavioral and Code 
Similarities to Other Kimsuky Malware: The newly discovered malware shares various\r\nbehavioral and code similarities to known Kimsuky malware, including: code signing with EGIS revoked certificate; shared\r\nstrings; file naming convention; string decryption algorithms; PDB paths referencing authors / projects\r\n• Undetected by Antivirus: At the time of writing this report, some of the mentioned payloads  are not detected by any\r\nantivirus vendors\r\nKimsuky Infrastructure Overlap\r\nKimsuky is known for their complex infrastructure that uses free-registered domains, compromised domains, as well as\r\nprivate domains registered by the group. Tracking down the infrastructure, the Nocturnus team was able to detect overlaps\r\nwith BabyShark malware and other connections to different malware such as AppleSeed backdoor:\r\nhttps://www.cybereason.com/blog/back-to-the-future-inside-the-kimsuky-kgh-spyware-suite\r\nPage 2 of 22\n\nInfrastructure graph for different Kimsuky’s domains and the overlaps between them\r\nThroughout the years, Kimsuky has been using an array of malware in their operations. The infrastructure of some of the\r\nmalware used by Kimsuky can be tracked using pattern analysis of the URI structures used by some of their tools. 
The\r\nfollowing table maps commonly observed URI patterns to their respective malware:\r\nMalware\r\nname\r\nDescription C2 URL Pattern\r\nAppleSeed  Backdoor\r\nhttp://hao.aini.pe[.]hu/init/image?i=ping\u0026u=8dc1078f1639d34c\u0026p=wait..\r\nhttp://mernberinfo[.]tech/wp-data/?\r\nm=dunan\u0026p=de3f6e263724\u0026v=win6.1.0-sp1-x64\r\nhttp://eastsea.or[.]kr/?m=a\u0026p1=00000009\u0026p2=Win6.1.7601x64-Spy-v2370390\r\nFlowerPower\r\nPowershell based\r\nprofiling tool\r\nhttp://dongkuiri.atwebpages[.]com/venus02/venus03/venus03.ps1\r\nhttp://attachchosun.atwebpages[.]com/leess1982/leess1982.ps1\r\nhttps://www.cybereason.com/blog/back-to-the-future-inside-the-kimsuky-kgh-spyware-suite\r\nPage 3 of 22\n\nGold Dragon Backdoor\r\nhttp://portable.epizy[.]com/img/png/download.php?filename=images01\r\nhttp://foxonline123.atwebpages[.]com/home/jpg/download.php?\r\nfilename=flower03\r\nBabyShark\r\nVBS-based backdoor\r\nand reconnaissance\r\ntool\r\nhttp://nhpurumy.mireene[.]com/theme/basic/skin/member/basic/\r\nupload/download.php?param=res2.txt\r\nhttp://jmable.mireene[.]com/shop/kcp/js/com/expres.php?op=2\r\nNew toolset Infrastructure\r\nBy tracking the previous infrastructure and correlating the data regarding the URI patterns used by different Kimsuky tools,\r\nthe Cybereason Nocturnus Team was able to uncover a new infrastructure that was used by the new malware toolset: \r\nMalware name Description C2 URL Pattern\r\nKGH malware suite\r\nDifferent\r\ncomponents in the\r\nKGH malware suite\r\nhttp://csv.posadadesantiago[.]com/home?id=\r\n[Machine_name]\u0026act=sbk\u0026ver=x64\r\nhttp://csv.posadadesantiago[.]com/home/up.php?id=\r\n[Machine_name]\r\nCSPY Downloader Downloader\r\nhttp://wave.posadadesantiago[.]com/home/dwn.php?\r\nvan=10860\r\nhttp://wave.posadadesantiago[.]com/home/dwn.php?\r\nvan=101\r\nhttp://wave.posadadesantiago[.]com/home/dwn.php?\r\nvan=102\r\nKGH_Backdoor\r\nwinload.x\r\nBackdoor and\r\nKeylogger\r\ncomponent, 
VBS\r\ndownloader\r\nhttp://csv.posadadesantiago[.]com/home?act=news\u0026id=[Machine_name]\r\nhttp://csv.posadadesantiago[.]com/home?id=[Machine_name]\u0026act=upf\u0026ver=x64\r\nhttp://csv.posadadesantiago[.]com/home?id=[Machine_name]\u0026act=tre\u0026ver=x64\r\nhttp://csv.posadadesantiago[.]com/home?id=[Machine_name]\u0026act=wbi\u0026ver=x64\r\nhttp://csv.posadadesantiago[.]com/home?id=[Machine_name]\u0026act=cmd\u0026ver=x64\r\nhttp://csv.posadadesantiago[.]com/home?id=[Machine_name]\u0026act=pws\u0026ver=x64\r\nPM_Abe_draft_letter_on_UN_NK_20200130.doc\r\nPhishing document\r\nhttp://myaccounts.posadadesantiago[.]com/test/Update.php?wShell=201\r\nThe new domains all resolve to the same IP address that was reported in previous Kimsuky-related attacks involving\r\nthe BabyShark malware: \r\nIP Address | Domain Name | Kimsuky Activity\r\n173.205.125.124 | csv.posadadesantiago[.]com | KGH Backdoor\r\n173.205.125.124 | wave.posadadesantiago[.]com | CSPY Downloader\r\n173.205.125.124 | myaccounts.posadadesantiago[.]com | Malicious Phishing Document\r\n173.205.125.124 | www.eventosatitlan[.]com | BabyShark / Autumn Aperture Campaign\r\nPhishing Themes related to the New Infrastructure\r\nWhen analyzing the weaponized phishing documents that were connected to the new tooling infrastructure, the\r\ntopic of human rights in North Korea recurs in at least two documents:\r\nPM_Abe_draft_letter_on_UN_NK_20200130.doc - This document contains what appears to be a letter in English\r\nand Japanese addressed to the (now former) Prime Minister of Japan, Shinzo Abe, regarding the subject of\r\nhuman rights in North Korea. 
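As an added example (not code from the Cybereason report), the following Python script turns the URI patterns in the two tables above into a log classifier: each family is a host pattern, a path pattern and the query keys its beacon must carry, and the KGH act= values are mapped to the backdoor actions the report describes. The proxy log lines are constructed for the example; the hostnames are the report's defanged domains with the brackets removed.

```python
# Added example (not from the Cybereason report): classify proxy/web-log URLs
# against the C2 URI patterns the report attributes to Kimsuky tooling.
# Patterns come from the report's tables; the log lines below are constructed.
import re
from urllib.parse import urlparse, parse_qs

# Family signatures: (family, host regex, path regex, required query keys).
SIGNATURES = [
    ('KGH backdoor / installer', r'^csv[.]posadadesantiago[.]com$', r'^/home/?$', {'id', 'act'}),
    ('KGH upload endpoint', r'^csv[.]posadadesantiago[.]com$', r'^/home/up[.]php$', {'id'}),
    ('CSPY Downloader', r'^wave[.]posadadesantiago[.]com$', r'^/home/dwn[.]php$', {'van'}),
    ('KGH phishing macro', r'^myaccounts[.]posadadesantiago[.]com$', r'^/test/Update[.]php$', {'wShell'}),
    ('BabyShark', r'[.]mireene[.]com$', r'/(download|expres)[.]php$', set()),
    ('Gold Dragon', r'[.](epizy[.]com|atwebpages[.]com)$', r'/download[.]php$', {'filename'}),
    ('FlowerPower', r'[.]atwebpages[.]com$', r'[.]ps1$', set()),
]

# KGH 'act' values documented in the report and what each one triggers.
KGH_ACTIONS = {
    'news': 'fetch next-stage payload (n.x)',
    'sbk': 'download KGH installer (m1.dll)',
    'wbi': 'download browser stealer (m.dll)',
    'upf': 'upload files',
    'tre': 'upload directory listing (tree)',
    'cmd': 'run cmd.exe command',
    'pws': 'run PowerShell command',
}

def classify_url(url):
    # Returns (family, detail) or None when no signature matches.
    u = urlparse(url)
    host = u.hostname or ''
    qs = parse_qs(u.query)
    for family, host_re, path_re, keys in SIGNATURES:
        if re.search(host_re, host) and re.search(path_re, u.path) and keys <= set(qs):
            detail = ''
            if family.startswith('KGH backdoor') and qs.get('act'):
                act = qs['act'][0]
                detail = KGH_ACTIONS.get(act, 'unknown act=' + act)
            elif family == 'CSPY Downloader':
                detail = 'payload id van=' + qs['van'][0]
            return family, detail
    return None

def scan_log(lines):
    # Each constructed log line is '<timestamp> <client> <method> <url>';
    # returns (client, url, family, detail) for every matching line.
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue
        verdict = classify_url(parts[3])
        if verdict:
            hits.append((parts[1], parts[3], verdict[0], verdict[1]))
    return hits

# Constructed sample proxy log (not real traffic). Line 5 is a decoy that
# copies the KGH query shape on an unrelated host and must not match.
SAMPLE_LOG = [
    '2020-10-07T13:01:02Z 10.0.0.15 GET http://csv.posadadesantiago.com/home?id=WS-FIN-07&act=sbk&ver=x64',
    '2020-10-07T13:01:09Z 10.0.0.15 GET http://csv.posadadesantiago.com/home?act=news&id=WS-FIN-07',
    '2020-10-07T13:02:30Z 10.0.0.15 POST http://csv.posadadesantiago.com/home/up.php?id=WS-FIN-07',
    '2020-10-07T13:05:00Z 10.0.0.22 GET http://wave.posadadesantiago.com/home/dwn.php?van=10860',
    '2020-10-07T13:05:01Z 10.0.0.22 GET http://www.example.org/home?id=1&act=news',
    '2020-10-07T13:06:00Z 10.0.0.31 GET http://jmable.mireene.com/shop/kcp/js/com/expres.php?op=2',
]

if __name__ == '__main__':
    for client, url, family, detail in scan_log(SAMPLE_LOG):
        print(client, family, detail, url)
```

Matching on host, path and query keys together keeps the generic path `/home` from firing on unrelated sites, which is why the decoy line is rejected; in production the host list would be fed from threat intelligence rather than hardcoded.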
The document’s malicious macro code communicates with the domain\r\nmyaccounts.posadadesantiago[.]com \r\nInterview with a north korean defector.doc - This document contains an interview with a North Korean defector\r\nwho escaped to Japan and discusses problems with life in North Korea. This document drops malware that\r\ncommunicates with the domain wave.posadadesantiago[.]com\r\nThe topic of human rights violations in North Korea previously appeared in multiple phishing documents attributed to\r\nKimsuky. \r\nPhishing Documents containing DPRK-related human rights issues\r\nBack to the Future: Suspected Anti-Forensics \r\nBackdating, or timestomping, is a technique used by many threat actors which involves manipulating the creation\r\ntimestamps or compilation date of a file in order to thwart analysis attempts (anti-forensics). It is suspected that the creation\r\ndates of most of the files mentioned in this report were tampered with by the threat actors and backdated to 2016:\r\nName | SHA-256 | Creation Date (likely fake) | VT Upload Date\r\nm1.dll (cur_install_x64.dll) | af13b16416760782ec81d587736cb4c9b2e7099afc10cb764eeb4c922ee8802f | 2016-10-02 07:35:25 | 2020-10-07 13:03:45\r\nmsic.exe | e4d28fd7e0fc63429fc199c1b683340f725f0bf9834345174ff0b6a3c0b1f60e | 2016-09-28 02:08:00 | 2020-10-07 13:03:53\r\nmsfltr32.dll | 66fc8b03bc0ab95928673e0ae7f06f34f17537caf159e178a452c2c56ba6dda7 | 2016-10-02 07:23:16 | 2020-10-07 13:03:56\r\nm.dll | f989d13f7d0801b32735fee018e816f3a2783a47cff0b13d70ce2f1cbc754fb9 | 2016-09-28 08:41:36 | 2020-10-07 13:03:56\r\n0807.dotm | 97d4898c4e70335f0adbbace34593236cb84e849592e5971a797554d3605d323 | 2016-08-07 11:31:00 | 2020-08-19 09:46:33\r\n0928.dotm | d88c5695ccd83dce6729b84c8c43e8a804938a7ab7cfeccaa0699d6b1f81c95c | 2016-09-28 02:08:00 | 2020-10-06 07:53:38\r\nwinload.exe | 7158099406d99db82b7dc9f6418c1189ee472ce3c25a3612a5ec5672ee282dc0 | 2016-07-30 01:20:23 | 2020-06-12 01:48:02\r\nThe assumption is backed by the registration dates of the domains that are hardcoded in all the above mentioned malware\r\nsamples. According to the domain registration information in RiskIQ PassiveTotal, these domains were first observed\r\nbetween January 2019 and August 2020, years after the seemingly manipulated creation dates: \r\nDomain | IP Resolution | First Observed | Earliest Observed Certificate Issue Date\r\ncsv.posadadesantiago[.]com | 173.205.125.124 | 2020-08-09 | SHA-1: 87b35e1998bf00a8b7e32ed391c217deaec408ad, Date: 2020-08-19\r\nwave.posadadesantiago[.]com | 173.205.125.124 | 2020-02-27 | SHA-1: f846981567760d40b5a90c8923ca8c2e7c881c5f, Date: 2020-03-24\r\nmyaccounts.posadadesantiago[.]com | 173.205.125.124 | 2019-01-25 | SHA-1: 90d00ecb1e903959a3853e8ee1c8af89fb82a179, Date: 2019-01-25\r\nKGH Spyware Suite\r\nThe connection between different components of the KGH malware suite\r\nDuring our analysis, Cybereason Nocturnus discovered a new malware suite dubbed “KGH” which contains several\r\nmodules used as spyware. 
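The timestamp argument made in the Suspected Anti-Forensics section above can be automated. The following Python example is added here (it is not code from the report) and reads IMAGE_FILE_HEADER.TimeDateStamp out of a PE image, then compares it with the first-observed dates of the C2 domains the sample hardcodes: a binary cannot honestly have been compiled before its own infrastructure existed. The PE bytes are constructed minimal headers carrying the report's (likely fake) compile times, not the real samples; the domain dates are the PassiveTotal values quoted in the table above.

```python
# Added example (not from the Cybereason report): flag PE compile timestamps
# that predate the C2 infrastructure hardcoded in the sample. The PE bytes are
# constructed minimal headers, not the real samples; dates come from the report.
import struct
from datetime import datetime, timezone

def build_min_pe(timestamp):
    # Constructs the smallest layout the parser needs: an MZ stub whose
    # e_lfanew points at the PE signature, followed by a COFF file header
    # carrying the given TimeDateStamp. Not a loadable image; parser input only.
    dos = bytearray(64)
    dos[0:2] = b'MZ'
    struct.pack_into('<I', dos, 60, 64)                 # e_lfanew = 64
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack('<HHIIIHH', 0x8664, 1, timestamp, 0, 0, 0, 0)
    return bytes(dos) + b'PE' + bytes(2) + coff

def pe_timestamp(data):
    # Reads IMAGE_FILE_HEADER.TimeDateStamp from a PE image held in memory.
    if data[:2] != b'MZ':
        raise ValueError('not an MZ image')
    e_lfanew = struct.unpack_from('<I', data, 60)[0]
    if data[e_lfanew:e_lfanew + 4] != b'PE' + bytes(2):
        raise ValueError('PE signature not found')
    ts = struct.unpack_from('<I', data, e_lfanew + 8)[0]  # 4-byte sig + Machine + NumberOfSections
    return datetime.fromtimestamp(ts, tz=timezone.utc)

def utc(s):
    return datetime.strptime(s, '%Y-%m-%d %H:%M:%S').replace(tzinfo=timezone.utc)

def assess_backdating(name, data, infra_first_seen, first_submitted):
    # A compile time earlier than the first observation of any domain the
    # sample hardcodes is a strong timestomping signal: the build would
    # predate the infrastructure it talks to.
    compiled = pe_timestamp(data)
    earliest_infra = min(infra_first_seen.values())
    gap_days = (earliest_infra - compiled).days
    return {
        'sample': name,
        'compiled': compiled.strftime('%Y-%m-%d %H:%M:%S'),
        'earliest_infra': earliest_infra.strftime('%Y-%m-%d'),
        'gap_days': gap_days,
        'suspect_timestomp': gap_days > 0,
        'submitted': first_submitted.strftime('%Y-%m-%d'),
    }

# First-observed dates for the domains in the report's PassiveTotal table.
INFRA = {
    'csv.posadadesantiago[.]com': utc('2020-08-09 00:00:00'),
    'wave.posadadesantiago[.]com': utc('2020-02-27 00:00:00'),
    'myaccounts.posadadesantiago[.]com': utc('2019-01-25 00:00:00'),
}

# Constructed headers reproducing two of the report's compile times, paired
# with the domain each sample hardcodes and its VirusTotal upload date.
SAMPLES = [
    ('m1.dll', build_min_pe(int(utc('2016-10-02 07:35:25').timestamp())),
     {'csv.posadadesantiago[.]com': INFRA['csv.posadadesantiago[.]com']}, utc('2020-10-07 13:03:45')),
    ('winload.exe', build_min_pe(int(utc('2016-07-30 01:20:23').timestamp())),
     {'wave.posadadesantiago[.]com': INFRA['wave.posadadesantiago[.]com']}, utc('2020-06-12 01:48:02')),
]

def run_assessment():
    return [assess_backdating(n, d, infra, sub) for n, d, infra, sub in SAMPLES]

if __name__ == '__main__':
    for verdict in run_assessment():
        print(verdict)
```

The check deliberately uses only the COFF header field, which is what most tooling reports as the compile time; for samples with a debug directory or a Rich header, those timestamps give independent values worth comparing the same way.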
The name “KGH” is derived from the PDB path and internal names found in the malware\r\nsamples: \r\n“KGH” in an internal name of the backdoor\r\n“m.dll” pdb path\r\nA possible link to North Korean attacks referencing the name “KGH” was mentioned in 2017 in a research by Ahnlab,\r\nhowever it is unclear whether it is related to the same malware authors. \r\nhttps://www.cybereason.com/blog/back-to-the-future-inside-the-kimsuky-kgh-spyware-suite\r\nPage 7 of 22\n\nInfection Vector: Weaponized Word Documents\r\nThe infection vector seems to originate from a Word documents containing malicious macros: \r\nName SHA-256 Domain\r\nCreation\r\nDate\r\n(likely\r\nfake)\r\nVT\r\nUpload\r\nDate\r\n0807.dotm\r\n97d4898c4e70335f0adbbace34593236cb\r\n84e849592e5971a797554d3605d323\r\ncsv.posadadesantiago.com\r\n2016-08-07\r\n11:31:00\r\n2020-08-\r\n19\r\n09:46:33\r\n0928.dotm\r\nd88c5695ccd83dce6729b84c8c43e8a804\r\n938a7ab7cfeccaa0699d6b1f81c95c\r\ncsv.posadadesantiago.com\r\n2016-09-28\r\n02:08:00\r\n2020-10-\r\n06\r\n07:53:38\r\nWe observed two Word documents that communicate with the domains above which contain code similarities to each other\r\nand to the previously mentioned “Interview with a north korean defector.doc”. The macros of the malicious documents do\r\nthe following: \r\n0807.dotm:\r\n1. Drops a script named “winload.x” and a wscript.exe binary renamed as “cs.exe” to\r\n“%appdata%\\Micorosoft\\Templates”.\r\n2. Sets the reg key “HKCU\\Environment\\UserInitMprLogonScript” to run a cmd command that copies “winload.x”\r\nas “a.vbs”, executes it and deletes “a.vbs”.  The mentioned registry key is used to execute Logon Scripts, and will\r\nexecute what is written to it at startup. The document is using this key to achieve persistence for the file “winload.x”:\r\nPersistence using UserInitMprLogonScript Registry keys\r\n3. 
Collects system, network and drive information and installed applications, saves it to a file named “info” and sends\r\nit to the C2 using iexplorer.exe\r\n4. When “winload.x” (“a.vbs”) is executed, it tries to download and execute code from\r\n“csv.posadadesantiago[.]com/home?act=news\u0026id=[Machine_name]”:\r\nWinload.x (a.vbs) contents deobfuscated\r\n0928.dotm:\r\nhttps://www.cybereason.com/blog/back-to-the-future-inside-the-kimsuky-kgh-spyware-suite\r\nPage 8 of 22\n\n1. Collects information about the infected system, network, drives, and installed applications.\r\n2. Saves the collected information to a file named “info” in “%appdata%\\Micorosoft\\Templates” and sends it to the\r\nC2.\r\n3. Downloads m1.dll (KGH Installer) from “csv.posadadesantiago[.]com/home?id=\r\n[Machine_name]\u0026act=sbk\u0026ver=x64”\r\n4. Downloads m.dll (KGH-Browser Stealer) from “csv.posadadesantiago[.]com/home?id=\r\n[Machine_name]\u0026act=wbi\u0026ver=x64”\r\n5. Executes the KGH installer:\r\nURLs creation from 0928.dotm macro code\r\nBoth documents use similar function names and variable names:\r\n0928.dotm VB code (left) \u0026 0807.dotm VB code (right)\r\nOnce the macro collected all the information, it sends the data to the C2 server over an HTTP POST request: \r\nExfiltration of the collected system information stored in “info”\r\nKGH Spyware Payloads Overview\r\nThe following payloads were observed to be downloaded and dropped by the previously mentioned malicious documents:\r\nhttps://www.cybereason.com/blog/back-to-the-future-inside-the-kimsuky-kgh-spyware-suite\r\nPage 9 of 22\n\nFile\r\nName(s)\r\nPurpose\r\nCreation Date\r\n(likely fake)\r\nVT Upload\r\nDate\r\nm1.dll \r\nDrops KGH backdoor and creates persistence to msic.exe\r\nand drops: \r\n - C:\\Users\\user\\AppData\\Local\\AreSoft\\msic.exe\r\n - C:\\Users\\user\\AppData\\Local\\AreSoft\\msfltr32.dll\r\n2016-10-02\r\n07:35:25\r\n2020-10-07\r\n13:03:45\r\nmsic.exe\r\nLoads and executes 
msfltr32.dll\r\nC:\\Users\\user\\AppData\\Local\\AreSoft\\msfltr32.dll\r\n2016-09-28\r\n02:08:00\r\n2020-10-07\r\n13:03:53\r\nmsfltr32.dll\r\nKGH backdoor capabilities: \r\n - Persistence\r\n - Keylogger\r\n - Downloads additional payloads\r\n- Executes arbitrary commands (cmd.exe / powershell)\r\n2016-10-02\r\n07:23:16\r\n2020-10-07\r\n13:03:56\r\nm.dll\r\nKGH-Browser Stealer \r\nSteals stored data from Chrome, Edge, Firefox, Thunderbird,\r\nOpera, Winscp. \r\n2016-09-28\r\n08:41:36\r\n2020-10-07\r\n13:03:56\r\nThe following files were downloaded / dropped by the macro as caught by the Cybereason platform: \r\nCybereason defense platform presenting the creation of the files\r\nAnalysis of the KGH Installer (M1.dll)\r\nThe KGH installer was uploaded to VirusTotal in October 2020 and at the time of writing this report is not detected by any\r\nAntivirus engines: \r\n KGH installer detections in VT\r\nhttps://www.cybereason.com/blog/back-to-the-future-inside-the-kimsuky-kgh-spyware-suite\r\nPage 10 of 22\n\nThe file is a DLL that executes the installation / dropper code located in the “outinfo” export:\r\n KGH installer exports\r\nThe DLL contains two encrypted blobs in its resource section. It can be noticed that there are traces of Korean language in\r\nthose resources: \r\n KGH installer resources\r\nThese encrypted blobs are dropped to C:\\Users\\user\\AppData\\Local\\Temp\\3f34a.tmp one after the other. 
Once they are\r\ndropped, the dropper also decrypts them and writes them to a newly created folder and creates persistence:\r\nC:\\Users\\user\\AppData\\Local\\AreSoft\\msic.exe\r\nC:\\Users\\user\\AppData\\Local\\AreSoft\\msfltr32.dll\r\nDropped files location on an infected machine\r\nThe backdoor achieves persistence by creating the following registry autoruns keys: \r\nKey: HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\Load\r\nValue: C:\\Users\\user\\AppData\\Local\\AreSoft\\msic.exe\r\nAnalysis of the KGH Backdoor Loader (msic.exe)\r\nThe KGH loader (msic.exe) is responsible for loading and executing the KGH backdoor DLL (msfltr32.dll) in memory: \r\nMsic.exe loads msfltr32.dll to memory\r\nThe file itself is unsigned and masquerades as a legitimate Microsoft Windows tool:\r\nhttps://www.cybereason.com/blog/back-to-the-future-inside-the-kimsuky-kgh-spyware-suite\r\nPage 11 of 22\n\nMsfltr32.dll Signature Info\r\nKGH Backdoor - Main Module (msfltr32.dll)\r\nThe msfltr32.dll module is the core module of the KGH backdoor. 
The backdoor contains the following functionality: \r\n• Persistence using autorun keys\r\n• Keylogger\r\n• Directory and file listing\r\n• Downloading secondary payloads from the C2 server\r\n• Exfiltrating collected information from the host to the C2 server\r\n• Executing arbitrary commands via cmd.exe or PowerShell\r\nKGH Backdoor: Keylogger Functionality\r\nThe KGH backdoor has a keylogger functionality built into its code, which is achieved by a common technique of polling\r\nthe GetAsyncKeyState() function:\r\nExcerpt from KGH’s Keylogger function\r\nhttps://www.cybereason.com/blog/back-to-the-future-inside-the-kimsuky-kgh-spyware-suite\r\nPage 12 of 22\n\nThe recorded keystrokes are stored in the “lg” folder in %appdata% with the file extension “.x”\r\nKGH Backdoor Secondary Payloads\r\nThe KGH backdoor contacts the C2 with URL “csv.posadadesantiago[.]com/home?act=news\u0026id=[Machine_name]” and\r\nsaves the response to “C:\\Users\\user\\AppData\\Local\\Temp\\n.x”:\r\nURL string in KGH Backdoor\r\nThe KGH backdoor will then parse the contents of “n.x”. The “n.x” file may contain an “SHL”, “DLL” or “EXE” file.\r\nIn case it is a “DLL” or an “EXE” the KGH backdoor will execute the file. 
In case the downloaded file contains an “SHL”\r\nfile, the KGH backdoor will parse the file to retrieve commands sent by the C2:\r\nCheck “n.x” file type code from KGH backdoor \r\nKGH Backdoor Commands\r\nThe KGH backdoor has a predefined set of commands that it receives from the server: \r\nKGH’s backdoor commands\r\nCommand | Purpose\r\nupf | Upload files to the C2\r\ntre | Create a list of all files on the system using the “tree” command, save it to a file named “c.txt” and upload the file to the C2\r\nwbi | Download the “m.dll” browser stealer module and exfiltrate the stolen data\r\ncmd | Execute a cmd shell command\r\npws | Execute a PowerShell command\r\nList of files generated by or downloaded by the KGH backdoor: \r\nFile | Purpose\r\nC:\\Users\\user\\AppData\\Roaming\\lg\\[year_month_day].x | Keylogger stolen data storage\r\nC:\\Users\\user\\AppData\\Local\\Temp\\n.x | Payload downloaded from the server\r\nC:\\Users\\user\\AppData\\Local\\Temp\\C.txt | Output of the tree command (directory and file listing), produced by: C:\\Windows\\System32\\cmd.exe /c tree /f C:\\ \u003e\u003e C:\\Users\\user\\AppData\\Local\\Temp\\C.txt\r\nC:\\Users\\user\\Documents\\w.x | Stolen browser data (from the m.dll module)\r\nsig.x | Likely checks write permission to the disk\r\nC:\\test1.txt | N/A\r\nKGH Infostealer Module (m.dll)\r\nAnother component of the KGH suite is the m.dll module, which is an information stealer that harvests data from browsers,\r\nWindows Credential Manager, WinSCP and mail clients. 
The infostealer module is not detected by any AV vendor at the\r\ntime of writing this report: \r\nKGH infostealer module is undetected by any Antivirus vendors\r\nThe PDB path embedded in the m.dll module further shows a clear connection to the KGH backdoor, as it is named\r\n“KGH_Browser-Master”:\r\nE:\\SPY\\WebBrowser\\KGH_Browser-Master\\x64\\Release\\KGH_Browser-Master.pdb\r\nThe “SPY” user was also observed in PDB of the “CSPY Downloader”, which is also mentioned in this report: \r\nPDB Path of the CSPY Downloader\r\nThe infostealer module steals information stored (cookies, credentials) in the following applications: \r\n• Browsers: Chrome, IE / Edge, Firefox, Opera\r\n• WinSCP Client\r\n• Windows Credential Manager\r\n• Mozilla Thunderbird Mail Client\r\nhttps://www.cybereason.com/blog/back-to-the-future-inside-the-kimsuky-kgh-spyware-suite\r\nPage 15 of 22\n\nMain Infostealing routine\r\nThe stolen information is written to a file called “w.x”: \r\nCreation of the “w.x” file that stores the stolen data\r\nCSPY Downloader - A New Downloader in the Arsenal\r\nWhen hunting for some of the URI patterns mentioned in the US-CERT report (“/home/dwn.php?van=101”), another\r\nmalicious executable was found communicating with the C2 wave.posadadesantiago[.]com, named winload.exe.\r\nThis sample was delivered by a malicious document named “Interview with a north Korean defector”. The macro embedded\r\ninside unpacks and executes winload.exe.\r\nUpon analysis, the Nocturnus determined that winload.exe is a new type of a downloader, dubbed “CSPY” by Cybereason,\r\nthat is packed with robust evasion techniques meant to ensure that the “coast is clear” and that the malware does not run in a\r\ncontext of a virtual machine or analysis tools before it continues to download secondary payloads: \r\nVirusTotal uploads of winload.exe communicating with the above mentioned C2\r\nThis file is mentioned in the report by ESTSecurity. 
In alignment with the findings there, it is packed with UPX, has\r\nresources in Korean, anti-VM functionality and a timestamp that has been tampered with to read July 30, 2016:\r\nThe PDB Path of the CSPY Downloader\r\nPDB Path and resources of the malware\r\nThe file is also signed with the following revoked certificate. As can be seen, the signing date may be fake as well. A revoked\r\ncertificate issued to EGIS Co., Ltd was previously reported to be used by Kimsuky:\r\nKimsuky’s typical revoked certificate\r\nWhen further examining the file, some interesting functionality can be found. Indicative strings and API names can be\r\ndecrypted by subtracting 1 from each character, similar to the KGH backdoor, whose strings can be decrypted by subtracting 5\r\nfrom each character. Decrypting the strings reveals the malware’s full log messages. The log file is stored in\r\n%appdata%\\microsoft\\NTUSERS.log:\r\nDecrypted logging strings of CSPY Downloader\r\nIt is interesting to note that some of the abovementioned log strings are grammatically incorrect, which can suggest that the\r\nmalware author is not a native English speaker.\r\nThe above logs imply that this sample might be a debug version of the malware. In many cases, debug versions are used by\r\nthe malware authors for testing new malware or new features. This can also suggest that the malware is newly developed\r\nand has not been fully operationalized yet. 
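The per-character subtraction described above is trivial to reverse once the shift is known, and can be brute-forced when it is not. The Python example below is added here (it is not code from the report or from the malware) and runs on constructed blobs: NUL-separated strings encoded with +1 in the CSPY style and +5 in the KGH style. The token list used to rank candidate shifts is an assumption of the example, chosen because a correct decode should expose Windows API names and file suffixes.

```python
# Added example (not from the Cybereason report): undo the per-byte subtraction
# the report describes (1 for CSPY Downloader, 5 for the KGH backdoor) and
# brute-force the shift when it is unknown. All sample blobs are constructed.
import re

def decode_shift(data, shift):
    # Subtract `shift` from every byte, wrapping modulo 256 as the malware does.
    return bytes((b - shift) % 256 for b in data)

def encode_shift(text, shift):
    # Inverse of decode_shift; used only to build the constructed samples below.
    return bytes((b + shift) % 256 for b in text.encode('ascii'))

# Runs of 6+ printable ASCII bytes (space through tilde) in a decoded buffer.
PRINTABLE_RUN = re.compile(b'[ -~]{6,}')
# Assumed tokens a correct decode is expected to expose (API name fragments,
# file suffixes, shell names). Wrong shifts still yield letters, not these.
KNOWN_TOKENS = ('Process', 'Debugger', 'Get', 'Set', 'Create', '.exe', '.dll', '.log', 'cmd', 'http')

def carve_strings(decoded):
    return [m.group().decode('ascii') for m in PRINTABLE_RUN.finditer(decoded)]

def guess_shift(blob, candidates=range(1, 16)):
    # Score each candidate shift by how many carved strings contain a known
    # token; return the best one (ties keep the smallest shift).
    best_score, best_shift = -1, None
    for s in candidates:
        runs = carve_strings(decode_shift(blob, s))
        score = sum(any(t in r for t in KNOWN_TOKENS) for r in runs)
        if score > best_score:
            best_score, best_shift = score, s
    return best_shift

def decrypt_strings(blob, shift=None):
    # Decode with a known shift, or with the brute-forced one when shift is None.
    if shift is None:
        shift = guess_shift(blob)
    return shift, carve_strings(decode_shift(blob, shift))

SAMPLE_STRINGS = ['CreateProcessW', 'IsDebuggerPresent', '%appdata%\\microsoft\\NTUSERS.log']
# Constructed blobs: NUL-separated strings encoded with +1 (CSPY style) and +5 (KGH style).
CSPY_BLOB = bytes(1).join(encode_shift(s, 1) for s in SAMPLE_STRINGS) + bytes(1)
KGH_BLOB = bytes(1).join(encode_shift(s, 5) for s in ['GetAsyncKeyState', 'cmd.exe /c tree /f C:']) + bytes(1)

if __name__ == '__main__':
    for blob in (CSPY_BLOB, KGH_BLOB):
        print(decrypt_strings(blob))
```

Against a real sample the blob would be the .data or .rdata section dumped from the unpacked binary; the same carve-and-score loop then doubles as a quick way to confirm that a new variant still uses a fixed shift rather than a per-string key.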
Another clue that points to this assumption is that some parts of the malware code\r\nseem to be buggy or incomplete.\r\nAnti-analysis Techniques\r\nPrior to downloading secondary payloads, CSPY Downloader initiates an extensive series of checks to determine if it is\r\nbeing debugged or running in a virtual environment, by searching for specific virtualization-related loaded modules, the\r\nprocess PEB structure, various file paths, registry keys, and memory:\r\nA list of methods performing anti-analysis checks by the malware\r\nIt is worth mentioning that the document which unpacks CSPY Downloader runs an almost identical series of anti-VM\r\ntechniques prior to dropping the downloader, which highlights the attackers’ efforts to avoid detection and remain under the radar.\r\nAfter the anti-analysis checks are complete, the loader starts preparing the infected environment for the downloading of\r\nadditional payloads. There are three download attempts (and thus three GET requests, each ending in a different numeric ID); the\r\npayloads are downloaded one after another to the user’s %temp% folder.\r\nPayloads download method\r\nAfter downloading the payloads, they are moved and renamed. 
The whole process can be summarized as follows:\r\nDownload URI | Filename | Copied To | Purpose\r\ndwn.php?van=10860 | dwn.dat0 | %temp%\\Appx.exe | Main executable\r\ndwn.php?van=101 | dwn.dat1 | C:\\Users\\Public\\Documents\\AppxUp\\BSup.hf | Possible module\r\ndwn.php?van=102 | dwn.dat2 | C:\\Users\\Public\\Documents\\AppxUp\\BCup.hf | Possible module\r\nTo execute the main downloaded payload, the loader tries to masquerade as a legitimate Windows service, claiming in its\r\nfake description that it is used to support packed applications:\r\nRegistering the freshly downloaded malware as a service\r\nIn order to avoid raising suspicions from the victim, CSPY Downloader uses a known UAC bypass technique that abuses\r\nthe auto-elevated SilentCleanup scheduled task to execute the binary with elevated privileges.\r\nUsing the schtasks utility to trigger the SilentCleanup task (UAC bypass)\r\nAs part of this process, the above value is written to the registry as the per-user %windir% environment variable\r\n(HKCU\\Environment\\windir), which the task expands when it runs, and is deleted after execution. Appx.exe is moved once again,\r\nthis time to %programdata%\\Microsoft\\Windows, and registered as a service.\r\nFinally, CSPY initiates its self-deletion routine.\r\nConclusion\r\nIn this report we uncovered new toolset infrastructure used by the Kimsuky group, a notorious threat group that\r\nhas been operating on behalf of the North Korean regime since at least 2012. A close examination of the new infrastructure\r\ncombined with pattern analysis led Cybereason’s Nocturnus team to the discovery of the “KGH Spyware Suite”, a modular\r\nmalware likely involved in recent espionage operations, and the “CSPY Downloader”; both were previously\r\nundocumented. \r\nIn addition, our report shows certain interesting overlaps between older Kimsuky malware and servers and the newly\r\ndiscovered malware and infrastructure. 
Moreover, the report highlights several behavior-based and code similarities between\r\nthe new malware samples and older known Kimsuky malware and TTPs. \r\nThroughout the report it is noticeable that the threat actors invested effort in remaining under the radar by employing\r\nvarious anti-forensics and anti-analysis techniques, including backdating the creation/compilation time of the malware\r\nsamples to 2016, code obfuscation, anti-VM and anti-debugging techniques. At the time of writing this report, some of the\r\nsamples mentioned in the report are still not detected by any AV vendor. \r\nWhile the identity of the victims of this campaign remains unclear, there are clues that can suggest that the infrastructure\r\ntargeted organizations dealing with human rights violations. At the time of writing this report, there is not enough\r\ninformation available to Cybereason to determine this with high certainty, and in any case, there could be a wide range of\r\nindustries, organizations and individuals that were targeted by Kimsuky using this infrastructure.\r\nMITRE ATT\u0026CK BREAKDOWN\r\nReconnaissance: Gather Victim Host Information; Gather Victim Network Information\r\nInitial Access: Phishing\r\nExecution: Command and Scripting Interpreter; User Execution\r\nPersistence: Registry Run Keys; Logon Script (Windows); Windows Service\r\nDefense Evasion: Masquerading; Bypass User Account Control; Timestomp; Software Packing; Virtualization/Sandbox Evasion\r\nCredential Access: Credentials from Web Browsers; Keylogging; Steal Web Session Cookie\r\nDiscovery: File and Directory Discovery; System Information Discovery; System Network Configuration Discovery\r\nCollection: Keylogging\r\nExfiltration: Exfiltration Over C2 Channel\r\nIndicators of Compromise\r\nURLs:\r\nhttp://csv.posadadesantiago[.]com/home?act=news\u0026id=[Machine_name]\r\nhttp://csv.posadadesantiago[.]com/home?id=[Machine_name]\u0026act=upf\u0026ver=x64\r\nhttp://csv.posadadesantiago[.]com/home?id=[Machine_name]\u0026act=tre\u0026ver=x64\r\nhttp://csv.posadadesantiago[.]com/home?id=[Machine_name]\u0026act=wbi\u0026ver=x64\r\nhttp://csv.posadadesantiago[.]com/home?id=[Machine_name]\u0026act=cmd\u0026ver=x64\r\nhttp://csv.posadadesantiago[.]com/home?id=[Machine_name]\u0026act=pws\u0026ver=x64\r\nhttp://csv.posadadesantiago[.]com/home?id=[Machine_name]\u0026act=sbk\u0026ver=x64\r\nhttp://csv.posadadesantiago[.]com/home/up.php?id=[Machine_name]\r\nhttp://myaccounts.posadadesantiago[.]com/test/Update.php?wShell=201\r\nhttp://wave.posadadesantiago[.]com/home/dwn.php?van=10860\r\nhttp://wave.posadadesantiago[.]com/home/dwn.php?van=101\r\nhttp://wave.posadadesantiago[.]com/home/dwn.php?van=102\r\nDomains\r\ncsv.posadadesantiago[.]com\r\nwave.posadadesantiago[.]com\r\nmyaccounts.posadadesantiago[.]com\r\nwww.eventosatitlan[.]com\r\nIPs\r\n173.205.125.124\r\nMalicious Documents\r\n97d4898c4e70335f0adbbace34593236cb84e849592e5971a797554d3605d323\r\nd88c5695ccd83dce6729b84c8c43e8a804938a7ab7cfeccaa0699d6b1f81c95c\r\n7af3930958f84e0b64f8297d1a556aab359bb65691208dc88ea4fc9698250c43\r\n252d1b7a379f97fddd691880c1cf93eaeb2a5e5572e92a25240b75953c88736c\r\nKGH Spyware Suite\r\nbcf4113ec8e888163f1197a1dd9430a0df46b07bc21aba9c9a1494d2d07a2ba9\r\naf13b16416760782ec81d587736cb4c9b2e7099afc10cb764eeb4c922ee8802f\r\ne4d28fd7e0fc63429fc199c1b683340f725f0bf9834345174ff0b6a3c0b1f60e\r\n66fc8b03bc0ab95928673e0ae7f06f34f17537caf159e178a452c2c56ba6dda7\r\nf989d13f7d0801b32735fee018e816f3a2783a47cff0b13d70ce2f1cbc754fb9\r\nfa282932f1e65235dc6b7dba2b397a155a6abed9f7bd54afbc9b636d2f698b4b\r\n65fe4cd6deed85c3e39b9c1bb7c403d0e69565c85f7cd2b612ade6968db3a85c\r\nCSPY Downloader\r\n7158099406d99db82b7dc9f6418c1189ee472ce3c25a3612a5ec5672ee282dc0\r\ne9ea5d4e96211a28fe97ecb21b7372311a6fa87ce23db4dd118dc204820e011c\r\nSource: https://www.cybereason.com/blog/back-to-the-future-inside-the-kimsuky-kgh-spyware-suite",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"MITRE",
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.cybereason.com/blog/back-to-the-future-inside-the-kimsuky-kgh-spyware-suite"
	],
	"report_names": [
		"back-to-the-future-inside-the-kimsuky-kgh-spyware-suite"
	],
	"threat_actors": [
		{
			"id": "191d7f9a-8c3c-442a-9f13-debe259d4cc2",
			"created_at": "2022-10-25T15:50:23.280374Z",
			"updated_at": "2026-04-10T02:00:05.305572Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"Kimsuky",
				"Black Banshee",
				"Velvet Chollima",
				"Emerald Sleet",
				"THALLIUM",
				"APT43",
				"TA427",
				"Springtail"
			],
			"source_name": "MITRE:Kimsuky",
			"tools": [
				"Troll Stealer",
				"schtasks",
				"Amadey",
				"GoBear",
				"Brave Prince",
				"CSPY Downloader",
				"gh0st RAT",
				"AppleSeed",
				"Gomir",
				"NOKKI",
				"QuasarRAT",
				"Gold Dragon",
				"PsExec",
				"KGH_SPY",
				"Mimikatz",
				"BabyShark",
				"TRANSLATEXT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "760f2827-1718-4eed-8234-4027c1346145",
			"created_at": "2023-01-06T13:46:38.670947Z",
			"updated_at": "2026-04-10T02:00:03.062424Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"G0086",
				"Emerald Sleet",
				"THALLIUM",
				"Springtail",
				"Sparkling Pisces",
				"Thallium",
				"Operation Stolen Pencil",
				"APT43",
				"Velvet Chollima",
				"Black Banshee"
			],
			"source_name": "MISPGALAXY:Kimsuky",
			"tools": [
				"xrat",
				"QUASARRAT",
				"RDP Wrapper",
				"TightVNC",
				"BabyShark",
				"RevClient"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c8bf82a7-6887-4d46-ad70-4498b67d4c1d",
			"created_at": "2025-08-07T02:03:25.101147Z",
			"updated_at": "2026-04-10T02:00:03.846812Z",
			"deleted_at": null,
			"main_name": "NICKEL KIMBALL",
			"aliases": [
				"APT43 ",
				"ARCHIPELAGO ",
				"Black Banshee ",
				"Crooked Pisces ",
				"Emerald Sleet ",
				"ITG16 ",
				"Kimsuky ",
				"Larva-24005 ",
				"Opal Sleet ",
				"Ruby Sleet ",
				"SharpTongue ",
				"Sparking Pisces ",
				"Springtail ",
				"TA406 ",
				"TA427 ",
				"THALLIUM ",
				"UAT-5394 ",
				"Velvet Chollima "
			],
			"source_name": "Secureworks:NICKEL KIMBALL",
			"tools": [
				"BabyShark",
				"FastFire",
				"FastSpy",
				"FireViewer",
				"Konni"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "71a1e16c-3ba6-4193-be62-be53527817bc",
			"created_at": "2022-10-25T16:07:23.753455Z",
			"updated_at": "2026-04-10T02:00:04.73769Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"APT 43",
				"Black Banshee",
				"Emerald Sleet",
				"G0086",
				"G0094",
				"ITG16",
				"KTA082",
				"Kimsuky",
				"Larva-24005",
				"Larva-25004",
				"Operation Baby Coin",
				"Operation Covert Stalker",
				"Operation DEEP#DRIVE",
				"Operation DEEP#GOSU",
				"Operation Kabar Cobra",
				"Operation Mystery Baby",
				"Operation Red Salt",
				"Operation Smoke Screen",
				"Operation Stealth Power",
				"Operation Stolen Pencil",
				"SharpTongue",
				"Sparkling Pisces",
				"Springtail",
				"TA406",
				"TA427",
				"Thallium",
				"UAT-5394",
				"Velvet Chollima"
			],
			"source_name": "ETDA:Kimsuky",
			"tools": [
				"AngryRebel",
				"AppleSeed",
				"BITTERSWEET",
				"BabyShark",
				"BoBoStealer",
				"CSPY Downloader",
				"Farfli",
				"FlowerPower",
				"Gh0st RAT",
				"Ghost RAT",
				"Gold Dragon",
				"GoldDragon",
				"GoldStamp",
				"JamBog",
				"KGH Spyware Suite",
				"KGH_SPY",
				"KPortScan",
				"KimJongRAT",
				"Kimsuky",
				"LATEOP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Lovexxx",
				"MailPassView",
				"Mechanical",
				"Mimikatz",
				"MoonPeak",
				"Moudour",
				"MyDogs",
				"Mydoor",
				"Network Password Recovery",
				"PCRat",
				"ProcDump",
				"PsExec",
				"ReconShark",
				"Remote Desktop PassView",
				"SHARPEXT",
				"SWEETDROP",
				"SmallTiger",
				"SniffPass",
				"TODDLERSHARK",
				"TRANSLATEXT",
				"Troll Stealer",
				"TrollAgent",
				"VENOMBITE",
				"WebBrowserPassView",
				"xRAT"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434737,
	"ts_updated_at": 1775792260,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/cd314c1718815e83244d59a0754cf30dd0edf70f.pdf",
		"text": "https://archive.orkl.eu/cd314c1718815e83244d59a0754cf30dd0edf70f.txt",
		"img": "https://archive.orkl.eu/cd314c1718815e83244d59a0754cf30dd0edf70f.jpg"
	}
}