{
	"id": "665834b8-8173-4759-b8cd-5a954fb73dd4",
	"created_at": "2026-04-06T00:13:27.478617Z",
	"updated_at": "2026-04-10T13:13:07.512784Z",
	"deleted_at": null,
	"sha1_hash": "cef46a746c6ba178df7a2bbf0a4d0140b3e78070",
	"title": "Malware Disguised as Installer from Korean Public Institution (Kimsuky Group) - ASEC",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1597400,
	"plain_text": "Malware Disguised as Installer from Korean Public Institution (Kimsuky Group) - ASEC\r\nBy ATCP\r\nPublished: 2024-03-18 · Archived: 2026-04-05 17:49:51 UTC\r\nAhnLab SEcurity intelligence Center (ASEC) recently discovered the Kimsuky group distributing malware disguised as an installer from a Korean public institution. The malware in question is a dropper that creates the Endoor backdoor, which was also used in the attack covered in the previous post, “TrollAgent That Infects Systems Upon Security Program Installation Process (Kimsuky Group)”. [1]\r\nWhile there are no records of the dropper being used in actual attacks, there was an attack case that involved the backdoor created by the dropper at around the same period as when the dropper was collected. The threat actor used the backdoor to download additional malware or to install screenshot-taking malware. Endoor is constantly employed in other attacks as well; in the past, it has been used alongside Nikidoor, which is distributed via spear phishing attacks.\r\n1. Dropper Disguised as Installer from Korean Public Institution\r\nThe dropper was disguised as an installer for a certain public institution in South Korea. It used the logo of the institution for its icon, and relevant keywords could be found in the version information and setup page. In addition, there is no legitimate program with a version identical to this. This suggests that the malware was simply made to look like any other legitimate program, with no intention of disguising itself as an existing program.\r\nhttps://asec.ahnlab.com/en/63396/\r\nPage 1 of 6\r\nEven in the installation process, the malware is the only program that gets installed, in what appears to be a normal installation.\r\nThe dropper fabricated its version information and is also signed with a valid certificate from a Korean company. When the dropper is executed, it creates a compressed file named “src.rar” and the WinRAR tool under the name “unrar.exe”, both of which were embedded inside the dropper. Afterward, it uses WinRAR to decompress the file with the password “1q2w3e4r” to create and execute the backdoor.\r\n2. Endoor Backdoor\r\nThe dropper executes the backdoor with the argument “install”. Given this argument, the backdoor copies itself to the “%USERPROFILE%\\svchost.exe” path and registers itself in the Task Scheduler under the name “Windows Backup”. The Task Scheduler executes the backdoor with the “backup” argument, after which the backdoor connects to the C\u0026C server and waits to receive commands.\r\nThe backdoor is developed in Golang and is obfuscated, but it is the same type as the one found in the previous case. It was signed with the same certificate as TrollAgent, covered in the post “TrollAgent That Infects Systems Upon Security Program Installation Process (Kimsuky Group)”. In this post, it is classified as Endoor because it contains the following keyword.\r\nEndoor is a backdoor that sends basic information about the infected system and provides features such as command execution, file upload and download, process-related tasks, and a Socks5 proxy. QiAnXin China’s Threat Intelligence Center released a detailed analysis of this malware in the past, although it was not separately classified. [2]\r\n3. Attack Case #1\r\nThe AhnLab Smart Defense (ASD) infrastructure showed a record of Endoor having been used in an attack, but it is not certain whether the backdoor was installed using the dropper covered above or through a different route.\r\nThe following logs are presumed to show the Kimsuky group updating Endoor to another binary. It was downloaded from an external source using Curl, under the name “rdpclip.dat”. While the file was not identified, because the “install” argument was given upon execution and because of the file size, it is believed to be a different version of Endoor.\r\nAside from these, the threat actor installed Mimikatz in the “%ALLUSERSPROFILE%\\cache.exe” path before using it, and the argument “sekurlsa::logonpasswords” was identified in the execution logs shown below.\r\nAmong the installed malware, there is one that captures and exfiltrates screenshots from the infected systems. This malware was created using Kbinani’s screenshot library [3], and the threat actor implemented the feature of taking screenshots and even leaking them. The exfiltration address is a local host (“hxxp://127.0.0.1:8080/recv”). This may signify that the threat actor had already installed a proxy in the infected system and is using it to exfiltrate data to an external source.\r\n4. Attack Case #2 (Nikidoor)\r\nThe recently distributed Endoor uses “ngrok-free[.]app”, Ngrok’s free domain address, for its C\u0026C server. After the case above was identified in February 2024, the version of Endoor that was additionally discovered in March 2024 also used the same arguments, “install” and “backup”, and “ngrok-free[.]app” as the C\u0026C server.\r\nAdditionally, the address above was also used to distribute Nikidoor, which shares the same C\u0026C server address. Nikidoor is a backdoor used by the Kimsuky group and was mentioned in the post “Kimsuky Targets South Korean Research Institutes with Fake Import Declaration” [4]. This backdoor can steal information about the infected system and perform malicious actions through the commands it receives, like other malware such as AppleSeed and Endoor. It is notable for its repeated use of “Niki” in the PDB path.\r\nPDB path: C:\\Users\\niki\\Downloads\\Troy\\Dll.._Bin\\Dll.pdb\r\n5. Conclusion\r\nRecently, we have been continuously observing the Kimsuky group distributing malware signed with a valid certificate from a Korean company. The threat actor installs a backdoor at the last stage of the attack and can use it to steal information about the users of the infected systems.\r\nGiven this information, users must update V3 to the latest version to prevent malware infection.\r\nFile Detection\r\n– Dropper/Win.Endoor.C5593202 (2024.02.25.01)\r\n– Backdoor/Win.Endoor.C5593201 (2024.02.25.01)\r\n– Backdoor/Win.KimGoBack.C5385331 (2024.02.20.03)\r\n– Backdoor/Win.Endoor.C5598434 (2024.03.09.00)\r\n– Backdoor/Win.Nikidoor.C5598774 (2024.03.10.00)\r\nBehavior Detection\r\n– Execution/MDP.Event.M18\r\nMD5\r\n7034268d1c52539ea0cd48fd33ae43c4\r\n7beaf468765b2f1f346d43115c894d4b\r\nb74efd8470206a20175d723c14c2e872\r\nb8ffb0b5bc3c66b7f1b0ec5cc4aadafc\r\nf03618281092b02589bca833f674e8a0\r\nURL\r\nhttp[:]//210[.]16[.]120[.]210/rdpclip[.]dat\r\nhttp[:]//minish[.]wiki[.]gd/c[.]pdf\r\nhttp[:]//minish[.]wiki[.]gd/eng[.]db\r\nhttp[:]//minish[.]wiki[.]gd/index[.]php\r\nhttp[:]//minish[.]wiki[.]gd/upload[.]php\r\nAdditional IOCs are available on AhnLab TIP.\r\nGain access to related IOCs and detailed analysis by subscribing to AhnLab TIP. For subscription details, click the banner below.\r\nSource: https://asec.ahnlab.com/en/63396/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://asec.ahnlab.com/en/63396/"
	],
	"report_names": [
		"63396"
	],
	"threat_actors": [
		{
			"id": "191d7f9a-8c3c-442a-9f13-debe259d4cc2",
			"created_at": "2022-10-25T15:50:23.280374Z",
			"updated_at": "2026-04-10T02:00:05.305572Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"Kimsuky",
				"Black Banshee",
				"Velvet Chollima",
				"Emerald Sleet",
				"THALLIUM",
				"APT43",
				"TA427",
				"Springtail"
			],
			"source_name": "MITRE:Kimsuky",
			"tools": [
				"Troll Stealer",
				"schtasks",
				"Amadey",
				"GoBear",
				"Brave Prince",
				"CSPY Downloader",
				"gh0st RAT",
				"AppleSeed",
				"Gomir",
				"NOKKI",
				"QuasarRAT",
				"Gold Dragon",
				"PsExec",
				"KGH_SPY",
				"Mimikatz",
				"BabyShark",
				"TRANSLATEXT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "760f2827-1718-4eed-8234-4027c1346145",
			"created_at": "2023-01-06T13:46:38.670947Z",
			"updated_at": "2026-04-10T02:00:03.062424Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"G0086",
				"Emerald Sleet",
				"THALLIUM",
				"Springtail",
				"Sparkling Pisces",
				"Thallium",
				"Operation Stolen Pencil",
				"APT43",
				"Velvet Chollima",
				"Black Banshee"
			],
			"source_name": "MISPGALAXY:Kimsuky",
			"tools": [
				"xrat",
				"QUASARRAT",
				"RDP Wrapper",
				"TightVNC",
				"BabyShark",
				"RevClient"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c8bf82a7-6887-4d46-ad70-4498b67d4c1d",
			"created_at": "2025-08-07T02:03:25.101147Z",
			"updated_at": "2026-04-10T02:00:03.846812Z",
			"deleted_at": null,
			"main_name": "NICKEL KIMBALL",
			"aliases": [
				"APT43 ",
				"ARCHIPELAGO ",
				"Black Banshee ",
				"Crooked Pisces ",
				"Emerald Sleet ",
				"ITG16 ",
				"Kimsuky ",
				"Larva-24005 ",
				"Opal Sleet ",
				"Ruby Sleet ",
				"SharpTongue ",
				"Sparking Pisces ",
				"Springtail ",
				"TA406 ",
				"TA427 ",
				"THALLIUM ",
				"UAT-5394 ",
				"Velvet Chollima "
			],
			"source_name": "Secureworks:NICKEL KIMBALL",
			"tools": [
				"BabyShark",
				"FastFire",
				"FastSpy",
				"FireViewer",
				"Konni"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "71a1e16c-3ba6-4193-be62-be53527817bc",
			"created_at": "2022-10-25T16:07:23.753455Z",
			"updated_at": "2026-04-10T02:00:04.73769Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"APT 43",
				"Black Banshee",
				"Emerald Sleet",
				"G0086",
				"G0094",
				"ITG16",
				"KTA082",
				"Kimsuky",
				"Larva-24005",
				"Larva-25004",
				"Operation Baby Coin",
				"Operation Covert Stalker",
				"Operation DEEP#DRIVE",
				"Operation DEEP#GOSU",
				"Operation Kabar Cobra",
				"Operation Mystery Baby",
				"Operation Red Salt",
				"Operation Smoke Screen",
				"Operation Stealth Power",
				"Operation Stolen Pencil",
				"SharpTongue",
				"Sparkling Pisces",
				"Springtail",
				"TA406",
				"TA427",
				"Thallium",
				"UAT-5394",
				"Velvet Chollima"
			],
			"source_name": "ETDA:Kimsuky",
			"tools": [
				"AngryRebel",
				"AppleSeed",
				"BITTERSWEET",
				"BabyShark",
				"BoBoStealer",
				"CSPY Downloader",
				"Farfli",
				"FlowerPower",
				"Gh0st RAT",
				"Ghost RAT",
				"Gold Dragon",
				"GoldDragon",
				"GoldStamp",
				"JamBog",
				"KGH Spyware Suite",
				"KGH_SPY",
				"KPortScan",
				"KimJongRAT",
				"Kimsuky",
				"LATEOP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Lovexxx",
				"MailPassView",
				"Mechanical",
				"Mimikatz",
				"MoonPeak",
				"Moudour",
				"MyDogs",
				"Mydoor",
				"Network Password Recovery",
				"PCRat",
				"ProcDump",
				"PsExec",
				"ReconShark",
				"Remote Desktop PassView",
				"SHARPEXT",
				"SWEETDROP",
				"SmallTiger",
				"SniffPass",
				"TODDLERSHARK",
				"TRANSLATEXT",
				"Troll Stealer",
				"TrollAgent",
				"VENOMBITE",
				"WebBrowserPassView",
				"xRAT"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434407,
	"ts_updated_at": 1775826787,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/cef46a746c6ba178df7a2bbf0a4d0140b3e78070.pdf",
		"text": "https://archive.orkl.eu/cef46a746c6ba178df7a2bbf0a4d0140b3e78070.txt",
		"img": "https://archive.orkl.eu/cef46a746c6ba178df7a2bbf0a4d0140b3e78070.jpg"
	}
}