{
	"id": "fc344361-caef-4a73-9a0a-9dc4edd8def0",
	"created_at": "2026-04-06T00:19:09.126936Z",
	"updated_at": "2026-04-10T13:12:52.337022Z",
	"deleted_at": null,
	"sha1_hash": "d0ab1a3bc6366979519254173709d347ff3e43a3",
	"title": "STOLEN PENCIL Campaign Targets Academia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 80240,
	"plain_text": "STOLEN PENCIL Campaign Targets Academia\r\nBy ASERT team\r\nPublished: 2018-12-05 · Archived: 2026-04-05 23:34:05 UTC\r\nExecutive Summary\r\nASERT has learned of an APT campaign, possibly originating from DPRK, which we are calling STOLEN PENCIL, that\r\nhas been targeting academic institutions since at least May 2018. The ultimate motivation behind the attacks is unclear,\r\nbut the threat actors are adept at scavenging for credentials. Targets are sent spear phishing e-mails that lead them\r\nto a web site displaying a lure document, where they are immediately prompted to install a malicious Google Chrome\r\nextension. Once they have gained a foothold, the threat actors use off-the-shelf tools to ensure persistence, including\r\nRemote Desktop Protocol (RDP) to maintain access.\r\nNOTE: NetScout AED/APS enterprise security products detect and block activity related to STOLEN PENCIL\r\nusing our ATLAS Intelligence Feed (AIF).\r\nKey Findings\r\nA wide variety of phishing domains imply other targets, but those focused on academia were intended to\r\ninstall a malicious Chrome extension.\r\nA large number of the victims, across multiple universities, had expertise in biomedical engineering,\r\npossibly suggesting a motivation for the attackers' targeting.\r\nhttps://asert.arbornetworks.com/stolen-pencil-campaign-targets-academia/\r\nPage 1 of 6\n\nPoor OPSEC led to users finding open web browsers in Korean, English-to-Korean translators open, and\r\nkeyboards switched to Korean.\r\nThe threat actors use built-in Windows administration tools and commercial off-the-shelf software to “live\r\noff the land”. 
The threat actor at the keyboard uses RDP to access compromised systems rather than a\r\nbackdoor or Remote Access Trojan (RAT).\r\nPost-exploitation persistence is maintained by harvesting passwords from a wide variety of sources such\r\nas process memory, web browsers, network sniffing, and keyloggers.\r\nThere is no evidence of data theft, leaving the motivation behind STOLEN PENCIL largely uncertain.\r\nSpear Phishing\r\nFigure 1: Threat Chain\r\nIn keeping with tried and true tactics, the operators behind the STOLEN PENCIL campaign used\r\nspear-phishing as their initial intrusion vector (Figure 1, left). First reported by Twitter user\r\n@MD0ugh, a target of STOLEN PENCIL receives a spear-phishing message containing a link to\r\none of several domains controlled by the threat actor. We’ve identified several domains used for\r\nphishing (below).\r\nclient-message[.]com\r\nworld-paper[.]net\r\ndocsdriver[.]com\r\ngrsvps[.]com\r\ncoreytrevathan[.]com\r\ngworldtech[.]com\r\nIn addition to the Top-Level Domains (TLDs), we’ve uncovered a number of sub-domains used by\r\nthe actors (below):\r\naswewd.docsdriver[.]com\r\nfacebook.docsdriver[.]com\r\nfalken.docsdriver[.]com\r\nfinder.docsdriver[.]com\r\ngovernment.docsdriver[.]com\r\nkeishancowan.docsdriver[.]com\r\nkorean-summit.docsdriver[.]com\r\nmofa.docsdriver[.]com\r\nnorthkorea.docsdriver[.]com\r\no365.docsdriver[.]com\r\nobservatoireplurilinguisnorthkorea.docsdriver[.]com\r\noodwd.docsdriver[.]com\r\ntwitter.docsdriver[.]com\r\nwhois.docsdriver[.]com\r\nwww.docsdriver[.]com\r\nMany of the subdomains contain basic phishing pages, consisting of saved HTML of common web login\r\nproperties. Some of the pages contain the “MarkOfTheWeb” artifact inserted by the web browser when the threat\r\nactor clicked “Save As” on the page they intend to impersonate. 
RiskIQ discussed this technique, although we do\r\nnot believe the campaigns are related. The more sophisticated phishing pages targeting academia display a benign\r\nPDF in an IFRAME. The page then redirects the user to install a “Font Manager” extension from the Chrome Web Store,\r\nas seen in Figure 2.\r\nFigure 2: HTML Source of Phishing Page\r\nThe malicious extensions, now removed from the Chrome Web Store,\r\ncontain reviews left by the threat actor using compromised Google+ accounts. The text of the reviews was\r\ncopied and pasted from other extensions, and all were rated “five stars”, even if the copied text was negative. It’s likely\r\nthe compromised accounts used to leave reviews were from individuals the threat actors assumed the target would\r\nknow and trust. It should be noted, however, that some users reported deleting the extension immediately because\r\nit prevented the Chrome browser from functioning properly. This could suggest mistakes or poorly written code\r\nthat utilized too many resources to remain functional and stealthy, at least for some users. The malicious Chrome\r\nextensions declare permissions to run on every URL in the browser, as seen in Figure 3.\r\nFigure 3: manifest.json with \u003call_urls\u003e\r\nThe extensions load JavaScript from a separate site, shown in Figure 4.\r\nThe name of the loaded JavaScript file is jQuery.js. When retrieving this file at the time of our analysis, the\r\ncontent was a legitimate jQuery file. We speculate that the attacker replaced the malicious JavaScript with a\r\nbenign payload to deter analysis. 
Loading jQuery.js from an external site makes no sense, since the latest version\r\nof the extension has a legitimate jQuery.js included in the extension bundle.\r\nFigure 4: manage.js snippet, beautified\r\nGiven the threat actor’s propensity for password theft, and the fact that the malicious Chrome\r\nextensions were situated to read data from every website, it's likely that the intent is to steal browser cookies and\r\npasswords. Email forwarding was also observed on some compromised accounts. While GDPR requirements\r\nprevented us from pivoting on Registrant information, the actors reused IP space, reused a certificate, and the\r\naforementioned domain mimicking technique allowed for some pivoting. A variety of infrastructure was\r\ndiscovered. Those IOCs are included below.\r\nToolset\r\nOnce they have gained a foothold on a user’s system, the threat actors behind STOLEN PENCIL use Microsoft’s Remote\r\nDesktop Protocol (RDP) for remote point-and-click access. This means a human is behind the keyboard\r\ninteracting with a compromised system, rather than a RAT (Remote Access Trojan) with a command-and-control site acting as a proxy between the threat actor and the compromised system. RDP access occurred daily\r\nfrom 06:00-09:00 UTC (01:00-04:00 EST). In one case, we noted that the threat actor changed the victim’s\r\nkeyboard layout to Korean. A compromised or stolen certificate was used to sign several PE files used in\r\nSTOLEN PENCIL for two sets of tools:\r\nMECHANICAL\r\nLogs keystrokes to %userprofile%\\appdata\\roaming\\apach.{txt,log} and also functions as a\r\n“cryptojacker” that replaces Ethereum wallet addresses with\r\n0x33883E87807d6e71fDc24968cefc9b0d10aC214E. 
This Ethereum wallet address currently has a\r\nzero balance and no transactions.\r\nGREASE\r\nA tool to add a Windows administrator account with a specific username/password and enable RDP,\r\ncircumventing any firewall rules. We’ve observed the following list of username/password\r\ncombinations, though the significance of “1215” is unknown:\r\nLocalAdmin/Security1215!\r\ndieadmin1/waldo1215!\r\ndnsadmin/waldo1215!\r\nDefaultAccounts/Security1215!\r\ndefaultes/1qaz2wsx#EDC\r\nThe certificate chain used in the majority of both MECHANICAL and GREASE samples is shown in Figure 5.\r\nFigure 5: Certificate used to sign MECHANICAL/GREASE\r\nWhile the threat actors did use a few tools to automate\r\nintrusions, we also found a ZIP archive of tools that demonstrates their reliance on password theft as a means to propagate.\r\nInside the archive we found the following tools:\r\nKPortScan – a GUI-based portscanner\r\nPsExec – a tool to remotely execute commands on Windows systems\r\nBatch files for enabling RDP and bypassing firewall rules\r\nProcdump – a tool to dump process memory, along with a batch file to dump the lsass process for password\r\nextraction\r\nMimikatz – a tool to dump passwords and hashes\r\nThe Eternal suite of exploits, along with batch files for rapid scanning and exploitation\r\nNirsoft Mail PassView – a tool to dump saved mail passwords\r\nNirsoft Network Password Recovery – a tool to dump saved Windows passwords\r\nNirsoft Remote Desktop PassView – a tool to dump saved RDP passwords\r\nNirsoft SniffPass – a tool to sniff the network for passwords sent over insecure protocols\r\nNirsoft WebBrowserPassView – a tool to dump passwords stored in a variety of browsers\r\nClearly this toolset can be used to scavenge passwords stored in a wide array of locations. 
Using a combination of\r\nstolen passwords, backdoor accounts, and a forced-open RDP service, the threat actors are likely to retain a\r\nfoothold on a compromised system.\r\nRecommendations\r\nAdvise users not to click on any suspicious links in an e-mail, both at work and at home, even if they are\r\nfrom people they trust.\r\nAdvise users to be wary of any prompts to install browser extensions, even if they are hosted on an official\r\nextension site.\r\nWatch for e-mails containing links to the phishing domains.\r\nLimit RDP access with a firewall to only those systems that require it. Monitor for suspicious RDP\r\nconnections where there should be none.\r\nLook for suspicious, newly created administrative accounts.\r\nConclusion\r\nWhile we were able to gain insight into the threat actor’s TTPs (Tools, Techniques, \u0026 Procedures) behind\r\nSTOLEN PENCIL, this is clearly just a small window into their activity. Their techniques are relatively basic, and\r\nmuch of their toolset consists of off-the-shelf programs and living off the land. This, along with the presence of\r\nthe cryptojacker, is typical of DPRK tradecraft. Additionally, the operators’ poor OPSEC exposes their Korean\r\nlanguage, in both viewed websites and keyboard selections. They spent significant time and resources doing\r\nreconnaissance on their targets, as evidenced by the comments left on the Chrome extension page. Their main goal\r\nappears to be gaining access to compromised accounts and systems via stolen credentials and holding on to that access. 
We\r\nwere not able to find any evidence of data theft – their motives for targeting academia remain murky.\r\nIOCs\r\nMECHANICAL hashes:\r\n9d1e11bb4ec34e82e09b4401cd37cf71\r\n8b8a2b271ded23c40918f0a2c410571d\r\nGREASE hashes:\r\n2ec54216e79120ba9d6ed2640948ce43\r\n6a127b94417e224a237c25d0155e95d6\r\nfd14c377bf19ed5603b761754c388d72\r\n1d6ce0778cabecea9ac6b985435b268b\r\nab4a0b24f706e736af6052da540351d8\r\nf082f689394ac71764bca90558b52c4e\r\necda8838823680a0dfc9295bdc2e31fa\r\n1cdb3f1da5c45ac94257dbf306b53157\r\n2d8c16c1b00e565f3b99ff808287983e\r\n5b32288e93c344ad5509e76967ce2b18\r\n4e0696d83fa1b0804f95b94fc7c5ec0b\r\naf84eb2462e0b47d9595c21cf0e623a5\r\n75dd30fd0c5cf23d4275576b43bbab2c\r\n98de4176903c07b13dfa4849ec88686a\r\n09fabdc9aca558bb4ecf2219bb440d98\r\n1bd173ee743b49cee0d5f89991fc7b91\r\ne5e8f74011167da1bf3247dae16ee605\r\n0569606a0a57457872b54895cf642143\r\n52dbd041692e57790a4f976377adeade\r\nDOMAINS:\r\nbizsonet.ayar[.]biz\r\nbizsonet[.]com\r\nclient-message[.]com\r\nclient-screenfonts[.]com\r\n*.coreytrevathan[.]com (possibly compromised legitimate site)\r\ndocsdriver[.]com\r\ngrsvps[.]com\r\n*.gworldtech[.]com (possibly compromised legitimate site)\r\nitservicedesk[.]org\r\npqexport[.]com\r\nscaurri[.]com\r\nsecozco[.]com\r\nsharedriver[.]pw\r\nsharedriver[.]us\r\ntempdomain8899[.]com\r\nworld-paper[.]net\r\nzwfaxi[.]com\r\nIPs:\r\n104.148.109[.]48\r\n107.175.130[.]191\r\n132.148.240[.]198\r\n134.73.90[.]114\r\n172.81.132[.]211\r\n173.248.170[.]149\r\n5.196.169[.]223\r\n74.208.247[.]127\r\n92.222.212[.]0\r\nSource: https://asert.arbornetworks.com/stolen-pencil-campaign-targets-academia/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://asert.arbornetworks.com/stolen-pencil-campaign-targets-academia/"
	],
	"report_names": [
		"stolen-pencil-campaign-targets-academia"
	],
	"threat_actors": [
		{
			"id": "a02bb810-5dd2-46c1-a609-b44d984d96d0",
			"created_at": "2022-10-25T15:50:23.505735Z",
			"updated_at": "2026-04-10T02:00:05.398328Z",
			"deleted_at": null,
			"main_name": "Stolen Pencil",
			"aliases": [
				"Stolen Pencil"
			],
			"source_name": "MITRE:Stolen Pencil",
			"tools": [
				"Mimikatz",
				"PsExec"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434749,
	"ts_updated_at": 1775826772,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d0ab1a3bc6366979519254173709d347ff3e43a3.pdf",
		"text": "https://archive.orkl.eu/d0ab1a3bc6366979519254173709d347ff3e43a3.txt",
		"img": "https://archive.orkl.eu/d0ab1a3bc6366979519254173709d347ff3e43a3.jpg"
	}
}