{
	"id": "b1faca20-5df9-4f04-aacf-acf962c999b9",
	"created_at": "2026-04-06T00:18:58.750665Z",
	"updated_at": "2026-04-10T13:12:58.763937Z",
	"deleted_at": null,
	"sha1_hash": "d36c0090c55ce07243f99f35e316863a217255a9",
	"title": "North Korean attackers use malicious blogs to deliver malware to high-profile South Korean targets",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2751828,
	"plain_text": "North Korean attackers use malicious blogs to deliver malware to high-profile South Korean targets\r\nBy Asheer Malhotra\r\nPublished: 2021-11-10 · Archived: 2026-04-05 12:46:14 UTC\r\nCisco Talos has observed a new malware campaign operated by the Kimsuky APT group since June 2021.\r\nKimsuky, also known as Thallium and Black Banshee, is a North Korean state-sponsored advanced persistent threat\r\n(APT) group active since 2012.\r\nThis campaign utilizes malicious blogs hosted on Blogspot to deliver three types of preliminary malicious content:\r\nbeacons, file exfiltrators and implant deployment scripts.\r\nThe implant deployment scripts, in turn, can infect the endpoint with additional implants such as system information-stealers, keyloggers and credential stealers.\r\nThese implants are derivatives of the Gold Dragon/Brave Prince family of malware operated by Kimsuky since at\r\nleast 2017 — now forked into three separate modules.\r\nThis campaign targets South Korea-based think tanks whose research focuses on political, diplomatic and military\r\ntopics pertaining to North Korea, China, Russia and the U.S.\r\nWhat’s new?\r\nCisco Talos recently discovered a campaign operated by the North Korean Kimsuky APT group delivering malware to high-value South Korean targets — namely geopolitical and aerospace research agencies. This campaign has been active since at\r\nleast June 2021 deploying a constantly evolving set of implants derived from the Gold Dragon/Brave Prince family of\r\nimplants.\r\nThe attackers used Blogspot in this campaign to host their malicious artifacts. Talos coordinated with Google to alert them\r\nof these blog posts. Google removed these posts and related IOCs prior to publication of this blog post. 
We also shared this\r\ninformation with appropriate national security partners as well as our industry partners, including the Cyber Threat Alliance\r\n(CTA).\r\nHow did it work?\r\nTalos has found a new set of malicious blogs operated by Kimsuky delivering three previously unknown preliminary\r\ncomponents: an initial beacon script, a file exfiltrator and an implant instrumentor. One of these components, the implant\r\ninstrumentor, delivered an additional three types of malware:\r\nAn information gathering module.\r\nA keylogger module.\r\nA file injector module that injects a specified payload into a benign process.\r\nThe injected payload is a trojanized version of the Nirsoft WebBrowserPassView tool meant to extract login credentials for\r\nvarious websites.\r\nOur research builds on earlier findings from security firm AhnLAB. As noted in their June 2021 report, this campaign begins\r\nwith malicious Microsoft Office documents (maldocs) containing macros being delivered to victims. The infection chain\r\nresults in the malware reaching out to malicious blogs set up by the attackers. These blogs provide the attackers the ability to\r\nupdate the malicious content posted in the blog depending on whether a victim is of value to the attackers.\r\nSo what?\r\nKimsuky employs a wide variety of malware such as Gold Dragon, Babyshark, Appleseed, etc. Kimsuky primarily targets\r\nentities in South Korea ranging from defense to education and think tanks.\r\nThis campaign is a typical example of an advanced adversary utilizing a public web content publishing service to serve\r\nmalicious implants to their targets. 
The use of Blogspot might be intended to thwart attribution or periodically update the\r\ncontent to serve new implants to victims of interest.\r\nhttps://blog.talosintelligence.com/2021/11/kimsuky-abuses-blogs-delivers-malware.html\r\nPage 1 of 21\n\nThe implants deployed by Kimsuky in this campaign consist of file exfiltrators, information gatherers and credential stealers\r\n— all geared toward reconnaissance, espionage and credential harvesting. The module meant for exfiltrating files from the\r\nendpoint uses a distinct filepath list specified by the threat actors.\r\nOrganizations must remain vigilant against motivated adversaries that conduct targeted attacks.\r\nAttribution and targeting\r\nAttribution to Kimsuky\r\nWe assess with high confidence that this campaign is operated by Kimsuky, based on the code similarities, TTPs and\r\ninfrastructure overlap with previous Kimsuky implants and campaigns.\r\nThe implants used in this campaign share code with the Gold Dragon and Brave Prince family of implants. For example,\r\nfrom early 2021 through August, the attackers utilized mailbox-based exfiltration components that are derived from the\r\nBrave Prince malware family that’s been attributed to Kimsuky in the past.\r\nOther maldocs used in parallel to Kimsuky campaigns contain similar macros to the ones abusing malicious Blogspot posts.\r\nOne specific malicious VBA function commonly seen between both sets of maldocs would collect preliminary information\r\nand construct a query-based URL to convey the sysinfo to the attackers.\r\nLeft: Known Kimsuky maldocs vs. 
Right: Maldocs abusing Blogspot.\r\nIdentical functions have been seen in Kimsuky maldocs throughout this year.\r\nOne such maldoc, apart from sharing macro code, also had metadata identical to that of the maldocs abusing\r\nBlogspot, with identical creation times and unique author names.\r\nThe malicious URL used by this maldoc hxxp://eucie09111[.]myartsonline[.]com/0502/v.php is a known Kimsuky IOC in\r\nuse since late 2020.\r\nMacros seen in similar maldocs (left) using the same infrastructure as previous Kimsuky maldocs from 2020 (right).\r\nTargeting\r\nKimsuky is a highly motivated APT that has traditionally targeted entities in South Korea. The APT group has used a variety\r\nof malware such as Gold Dragon, Babyshark and Appleseed to target entities ranging from defense to education and think\r\ntanks. The current campaign aims to further these goals by targeting high-value targets belonging to geopolitical research\r\ninstitutions and think tanks. We’ve also observed targeting of aerospace research agencies by Kimsuky in this campaign\r\nusing modular reconnaissance and exfiltration implants.\r\nUsually, file exfiltrator components used in crimeware and APT operations perform a wide sweep of the infected endpoint to\r\ngain insight into the kind of data and research artifacts the system holds. Some file enumerators will exfiltrate all files with\r\nspecific extensions. In other cases, the attackers will obtain a comprehensive file listing of specific directories and then\r\nexfiltrate hand-picked data from the victims.\r\nIn this campaign, the attackers used a file exfiltrator component with an interesting implementation. 
Instead of performing a\r\nwide sweep of the system (seen very rarely in this campaign), the attackers focussed on finding and exfiltrating specific files\r\nof interest to the attackers — specified by the attackers via filelists hosted on a remote server. What’s interesting here,\r\nhowever, is that the attackers knew exactly which files they were looking for. This indicates that the attackers have a deep\r\nunderstanding of their targets’ endpoints, likely obtained from previous compromises.\r\nThe identified entities targeted in this campaign include research institutions and universities conducting research on\r\npolitical, military, and diplomatic topics pertaining to North Korea, China, the U.S., and Russia. The research topics of\r\ninterest to the attackers in this campaign appear to be:\r\nNorth Korea.\r\nNorth Korean denuclearization.\r\nUS-China relations.\r\nIncreased China-Russia collaboration.\r\nAn example of one of the files the attackers were looking for is:\r\n\u003cdirectory_path\u003e\\탈북자 면담.hwp which roughly translates to “North Korean defector interview.hwp”\r\n\u003cdirectory_path\u003e\\[redacted]_비핵화.hwp is also a document related to North Korean denuclearization.\r\nThere is an unusually high degree of focus on finding documents associated with North Korea in this campaign. Topics such\r\nas Korean unification, North Korean defectors, the recent increasing collaboration between China and Russia, and\r\ndenuclearization align with the continued efforts by the DPRK to maintain a political advantage in East Asia.\r\nOur research also showed that the attackers had a special interest in research into aerospace and aeronautical technologies\r\nconducted by South Korean entities. These entities mostly consist of labs and research institutes associated with the South\r\nKorean government and aerospace industry. 
In this campaign, the attackers appear to be looking for restricted research\r\npapers, theses and project design documents to exfiltrate. Specific topics of interest to the attackers in this domain include:\r\nRocket design.\r\nMaterial science.\r\nAviation fuel research.\r\nFluid mechanics.\r\nThis focus on aerospace and aeronautical research by Kimsuky aligns with the DPRK’s continued efforts towards increasing\r\ntheir traditional and nuclear arsenal. Although active since 1984, the rapid increase in missile testing by North Korea since\r\n2019 has been accompanied by an acceleration in their espionage efforts to gather classified research on such technologies.\r\nTargeting information for this campaign.\r\nMaldocs\r\nThe maldocs used in this campaign typically contain a malicious VBA macro that downloads and activates the next stage of\r\nthe infection chain. Although the VBA macro contains an auto open subroutine, it uses several VBA functions registered to\r\ntrigger if the “Typing replaces selection” property is enabled in Microsoft Word. The VBA functions trigger when the victim\r\ntypes any content into the maldoc. Therefore, to trick victims into typing content in the maldoc, the attackers disguise the\r\nmaldocs as forms.\r\nMalicious macro functions triggered when the target enters text in the maldoc form.\r\nThe pivotal function of the malicious VBA code simply base64 decodes and drops a malicious VBScript to a file specified in\r\nthe macro.\r\nE.g. 
%Appdata%\\desktop.ini\r\nThe next-stage VBS is run with wscript.exe using a command such as:\r\n%windir%\\System32\\wscript.exe //e:vbscript //b \u003cpath_to_Stage_2\u003e\r\nMacros dropping VBS to disk and running via wscript.exe.\r\nStage 2 VBS\r\nThe Stage 2 VBS is meant to replace itself with another base64-decoded VBScript (Stage 3). The Stage 2 VBS is also\r\nresponsible for setting up persistence for Stage 3 by creating a shortcut for it in the current user’s Startup directory, which\r\nwill be important to remember later.\r\nStage 2 setting up Stage 3 VBS on the endpoint.\r\nStage 3 VBS\r\nThe Stage 3 VBS is the one responsible for downloading malicious content from a Blogspot blog set up by the attackers. This\r\nblog contains a base64-encoded VBScript that is decoded and executed by Stage 3.\r\nThe blog is parsed for specific tags to identify its body and this content is then decoded and run on the endpoint:\r\nStage 3 downloading and parsing the blogpost’s body for the next VBScript to be run on the endpoint.\r\nMalicious Blogspot content — Post-compromise activities\r\nTalos has discovered three different types of content hosted on multiple malicious blog posts since June 2021:\r\nInitial beacon scripts.\r\nFile exfiltration modules.\r\nImplant instrumentor modules.\r\nI’m alive! — Initial Beacon\r\nTypically, the post body contains VBS code to send a beacon to an attacker-controlled remote location indicating successful\r\ncompromise of the victim.\r\nMalicious blogpost from July 2021.\r\nDecoded content of the post from July 2021.\r\nThe Stage 3 VBS scripts are configured to run at Startup (via the LNK in Startup directory installed by Stage 2 scripts) when\r\nthe victim restarts or logs into their system. 
This means that every time the victim logs back into the infected endpoint, the\r\nStage 3 VBScript will query the malicious Blogspot location for content to execute on the victim’s system. This gives the\r\nattackers ample time to modify the content of the blog post with new malicious content that can be executed on the endpoint.\r\nFile exfiltration module\r\nTypical file exfiltration modules deployed by threat actors usually consist of the ability to enumerate and exfiltrate files.\r\nThese implants enumerate files in specific drives or directories and exfiltrate the file lists first. Once the attackers identify\r\nthe files of interest, the module is instrumented for exfiltration of the files.\r\nThe VBScript-based file recon module used by the attackers is somewhat different. It downloads a file listing from a remote\r\nlocation that contains the file paths of specific files of interest to the attackers. The file listing is so precise that the attackers\r\nknow the exact file paths of the files they’re looking for on an infected endpoint. This indicates that the attackers have a\r\ndeep knowledge of their targets’ systems likely from previous compromises of the targets.\r\nIf any of the files listed are found by the implant, it will copy them over to another directory such as %temp%. The directory\r\nwill be zipped up into a ZIP file and exfiltrated to a remote location specified by the file exfiltration module. The uploaded\r\nfiles are identified by a victim ID in the HTTP POST request while uploading the ZIP file to the attacker-specified URL.\r\nFile recon and exfiltration module.\nMark as exfiltrated: The attackers also perform a preliminary check to verify if the victim has already been compromised\nand files exfiltrated. 
This prevents re-infection of the target.\nA marker file is created in an attacker-specified folder and is checked before the exfiltration module begins its malicious\nactivities. If found, the module will simply exit. If the marker file is not found, the module will proceed with its recon and\nexfiltration activities.\nIn August 2021, we saw a minor variation of the same script being deployed in the wild. This variation combined the\nability to send the initial beacon (described previously) to the attackers with the file exfiltration functionality.\nAnother modification in this variant was the use of a victim-specific query field in the beacon’s HTTP GET request. The\nURL constructed had the following format:\nhttp://report.php?filename=-alive\nInterestingly, the victim_id is not generated by the VB script. Instead, it’s hardcoded into the scripts showing that the\nattackers already know the identities of the targets that they are trying to infect. This indicates that this is a highly targeted\nattack.\nIn October 2021, we observed another update in the file exfiltration scripts. This time, the attackers decided to perform a\nwide scan of a specific drive on the system against a target.\nThe scan is done using a batch file created on the fly containing the command format:\ndir \u003cdrive_letter\u003e /s \u003e\u003e \u003cfilename\u003e\r\nWide range scanning of a drive.\r\nThe Instrumentor\r\nTalos also observed the usage of a third VBS-based module being deployed via Blogspot. This time it was an instrumentor script\r\nfor deploying additional implants on a victim’s system. Interestingly, this script also includes the exact same capabilities of\r\nthe file exfiltration module illustrated earlier along with other functionality. It is therefore likely that the attackers have\r\nstitched together and deployed various components in their attack chains. 
This is a characteristic typical of Kimsuky and\r\nother related groups, such as Lazarus.\r\nGather preliminary information\r\nThe instrumentor script begins by collecting the following information about the infected endpoint:\r\nGather the names of all services running on the system.\r\nGather a list of the names of all processes running on the endpoint.\r\nGather the list of all file names listed in the Recent Items folder, i.e. “%Appdata%\\Microsoft\\Windows\\Recent”.\r\nGather all names of files listed in the Desktop folder of the current user.\r\nGather names of all files and programs listed in the Taskbar, i.e. “%AppData%\\Microsoft\\Internet Explorer\\Quick\r\nLaunch\\User Pinned\\Taskbar”.\r\nGet the bitness of the operating system: “x86” or “x64”.\r\nGet the username, OS name and version, and .NET Framework version.\r\nGet the Microsoft Office version number from the registry, specifically from the registry key/value:\r\nHKEY_CLASSES_ROOT\\Excel.Application\\CurVer|Default.\r\nThe instrumentor script also enables all macros for Office by setting the VBAWarnings registry value to 0x1 at:\r\nHKCU\\Software\\Microsoft\\Office\\\u003cOfficeVersionNumber\u003e.0\\Word\\Security\\VBAWarnings = 0x1\r\nThis system information is then recorded to a file on disk in the format:\r\nSysinfo recorded file format.\r\nThe instrumentor is responsible for zipping and exfiltrating this preliminary information gathered from the endpoint. The\r\ninstrumentor also sends all logs used by various implants for recording information from the victim’s system to the\r\nattacker’s server. 
The instrumentor script is solely responsible for the exchange of information and any outbound traffic from\r\nthe endpoint, not the individual implants.\r\nDeploying the implants\r\nOnce the preliminary system information has been gathered by the instrumentor, it will usually download and deploy three\r\nkey implants on the endpoint. All these implants are DLL files meant to serve very specific purposes.\r\nA marker file “qwer.txt” is created by the instrumentor script prior to downloading and deploying any of the implants. This\r\nfile acts as an infection marker for the implants that check for the presence of this file before performing any malicious\r\nactivities. The instrumentor script downloads the DLL implants and then creates a temporary PowerShell script to deploy the\r\nDLL on the infected system.\r\nThe DLL implants downloaded to a file on disk usually have their first byte modified. This is used as an evasion mechanism\r\nto prevent recognition of the executable file format. Once the DLL is downloaded, the PowerShell script resets its first byte\r\nto 0x4D. The DLL is then deployed on the endpoint using rundll32.exe.\r\nPowerShell script modifying and running the DLL implant using rundll32.exe.\r\nCleanup capabilities\r\nThe instrumentor script also performs a cleanup of the cookies for Google Chrome and Microsoft Edge browsers. This\r\nactivity is performed after the implants are in place to force users to reauthenticate. This is done by simply terminating any\r\nbrowser processes running on the system and then deleting the cookie files on disk. 
The commands used are:\r\ntaskkill /f /im chrome.exe\r\ncmd.exe /c del /f \"\"%localappdata%\\Google\\Chrome\\User Data\\Default\\Cookies\"\"\r\ntaskkill /f /im msedge.exe\r\ncmd.exe /c del /f \"\"%localappdata%\\microsoft\\edge\\User Data\\Default\\Cookies\"\"\r\nThe infection chain is illustrated as follows:\r\nImplants\r\nThe implants deployed by the attackers are:\r\nInformation-gathering DLL.\r\nFile injector.\r\nKeylogger.\r\nThese implants check if a specific file “%AppData%\\qwer.txt” exists on the endpoint. If the file does not exist, then\r\nexecution quits. If the file does exist, the modules carry out their respective malicious activities.\r\nInformation-gathering module\r\nTo start, the implant looks for the AHNLAB V3 Antivirus software’s class name “49B46336-BA4D-4905-9824-D282F05F6576”.\r\nIf the software is found, the implant will hide the AV software window from the view of the infected user.\r\nAdditional information gathering\r\nIn addition to the preliminary information gathered by the instrumentor script, this implant gathers additional information:\r\nGather all network configuration information and record to a file on disk in a folder created by the implant using the\r\ncommand:\r\ncmd.exe /c ipconfig/all \u003e\u003e\"%s\" \u0026 arp -a \u003e\u003e\"%s\"\r\nwhere %s = \u003cfile_path\u003e\r\nImplant gathering network information from the victim.\r\nGather all system information using the “systeminfo” command and record to a file:\r\ncmd.exe /c systeminfo \u003e\u003e\"%s\"\r\nwhere %s = \u003cfile_path\u003e\r\nGather process information for all running processes on the system using:\r\ncmd.exe /c tasklist \u003e\u003e\\\"%s\\\"\r\nwhere %s = \u003cfile_path\u003e\r\nRecord into a file the file information of all files residing in specific locations in each drive on the disk:\r\n“Documents and Settings” folder\r\n“users” 
folder.\r\n“Program Files” folder.\r\nThe file information recorded is:\r\nFile name.\r\nFile creation time in the format YYYY/MM/DD HH:MM [AM|PM].\r\nCurrent file size.\r\nImplant enumerating drives and gathering file information from specific folders.\r\nThe VBS-based instrumentor script is responsible for zipping up the folder in which this data is collected from the victims and\r\nsending it to an attacker-controlled URL.\r\nFile injector DLL and encrypted payloads\r\nTo deploy the file injector, the instrumentor downloads additional payloads to be injected into a benign process. The injector\r\nis responsible for spawning a benign process on the system (such as “svchost.exe” or “iexplore.exe”) and injecting the\r\nmalicious payload into it via process hollowing.\r\nApart from stealing research, another overarching theme of the campaign is to gather credentials using trojanized tools\r\nagainst entities of interest. The payload observed in this campaign was a trojanized version of the Nirsoft\r\nWebBrowserPassView tool (specifically v2.11). The attackers modified the password viewer application to dump the\r\npasswords obtained into a specific file on disk.\r\nMalicious function used to record credentials to a file on disk.\r\nThe legitimate tool extracts all credential data from the system and sends it to the GUI to be displayed to the user. 
The\r\ntrojanized version used in this campaign sends the data to a log file instead.\r\nLeft - Legitimate function for sending data to the GUI vs Right - trojanized function that sends data to a log file instead.\r\nThe instrumentor script (VBS from earlier) is configured to zip up the contents of the password dump directory and\r\nexfiltrate it to the C2.\r\nKeylogger DLL\r\nThe keylogger is responsible for recording specific keystrokes from the victim into a log file located at:\r\n%Appdata%\\Microsoft\\pubs\\desktop.ini.\r\nIt begins recording keystrokes as soon as it is deployed on the infected endpoint via rundll32.exe.\r\nKeystrokes recorded by the implant using the GetAsyncKeyState API.\r\nThe key log is not exfiltrated by the keylogger DLL. Instead, the instrumentor VB script is the one responsible for zipping up\r\nthe key log and sending it over to the C2 specified in the VB script.\r\nInstrumentor VB script zipping and exfiltrating the key log directory to the C2.\r\nThe instrumentation of the three key implants is as follows:\r\nInstrumentor’s orchestration of implants.\r\nEvolution of implants\r\nThe final payloads deployed by the instrumentor script consist of implants derived from the Gold Dragon/Brave Prince\r\nfamily of implants. These two families share multiple code similarities and have been developed and operated by Kimsuky\r\nat least since 2017. 
The key difference between the two malware families is that while Gold Dragon uses HTTP requests to exfiltrate\r\ndata, Brave Prince uses attacker-owned mailboxes to perform exfiltration.\r\nIn this section we illustrate the evolution of these malware families over the past year into the three derivative implants\r\ndeployed by Kimsuky in this specific campaign.\r\nIn the 2020 version of the injector implant, the payload to be injected into a benign process such as\r\nsvchost.exe or iexplore.exe is embedded in the injector module itself. The payload is decoded (xorred) and then\r\ndecompressed and finally injected into the benign process. This payload is yet another downloader for running additional\r\nimplants on the infected endpoint. Based on historical analysis it is likely that this infection chain deploys a credential\r\nstealer and mailbox-based exfiltration component, in a manner similar to Brave Prince.\r\nIn January 2021, we observed the deployment of a module that consists of both the information gathering and injector\r\nmodules combined into a single DLL. This DLL carries out certain additional functionality that was removed from\r\nsubsequent versions:\r\nCopy files from the “Recent Items” folder with extensions: lnk, doc, docx, pdf, hwp.\r\nDownload additional payloads from a remote URL and deploy these on the endpoint via rundll32.\r\nThis module also decompresses the keylogger module from its resources and injects it into a benign process. The keylogger\r\nmodule in this case has an additional capability to decompress yet another module, the file exfiltrator, and inject this into\r\nanother benign process. 
Consistent with Brave Prince, the file exfiltrator is responsible for sending the information gathered\r\nand keylogs from the system to attacker-controlled mailboxes.\r\nWe observed continued use of such modules throughout 2021 into August.\r\nThe file injector module deploying a keylogger seen throughout most of 2021.\r\nIn early September 2021, we observed the removal of much of the functionality from the implants. This time the injectors\r\ndeployed against targets consisted of the trojanized copies of the Nirsoft WebBrowserPassView tool. This iteration also\r\nincludes the information gathering functionality as well as the file injector.\r\nCombined info gathering and file injector module from early September 2021.\r\nThis amalgamation of the information gathering and file injection modules continued into mid-September. However, this\r\niteration of the implant saw another change. This time, the implant didn’t have the injectable payload embedded as a\r\nresource in the injector module. This version of the implant reaches out to two remote URLs to download,\r\ndecode/decompress and deploy the payload on the infected system. One of these payloads consists of a trojanized version of\r\nthe Nirsoft WebBrowserPassView tool. The other payload is unknown; however, it is likely that the attackers are using\r\nanother hacktool to steal browser cookie information from the victims.\r\nRemote locations for downloading the payload in the implant from mid-September 2021.\r\nFour days later, the attackers changed their implementation again. This time, the injector module only consisted of the\r\nability to read an existing compressed payload from a file on disk and inject it into a benign process. 
The information\r\ngathering capabilities were separated out into an independent module, the information gathering module described above.\r\nThe separate information gathering module (described previously) was in fact created one day before this new iteration of\r\nthe injector module was created.\r\nTimeline of evolution:\r\nConclusion\r\nKimsuky is a highly motivated threat actor targeting a number of entities in South Korea. This group has been relentlessly\r\ncreating new infection chains to deliver different types of malware to their victims. This campaign relies on the abuse of\r\nBlogspot to host attacker-operated blogs serving malicious VB-based scripts to their targets. We’ve found preliminary\r\nmalicious components from initial access beacons to file exfiltrators being deployed to victims. In many cases, the content\r\nof these preliminary components was combined to serve special scripts to victims.\r\nThe final implants utilized by the actors in this campaign are derivatives of the Gold Dragon/Brave Prince malware families.\r\nSince late 2020, the actors have introduced multiple capabilities (and removed some) in the implants, eventually\r\nmodularizing them into three distinct malware modules.\r\nApart from stealing research using bespoke file exfiltrators, another goal of the campaign is to gather credentials using\r\ntrojanized tools such as Nirsoft’s WebBrowserPassView and use implants to establish continued unauthorized access into\r\nentities of interest. Such targeted attacks can result in the leak of restricted research, unauthorized access for espionage and\r\neven destructive attacks against target organizations.\r\nCoverage\r\nWays our customers can detect and block this threat are listed below.\r\nCisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in\r\nthis post. 
Try Secure Endpoint for free here.\r\nCisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.\r\nCisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their\r\ncampaign. You can try Secure Email for free here.\r\nCisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense\r\nVirtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.\r\nCisco Secure Network/Cloud Analytics (Stealthwatch/Stealthwatch Cloud) analyzes network traffic automatically and alerts\r\nusers of potentially unwanted activity on every connected device.\r\nCisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure\r\nproducts.\r\nUmbrella, Cisco’s secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs,\r\nwhether users are on or off the corporate network. 
Sign up for a free trial of Umbrella here.\r\nCisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests\r\nsuspicious sites before users access them.\r\nAdditional protections with context to your specific environment and threat data are available from the Firewall\r\nManagement Center.\r\nCisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.\r\nOpen-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for\r\npurchase on Snort.org.\r\nThe Snort SIDs for this threat are: 58496-58497.\r\nOrbital Queries\r\nCisco Secure Endpoint users can use Orbital Advanced Search to run complex OSqueries to see if their endpoints are\r\ninfected with this specific threat. For specific OSqueries on this threat, click below:\r\nKimsuky Implants\r\nKeylogger\r\nKimsuky’s trojanized Nirsoft WebBrowserPassView tool\r\nThe malicious blogs hosted on Blogspot have been taken down already at the time of publication of this research.\r\nIOCs\r\nHashes\r\nMaldocs\r\n811b42bb169f02d1b0b3527e2ca6c00630bebd676b235cd4e391e9e595f9dfa8\r\nVBA\r\n4b244ac09e4b46792661754bd5d386e8b1a168cb1d5ed440df04c1c2928cb84d\r\nStage 2 script\r\n99b516acd059a4b88f281214d849c5134aa1cea936d69e8eb7393b22be0508a0\r\nStage 3 script\r\n048f3564d5c4d3e0e3b879f33f3b8d340b692f505515e81f192544b98e269ccf\r\nImplants\r\n873b8fb97b4b0c6d7992f6af15653295788526def41f337c651dc64e8e4aeebd\r\nbb0a3c784e55bd25f845644b69c57e3e470af51983617fdfe7ba5d253019ed24\r\n395eebf586d5fc033e22235f7a4224e91ad5dce8570023669c6dee97d04aa21d\r\n5e3907e9e2ed8ff12bb4e96b52401d871526c5ed502d2149dd4f680da4925590\r\n85f6db3a74a4f1a367cc0b60b190c5da56cd0116c1d6a20fd7b51cda8f8948d8\r\nDownloader modules\r\nf4d06956085d2305c19dd78c6d01b06f17ab43e9dd4808885fd08d5da08dd9d2\r\nInformation Gathering Module\r\ne929f23c242cc102a16f5466163622585455aee7b6ed3f98d12787086b14e721\r\nc43475601f330a5a17a50f075696e058429656db54cdfcbdccb0fb93446f6ac9\r\nInjector\r\nde0932206c4d531ab4325c0ec8f025108a6807478eb5d744905560ae119fc6fa\r\n4b0e2244f82170f4e569bb6b100890ec117458bf5cc835fd7bd991f0d334318b\r\nKeylogger\r\ndddc57299857e6ecb2b80cbab2ae6f1978e89c4bfe664c7607129b0fc8db8b1f\r\n36187cd4bc18e4d6ddc5c96dc0ed038bfec751dac4f5354398fdaa89d9fcacd1\r\n5563599441935e3c0c8bdd42ec2c35b78f8376b6c9560898ef6401531058eb87\r\nTrojanized Nirsoft tool\r\n595be57cb6f025ec5753fbe72222e3f7c02b8cb27b438d48286375adbcf427c6\r\n5498c3eb2fb335aadcaf6c5d60560c5d2525997ba6af39b191f6092cb70a3aa6\r\nNetwork IOCs\r\nImplant download locations\r\nhxxps://bigfile[.]mail[.]naver[.]com/bigfileupload/download?\r\nfid=Qr+CpzlTWrd9HqKjK6wnFxEXKxKdHqUmKoumaxUdKxumaxgdHqurKqEmaAb9axvjFoFCFzUqKopCKxEXMoElMrpoF6J4KoCoFq\r\nhxxps://bigfile[.]mail[.]naver[.]com/bigfileupload/download?\r\nfid=QrFCpzlTWrd9HqUjK6wnFxEXKxKdHqUmKoumaxUdKxumaxgdHqurKqEmaAb9axvjpx3CKxi4K4tdMrp4axioFzpSFzUrFovqpotlpx+\r\nhxxps://bigfile[.]mail[.]naver[.]com/bigfileupload/download?\r\nfid=QrRCpzlTWrd9HqtjK6wnFxEXKxKdHqUmKoumaxUdKxumaxgdHqurKqEmaAb9axvjFxbwFqiSpztXF630pxFCFqM9F6UZaAi4MrFC\r\nhxxps://bigfile[.]mail[.]naver[.]com/bigfileupload/download?\r\nfid=Q9eCpzlTWrd9HqujK6wnFxEXKxKdHqUmKoumaxUdKxumaxgdHqurKqEmaAb9axvjMrMqMoErpo2wFx3SFquXa6MXKqICM6M/F\r\npcsecucheck[.]scienceontheweb[.]net\r\nBeacon URLs\r\nC2 URLs\r\nhxxp[://]o61666ch[.]getenjoyment[.]net/post[.]php\r\nMalicious 
blogs\r\nhxxps[://]4b758c2e938d65bee050[.]blogspot[.]com/2021/10/1[.]html\r\nhxxps[://]gyzang681[.]blogspot[.]com/2021/08/1[.]html\r\nhxxps[://]gyzang681[.]blogspot[.]com/2021/08/2[.]html\r\nhxxps[://]tvrfekxqrtvpqzr5tvrfdu5evt0[.]blogspot[.]com/2021/08/1[.]html\r\nhxxps[://]tvrfeuxqrtfnqzr4t0m0ee5utt0[.]blogspot[.]com/2021/08/1[.]html\r\nhxxps[://]gyzang58[.]blogspot[.]com/2021/08/1[.]html\r\nhxxps[://]gyzang58[.]blogspot[.]com/2021/08/2[.]html\r\nhxxps[://]gyzang1[.]blogspot[.]com/2021/08/1[.]html\r\nhxxps[://]gyzang682[.]blogspot[.]com/2021/08/1[.]html\r\nhxxps[://]gyzang0826[.]blogspot[.]com/2021/08/1[.]html\r\nhxxps[://]vev4tkrrpq[.]blogspot[.]com/2021/08/1[.]html\r\nhxxps[://]akf4tvrbmg[.]blogspot[.]com/2021/08/1[.]html\r\nhxxps[://]vgn5tvrrpq[.]blogspot[.]com/2021/08/1[.]html\r\nhttps://blog.talosintelligence.com/2021/11/kimsuky-abuses-blogs-delivers-malware.html\r\nPage 20 of 21\n\nhxxps[://]vgt5tvrnpq[.]blogspot[.]com/2021/08/1[.]html\r\nhxxps[://]amfuz2h5b2s[.]blogspot[.]com/2021/07/1[.]html\r\nhxxps[://]tvrbmkxqstbouzq0twk0ee9uaz0[.]blogspot[.]com/2021/07/1_22[.]html\r\nhxxps[://]twpbekxqsxpoqzr4txpvdu1uyzu[.]blogspot[.]com/2021/07/1[.]html\r\nhxxps[://]kimshan600000[.]blogspot[.]com/2021/07/1[.]html\r\nhxxps[://]smyun0272[.]blogspot[.]com/2021/06/dootakim[.]html\r\nhxxps[://]smyun0272[.]blogspot[.]com/2021/06/donavyk[.]html\r\nhxxps[://]tvrfekxqrtvpqzr5tvrfdu5evt0[.]blogspot[.]com/2021/08/1[.]html\r\nhxxps[://]smyun0272[.]blogspot[.]com/2021/06/blog-post[.]html\r\nhxxps[://]44179d6df22c56f339bf[.]blogspot[.]com/2021/10/1[.]html\r\nhxxps[://]pjeu1urxdnvef6twpveg[.]blogspot[.]com/2021/09/1[.]html\r\nhxxps[://]rrmu1qrxdoekv6twc9pq[.]blogspot[.]com/2021/09/1[.]html\r\nMalicious Threat Actor 
profiles\r\nhxxps[://]www[.]blogger[.]com/profile/11323350955991033715\r\nhxxps[://]www[.]blogger[.]com/profile/00979528293184121513\r\nhxxps[://]www[.]blogger[.]com/profile/06488825595966996362\r\nhxxps[://]www[.]blogger[.]com/profile/08543251662563600075\r\nhxxps[://]www[.]blogger[.]com/profile/09461495260479357479\r\nhxxps[://]www[.]blogger[.]com/profile/17163478108036561703\r\nSource: https://blog.talosintelligence.com/2021/11/kimsuky-abuses-blogs-delivers-malware.html\r\nhttps://blog.talosintelligence.com/2021/11/kimsuky-abuses-blogs-delivers-malware.html\r\nPage 21 of 21",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia",
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.talosintelligence.com/2021/11/kimsuky-abuses-blogs-delivers-malware.html"
	],
	"report_names": [
		"kimsuky-abuses-blogs-delivers-malware.html"
	],
	"threat_actors": [
		{
			"id": "191d7f9a-8c3c-442a-9f13-debe259d4cc2",
			"created_at": "2022-10-25T15:50:23.280374Z",
			"updated_at": "2026-04-10T02:00:05.305572Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"Kimsuky",
				"Black Banshee",
				"Velvet Chollima",
				"Emerald Sleet",
				"THALLIUM",
				"APT43",
				"TA427",
				"Springtail"
			],
			"source_name": "MITRE:Kimsuky",
			"tools": [
				"Troll Stealer",
				"schtasks",
				"Amadey",
				"GoBear",
				"Brave Prince",
				"CSPY Downloader",
				"gh0st RAT",
				"AppleSeed",
				"Gomir",
				"NOKKI",
				"QuasarRAT",
				"Gold Dragon",
				"PsExec",
				"KGH_SPY",
				"Mimikatz",
				"BabyShark",
				"TRANSLATEXT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "760f2827-1718-4eed-8234-4027c1346145",
			"created_at": "2023-01-06T13:46:38.670947Z",
			"updated_at": "2026-04-10T02:00:03.062424Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"G0086",
				"Emerald Sleet",
				"THALLIUM",
				"Springtail",
				"Sparkling Pisces",
				"Thallium",
				"Operation Stolen Pencil",
				"APT43",
				"Velvet Chollima",
				"Black Banshee"
			],
			"source_name": "MISPGALAXY:Kimsuky",
			"tools": [
				"xrat",
				"QUASARRAT",
				"RDP Wrapper",
				"TightVNC",
				"BabyShark",
				"RevClient"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c8bf82a7-6887-4d46-ad70-4498b67d4c1d",
			"created_at": "2025-08-07T02:03:25.101147Z",
			"updated_at": "2026-04-10T02:00:03.846812Z",
			"deleted_at": null,
			"main_name": "NICKEL KIMBALL",
			"aliases": [
				"APT43 ",
				"ARCHIPELAGO ",
				"Black Banshee ",
				"Crooked Pisces ",
				"Emerald Sleet ",
				"ITG16 ",
				"Kimsuky ",
				"Larva-24005 ",
				"Opal Sleet ",
				"Ruby Sleet ",
				"SharpTongue ",
				"Sparking Pisces ",
				"Springtail ",
				"TA406 ",
				"TA427 ",
				"THALLIUM ",
				"UAT-5394 ",
				"Velvet Chollima "
			],
			"source_name": "Secureworks:NICKEL KIMBALL",
			"tools": [
				"BabyShark",
				"FastFire",
				"FastSpy",
				"FireViewer",
				"Konni"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "71a1e16c-3ba6-4193-be62-be53527817bc",
			"created_at": "2022-10-25T16:07:23.753455Z",
			"updated_at": "2026-04-10T02:00:04.73769Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"APT 43",
				"Black Banshee",
				"Emerald Sleet",
				"G0086",
				"G0094",
				"ITG16",
				"KTA082",
				"Kimsuky",
				"Larva-24005",
				"Larva-25004",
				"Operation Baby Coin",
				"Operation Covert Stalker",
				"Operation DEEP#DRIVE",
				"Operation DEEP#GOSU",
				"Operation Kabar Cobra",
				"Operation Mystery Baby",
				"Operation Red Salt",
				"Operation Smoke Screen",
				"Operation Stealth Power",
				"Operation Stolen Pencil",
				"SharpTongue",
				"Sparkling Pisces",
				"Springtail",
				"TA406",
				"TA427",
				"Thallium",
				"UAT-5394",
				"Velvet Chollima"
			],
			"source_name": "ETDA:Kimsuky",
			"tools": [
				"AngryRebel",
				"AppleSeed",
				"BITTERSWEET",
				"BabyShark",
				"BoBoStealer",
				"CSPY Downloader",
				"Farfli",
				"FlowerPower",
				"Gh0st RAT",
				"Ghost RAT",
				"Gold Dragon",
				"GoldDragon",
				"GoldStamp",
				"JamBog",
				"KGH Spyware Suite",
				"KGH_SPY",
				"KPortScan",
				"KimJongRAT",
				"Kimsuky",
				"LATEOP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Lovexxx",
				"MailPassView",
				"Mechanical",
				"Mimikatz",
				"MoonPeak",
				"Moudour",
				"MyDogs",
				"Mydoor",
				"Network Password Recovery",
				"PCRat",
				"ProcDump",
				"PsExec",
				"ReconShark",
				"Remote Desktop PassView",
				"SHARPEXT",
				"SWEETDROP",
				"SmallTiger",
				"SniffPass",
				"TODDLERSHARK",
				"TRANSLATEXT",
				"Troll Stealer",
				"TrollAgent",
				"VENOMBITE",
				"WebBrowserPassView",
				"xRAT"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434738,
	"ts_updated_at": 1775826778,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d36c0090c55ce07243f99f35e316863a217255a9.pdf",
		"text": "https://archive.orkl.eu/d36c0090c55ce07243f99f35e316863a217255a9.txt",
		"img": "https://archive.orkl.eu/d36c0090c55ce07243f99f35e316863a217255a9.jpg"
	}
}