{
	"id": "d970ac81-68d2-400c-97bf-bed9f62e9eb7",
	"created_at": "2026-04-06T00:10:17.323719Z",
	"updated_at": "2026-04-10T03:37:40.857506Z",
	"deleted_at": null,
	"sha1_hash": "d5f36a2fd75153f708adea4baee7d155aa6e09ae",
	"title": "SmallTiger Malware Used in Attacks Against South Korean Businesses (Kimsuky and Andariel) - ASEC",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 998544,
	"plain_text": "SmallTiger Malware Used in Attacks Against South Korean\r\nBusinesses (Kimsuky and Andariel) - ASEC\r\nBy ATCP\r\nPublished: 2024-05-26 · Archived: 2026-04-05 19:37:24 UTC\r\nAhnLab SEcurity intelligence Center (ASEC) is responding to recently discovered cases that are using the\r\nSmallTiger malware to attack South Korean businesses. The method of initial access has not yet been identified,\r\nbut the threat actor distributed SmallTiger into the companies’ systems during the lateral movement phase. South\r\nKorean defense contractors, automobile part manufacturers, and semiconductor manufacturers are some of the\r\nconfirmed targets.\r\nThe attacks were first found in November 2023, and the malware strains found inside the affected systems seemed\r\nto indicate that the Kimsuky group was utilizing their typical method. However, instead of taking an orthodox\r\nKimsuky group approach, the threat actor exploited the software updater programs of the companies during the\r\ninternal propagation phase. Furthermore, it is noteworthy that the backdoor malware installed at the end is\r\nDurianBeacon, a malware strain found in Andariel’s past attack cases.\r\nThe same threat actor resumed attacks in February 2024, and the malware distributed at the end was replaced with\r\na downloader named SmallTiger. The malware was still being used in attacks as of May 2024.\r\n1. DurianBeacon Attack Case\r\nThe cases of attacks using the MultiRDP malware and Meterpreter were found in November 2023. The malware\r\nclassified as MultiRDP patches the memory of the currently running remote desktop service so that multiple users\r\ncan connect with remote desktop protocol (RDP). The threat actor can utilize it to log into the affected system\r\nwithout the user realizing it, and it is a method the Kimsuky group deploys. Meterpreter is a backdoor malware\r\nstrain provided by Metasploit, a penetration testing framework. 
It supports features similar to Cobalt Strike such as\r\ncommand execution, information theft, and lateral movement that can be used to seize control of company\r\nnetworks.\r\nFigure 1. MultiRDP installed via a PowerShell command\r\nhttps://asec.ahnlab.com/en/74039/\r\nPage 1 of 9\n\nInside the system, another malware was installed via the company’s software updater program. The malware\r\ninstalled at the end was DurianBeacon RAT, which was found in Andariel’s past attacks. In addition, the attack\r\ntechnique used when distributing malware is similar to the one the Andariel group has been using.\r\nThe malware first installed during the internal propagation phase is a dropper that decrypts three files that exist in\r\nthe resource and installs them using a service named “mozillasvcone”. “%SystemDirectory%\\mozillasvcone.dll”,\r\nthe file executed via the “mozillasvcone” service, loads a DLL created in the\r\n“%SystemDirectory%\\0OGPWm4uRZ0CAkHZ9o\\c0FcEpj86LSNmZ5.dll” path and calls the\r\nRyXmqIUMXViyw6Uvkf() function. “c0FcEpj86LSNmZ5.dll” reads the encrypted data files created inside the\r\n“%SystemDirectory%\\OQAuagarc0wDTo\\mNyKQBP3vV4uX” path and decrypts the files to execute them inside\r\nthe memory.\r\nThe DurianBeacon that is ultimately executed in the memory is the updated version of DurianBeacon that was\r\nmentioned in the ASEC Blog article “Analysis of Andariel’s New Attack Activities.” [1] The updated version is\r\nalso developed in the Go language and uses the SSL protocol to communicate with the C\u0026C server.\r\nFigure 2. Comparing the past and the present versions\r\nLike the previous version, DurianBeacon sends the infected system’s IP information, user name, desktop name,\r\narchitecture, and file names before awaiting commands after the initial access. When a command is sent, it returns\r\na result. 
The difference is that the commands 0x10 and 0x12 were added for the roles of self-deletion and Socks\r\nProxy.\r\nCommand Feature\r\n0x00 Hibernate\r\n0x01 Interval\r\n0x02 Execute PowerShell commands\r\n0x03 Look up directory\r\n0x04 Drive information\r\n0x05, 0x06, 0x07, 0x08 Upload files\r\n0x09, 0x0A, 0x0B Download files\r\n0x0C Create directories\r\n0x0D Delete file\r\n0x0E Run commands\r\n0x0F Terminate\r\n0x10 Auto-delete\r\n0x12 Socks Proxy\r\nTable 1. The list of DurianBeacon commands\r\nIt appears that the threat actor distributed DurianBeacon inside the target companies to control their inner\r\ninfrastructures after the initial access and used the malware to steal information.\r\n2. SmallTiger Attack Case #1\r\nSince February 2024, there have been confirmed cases in which the same threat actor abused different software in\r\ntheir attack. A malware strain in the form of a DLL is ultimately installed during the internal propagation phase. It is a\r\ndownloader that accesses the C\u0026C server to download a payload and executes it inside the memory. The\r\ndownloader malware in this case is classified as SmallTiger based on the name of the DLL given by the developer\r\n(threat actor).\r\nFigure 3. SmallTiger, the name the threat actor gave to the DLL file\r\nThe threat actor also installed Mimikatz and ProcDump during the infiltration stage and dumped the memory of\r\nthe LSASS process using the ProcDump tool to hijack the infected system’s credentials.\r\nFigure 4. The ProcDump commands that were found during the attack stage\r\nIn this case, a malware strain that steals web browser information, similar to NirSoft’s WebBrowserPassView, was\r\nalso discovered. 
It is a command line tool similar to WebBrowserPassView in that it extracts and shows the\r\naccount and history information saved in Google Chrome, Firefox, and Internet Explorer.\r\nFigure 5. Web browser account information stealer confirmed in the attack phase\r\n3. SmallTiger Attack Case #2\r\nUnlike in November 2023 where the threat actor used a dropper that creates DurianBeacon, a downloader with the\r\nsame name (j******n.exe) was used in April 2024. The malware downloads a malicious JavaScript from the C\u0026C\r\nserver using the mshta command and runs it. The downloaded JavaScript creates a payload that is included\r\ninternally at the “C:/Users/Public/printsys.dll:mdata” path—the alternate data stream (ADS) area—and runs it\r\nusing rundll32. As a result, SmallTiger is created.\r\nFigure 6. The mshta commands that install SmallTiger in the ADS area\r\nIn May 2024, GitHub was used instead of the usual C\u0026C server to distribute SmallTiger. “pk.dll” is the file that is\r\ninstalled at the end, and it is the SmallTiger malware just like the past attack cases.\r\nFigure 7. The malware that downloads additional payloads from GitHub\r\nFigure 8. The GitHub address of the threat actor where the malware was uploaded\r\n4. Conclusion\r\nSince November 2023, ASEC has confirmed cases of attacks targeting South Korean companies that led to\r\nSmallTiger’s distribution. The first case used DurianBeacon—employed by the Andariel group in the past—as the\r\nfinal payload, but it was found alongside malware strains that the Kimsuky group used in its previous attacks. 
The\r\nattacker has been using a different strain of malware named SmallTiger since February 2024.\r\nUsers must be particularly cautious against attachments in emails from unknown sources and executable files\r\ndownloaded from web pages. Additionally, security administrators in companies must enhance the monitoring of\r\nsecurity programs and apply patches for any security vulnerabilities. Users should also apply the latest\r\npatches for the OS and programs such as Internet browsers, and update V3 to the latest version to prevent malware\r\ninfection in advance.\r\nFile Detection\r\n– Data/BIN.Encoded (2024.05.07.02)\r\n– Downloader/HTA.Agent.SC199444 (2024.05.02.00)\r\n– Downloader/Win.SmallTiger.R648273 (2024.05.15.01)\r\n– Downloader/Win.Agent.R648272 (2024.05.15.01)\r\n– Downloader/Win.SmallTiger.R648174 (2024.05.14.01)\r\n– Downloader/Win.SmallTiger.R647319 (2024.05.07.01)\r\n– Downloader/Win.SmallTiger.R646830 (2024.05.01.03)\r\n– Malware/Win.Agent.R628198 (2023.12.18.02)\r\n– Dropper/Win.Agent.R626614 (2023.12.05.00)\r\n– Trojan/Win.Agent.R626616 (2023.12.05.00)\r\n– Trojan/Win.Agent.R626617 (2023.12.05.00)\r\n– Backdoor/Win.Iedoor.R625563 (2023.11.27.03)\r\n– Trojan/Win.Generic.R577010 (2023.05.15.02)\r\n– Trojan/Win32.RL_Mimikatz.R290617 (2019.09.09.01)\r\n– Trojan/Win32.RL_AgentTesla.C4181110 (2020.08.16.06)\r\n– HackTool/Win.PassViewer.C5353355 (2023.01.08.03)\r\n– Downloader/Win.Agent.C5617482 (2024.05.01.03)\r\n– Downloader/Win.SmallTiger.C5617497 (2024.05.02.00)\r\n– Downloader/Win.SmallTiger.C5617498 (2024.05.02.00)\r\n– Trojan/Win.AndarDowner.C5619183 (2024.05.07.01)\r\n– Downloader/Win.SmallTiger.C5621202 (2024.05.13.00)\r\n– Downloader/Win.Agent.C5621403 (2024.05.13.02)\r\n– Downloader/Win.Agent.C5621517 (2024.05.14.01)\r\n– Downloader/Win.SmallTiger.C5623714 (2024.05.21.01)\r\n– Downloader/Win.SmallTiger.C5623717 (2024.05.21.01)\r\n– Downloader/Win.SmallTiger.C5623718 
(2024.05.21.01)\r\n– Infostealer/Win.Agent.C5623997 (2024.05.21.03)\r\nBehavior Detection\r\n– DefenseEvasion/MDP.Event.M1423\r\n– Execution/MDP.Powershell.M1185\r\n– InitialAccess/MDP.Powershell.M1197\r\n– Execution/MDP.Ngrok.M4615\r\nMD5\r\nAdditional IOCs are available on AhnLab TIP.\r\nURL\r\nAdditional IOCs are available on AhnLab TIP.\r\nSource: https://asec.ahnlab.com/en/74039/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://asec.ahnlab.com/en/74039/"
	],
	"report_names": [
		"74039"
	],
	"threat_actors": [
		{
			"id": "838f6ced-12a4-4893-991a-36d231d96efd",
			"created_at": "2022-10-25T15:50:23.347455Z",
			"updated_at": "2026-04-10T02:00:05.295717Z",
			"deleted_at": null,
			"main_name": "Andariel",
			"aliases": [
				"Andariel",
				"Silent Chollima",
				"PLUTONIUM",
				"Onyx Sleet"
			],
			"source_name": "MITRE:Andariel",
			"tools": [
				"Rifdoor",
				"gh0st RAT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "110e7160-a8cc-4a66-8550-f19f7d418117",
			"created_at": "2023-01-06T13:46:38.427592Z",
			"updated_at": "2026-04-10T02:00:02.969896Z",
			"deleted_at": null,
			"main_name": "Silent Chollima",
			"aliases": [
				"Onyx Sleet",
				"PLUTONIUM",
				"OperationTroy",
				"Guardian of Peace",
				"GOP",
				"WHOis Team",
				"Andariel",
				"Subgroup: Andariel"
			],
			"source_name": "MISPGALAXY:Silent Chollima",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "191d7f9a-8c3c-442a-9f13-debe259d4cc2",
			"created_at": "2022-10-25T15:50:23.280374Z",
			"updated_at": "2026-04-10T02:00:05.305572Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"Kimsuky",
				"Black Banshee",
				"Velvet Chollima",
				"Emerald Sleet",
				"THALLIUM",
				"APT43",
				"TA427",
				"Springtail"
			],
			"source_name": "MITRE:Kimsuky",
			"tools": [
				"Troll Stealer",
				"schtasks",
				"Amadey",
				"GoBear",
				"Brave Prince",
				"CSPY Downloader",
				"gh0st RAT",
				"AppleSeed",
				"Gomir",
				"NOKKI",
				"QuasarRAT",
				"Gold Dragon",
				"PsExec",
				"KGH_SPY",
				"Mimikatz",
				"BabyShark",
				"TRANSLATEXT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "bc6e3644-3249-44f3-a277-354b7966dd1b",
			"created_at": "2022-10-25T16:07:23.760559Z",
			"updated_at": "2026-04-10T02:00:04.741239Z",
			"deleted_at": null,
			"main_name": "Andariel",
			"aliases": [
				"APT 45",
				"Andariel",
				"G0138",
				"Jumpy Pisces",
				"Onyx Sleet",
				"Operation BLACKMINE",
				"Operation BLACKSHEEP/Phase 3.",
				"Operation Blacksmith",
				"Operation DESERTWOLF/Phase 3",
				"Operation GHOSTRAT",
				"Operation GoldenAxe",
				"Operation INITROY/Phase 1",
				"Operation INITROY/Phase 2",
				"Operation Mayday",
				"Operation VANXATM",
				"Operation XEDA",
				"Plutonium",
				"Silent Chollima",
				"Stonefly"
			],
			"source_name": "ETDA:Andariel",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "760f2827-1718-4eed-8234-4027c1346145",
			"created_at": "2023-01-06T13:46:38.670947Z",
			"updated_at": "2026-04-10T02:00:03.062424Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"G0086",
				"Emerald Sleet",
				"THALLIUM",
				"Springtail",
				"Sparkling Pisces",
				"Thallium",
				"Operation Stolen Pencil",
				"APT43",
				"Velvet Chollima",
				"Black Banshee"
			],
			"source_name": "MISPGALAXY:Kimsuky",
			"tools": [
				"xrat",
				"QUASARRAT",
				"RDP Wrapper",
				"TightVNC",
				"BabyShark",
				"RevClient"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c8bf82a7-6887-4d46-ad70-4498b67d4c1d",
			"created_at": "2025-08-07T02:03:25.101147Z",
			"updated_at": "2026-04-10T02:00:03.846812Z",
			"deleted_at": null,
			"main_name": "NICKEL KIMBALL",
			"aliases": [
				"APT43 ",
				"ARCHIPELAGO ",
				"Black Banshee ",
				"Crooked Pisces ",
				"Emerald Sleet ",
				"ITG16 ",
				"Kimsuky ",
				"Larva-24005 ",
				"Opal Sleet ",
				"Ruby Sleet ",
				"SharpTongue ",
				"Sparking Pisces ",
				"Springtail ",
				"TA406 ",
				"TA427 ",
				"THALLIUM ",
				"UAT-5394 ",
				"Velvet Chollima "
			],
			"source_name": "Secureworks:NICKEL KIMBALL",
			"tools": [
				"BabyShark",
				"FastFire",
				"FastSpy",
				"FireViewer",
				"Konni"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "771d9263-076e-4b6e-bd58-92b6555eb739",
			"created_at": "2025-08-07T02:03:25.092436Z",
			"updated_at": "2026-04-10T02:00:03.758541Z",
			"deleted_at": null,
			"main_name": "NICKEL HYATT",
			"aliases": [
				"APT45 ",
				"Andariel",
				"Dark Seoul",
				"Jumpy Pisces ",
				"Onyx Sleet ",
				"RIFLE Campaign",
				"Silent Chollima ",
				"Stonefly ",
				"UN614 "
			],
			"source_name": "Secureworks:NICKEL HYATT",
			"tools": [
				"ActiveX 0-day",
				"DTrack",
				"HazyLoad",
				"HotCriossant",
				"Rifle",
				"UnitBot",
				"Valefor"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "71a1e16c-3ba6-4193-be62-be53527817bc",
			"created_at": "2022-10-25T16:07:23.753455Z",
			"updated_at": "2026-04-10T02:00:04.73769Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"APT 43",
				"Black Banshee",
				"Emerald Sleet",
				"G0086",
				"G0094",
				"ITG16",
				"KTA082",
				"Kimsuky",
				"Larva-24005",
				"Larva-25004",
				"Operation Baby Coin",
				"Operation Covert Stalker",
				"Operation DEEP#DRIVE",
				"Operation DEEP#GOSU",
				"Operation Kabar Cobra",
				"Operation Mystery Baby",
				"Operation Red Salt",
				"Operation Smoke Screen",
				"Operation Stealth Power",
				"Operation Stolen Pencil",
				"SharpTongue",
				"Sparkling Pisces",
				"Springtail",
				"TA406",
				"TA427",
				"Thallium",
				"UAT-5394",
				"Velvet Chollima"
			],
			"source_name": "ETDA:Kimsuky",
			"tools": [
				"AngryRebel",
				"AppleSeed",
				"BITTERSWEET",
				"BabyShark",
				"BoBoStealer",
				"CSPY Downloader",
				"Farfli",
				"FlowerPower",
				"Gh0st RAT",
				"Ghost RAT",
				"Gold Dragon",
				"GoldDragon",
				"GoldStamp",
				"JamBog",
				"KGH Spyware Suite",
				"KGH_SPY",
				"KPortScan",
				"KimJongRAT",
				"Kimsuky",
				"LATEOP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Lovexxx",
				"MailPassView",
				"Mechanical",
				"Mimikatz",
				"MoonPeak",
				"Moudour",
				"MyDogs",
				"Mydoor",
				"Network Password Recovery",
				"PCRat",
				"ProcDump",
				"PsExec",
				"ReconShark",
				"Remote Desktop PassView",
				"SHARPEXT",
				"SWEETDROP",
				"SmallTiger",
				"SniffPass",
				"TODDLERSHARK",
				"TRANSLATEXT",
				"Troll Stealer",
				"TrollAgent",
				"VENOMBITE",
				"WebBrowserPassView",
				"xRAT"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434217,
	"ts_updated_at": 1775792260,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d5f36a2fd75153f708adea4baee7d155aa6e09ae.pdf",
		"text": "https://archive.orkl.eu/d5f36a2fd75153f708adea4baee7d155aa6e09ae.txt",
		"img": "https://archive.orkl.eu/d5f36a2fd75153f708adea4baee7d155aa6e09ae.jpg"
	}
}