{
	"id": "f9f9a178-60db-4e65-8671-0710af204225",
	"created_at": "2026-04-06T00:09:45.270833Z",
	"updated_at": "2026-04-10T13:12:15.747119Z",
	"deleted_at": null,
	"sha1_hash": "e1e4ece35966716b85875d61061630533c71b79b",
	"title": "Attack Activities by Kimsuky Targeting Japanese Organizations - JPCERT/CC Eyes",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 579418,
	"plain_text": "Attack Activities by Kimsuky Targeting Japanese Organizations -\r\nJPCERT/CC Eyes\r\nBy 喜野 孝太(Kota Kino)\r\nPublished: 2024-07-07 · Archived: 2026-04-05 19:21:10 UTC\r\nJPCERT/CC has confirmed attack activities targeting Japanese organizations by an attack group called Kimsuky\r\nin March 2024. This article introduces the attack methods of the group confirmed by JPCERT/CC.\r\nAttack overview\r\nIn the attack we identified, the attacker sent a targeted attack email impersonating a security and diplomatic\r\norganization. A zip file containing the following files with double file extensions was attached to the email. (File\r\nnames are omitted.)\r\n(1) [omitted].docx[a large number of spaces].exe\r\n(2) [omitted].docx[a large number of spaces].docx\r\n(3) [omitted].docx[a large number of spaces].docx\r\nTo hide the real file extension, each file name contains a large number of spaces. When the target executes the EXE file\r\n(1), it eventually leads to malware infection. Figure 1 shows the flow after the EXE file is executed.\r\nFigure 1: Flow after the EXE file is executed\r\nThe docx files (2) and (3) are decoy documents. The following section explains the infection flow after the EXE\r\nfile is executed.\r\nFlow of infection\r\nhttps://blogs.jpcert.or.jp/en/2024/07/attack-activities-by-kimsuky-targeting-japanese-organizations.html\r\nPage 1 of 6\n\nWhen the EXE file (1) is executed, a VBS file is downloaded from an external source and executed using\r\nwscript.exe. Figure 2 shows the downloaded VBS file.\r\nFigure 2: Downloaded VBS file\r\nThe VBS file downloads a PowerShell script from the external source and calls the PokDoc function with the following\r\nparameter.\r\nPokDoc -Slyer [Destination URL]\r\nIn addition, it uses the Run key in the registry to configure the file C:\\Users\\Public\\Pictures\\desktop.ini.bak so\r\nthat it automatically starts via WScript.\r\nStealing information from the device\r\nThe PowerShell script downloaded by the VBS file has a feature to collect information from the device. Figure 3 shows\r\nthe downloaded PowerShell.\r\nFigure 3: PowerShell with downloaded PokDoc function\r\nWhen the PokDoc function is executed by the VBS file, the following information on the device is collected, and the\r\ndata is sent to the URL provided in the parameter.\r\nSystem information\r\nProcess list\r\nNetwork information\r\nList of files in specific user folders (Downloads, Documents, Desktop)\r\nUser account information\r\nBased on the above information, it is assumed that this is intended to check whether the device on which the EXE\r\nfile was executed is in an analysis environment such as a sandbox.\r\nFurthermore, after the information on the device is sent, a VBS file with the file name\r\nC:\\Users\\Public\\Pictures\\desktop.ini.bak is created and executed. Figure 4 shows the VBS file to be created.\r\nFigure 4: VBS file to be created\r\nThe VBS file to be created is similar to the one described earlier. It downloads a PowerShell script from the external\r\nsource and calls the InfoKey function with the following parameter.\r\nInfoKey -ur [Destination URL]\r\nKeylogger\r\nThe PowerShell script downloaded by the VBS file functions as a keylogger. Figure 5 shows an example of the downloaded\r\nPowerShell.\r\nFigure 5: PowerShell containing the downloaded InfoKey function\r\nWhen the InfoKey function is called, the file C:\\Users\\Public\\Music\\desktop.ini.bak is created, and the\r\nstolen keystrokes and clipboard contents are saved to it. The contents of the file are sent to the URL provided in the\r\nparameter.\r\nAssociated Attacks\r\nIt is reported that Kimsuky is using the VBS and PowerShell scripts introduced in this article to target organizations in South\r\nKorea [1], and there is another report of an attack with similar TTPs [2]. Therefore, we consider that Kimsuky is\r\nbehind this case as well.\r\nIn closing\r\nAlthough there have been few reports of attack activities by Kimsuky targeting organizations in Japan, there is a\r\npossibility that Japan is also being actively targeted. The most recent report says that malware in CHM format is\r\nused to execute the keylogger mentioned in this article [1], and we need to pay attention to similar attacks in the\r\nfuture.\r\n- Kota Kino\r\n(Translated by Takumi Nakano)\r\nReferences\r\n[1] AhnLab: CHM Malware Stealing User Information Being Distributed in Korea\r\nhttps://asec.ahnlab.com/en/65245/\r\n[2] AhnLab: Malware Disguised as HWP Document File (Kimsuky)\r\nhttps://asec.ahnlab.com/en/54736/\r\n喜野 孝太(Kota Kino)\r\nKota Kino has been a Malware/Forensic Analyst in the Incident Response Group at JPCERT/CC since August 2019.\r\nSource: https://blogs.jpcert.or.jp/en/2024/07/attack-activities-by-kimsuky-targeting-japanese-organizations.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blogs.jpcert.or.jp/en/2024/07/attack-activities-by-kimsuky-targeting-japanese-organizations.html"
	],
	"report_names": [
		"attack-activities-by-kimsuky-targeting-japanese-organizations.html"
	],
	"threat_actors": [
		{
			"id": "15b8d5d8-32cf-408b-91b1-5d6ac1de9805",
			"created_at": "2023-07-20T02:00:08.724751Z",
			"updated_at": "2026-04-10T02:00:03.341845Z",
			"deleted_at": null,
			"main_name": "APT-C-60",
			"aliases": [
				"APT-Q-12"
			],
			"source_name": "MISPGALAXY:APT-C-60",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "191d7f9a-8c3c-442a-9f13-debe259d4cc2",
			"created_at": "2022-10-25T15:50:23.280374Z",
			"updated_at": "2026-04-10T02:00:05.305572Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"Kimsuky",
				"Black Banshee",
				"Velvet Chollima",
				"Emerald Sleet",
				"THALLIUM",
				"APT43",
				"TA427",
				"Springtail"
			],
			"source_name": "MITRE:Kimsuky",
			"tools": [
				"Troll Stealer",
				"schtasks",
				"Amadey",
				"GoBear",
				"Brave Prince",
				"CSPY Downloader",
				"gh0st RAT",
				"AppleSeed",
				"Gomir",
				"NOKKI",
				"QuasarRAT",
				"Gold Dragon",
				"PsExec",
				"KGH_SPY",
				"Mimikatz",
				"BabyShark",
				"TRANSLATEXT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "760f2827-1718-4eed-8234-4027c1346145",
			"created_at": "2023-01-06T13:46:38.670947Z",
			"updated_at": "2026-04-10T02:00:03.062424Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"G0086",
				"Emerald Sleet",
				"THALLIUM",
				"Springtail",
				"Sparkling Pisces",
				"Thallium",
				"Operation Stolen Pencil",
				"APT43",
				"Velvet Chollima",
				"Black Banshee"
			],
			"source_name": "MISPGALAXY:Kimsuky",
			"tools": [
				"xrat",
				"QUASARRAT",
				"RDP Wrapper",
				"TightVNC",
				"BabyShark",
				"RevClient"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ab47428c-7a8e-4ee8-9c8e-4e55c94d2854",
			"created_at": "2024-12-28T02:01:54.668462Z",
			"updated_at": "2026-04-10T02:00:04.564201Z",
			"deleted_at": null,
			"main_name": "APT-C-60",
			"aliases": [
				"APT-Q-12"
			],
			"source_name": "ETDA:APT-C-60",
			"tools": [
				"SpyGlace"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c8bf82a7-6887-4d46-ad70-4498b67d4c1d",
			"created_at": "2025-08-07T02:03:25.101147Z",
			"updated_at": "2026-04-10T02:00:03.846812Z",
			"deleted_at": null,
			"main_name": "NICKEL KIMBALL",
			"aliases": [
				"APT43 ",
				"ARCHIPELAGO ",
				"Black Banshee ",
				"Crooked Pisces ",
				"Emerald Sleet ",
				"ITG16 ",
				"Kimsuky ",
				"Larva-24005 ",
				"Opal Sleet ",
				"Ruby Sleet ",
				"SharpTongue ",
				"Sparking Pisces ",
				"Springtail ",
				"TA406 ",
				"TA427 ",
				"THALLIUM ",
				"UAT-5394 ",
				"Velvet Chollima "
			],
			"source_name": "Secureworks:NICKEL KIMBALL",
			"tools": [
				"BabyShark",
				"FastFire",
				"FastSpy",
				"FireViewer",
				"Konni"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "71a1e16c-3ba6-4193-be62-be53527817bc",
			"created_at": "2022-10-25T16:07:23.753455Z",
			"updated_at": "2026-04-10T02:00:04.73769Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"APT 43",
				"Black Banshee",
				"Emerald Sleet",
				"G0086",
				"G0094",
				"ITG16",
				"KTA082",
				"Kimsuky",
				"Larva-24005",
				"Larva-25004",
				"Operation Baby Coin",
				"Operation Covert Stalker",
				"Operation DEEP#DRIVE",
				"Operation DEEP#GOSU",
				"Operation Kabar Cobra",
				"Operation Mystery Baby",
				"Operation Red Salt",
				"Operation Smoke Screen",
				"Operation Stealth Power",
				"Operation Stolen Pencil",
				"SharpTongue",
				"Sparkling Pisces",
				"Springtail",
				"TA406",
				"TA427",
				"Thallium",
				"UAT-5394",
				"Velvet Chollima"
			],
			"source_name": "ETDA:Kimsuky",
			"tools": [
				"AngryRebel",
				"AppleSeed",
				"BITTERSWEET",
				"BabyShark",
				"BoBoStealer",
				"CSPY Downloader",
				"Farfli",
				"FlowerPower",
				"Gh0st RAT",
				"Ghost RAT",
				"Gold Dragon",
				"GoldDragon",
				"GoldStamp",
				"JamBog",
				"KGH Spyware Suite",
				"KGH_SPY",
				"KPortScan",
				"KimJongRAT",
				"Kimsuky",
				"LATEOP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Lovexxx",
				"MailPassView",
				"Mechanical",
				"Mimikatz",
				"MoonPeak",
				"Moudour",
				"MyDogs",
				"Mydoor",
				"Network Password Recovery",
				"PCRat",
				"ProcDump",
				"PsExec",
				"ReconShark",
				"Remote Desktop PassView",
				"SHARPEXT",
				"SWEETDROP",
				"SmallTiger",
				"SniffPass",
				"TODDLERSHARK",
				"TRANSLATEXT",
				"Troll Stealer",
				"TrollAgent",
				"VENOMBITE",
				"WebBrowserPassView",
				"xRAT"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434185,
	"ts_updated_at": 1775826735,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e1e4ece35966716b85875d61061630533c71b79b.pdf",
		"text": "https://archive.orkl.eu/e1e4ece35966716b85875d61061630533c71b79b.txt",
		"img": "https://archive.orkl.eu/e1e4ece35966716b85875d61061630533c71b79b.jpg"
	}
}