{
	"id": "a7672209-f445-4e3c-b1bf-205ce136c61c",
	"created_at": "2026-04-06T00:17:06.721624Z",
	"updated_at": "2026-04-10T03:37:40.695973Z",
	"deleted_at": null,
	"sha1_hash": "e7b0c58d5edbceec368828861b3c47da045e681f",
	"title": "Unraveling Sparkling Pisces’s Tool Set: KLogEXE and FPSpy",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 438641,
	"plain_text": "Unraveling Sparkling Pisces’s Tool Set: KLogEXE and FPSpy\r\nBy Daniel Frank, Lior Rochberger\r\nPublished: 2024-09-26 · Archived: 2026-04-05 16:50:35 UTC\r\nExecutive Summary\r\nUnit 42 researchers discovered two malware samples used by the Sparkling Pisces (aka Kimsuky) threat group.\r\nThis includes an undocumented keylogger, called KLogEXE by its authors, and an undocumented variant of a\r\nbackdoor dubbed FPSpy. These samples enhance Sparkling Pisces' already extensive arsenal and demonstrate the\r\ngroup’s continuous evolution and increasing capabilities.\r\nBased on our analysis, we suspect that the FPSpy variant detailed in this report is a variant of malware mentioned\r\nin a campaign carried out in 2022. That campaign targeted users of a South Korean technology conglomerate.\r\nIn this article, we will provide a technical analysis of KLogEXE and FPSpy, and we’ll shed some light on\r\nSparkling Pisces’s infrastructure. By understanding the mechanics of those two pieces of malware and the\r\nmethods employed by Sparkling Pisces, organizations can better prepare and defend against such threats.\r\nPalo Alto Networks customers receive better protection from the threats discussed in this article through Cortex\r\nXDR and XSIAM.\r\nCustomers are also better protected through Cloud-Delivered Security Services for the Next-Generation Firewall,\r\nincluding Advanced WildFire, Advanced URL Filtering, Advanced DNS Security and Advanced Threat\r\nPrevention.\r\nIf you think you might have been compromised or have an urgent matter, contact the Unit 42 Incident Response\r\nteam.\r\nBackground: Who Is Sparkling Pisces?\r\nThe North Korean APT group Sparkling Pisces (aka Kimsuky, THALLIUM, Velvet Chollima) is known for its\r\nsophisticated cyberespionage operations and advanced spear phishing attacks. 
The group’s most notable attack\r\nwas against Korea Hydro and Nuclear Power (KHNP) in 2014.\r\nThe group initially targeted South Korean government agencies, research institutions and think tanks. As it\r\nevolved, it expanded its reach to Western countries, including the United States, highlighting the group’s status as\r\na global threat.\r\nNicknamed “the king of spear phishing,” the group has conducted hundreds of attacks to lure victims into\r\ndownloading and executing malicious payloads. Recently, the group targeted South Koreans by masquerading as a\r\nlegitimate Korean company and using a valid certificate to sign malware. Sparkling Pisces is also known for its\r\ncomplex and constantly evolving infrastructure, which overlaps between multiple malware strains and campaigns.\r\nhttps://unit42.paloaltonetworks.com/kimsuky-new-keylogger-backdoor-variant/\r\nPage 1 of 7\n\nInfrastructure Pivoting: Discovering New Malware Links\r\nWhile tracking Sparkling Pisces’s infrastructure, we found connections between different operations and tools. We\r\nalso discovered the group using new and undocumented malware.\r\nOne of the malware samples, KLogEXE, was found by tracking the infrastructure that the group used as the\r\ncommand and control (C2) of a PowerShell keylogger that the JPCERT documented. The threat actor delivered\r\nthe PowerShell keylogger, which an earlier report by ASEC also mentioned, in a spear phishing campaign\r\ntargeting South Korean users.\r\nThe PowerShell keylogger from the aforementioned JPCERT report communicates with www.vic.apollo-star7[.]kro.kr, which resolves to 152.32.138[.]167.\r\nPivoting on that IP address led us to another file, a Portable Executable (PE) called powershell.exe\r\n(a173a425d17b6f2362eca3c8ea4de9860b52faba414bbb22162895641dda0dc2).\r\nWhen examining the file, we found that it communicates to a different domain that resolves to the same IP address\r\nas the PowerShell keylogger. 
It also uses an unknown Uniform Resource Identifier (URI) pattern that we didn't\r\nobserve in any other malware associated with Sparkling Pisces.\r\nThe Maltego graph in Figure 1 below shows the overlaps between the PowerShell malware and the two examples\r\nof PE malware we discovered called KLogEXE and FPSpy. This includes similar domains registered by the same\r\nregistrant email.\r\nFigure 1. Infrastructure layout showing the connection between the malware.\r\nKLogExe Analysis\r\nThe first PE malware we discovered (powershell.exe) is a keylogger named KLogExe. Based on the dialog\r\nresource, the internal name is KLogExe, and it appears to be a similar implementation of the aforementioned\r\nPowerShell keylogger, but written in C++.\r\nFigure 2. Dialog resource of KLogExe.\r\nKLogExe collects the following data from the compromised machine:\r\nApplications currently running on the compromised host\r\nKeyboard keylogging using the GetAsyncKeyState method\r\nMouse clicks, including retrieving the button name\r\nKLogExe saves the collected data in an .ini file, under C:\\Users\\user\\AppData\\Roaming\\Microsoft\\desktops.ini.\r\nWhen it reaches its file size limit, KLogExe adds the date to the name of the file, generates a random boundary,\r\nand sends it over HTTP to the C2 using the following URI: /wp-content/include.php?_sys_=7.\r\nFigure 3. Exfiltration of the stolen data through a POST request.\r\nFPSpy Analysis\r\nThe second piece of PE malware we uncovered is FPSpy, a threat that has remained relatively under the radar\r\nsince at least 2022. Based on code and behavioral similarities, this malware appears to be a variant of the malware\r\ndescribed in ASEC’s research from 2022. 
Several characteristics, including the naming conventions of additional\r\ndownloaded modules and logs, as well as the malware’s capabilities, also closely resemble Sparkling Pisces’s\r\nKGHSpy backdoor discovered in 2020.\r\nSimilar to KGHSpy, we suspect that FPSpy binaries may be timestomped, meaning that the authors modified\r\nthe compilation timestamp to hide the real creation time of the malware.\r\nFPSpy was first uploaded to VirusTotal on June 26, 2024, although its compilation timestamp dates back to 2018.\r\nMoreover, the hard-coded subdomain for the malware's C2 server,\r\nbitjoker2024.000webhostapp[.]com, was first seen in 2024.\r\nUnlike KLogExe, FPSpy is a DLL named sys.dll with a unique export called MazeFunc. The DLL is contained in\r\na resource called DB in its custom loader, whose purpose is to drop sys.dll to the\r\nC:\\Users\\user\\AppData\\Local\\Microsoft\\WPSOffice\\ folder and load it. Figure 4 below shows the loader’s code.\r\nFigure 4. The code from the sys.dll loader that is in charge of loading sys.dll.\r\nFPSpy implements a range of additional capabilities beyond keylogging. 
Some of these capabilities include:\r\nStoring configuration data about the infected device in a separate file called Param.ini\r\nStoring a vast amount of system information in a file with the naming format Sysinfo_\u003cdate\u003e_.txt\r\nDownloading and executing additional encrypted modules\r\nWorking in a multithreading model, with one thread in charge of downloading additional modules and another in\r\ncharge of uploading data to the C2\r\nExecuting arbitrary commands\r\nExecuting the PowerShell tree command to enumerate drives, folders and files on the infected device,\r\nwhich the malware stores in a file named Drv_\u003cdrive letter\u003e\r\nFigure 5 below shows the aforementioned files, which are also stored under the\r\nC:\\Users\\user\\AppData\\Local\\Microsoft\\WPSOffice\\ folder.\r\nFigure 5. Files created by FPSpy.\r\nThe Connection Between KLogExe and FPSpy\r\nOur analysis indicates that FPSpy shares its codebase with KLogExe, suggesting a possible connection between\r\nthe two. For example, Figure 6 shows its dialog resource.\r\nFigure 6. Dialog resource of FPSpy.\r\nWe were able to find code similarities in the implementations of both pieces of malware. These similarities include:\r\nUsing the same leaked HackingTeam code for dynamic API resolution, which hinders static detection\r\nSimilar hard-coded HTTP packet structure, including similar headers, a randomly generated boundary\r\nstring and a User-Agent that carries Chrome/31.0.1650.57, a Chrome version that is over a decade old\r\nStoring the malware’s data (such as keylogging data) in an .ini file with similar content\r\nFigure 7 below depicts the section of code that is in charge of starting the keylogging process. This\r\nsection also builds the HTTP packet used for data exfiltration in KLogExe and FPSpy respectively.\r\nFigure 7. 
Comparison between FPSpy and KLogExe’s HTTP packet structure.\r\nConclusion\r\nOur research highlights the continuous evolution and sophistication of Sparkling Pisces's tool set, and their\r\nconstantly evolving infrastructure. We uncovered another piece of Sparkling Pisces’s infrastructure, and two\r\nadditional threats in their tool set. This included an undocumented type of malware, KLogExe, and a previously\r\nundocumented variant of malware called FPSpy.\r\nThrough examining KLogExe, we revealed its keylogging and data exfiltration mechanisms. Our investigation of\r\nFPSpy uncovered its advanced functionalities, including data collection and arbitrary command execution.\r\nBy identifying the connections between KLogExe and FPSpy, we demonstrated the shared codebase and\r\nmethodologies employed by Sparkling Pisces.\r\nMost of the targets we observed during our research originated from South Korea and Japan, which is congruent\r\nwith previous Kimsuky targeting.\r\nProtections and Mitigations\r\nPalo Alto Networks Cortex XDR and XSIAM detect and prevent the execution of KLogExe and FPSpy.\r\nFigure 8. 
Prevention of KLogExe and FPSpy by Cortex and XSIAM.\r\nFor Palo Alto Networks customers, our products and services provide the following coverage associated with this\r\ngroup:\r\nAdvanced WildFire cloud-delivered malware analysis service accurately identifies the FPSpy and KLogExe\r\nsamples mentioned in this article as malicious.\r\nAdvanced URL Filtering and Advanced DNS Security identify domains associated with this group as malicious.\r\nCortex XDR and XSIAM help detect user and credential-based threats by analyzing user activity from multiple\r\ndata sources, including the following:\r\nEndpoints\r\nNetwork firewalls\r\nActive Directory\r\nIdentity and access management solutions\r\nCloud workloads\r\nCortex XDR and XSIAM build behavioral profiles of user activity over time with machine learning. By\r\ncomparing new activity to past activity, peer activity and the expected behavior of the entity, Cortex XDR and\r\nXSIAM help detect anomalous activity indicative of credential-based attacks.\r\nIf you think you may have been impacted or have an urgent matter, get in touch with the Unit 42 Incident\r\nResponse team or call:\r\nNorth America Toll-Free: 866.486.4842 (866.4.UNIT42)\r\nEMEA: +31.20.299.3130\r\nAPAC: +65.6983.8730\r\nJapan: +81.50.1790.0200\r\nPalo Alto Networks has shared these findings, including file samples and indicators of compromise, with our\r\nfellow Cyber Threat Alliance (CTA) members. CTA members use this intelligence to rapidly deploy protections to\r\ntheir customers and to systematically disrupt malicious cyber actors. 
Learn more about the Cyber Threat Alliance.\r\nIndicators of Compromise\r\nSource: https://unit42.paloaltonetworks.com/kimsuky-new-keylogger-backdoor-variant/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/kimsuky-new-keylogger-backdoor-variant/"
	],
	"report_names": [
		"kimsuky-new-keylogger-backdoor-variant"
	],
	"threat_actors": [
		{
			"id": "191d7f9a-8c3c-442a-9f13-debe259d4cc2",
			"created_at": "2022-10-25T15:50:23.280374Z",
			"updated_at": "2026-04-10T02:00:05.305572Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"Kimsuky",
				"Black Banshee",
				"Velvet Chollima",
				"Emerald Sleet",
				"THALLIUM",
				"APT43",
				"TA427",
				"Springtail"
			],
			"source_name": "MITRE:Kimsuky",
			"tools": [
				"Troll Stealer",
				"schtasks",
				"Amadey",
				"GoBear",
				"Brave Prince",
				"CSPY Downloader",
				"gh0st RAT",
				"AppleSeed",
				"Gomir",
				"NOKKI",
				"QuasarRAT",
				"Gold Dragon",
				"PsExec",
				"KGH_SPY",
				"Mimikatz",
				"BabyShark",
				"TRANSLATEXT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "760f2827-1718-4eed-8234-4027c1346145",
			"created_at": "2023-01-06T13:46:38.670947Z",
			"updated_at": "2026-04-10T02:00:03.062424Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"G0086",
				"Emerald Sleet",
				"THALLIUM",
				"Springtail",
				"Sparkling Pisces",
				"Thallium",
				"Operation Stolen Pencil",
				"APT43",
				"Velvet Chollima",
				"Black Banshee"
			],
			"source_name": "MISPGALAXY:Kimsuky",
			"tools": [
				"xrat",
				"QUASARRAT",
				"RDP Wrapper",
				"TightVNC",
				"BabyShark",
				"RevClient"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c8bf82a7-6887-4d46-ad70-4498b67d4c1d",
			"created_at": "2025-08-07T02:03:25.101147Z",
			"updated_at": "2026-04-10T02:00:03.846812Z",
			"deleted_at": null,
			"main_name": "NICKEL KIMBALL",
			"aliases": [
				"APT43 ",
				"ARCHIPELAGO ",
				"Black Banshee ",
				"Crooked Pisces ",
				"Emerald Sleet ",
				"ITG16 ",
				"Kimsuky ",
				"Larva-24005 ",
				"Opal Sleet ",
				"Ruby Sleet ",
				"SharpTongue ",
				"Sparking Pisces ",
				"Springtail ",
				"TA406 ",
				"TA427 ",
				"THALLIUM ",
				"UAT-5394 ",
				"Velvet Chollima "
			],
			"source_name": "Secureworks:NICKEL KIMBALL",
			"tools": [
				"BabyShark",
				"FastFire",
				"FastSpy",
				"FireViewer",
				"Konni"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "71a1e16c-3ba6-4193-be62-be53527817bc",
			"created_at": "2022-10-25T16:07:23.753455Z",
			"updated_at": "2026-04-10T02:00:04.73769Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"APT 43",
				"Black Banshee",
				"Emerald Sleet",
				"G0086",
				"G0094",
				"ITG16",
				"KTA082",
				"Kimsuky",
				"Larva-24005",
				"Larva-25004",
				"Operation Baby Coin",
				"Operation Covert Stalker",
				"Operation DEEP#DRIVE",
				"Operation DEEP#GOSU",
				"Operation Kabar Cobra",
				"Operation Mystery Baby",
				"Operation Red Salt",
				"Operation Smoke Screen",
				"Operation Stealth Power",
				"Operation Stolen Pencil",
				"SharpTongue",
				"Sparkling Pisces",
				"Springtail",
				"TA406",
				"TA427",
				"Thallium",
				"UAT-5394",
				"Velvet Chollima"
			],
			"source_name": "ETDA:Kimsuky",
			"tools": [
				"AngryRebel",
				"AppleSeed",
				"BITTERSWEET",
				"BabyShark",
				"BoBoStealer",
				"CSPY Downloader",
				"Farfli",
				"FlowerPower",
				"Gh0st RAT",
				"Ghost RAT",
				"Gold Dragon",
				"GoldDragon",
				"GoldStamp",
				"JamBog",
				"KGH Spyware Suite",
				"KGH_SPY",
				"KPortScan",
				"KimJongRAT",
				"Kimsuky",
				"LATEOP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Lovexxx",
				"MailPassView",
				"Mechanical",
				"Mimikatz",
				"MoonPeak",
				"Moudour",
				"MyDogs",
				"Mydoor",
				"Network Password Recovery",
				"PCRat",
				"ProcDump",
				"PsExec",
				"ReconShark",
				"Remote Desktop PassView",
				"SHARPEXT",
				"SWEETDROP",
				"SmallTiger",
				"SniffPass",
				"TODDLERSHARK",
				"TRANSLATEXT",
				"Troll Stealer",
				"TrollAgent",
				"VENOMBITE",
				"WebBrowserPassView",
				"xRAT"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434626,
	"ts_updated_at": 1775792260,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e7b0c58d5edbceec368828861b3c47da045e681f.pdf",
		"text": "https://archive.orkl.eu/e7b0c58d5edbceec368828861b3c47da045e681f.txt",
		"img": "https://archive.orkl.eu/e7b0c58d5edbceec368828861b3c47da045e681f.jpg"
	}
}