{
	"id": "94eae837-f0f3-464f-81ef-b4a14f092425",
	"created_at": "2026-04-06T00:09:54.723154Z",
	"updated_at": "2026-04-10T13:12:03.479477Z",
	"deleted_at": null,
	"sha1_hash": "f058f562cfdfdc5aea92985f74627e3f507edb1b",
	"title": "Analysis of the North Korea-backed puNK-003’s Lilith RAT ported to AutoIt Script",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 66791,
	"plain_text": "Analysis of the North Korea-backed puNK-003’s Lilith RAT ported to AutoIt Script\r\nArchived: 2026-04-05 12:39:41 UTC\r\n2024.08.22\r\nS2W's Threat Intelligence Center, TALON, has published a detailed analysis report on the Lilith RAT malware distributed by the North Korean-backed attack group puNK-003. This report marks the first instance of publicly disclosing findings based on the threat group classification system (refer to Table 1 below) that S2W analysts have been managing separately.\r\n✅ Report Title:\r\nThreat Tracking: Analysis of puNK-003’s Lilith RAT ported to AutoIt Script\r\n*puNK: partially unidentified North Korean threat actor\r\n✅ Executive Summary:\r\n📌 Malware Disguised as a List of Supporting Documents Related to Tax Evasion Reports (LNK)\r\nOn April 24, 2024, S2W's Threat Research and Intelligence Center, TALON, discovered and analyzed an LNK malware disguised as a document related to tax evasion reports.\r\nWhen the LNK file is executed, it drops and displays a decoy document included within the file and downloads additional files from a hardcoded attacker server. The downloaded files consist of a malicious AutoIt script and a legitimate AutoIt3 executable used to run the script. Ultimately, the AutoIt script executes the Lilith RAT malware that has been reimplemented in AutoIt.\r\n📌 Inferring the Attack Group Through Malware Analysis (Comparison with KONNI Group)\r\nThe recently discovered LNK malware exhibits characteristics of the North Korean-backed KONNI group, particularly in the composition of the PowerShell commands included in the execution parameters and the fact that the downloaded files are all reimplemented as AutoIt scripts.\r\nHowever, there are differences in the execution purpose between this malware and the LNK malware used by the KONNI group. The former acts as a Downloader, while the latter functions as a Dropper. Additionally, in this attack campaign, there is a notable absence of VBS and BAT script-based malware, which are commonly used by the KONNI group. Based on these differences, S2W TALON has distinguished between the two attack groups.\r\n📌 Analysis of North Korean-backed Attack Group puNK\r\nTALON separately manages unidentified threat groups, and among them, North Korean-backed attack groups are tracked under the name \"puNK.\" The list of puNK groups tracked by TALON is shown in Table 1.\r\nThe entity responsible for distributing this malware has been designated as \"puNK-003,\" and the LNK malware they use, which serves as a Downloader, has been named \"CURKON.\"\r\n🧑‍💻 Report Author: S2W TALON (Jiho Kim)\r\n👉 Learn more: https://bit.ly/3yKzuFn\r\nSource: https://s2w.inc/en/resource/detail/581",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://s2w.inc/en/resource/detail/581"
	],
	"report_names": [
		"581"
	],
	"threat_actors": [
		{
			"id": "aa65d2c9-a9d7-4bf9-9d56-c8de16eee5f4",
			"created_at": "2025-08-07T02:03:25.096857Z",
			"updated_at": "2026-04-10T02:00:03.659118Z",
			"deleted_at": null,
			"main_name": "NICKEL JUNIPER",
			"aliases": [
				"Konni",
				"OSMIUM",
				"Opal Sleet"
			],
			"source_name": "Secureworks:NICKEL JUNIPER",
			"tools": [
				"Konni"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b43c8747-c898-448a-88a9-76bff88e91b5",
			"created_at": "2024-02-02T02:00:04.058535Z",
			"updated_at": "2026-04-10T02:00:03.545252Z",
			"deleted_at": null,
			"main_name": "Opal Sleet",
			"aliases": [
				"Konni",
				"Vedalia",
				"OSMIUM"
			],
			"source_name": "MISPGALAXY:Opal Sleet",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e525bbd2-d1a5-4f35-bd4a-927ad0517723",
			"created_at": "2025-05-29T02:00:03.206997Z",
			"updated_at": "2026-04-10T02:00:03.86216Z",
			"deleted_at": null,
			"main_name": "puNK-003",
			"aliases": [],
			"source_name": "MISPGALAXY:puNK-003",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434194,
	"ts_updated_at": 1775826723,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f058f562cfdfdc5aea92985f74627e3f507edb1b.pdf",
		"text": "https://archive.orkl.eu/f058f562cfdfdc5aea92985f74627e3f507edb1b.txt",
		"img": "https://archive.orkl.eu/f058f562cfdfdc5aea92985f74627e3f507edb1b.jpg"
	}
}