{
	"id": "7dd74e36-e4e1-4b24-b9b3-c55ad6ee96ab",
	"created_at": "2026-04-06T00:08:15.074865Z",
	"updated_at": "2026-04-10T03:37:41.125091Z",
	"deleted_at": null,
	"sha1_hash": "f47cabf491ff1a3e54b07989853f77a10f662934",
	"title": "Unveil the evolution of Kimsuky targeting Android devices with newly discovered mobile malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 6336256,
	"plain_text": "Unveil the evolution of Kimsuky targeting Android devices with newly discovered mobile malware\r\nBy S2W\r\nPublished: 2023-03-21 · Archived: 2026-04-05 17:40:56 UTC\r\nAuthor: Sebin, Lee \u0026 Yeongjae, Shin | S2W TALON\r\nLast Modified : Oct 24, 2022\r\nhttps://medium.com/s2wblog/unveil-the-evolution-of-kimsuky-targeting-android-devices-with-newly-discovered-mobile-malware-280dae5a650f\r\nPage 1 of 30\r\nPhoto by Afif Ramdhasuma on Unsplash\r\nExecutive Summary\r\nS2W’s threat research and intelligence center, Talon, recently identified three new types of malware that target Android devices.\r\nWe named the malicious APKs FastFire, FastViewer, and FastSpy after the word ‘Fast’ included in their package names and the characteristics of each.\r\nAs a result of analyzing the APKs, we found a significant association with past campaigns attributed to the Kimsuky group.\r\nThe FastFire malware is disguised as a Google security plugin, the FastViewer malware disguises itself as “Hancom Office Viewer”, and FastSpy is a remote access tool based on AndroSpy.\r\nAll three APKs were recently confirmed to have been developed by the Kimsuky group, and FastViewer \u0026 FastSpy were actually used to attack South Koreans.\r\nSince the Kimsuky group’s mobile targeting strategy is getting more advanced, it is necessary to be careful about sophisticated attacks targeting Android devices.\r\nAn understanding of the Kimsuky group’s new strategy for targeting mobile devices, as described here, will help to prevent infection proactively.\r\n— Be careful not to open phishing pages on mobile\r\n— Be careful not to download viewer programs and document files from third parties or anyone else.\r\nIntroduction\r\nThe North Korean hacking group Kimsuky (aka Thallium, Black Banshee) first became active in 2012 and has carried out attacks on targets engaged in media, research, politics, diplomacy, etc. around the world. The group mainly attempts to collect information by distributing malware and taking over accounts through spear-phishing attacks. Attacks have mainly targeted Windows, though attacks on Android devices have likewise been discovered.\r\nIn November 2020, we found the mobile version of the AppleSeed family used by the Kimsuky group. In that sample, the group even called themselves Thallium, a name given by Microsoft. We published our analysis at VB2021 localhost.\r\nIn April 2021, a malicious APK disguised as a mobile security program of KISA (Korea Internet \u0026 Security Agency), to which KrCERT/CC belongs, was distributed. The APK was also a mobile version of the AppleSeed family. Once a device is infected with the malicious APK, it communicates with the C\u0026C server using the HTTP/S protocol, receives commands, and performs malicious behaviors such as stealing information from the infected device.\r\nFigure 1. Kimsuky’s APK\r\nS2W’s threat research and intelligence center, Talon, recently identified three new types of malware that target Android devices in the process of tracking the Kimsuky group. We named the three malicious APKs FastFire, FastViewer, and FastSpy after the word ‘Fast’ included in the package name of each malicious APK and the characteristics of each.\r\n1. FastFire is a malicious APK currently being developed by the Kimsuky group, disguised as a Google security plug-in. It receives commands from Firebase, an app development platform backed by Google, rather than receiving commands from the C\u0026C server through HTTP/S communication as in the traditional method.\r\n2. FastViewer malware disguises itself as “Hancom Viewer”, a mobile viewer program that can read the Hangul documents (.hwp) used in Korea, and downloads additional malware after stealing information from an infected device.\r\n3. The FastViewer malware downloads FastSpy, which receives commands from the attacker’s server through the TCP/IP protocol. FastSpy is developed based on the source code of AndroSpy, a remote control tool for Android devices that was released as open source.\r\nFastFire malware disguised as Google Security Plugin\r\nWhile analyzing the IP of a C\u0026C server domain used by the Kimsuky group in the past, we found a suspected malicious APK that the Kimsuky group is developing to target mobile devices. It is named “FastFire” because its package name contains “fastsecure” and it uses Firebase for C\u0026C communication.\r\nNo antivirus vendor on VirusTotal has classified the APK as malicious so far (detection result 0/64, as of 2022.10.18).\r\nFigure 2. FastFire malware in VirusTotal\r\nThe malicious APK has the package name com.viewer.fastsecure and disguises itself as Google Security Plugin. After installation, it hides its launcher icon so that the victim does not know that it is installed.\r\nFigure 3. Disguised as Google Security Plugin (보안 means Security)\r\nAPK File Certificate Information (Link)\r\nTable 1. APK File Certificate Information\r\nDetailed analysis of FastFire\r\nFastFire contains five malicious classes. After installation, only three classes are actually executed, and two classes are not. FastFire transmits a device token to the C\u0026C server, and then the C\u0026C server sends commands to the infected device through Firebase Cloud Messaging (FCM).\r\nFigure 4. MainActivity\r\n1. Request a permission\r\nWhen FastFire is executed, the MainActivity class is executed first, the message “You must grant permission to the Google Security Plugin in order to be safely downloaded.” is displayed, and the MANAGE_OVERLAY_PERMISSION permission is requested. If permission is granted, the message “Downloaded safely” is displayed.\r\nFigure 5. MainActivity\r\n2. C\u0026C Communication in Services\r\nIn the manifest file of FastFire, two classes are specified to be executed as services. Of these, only the MyFirebaseMessagingService class is actually executed.\r\nFigure 6. Service in Manifest\r\nStartModuleService\r\nThe StartModuleService class is specified in the manifest, but it is not actually executed when FastFire is running. This class performs the function of opening a specific HTML page through the Android VIEW intent.\r\nFigure 7. StartModuleService\r\nstartmodule\r\nThe startmodule class is neither in the manifest nor called by another class, but malicious code is implemented in it. The Kimsuky group conducts phishing attacks that imitate large Korean portal sites such as Naver and Daum in order to hijack accounts, and the FastFire malware also targets these two portal sites. If the string “naver”, “daum” or “facebook” exists in the value received as an argument when the startmodule class is called, it connects to the C\u0026C server and gets an HTML page. As that class is not actually called, it is likely still in development.\r\nhxxp[:]//mc.pzs[.]kr/themes/mobile/images/about/temp/android/naver.html\r\nhxxp[:]//mc.pzs[.]kr/themes/mobile/images/about/temp/android/daum.html\r\nhxxp[:]//mc.pzs[.]kr/themes/mobile/images/about/temp/android/facebook.html\r\nFigure 8. startmodule\r\nMyFirebaseMessagingService\r\nFirebase is a mobile development platform that provides various necessary functions such as DB, authentication, and messaging. Using this, message payloads can include a notification property that the Firebase SDKs intercept and attempt to display as a visible notification to users.\r\nThe MyFirebaseMessagingService class performs malicious behaviors by receiving commands through Firebase Cloud Messaging (FCM). FastFire generates a device token to use FCM, and the token value is transmitted to the C\u0026C server. After obtaining the token, the attacker makes a request to Firebase to send a message payload containing the attacker’s command to the infected device. In response to the request, Firebase sends the message to the device.\r\nhxxp[:]//navernnail[.]com/fkwneovjubske4gv/report_token/report_token.php?token=[Device token]\r\nFigure 9. C\u0026C Communication Flow via FastFire\r\nWhen the command is received, the onMessageReceived method is executed to perform an action. If the data of my_custom_key exists in the message, FastFire reads an HTML file from the C\u0026C server and opens the deep link that takes the user to a specific page in an app. The HTML file is chosen according to whether the value is “naver”, “daum”, or “facebook”.\r\nhxxp[:]//navernnail[.]com/fkwneovjubske4gv/android/naver.html\r\nhxxp[:]//navernnail[.]com/fkwneovjubske4gv/android/daum.html\r\nhxxp[:]//navernnail[.]com/fkwneovjubske4gv/android/facebook.html\r\nFigure 10. onMessageReceived\r\n3. Additional C\u0026C Server and Malicious Pages\r\nAfter further analysis of FastFire’s infrastructure, an additional domain assigned to the resolved IP of FastFire’s C\u0026C server was discovered. Since the domain hosts the same specific HTML files in the same directory path as FastFire’s, it is also identified as another C\u0026C server used by Kimsuky.\r\nFastFire’s C\u0026C Server: navernnail[.]com (23.106.122[.]16, SG)\r\nAdditional C\u0026C server: goooglesecurity[.]com (23.106.122[.]16, SG)\r\nThe HTML file obtained from the additional C\u0026C server performs the function of calling a specific application through a deep link on an Android device. FastFire takes the user to a specific page in an app using the deep link according to the command, but the values in the secured HTML were all unidentified. The attacker is expected to fill in that value with a test APK name “[Target]_host” or a random string for testing.\r\nFigure 11. facebook.html\r\nTable 2. HTML pages in the additional C\u0026C server\r\nGenerally, a notification sent from Firebase is handled with the onMessageReceived method. However, this feature is not performed, as the method is not implemented. Also, in a separate function for testing notifications, messages related to Facebook and Google are included in Turkish.\r\nFigure 12. Firebase notification handler test function\r\nFigure 13. Separated notification test function\r\nIn addition, a file “fcm.html” was secured; it calls the fcm_host through the deep link and downloads additional malicious code.\r\nhxxp[:]//goooglesecurity[.]com/fkwneovjubske4gv/android/fcm.html\r\nFigure 14. fcm.html\r\nAs such, FastFire is believed to be a new mobile malware currently being developed by the Kimsuky group, in that the deep link calling function is not yet properly implemented and there are classes that are not actually executed.\r\nFastViewer \u0026 FastSpy disguised as Hancom Office Viewer\r\nIn addition to FastFire, we discovered a mobile RAT that impersonates “Hancom Office Viewer”. “Hancom Office Viewer” is a mobile document viewer application used to view Microsoft Word, PDF, or ‘Hangul (.hwp)’ documents, and the number of downloads on the Google Play store is over 10 million.\r\nFastViewer normally functions as a document viewer, but when it reads a document file specially created by an attacker, it performs malicious behaviors. The first 4 bytes of the file are checked to determine whether the document was created by the attacker, and if the conditions are met, device information is transmitted to the C\u0026C server. After that, FastViewer additionally downloads the FastSpy malware and executes it in memory to perform additional malicious actions.\r\nFigure 15. Overall attack flow\r\nFastViewer is a repackaged APK created by inserting the attacker’s malicious code into the normal Hancom Office Viewer app, and its package name, app name, and icon are very similar to the normal app.\r\n8420236c32f0991feaa7869549abdb97 (Hancom Office Viewer)\r\n3458daa0dffdc3fbb5c931f25d7a1ec0 (FastViewer)\r\nTable 3. App Information (Hancom Office Viewer VS FastViewer)\r\nFastViewer is signed with a JKS certificate (a Java-based certificate format). The certificate information is as follows. (Link)\r\nTable 4. FastViewer Certificate Information\r\nDetailed analysis of FastViewer \u0026 FastSpy\r\n1. String decryption algorithm\r\nThe strings used in FastViewer are decrypted by a custom algorithm. The encrypted string is used as the first argument, and the index of the key table is used as the second argument. After obtaining a key pair using the value of the XOR key table corresponding to the index, XOR is performed alternately from the back of the encrypted string.\r\nFigure 16. String Decryption Flow\r\nFigure 17. Decrypt function\r\n2. Request permissions\r\nFastViewer requests additional permissions from users for malicious actions such as receiving commands, persistence, and spying. FastViewer abuses accessibility, so it checks whether accessibility is enabled before performing malicious behaviors.\r\nThe class that requests the permissions is named “HiPermission”, which is an open-source library that was released in the past. It is believed that the Kimsuky group partially modified the source code and applied it to FastViewer.\r\nTable 5. Permissions Requested\r\nFigure 18. Permission request\r\n3. Check the header of document files\r\nMalicious behavior operates when a special document file created by an attacker is read, by checking whether the first 4 bytes of the file are “EDC%”. It then changes “EDC%” back to the original 4 bytes, converting it to a normal document and displaying it to the user, while executing malicious behavior in the background.\r\nDepending on the calling condition, the malicious behavior that matches the value of the variable “StrOpt” is performed.\r\nTable 6. Conditions to execute Malicious Code\r\n4. C\u0026C Communication\r\nFastViewer collects information about the device and sends it to the C\u0026C server as the ati parameter. If the app acquires permissions on the device and successfully gets the device’s IMEI value, the ati parameter is assigned “Kur-{Device IMEI}_{Device IMEI}”. If the IMEI value cannot be acquired due to permission failure or other problems, ati is assigned “Kur-null_error_imei”.\r\n(Success) hxxp://23.106.122[.]16/dash/index.php?\u0026ati=Kur-{Device IMEI}_{Device IMEI}\r\n(Fail) hxxp://23.106.122[.]16/dash/index.php?\u0026ati=Kur-null_error_imei\r\nAfter that, the data that FastViewer receives from the C\u0026C server is as follows, and it determines whether to download additional modules by comparing the version variable defined in FastViewer with the version value received from the server. If the response value is “ok”, only simple information stealing is performed, and no additional module is downloaded.\r\n(Response) version:0|rat:on|ip:23.106.122[.]16|port:4545|package:com.example.res|interval:120\r\nTable 7. Response from Server\r\nAs above, when information about the additional module is successfully received, the request to download the module is sent to the C\u0026C server. The version value is the value received from the server.\r\n(Download request) hxxp://23.106.122[.]16/dash/patch.php?name=Image{version}.bin\u0026ati={Device IMEI}\r\n5. Download an additional module — FastSpy\r\nThe downloaded module is a compressed DEX file, and the original data is extracted through base64 decoding and GZIP decompression in memory. The extracted file is FastSpy, which performs remote control.\r\nAfter data extraction, the malicious class in the in-memory DEX is dynamically called through the LoadClass API that matches the SDK version of the device. If the class is successfully called, the decrypted DEX is saved as image{version}.bin in the app install path.\r\nInstall Path: {App install path}/image{version}.bin\r\nFilename: image0.bin (version: 0)\r\nPackage Name: com.example.res\r\nMD5 hash (Compressed): aefa23b91cc667be041cad40abbfa043\r\nMD5 hash (Extracted): 89f97e1d68e274b03bc40f6e06e2ba9a\r\nFigure 20. Downloaded file\r\nFigure 21. Extracted file\r\nWhen FastSpy is executed, the internally stored C\u0026C server information is compared with the information previously received from the C\u0026C server. If the two values are different, the information in memory is updated with the information received from the server.\r\nFigure 22. Internally stored C\u0026C server information\r\nFastSpy could abuse the accessibility API obtained from FastViewer to get additional privileges without the user’s consent. If FastSpy requests a specific permission for malicious behaviors, a pop-up window requesting the permission is displayed. In this case, FastSpy automates clicking the “Agree” button in the window, so that FastSpy acquires the permission itself without interaction with the user. However, this function is not actually called in the FastSpy sample we secured.\r\nThe above method is similar to the method used by the earlier Malibot malware to bypass Google MFA authentication.\r\nFigure 23. sendAutoAction\r\nFigure 24. clickAllowButton (Caller: sendAutoAction)\r\nFastSpy can take control of infected devices, hijack phone and SMS information, or identify the device’s location and monitor it in real time through the camera, microphone, speaker, GPS, or keystrokes.\r\nIn addition, the attacker can access files on the infected device and send them to the C\u0026C server. For exfiltration, the file is compressed with the gzip algorithm and base64-encoded, the same scheme used to deliver FastSpy.\r\nTable 8. Malicious behaviors performed by FastSpy\r\nCorrelation between FastSpy and AndroSpy\r\nFastSpy and AndroSpy have similar characteristics in method names, message format, functions, and code. AndroSpy is an open-source RAT malware that was released in 2018 and has the characteristic that its methods and key variables are named in Turkish.\r\nTable 9. Features of Malware (AndroSpy VS FastSpy)\r\nTable 10. Functions (AndroSpy VS FastSpy)\r\nAttribution\r\nAs a result of analyzing the association between the FastFire, FastViewer, and FastSpy malware and the Kimsuky group, it was found that FastFire’s C\u0026C server domain was also used in the “다양한 주제의 보도자료를 사칭한 Kimsuky 공격시도” (“Kimsuky attack attempts impersonating press releases on various topics”) campaign carried out by the Kimsuky group in the past.\r\nComparing the C\u0026C URL released at the time with FastFire’s C\u0026C URL, the same domain was used for both campaigns, and a path under the temp directory was used in both. In addition, the group mainly impersonates large Korean portal sites (Naver and Daum) in order to steal information from the target.\r\nTable 11. Comparing C\u0026C URLs\r\nThe domains (navernnail[.]com, goooglesecurity[.]com) used by the FastFire malware have a history of resolving to 23[.]106.122.16 in the past, and this IP was also used as the distribution site and C\u0026C server for FastViewer and FastSpy.\r\nSince the signing dates of FastViewer and FastFire both fall within the period in which the navernnail[.]com domain was bound to 23[.]106.122.16 (Singapore), all three malware families and the infrastructure were in use by Kimsuky at the same time.\r\nIn addition, the fact that goooglesecurity[.]com, an additionally verified C\u0026C server of FastFire, resolves to the same IP also supports this point.\r\nFigure 25. Overlapped time\r\nTable 12. FastFire’s C\u0026C Domain \u0026 resolved IP\r\nFigure 26. Overall infrastructure\r\nDuring the analysis, there was a directory listing vulnerability in navernnail[.]com, so we were able to collect the files existing on the server. Among them, the key_ps.txt file has code similar to the keylogging script used by the Kimsuky group in the past, and the same mutex name is also used.\r\nFilename: key_ps.txt\r\nMD5 : 5D56371944DEC9DA57DB95D0199DD920\r\nMutex name: Global\\AlreadyRunning191122\r\nReference: https://twitter.com/_brkdwn_/status/1235531480777887744\r\nFigure 27. Directory Listing\r\nFigure 28. Kimsuky’s keylogger script (key_ps.txt)\r\nIn addition, the info_sc.txt file was also confirmed to have similarities with the Kimsuky group. On February 18, 2022, a malicious document disguised as the customer center of Klip, a virtual asset wallet service in Korea, downloaded a very similar script.\r\nReference: https://blog.alyac.co.kr/m/4501?category=957259\r\nConclusion\r\nThe Kimsuky group has continuously performed attacks targeting mobile devices to steal the target’s information. The use of Firebase, a legitimate service, as the C\u0026C channel in FastFire is an advance in their tactics. In addition, various attempts are being made to bypass detection by customizing AndroSpy, an open-source RAT. In the future, caution is required as the Kimsuky group may distribute malicious code with similar functions and variants to Android devices.\r\nLike FastViewer, sophisticated attack vectors are used to attack only specific targets, and existing open-source projects are actively used to create high-performance variants such as FastSpy. Since the Kimsuky group’s mobile targeting strategy is getting more advanced, it is necessary to be careful about sophisticated attacks targeting Android devices.\r\nAppendix A. IoC\r\nIoC: Link\r\nAppendix B. Mobile MITRE ATT\u0026CK\r\nMobile MITRE ATT\u0026CK: Link\r\nAppendix C. Decryption key \u0026 Decrypted strings (FastViewer, FastSpy)\r\nDecryption key table\r\nDecrypted strings\r\nReference\r\nhttps://www.malwarebytes.com/blog/news/2022/08/woody-rat-a-new-feature-rich-malware-spotted-in-the-wild\r\nhttps://twitter.com/malwrhunterteam/status/1534184385313923072\r\nhttps://twitter.com/_brkdwn_/status/1235531480777887744\r\nhttps://blog.alyac.co.kr/m/4501?category=957259\r\nSource: https://medium.com/s2wblog/unveil-the-evolution-of-kimsuky-targeting-android-devices-with-newly-discovered-mobile-malware-280dae5a650f",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://medium.com/s2wblog/unveil-the-evolution-of-kimsuky-targeting-android-devices-with-newly-discovered-mobile-malware-280dae5a650f"
	],
	"report_names": [
		"unveil-the-evolution-of-kimsuky-targeting-android-devices-with-newly-discovered-mobile-malware-280dae5a650f"
	],
	"threat_actors": [
		{
			"id": "191d7f9a-8c3c-442a-9f13-debe259d4cc2",
			"created_at": "2022-10-25T15:50:23.280374Z",
			"updated_at": "2026-04-10T02:00:05.305572Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"Kimsuky",
				"Black Banshee",
				"Velvet Chollima",
				"Emerald Sleet",
				"THALLIUM",
				"APT43",
				"TA427",
				"Springtail"
			],
			"source_name": "MITRE:Kimsuky",
			"tools": [
				"Troll Stealer",
				"schtasks",
				"Amadey",
				"GoBear",
				"Brave Prince",
				"CSPY Downloader",
				"gh0st RAT",
				"AppleSeed",
				"Gomir",
				"NOKKI",
				"QuasarRAT",
				"Gold Dragon",
				"PsExec",
				"KGH_SPY",
				"Mimikatz",
				"BabyShark",
				"TRANSLATEXT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "760f2827-1718-4eed-8234-4027c1346145",
			"created_at": "2023-01-06T13:46:38.670947Z",
			"updated_at": "2026-04-10T02:00:03.062424Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"G0086",
				"Emerald Sleet",
				"THALLIUM",
				"Springtail",
				"Sparkling Pisces",
				"Thallium",
				"Operation Stolen Pencil",
				"APT43",
				"Velvet Chollima",
				"Black Banshee"
			],
			"source_name": "MISPGALAXY:Kimsuky",
			"tools": [
				"xrat",
				"QUASARRAT",
				"RDP Wrapper",
				"TightVNC",
				"BabyShark",
				"RevClient"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c8bf82a7-6887-4d46-ad70-4498b67d4c1d",
			"created_at": "2025-08-07T02:03:25.101147Z",
			"updated_at": "2026-04-10T02:00:03.846812Z",
			"deleted_at": null,
			"main_name": "NICKEL KIMBALL",
			"aliases": [
				"APT43 ",
				"ARCHIPELAGO ",
				"Black Banshee ",
				"Crooked Pisces ",
				"Emerald Sleet ",
				"ITG16 ",
				"Kimsuky ",
				"Larva-24005 ",
				"Opal Sleet ",
				"Ruby Sleet ",
				"SharpTongue ",
				"Sparking Pisces ",
				"Springtail ",
				"TA406 ",
				"TA427 ",
				"THALLIUM ",
				"UAT-5394 ",
				"Velvet Chollima "
			],
			"source_name": "Secureworks:NICKEL KIMBALL",
			"tools": [
				"BabyShark",
				"FastFire",
				"FastSpy",
				"FireViewer",
				"Konni"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "71a1e16c-3ba6-4193-be62-be53527817bc",
			"created_at": "2022-10-25T16:07:23.753455Z",
			"updated_at": "2026-04-10T02:00:04.73769Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"APT 43",
				"Black Banshee",
				"Emerald Sleet",
				"G0086",
				"G0094",
				"ITG16",
				"KTA082",
				"Kimsuky",
				"Larva-24005",
				"Larva-25004",
				"Operation Baby Coin",
				"Operation Covert Stalker",
				"Operation DEEP#DRIVE",
				"Operation DEEP#GOSU",
				"Operation Kabar Cobra",
				"Operation Mystery Baby",
				"Operation Red Salt",
				"Operation Smoke Screen",
				"Operation Stealth Power",
				"Operation Stolen Pencil",
				"SharpTongue",
				"Sparkling Pisces",
				"Springtail",
				"TA406",
				"TA427",
				"Thallium",
				"UAT-5394",
				"Velvet Chollima"
			],
			"source_name": "ETDA:Kimsuky",
			"tools": [
				"AngryRebel",
				"AppleSeed",
				"BITTERSWEET",
				"BabyShark",
				"BoBoStealer",
				"CSPY Downloader",
				"Farfli",
				"FlowerPower",
				"Gh0st RAT",
				"Ghost RAT",
				"Gold Dragon",
				"GoldDragon",
				"GoldStamp",
				"JamBog",
				"KGH Spyware Suite",
				"KGH_SPY",
				"KPortScan",
				"KimJongRAT",
				"Kimsuky",
				"LATEOP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Lovexxx",
				"MailPassView",
				"Mechanical",
				"Mimikatz",
				"MoonPeak",
				"Moudour",
				"MyDogs",
				"Mydoor",
				"Network Password Recovery",
				"PCRat",
				"ProcDump",
				"PsExec",
				"ReconShark",
				"Remote Desktop PassView",
				"SHARPEXT",
				"SWEETDROP",
				"SmallTiger",
				"SniffPass",
				"TODDLERSHARK",
				"TRANSLATEXT",
				"Troll Stealer",
				"TrollAgent",
				"VENOMBITE",
				"WebBrowserPassView",
				"xRAT"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434095,
	"ts_updated_at": 1775792261,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f47cabf491ff1a3e54b07989853f77a10f662934.pdf",
		"text": "https://archive.orkl.eu/f47cabf491ff1a3e54b07989853f77a10f662934.txt",
		"img": "https://archive.orkl.eu/f47cabf491ff1a3e54b07989853f77a10f662934.jpg"
	}
}