{
	"id": "9f8d3ba3-d4e7-4e68-a4d5-e6a517a76caa",
	"created_at": "2026-04-06T00:17:18.230132Z",
	"updated_at": "2026-04-10T03:37:40.652369Z",
	"deleted_at": null,
	"sha1_hash": "f617ffb583ff35a15e26152b1f24cf5e37d22b67",
	"title": "MoonPeak malware from North Korean actors unveils new details on attacker infrastructure",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2375702,
	"plain_text": "MoonPeak malware from North Korean actors unveils new details on attacker infrastructure\r\nBy Asheer Malhotra\r\nPublished: 2024-08-21 · Archived: 2026-04-05 13:00:59 UTC\r\nCisco Talos is exposing infrastructure we assess with high confidence is being used by a state-sponsored North Korean nexus of threat actors we track as “UAT-5394,” including staging servers, command and control (C2) servers, and test machines the threat actors use to test their implants. \r\nOur analysis of the threat actor’s infrastructure indicates they pivoted across C2s and staging servers to set up new infrastructure and modify existing servers. \r\nThis campaign consists of distributing a variant of the open-source XenoRAT malware we're calling “MoonPeak,” a remote access trojan (RAT) being actively developed by the threat actor. \r\nAnalysis of XenoRAT against the MoonPeak malware samples we’ve discovered so far illustrates the evolution of the malware family after it was forked by the threat actors. \r\nCisco Talos has uncovered a new remote access trojan (RAT) family we are calling “MoonPeak.” This is a XenoRAT-based malware which is under active development by a North Korean nexus cluster we are calling “UAT-5394.” Our analysis of infrastructure used in the campaign reveals additional links to the UAT-5394 infrastructure and new tactics, techniques and procedures (TTPs) of the threat actor. \r\nIn a recent report, AhnLab disclosed a spear-phishing campaign employing an early variant of XenoRAT, an open-source RAT family, which evolved into what we track as “MoonPeak.” \r\nThis cluster of activity has some overlaps in TTPs and infrastructure patterns with the North Korean state-sponsored group “Kimsuky”; however, we do not have substantial technical evidence to link this campaign with the APT. 
\r\nSince Kimsuky has been rapidly evolving and upgrading their infrastructure and tooling since 2024, the development and usage of a new RAT in this specific campaign raises two possibilities we must consider: \r\nEither UAT-5394 is actually Kimsuky (or a sub-group within Kimsuky) and they are replacing QuasarRAT with MoonPeak. (We have observed UAT-5394 actively setting up and operating QuasarRAT C2 servers before they eventually adopted the use of XenoRAT and MoonPeak.) \r\nOr, UAT-5394 is another group within the North Korean APT machinery that borrows their TTPs and infrastructure patterns from Kimsuky. \r\nWe will, for the time being, consider this cluster of activity an independent campaign owned and operated under the UAT-5394 moniker until we have more intelligence to merge this campaign into Kimsuky’s attacks or determine that UAT-5394 is, in fact, a disparate/unique group operating within DPRK’s APT machinery. \r\nTalos’ research has uncovered the testing and staging infrastructure used to create new iterations of MoonPeak. The C2 server hosts malicious artifacts for download, which are then used to access and set up new infrastructure to support this campaign. In multiple instances, we also observed the threat actor access existing servers to update their payloads and retrieve logs and information collected from MoonPeak infections. Apart from accessing servers from other servers, the threat actors also accessed their infrastructure from VPN nodes. \r\nMapping out UAT-5394 infrastructure \r\nTalos’ analysis mapping out the infrastructure involved in this campaign led to a plethora of new servers owned, operated and administered by the threat actor. 
This infrastructure includes remote access and C2 servers, payload-hosting sites and even test virtual machines the attackers used to test their MoonPeak implants before distributing them to potential targets. \r\nhttps://blog.talosintelligence.com/moonpeak-malware-infrastructure-north-korea/\r\nPage 1 of 19\n\nThe net of the infrastructure can be mapped as: \r\nThe UAT-5394 activity over the past two months shows the interconnections between the several servers used by this threat actor. \r\nThe move from cloud services to attacker-owned infrastructure: 95[.]164[.]86[.]148 \r\nSince June 11, 2024, we saw a distinct shift in the actor’s tactics with respect to setting up supporting infrastructure. After AhnLab’s disclosure, UAT-5394 moved from hosting their malicious payloads on legitimate cloud storage providers to systems and servers they now owned and controlled. It is likely that this move was made to preserve their infections from potential shutdown of cloud locations by the service providers. \r\n95[.]164[.]86[.]148 is one of the earliest servers set up and actively used by UAT-5394, since at least June 12, 2024, to host malicious artifacts (described in AhnLab’s disclosure); it also served as a MoonPeak C2 server on Port 9999 until at least July 4, 2024. This C2 server was accessed during this time frame over RDP by 27[.]255[.]81[.]118, another UAT-5394 IOC resolving multiple malicious domains registered by the threat actors. \r\nOn July 5, 2024, the threat actors used 95[.]164[.]86[.]148 to RDP into a second malicious server, 167[.]88[.]173[.]173, which was already serving as a MoonPeak C2 on Port 9966. This RDP access to 167[.]88[.]173[.]173 resulted in a second deployment of MoonPeak’s C2 on Port 9936. 
\r\nIt is also worth noting that we observed the MoonPeak C2 server (95[.]164[.]86[.]148) connect to 84[.]247[.]179[.]77:443 between June 22 and July 2, 2024. 84[.]247[.]179[.]77 is a known C2 server for another open-sourced RAT family, QuasarRAT, and hosts an SSL cert with serial number “8cf5fb326e1e6d3015c3846f09c93b” and the CN listed as “Quasar Server CA.” Talos assesses with low confidence that the MoonPeak server may have been infected with QuasarRAT so that the threat actors had a parallel means of maintaining access to the C2 from the QuasarRAT C2. \r\nA pivotal server - 167[.]88[.]173[.]173 \r\n167[.]88[.]173[.]173 is a high-flux server that has changed operating systems and web servers four times in less than two months. Looking at passive DNS data, this would seem like a Linux server owned by the Gamaredon APT, a threat group allegedly linked to the Russian FSB by the Security Service of Ukraine (SSU). However, our analysis has found a window of time in which we assess with high confidence that the IP was under UAT-5394 ownership and control. \r\nBetween June 30 and July 8, 2024, this server ran the Windows Server 2022 operating system and was under the ownership of UAT-5394. During this time, specifically on July 2, 2024, UAT-5394 compiled MoonPeak v2 malware samples pointing to this C2’s Port 9966. \r\nThis IP was also accessed by two other IP addresses, 45[.]87[.]153[.]79 and 45[.]95[.]11[.]52, over ports 9936 and 9966 on the same day; these are the C2 ports used by MoonPeak malware created by the threat actor. Both IP addresses, from AS 44477 (Stark Industries Solutions Ltd.), are important since we will later demonstrate that these are test machines/VMs used by the threat actors to test their implants. 
\r\nThe new MoonPeak C2 server was also accessed by the attackers over RDP (port 3389) from two other remote IP addresses, 80[.]71[.]157[.]55 and 95[.]164[.]86[.]148, during the time it was under UAT-5394's control. \r\nWe discovered that 167[.]88[.]173[.]173 resolves to and hosts an SSL certificate for pumaria[.]store, a malicious domain owned by UAT-5394. This domain later resolved to 104[.]194[.]152[.]251 on July 11, 2024, the same day that the threat actors tested another implant on one of their test VMs that connected back to this IP on Port 8936 — another XenoRAT infection — indicating that 104[.]194[.]152[.]251 was a new MoonPeak C2 being set up by the threat actors. \r\nFurthermore, we also found evidence that another of UAT-5394's test machines (80[.]71[.]157[.]55) also reached out to and communicated with the IP over Port 443 on July 8, 2024. Based on infection logs and network analysis, we assess with medium confidence that, in addition to remotely accessing other systems, this system (80[.]71[.]157[.]55) has also been used to test MoonPeak infections since January 2024, and that the HTTPS (443) communication with 104[.]194[.]152[.]251 is one of these tests. \r\nOur analysis deems 104[.]194[.]152[.]251 a malicious C2 server for communicating with the MoonPeak malware; the threat actors were preparing to use the system in their malicious operations and had it ready for use by July 8, 2024. \r\nFrom C2 to C2: Finding a newly minted MoonPeak C2 \r\nTalos’ analysis of 104[.]194[.]152[.]251 between June and July 2024 revealed that it resolved to the pumaria[.]store and yoiroyse[.]store domains that we attribute to UAT-5394. 
\r\nWe also observed one of UAT-5394’s infection testing machines (45[.]87[.]153[.]79) communicate with this server over port 8936 (the same port used in MoonPeak v2) on July 11, 2024, reinforcing our assessment that 104[.]194[.]152[.]251 hosted a MoonPeak C2. \r\nWe also discovered that the threat actors used this system to access another IP address, 91[.]194[.]161[.]109, via RDP (port 3389) on July 11, 2024, to set up the IP address as the newest host for the malware and MoonPeak C2. \r\nEnter MoonPeak’s newest C2 server — 91[.]194[.]161[.]109 \r\n91[.]194[.]161[.]109 hosts multiple malicious artifacts including scripts to carry out the infection chain ultimately serving MoonPeak to targets. \r\nThe latest version of MoonPeak discovered on this server was built as recently as July 16, 2024, and connects to the server over Port 8936. \r\nOn the same day, we observed one of the threat actor’s test machines (45[.]95[.]11[.]52) begin communicating with this C2 server. \r\nBased on this timeline, it is likely that the threat actors built the MoonPeak implant, set up the C2 component and then executed MoonPeak on their test VM to test the correct functioning of the variant. \r\nThis MoonPeak server hosts other artifacts from the infection chain leading up to MoonPeak: \r\nA PHP file that serves malicious artifacts based on the “id” value provided. \r\nA PowerShell script (calc[.]txt) meant to pull down an RTF file from the remote host. The RTF is downloaded and then its first six bytes are replaced with the GZIP header. The resulting GZIP contains the MoonPeak malware that is executed on the compromised endpoint. \r\nAnother PowerShell script to replace the GZIP header bytes with those of an RTF. 
This script converts the GZIP to RTF and stores it on the server. \r\nVirtual machines for testing implants and infection chains \r\nWe discovered several instances of two virtual machines hosted on public IPs that reached out to various MoonPeak C2 servers over ports configured in the malware. \r\nThe timing of the communications over specific C2 ports corresponds to the compilation times of various MoonPeak samples we’ve discovered in this campaign so far. \r\nThese VMs, 45[.]87[.]153[.]79 and 45[.]95[.]11[.]52, have been used to test MoonPeak infections over Ports 9966, 9936, 8936 and 9999 since at least July 2, 2024. \r\nA third test machine, 80[.]71[.]157[.]55, was also used by UAT-5394, but it is a dual-purpose machine – testing infections and used to RDP into C2 servers. \r\nMoonPeak Malware – Slowly evolving toward evasion \r\nAn analysis of MoonPeak samples reveals an evolution in the malware and its corresponding C2 components that warranted the threat actors deploying their implant variants several times on their test machines. The constant evolution of MoonPeak runs hand-in-hand with new infrastructure set up by the threat actors. Each new increment of MoonPeak differs from the previous one in two aspects: \r\nJust enough additional obfuscation to make detection and identification more cumbersome. \r\nJust enough tweaks in the communication and peripheral characteristics of the malware and the corresponding XenoRAT server code to prevent unauthorized connections and instrumentation of MoonPeak malware and C2 servers. Simply put, the threat actors ensured that specific variants of MoonPeak only work with specific variants of the C2 server. 
\r\nEvolution of MoonPeak over time \r\nMoonPeak is based on publicly available source code for XenoRAT made available on GitHub around October 2023. While MoonPeak contains most of the functionality of the original XenoRAT, our analysis observed consistent changes throughout the variants that show the threat actors are modifying and evolving the code independently of the open-source version. \r\nThe samples used in this analysis were found based on characteristics matching the samples reported by AhnLab, which we are calling “MoonPeak v1,” as well as samples Talos independently found, which we are calling “MoonPeak v2.” We compared these samples with each other and with samples compiled by us from the original source code to understand the effect of each change. \r\nTalos also found a version of the MoonPeak source code which matches the samples built and used by UAT-5394 during the initial stages of their campaign, also reported by AhnLab, as we will demonstrate later. \r\nUnderstanding XenoRAT architecture \r\nBefore diving into the changes implemented in MoonPeak, a quick explanation of how XenoRAT works is necessary to understand the reason for some of the changes adopted by the threat actors. The original source code released by the developer contains a Visual Studio project including the code for a RAT client stub, the main server component and additional plugins the C2 server can deploy to the RAT. 
\r\nThe server can build a new RAT client based on the stub, modifying features like the C2 server address and port, mutex name, startup settings and the generated malware sample PE’s version properties: \r\nFor the implant to communicate back to this server, it needs to provide the proper encryption password and authentication string, and use the right compression protocol; these are defined in the server and client source code and need to match each other. A mismatch in settings will prevent a client/RAT/implant from effectively communicating with the C2 server. Therefore, a given XenoRAT sample is not necessarily compatible with every C2 server: a settings mismatch breaks the pairing. \r\nThe server can also deliver additional plugins to be executed by the client, but these plugins depend on code present in the client to properly execute. This can be seen in the plugin source code, which includes the client namespace as a prerequisite before executing. \r\nIf the implant uses a different namespace than the one used while compiling the server and plugins, an error will occur every time the server attempts to send a plugin to the client, even if the client provided the correct password and authentication string. \r\nMoonPeak changes over XenoRAT source code \r\nThe first change observed in MoonPeak samples, consistent across all version 1 and version 2 samples, is a change of the client namespace to “cmdline” instead of “xeno rat client.” With this simple change, any attempt to connect the MoonPeak implant to the original server code will fail, and vice versa: other variants of Xeno RAT will not work when connected to a MoonPeak server. \r\nThis is a typical example of updates made to the RAT by the threat actors to enable tactical evasion. 
The namespace change prevents rogue implants from connecting to their infrastructure and furthermore prevents their own implants from connecting to out-of-the-box XenoRAT C2 servers. \r\nAnother change consistent among all variants of MoonPeak is the forced use of compression before encryption in the communication protocol. While the original source code uses a variable to define whether compression should be applied before or after encryption, the modified code always assumes compression will happen before encryption, and the alternative code path was removed from the source project. \r\nOriginal code \r\nModified code \r\nThese changes were introduced in the MoonPeak source code early in the development, sometime around January - February 2024, since all versions of MoonPeak contain this modification.\r\nWhile we attempted to create a timeline of when these samples were created, we noticed the samples for MoonPeak v1 contained invalid timestamps in their “compiled date” field. \r\nAccording to Microsoft, this artifact is caused by the samples being compiled with the “/deterministic” parameter, included by default in the XenoRAT source code, which uses the timestamp field to store a hash of all the options used during compilation. That means we had to use the dates on which these samples were submitted to VirusTotal (VT) to get an idea of when they were compiled. All the samples for version 1 were compiled with this parameter, which is the default setting in Visual Studio. The samples for version 2, however, had valid timestamps, which indicate they were compiled without the option, a change made in the development environment by UAT-5394. The table below shows a summary of these dates. 
\r\nHash | Version | Creation Date\r\nfacf3b40a2b99cc15eee7b7aee3b36a57f0951cda45931fcde311c0cc21cdc71 | MoonPeak_V1 | 2/28/24 5:42 AM\r\nb8233fe9e903ca08b9b1836fe6197e7d3e98e36b13815d8662de09832367a98a | MoonPeak_V1 | 3/1/24 5:20 AM\r\n44e492d5b9c48c1df7ef5e0fe9a732f271234219d8377cf909a431a386759555 | MoonPeak_V1 | 3/1/24 5:35 AM\r\n97ba8d30cf8393c39f61f7e63266914ecafd07bd49911370afb866399446f37d | MoonPeak_V1 | 3/2/24 5:31 AM\r\n0b8897103135d92b89a83093f00d1da845a1eae63da7b57f638bab48a779808e | MoonPeak_V1 | 5/17/24 9:30 PM\r\n148c69a7a1e06dc06e52db5c3f5895de6adc3d79498bc3ccc2cbd8fdf28b2070 | MoonPeak_V2 | 7/2/2024 3:55:41 AM\r\n1ad43ddfce147c1ec71b37011d522c11999a974811fead11fee6761ceb920b10 | MoonPeak_V2 | 7/2/2024 2:49:59 AM\r\n458641936e2b41c425161a9b892d2aa08d1de2bc0db446f214b5f87a6a506432 | MoonPeak_V2 | 7/2/2024 3:39:03 AM\r\n8a4fbcdec5c08e6324e3142f8b8c41da5b8e714b9398c425c47189f17a51d07b | MoonPeak_V2 | 7/2/2024 6:06:17 AM\r\n293b1a7e923be0f554ec44c87c0981c9b5cf0f20c3ad89d767f366afb0c1f24a | MoonPeak_V2 | 7/16/2024 2:23:22 AM\r\nWe can see the group of samples were created close to each other, except 0b8897103135d92b89a83093f00d1da845a1eae63da7b57f638bab48a779808e, compiled around May 2024. This sample shares the same C2 server (159[.]100[.]29[.]122) with MoonPeak v1, albeit on a different port (8811). This is an interesting bridge between the two sample sets, as it starts to show changes to the code base present in future variants, indicating the threat actor actively updated the RAT code. \r\nThe first characteristic of this sample is that it does not contain code to authenticate to the C2 server. This code was intentionally removed from the client/RAT, leaving only the code to connect to the server port and immediately quit. 
Since this change would prevent the RAT from working as expected, we assess this version was intended to be a test sample used to test code changes before deploying actual malicious samples. \r\nThis version also introduces a change otherwise only observed in MoonPeak v2, which is the change to the class name used to store utility functions used by the RAT. This class is called “Utils” in the original source code and all other MoonPeak v1 samples, and changed to “Tools” in this sample and all subsequent MoonPeak v2 samples.\r\nFrom this point on, other changes were introduced in MoonPeak v2 samples to improve the obfuscation and thwart analysis. \r\nHash | Version | Uses StrObf | Uses ClassObf | Creation Date\r\n1ad43ddfce147c1ec71b37011d522c11999a974811fead11fee6761ceb920b10 | MoonPeak_V2 | no | yes | 7/2/2024 2:49:59 AM\r\n458641936e2b41c425161a9b892d2aa08d1de2bc0db446f214b5f87a6a506432 | MoonPeak_V2 | no | yes | 7/2/2024 3:39:03 AM\r\n148c69a7a1e06dc06e52db5c3f5895de6adc3d79498bc3ccc2cbd8fdf28b2070 | MoonPeak_V2 | yes | yes | 7/2/2024 3:55:41 AM\r\n8a4fbcdec5c08e6324e3142f8b8c41da5b8e714b9398c425c47189f17a51d07b | MoonPeak_V2 | yes | yes | 7/2/2024 6:06:17 AM\r\n293b1a7e923be0f554ec44c87c0981c9b5cf0f20c3ad89d767f366afb0c1f24a | MoonPeak_V2 | yes | yes | 7/16/2024 2:23:22 AM\r\nThese samples introduced the use of State Machines in MoonPeak. State Machines can be used to asynchronously perform tasks, and the original function now delegates the actual implementation to a member method of the State Machine. .NET analysis tools such as dnSpy will recognize the State Machine but hide the actual implementation of the function being delegated to the State Machine, making reversing of the malware a more cumbersome task. It is likely that the use of State Machines is a tactic used by UAT-5394 to prevent or thwart analysis attempts of the malware. 
\r\nILSpy, however, allows an analyst to view the State Machine and the actual implementation of the code. \r\nThe actual implementation in the State Machine above executes the original code present in the called class.\r\nThe number of functions changed and the complexity of the class names also increased with each variant above. We can observe these changes were introduced in a short span of time for the samples we found. An additional change added later was the obfuscation of strings used in the code. The obfuscation is a simple AES encryption with the key present in a .NET resource object and disguised as a Unicode string. \r\nThis change makes the analysis more demanding, as it is now necessary to decrypt the strings before extracting information like the C2 IP and port. \r\nMoonPeak source code \r\nDuring our investigation, we came across a ZIP file with a copy of the source code for XenoRAT, but upon closer inspection, we noticed the source code shared many characteristics with the MoonPeak v1 samples we found before. \r\nThe first thing we noticed was the change of the client namespace to “cmdline,” which, as explained above, was done to prevent unwanted clients from communicating with their server, and vice-versa. \r\nThe project folder also contained several pre-compiled binaries in both their debug and release versions. Even though the source code itself had the C2 hardcoded to the localhost IP 127[.]0[.]0[.]1, the compiled binaries all had the C2 configured to the IP used by MoonPeak v1: \r\nprivate static string ssssiiiii = \"159[.]100[.]29[.]122\";\r\nAnother similarity was present in the assembly information page inside the project properties. This page contains details about the project name, description, company, copyright information and assembly GUID. 
As an example, this is what the original XenoRAT source code contains: \r\nOn the other hand, all the MoonPeak v1 samples as well as the project inside the forked source code use a different GUID. \r\nWe can see the change in the Assembly Title also reflects the change made to the client namespace. The MoonPeak v2 samples, however, use a different GUID and assembly details than previous samples. \r\nThe timeline of consistent adoption of new malware and its evolution, as in the case of MoonPeak, highlights that UAT-5394 continues to add to and enhance the tooling in their arsenal. The rapid pace at which UAT-5394 establishes new supporting infrastructure indicates that the group is aiming to rapidly proliferate this campaign and set up more drop points and C2 servers. \r\nCoverage \r\nWays our customers can detect and block this threat are listed below. \r\nCisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here. \r\nCisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks. \r\nCisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here. \r\nCisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat. \r\nCisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products. 
\r\nUmbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here. \r\nCisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them. \r\nAdditional protections with context to your specific environment and threat data are available from the Firewall Management Center. \r\nCisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network. \r\nOpen-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. \r\nSplunk detections can alert users of this actor's typical TTPs or actions.\r\nIOCs \r\nIOCs for this research can also be found at our GitHub repository here. \r\nMoonPeak v1 \r\n0b8897103135d92b89a83093f00d1da845a1eae63da7b57f638bab48a779808e \r\n2b35ef3080dcc13e2d907f681443f3fc3eda832ae66b0458ca5c97050f849306 \r\n4108c5096a62c0a6664eed781c39bb042eb0adf166fcc5d64d7c89139d525d4f \r\n44e492d5b9c48c1df7ef5e0fe9a732f271234219d8377cf909a431a386759555 \r\n4599a9421e83fb0e2c005e5d9ac171305192beabe965f3385accaf2647be3e8e \r\n58fdc1b6ce4744d6331f8e2efc4652d754e803cae4cc16101fc78438184995e6 \r\n97ba8d30cf8393c39f61f7e63266914ecafd07bd49911370afb866399446f37d \r\na80a35649f638049244a06dd4fb6eca4de0757ef566bfbe1affe1c8bf1d96b04 \r\nb8233fe9e903ca08b9b1836fe6197e7d3e98e36b13815d8662de09832367a98a \r\nf4aa4c6942a87087530494cba770a1dcbc263514d874f12ba93a64b1edbae21c \r\nfacf3b40a2b99cc15eee7b7aee3b36a57f0951cda45931fcde311c0cc21cdc71 \r\n0ed643a30a82daacecfec946031143b962f693104bcb7087ec6bda09ade0f3cb \r\n41d4f7734fbf14ebcdf63f51093718fd5a22ec38a297c0dc3d7704a3fb48b3f9 \r\n6a3839788c0dafe591718a3fb6316d12ccd8e82dbcb41ce40e66b743f2dd344d \r\nMoonPeak v2 
\r\n148c69a7a1e06dc06e52db5c3f5895de6adc3d79498bc3ccc2cbd8fdf28b2070 \r\n1ad43ddfce147c1ec71b37011d522c11999a974811fead11fee6761ceb920b10 \r\n458641936e2b41c425161a9b892d2aa08d1de2bc0db446f214b5f87a6a506432 \r\n8a4fbcdec5c08e6324e3142f8b8c41da5b8e714b9398c425c47189f17a51d07b \r\n293b1a7e923be0f554ec44c87c0981c9b5cf0f20c3ad89d767f366afb0c1f24a \r\nPowerShell scripts \r\n6bf8a19deb443bde013678f3ff83ab9db4ddc47838cd9d00935888e00b30cee6 \r\n72a25d959d12e3efe9604aee4b1e7e4db1ef590848d207007419838ddbad5e3f \r\n15eee641978ac318dabc397d9c39fb4cb8e1a854883d8c2401f6f04845a79b4b \r\n3e39fc595db9db1706828b0791161440dc1571eaa07b523df9b721ad65e2369b \r\nf928a0887cf3319a74c90c0bdf63b5f79710e9f9e2f769038ec9969fcc8ee329 \r\n27202534cc03a398308475146f6710b790aa31361931d4fe1b495c31c3ed54f7 \r\nNetwork IOCs \r\n167[.]88[.]173[.]173 \r\n95[.]164[.]86[.]148 \r\n80[.]71[.]157[.]55 \r\n84[.]247[.]179[.]77 \r\n45[.]87[.]153[.]79 \r\n45[.]95[.]11[.]52 \r\n104[.]194[.]152[.]251 \r\nyoiroyse[.]store \r\npumaria[.]store \r\n27[.]255[.]81[.]118 \r\n212[.]224[.]107[.]244 \r\n27[.]255[.]80[.]162 \r\nnmailhostserver[.]store \r\n210[.]92[.]18[.]169 \r\n91[.]194[.]161[.]109 \r\nnsonlines[.]store \r\nSource: https://blog.talosintelligence.com/moonpeak-malware-infrastructure-north-korea/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA",
		"MISPGALAXY"
	],
	"references": [
		"https://blog.talosintelligence.com/moonpeak-malware-infrastructure-north-korea/"
	],
	"report_names": [
		"moonpeak-malware-infrastructure-north-korea"
	],
	"threat_actors": [
		{
			"id": "191d7f9a-8c3c-442a-9f13-debe259d4cc2",
			"created_at": "2022-10-25T15:50:23.280374Z",
			"updated_at": "2026-04-10T02:00:05.305572Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"Kimsuky",
				"Black Banshee",
				"Velvet Chollima",
				"Emerald Sleet",
				"THALLIUM",
				"APT43",
				"TA427",
				"Springtail"
			],
			"source_name": "MITRE:Kimsuky",
			"tools": [
				"Troll Stealer",
				"schtasks",
				"Amadey",
				"GoBear",
				"Brave Prince",
				"CSPY Downloader",
				"gh0st RAT",
				"AppleSeed",
				"Gomir",
				"NOKKI",
				"QuasarRAT",
				"Gold Dragon",
				"PsExec",
				"KGH_SPY",
				"Mimikatz",
				"BabyShark",
				"TRANSLATEXT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "760f2827-1718-4eed-8234-4027c1346145",
			"created_at": "2023-01-06T13:46:38.670947Z",
			"updated_at": "2026-04-10T02:00:03.062424Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"G0086",
				"Emerald Sleet",
				"THALLIUM",
				"Springtail",
				"Sparkling Pisces",
				"Thallium",
				"Operation Stolen Pencil",
				"APT43",
				"Velvet Chollima",
				"Black Banshee"
			],
			"source_name": "MISPGALAXY:Kimsuky",
			"tools": [
				"xrat",
				"QUASARRAT",
				"RDP Wrapper",
				"TightVNC",
				"BabyShark",
				"RevClient"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c8bf82a7-6887-4d46-ad70-4498b67d4c1d",
			"created_at": "2025-08-07T02:03:25.101147Z",
			"updated_at": "2026-04-10T02:00:03.846812Z",
			"deleted_at": null,
			"main_name": "NICKEL KIMBALL",
			"aliases": [
				"APT43 ",
				"ARCHIPELAGO ",
				"Black Banshee ",
				"Crooked Pisces ",
				"Emerald Sleet ",
				"ITG16 ",
				"Kimsuky ",
				"Larva-24005 ",
				"Opal Sleet ",
				"Ruby Sleet ",
				"SharpTongue ",
				"Sparking Pisces ",
				"Springtail ",
				"TA406 ",
				"TA427 ",
				"THALLIUM ",
				"UAT-5394 ",
				"Velvet Chollima "
			],
			"source_name": "Secureworks:NICKEL KIMBALL",
			"tools": [
				"BabyShark",
				"FastFire",
				"FastSpy",
				"FireViewer",
				"Konni"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "0e9d99dc-01ad-49a5-8357-5f147d38559b",
			"created_at": "2024-09-20T02:00:04.587227Z",
			"updated_at": "2026-04-10T02:00:03.701875Z",
			"deleted_at": null,
			"main_name": "UAT-5394",
			"aliases": [],
			"source_name": "MISPGALAXY:UAT-5394",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "236a8303-bf12-4787-b6d0-549b44271a19",
			"created_at": "2024-06-04T02:03:07.966137Z",
			"updated_at": "2026-04-10T02:00:03.706923Z",
			"deleted_at": null,
			"main_name": "IRON TILDEN",
			"aliases": [
				"ACTINIUM ",
				"Aqua Blizzard ",
				"Armageddon",
				"Blue Otso ",
				"BlueAlpha ",
				"Dancing Salome ",
				"Gamaredon",
				"Gamaredon Group",
				"Hive0051 ",
				"Primitive Bear ",
				"Shuckworm ",
				"Trident Ursa ",
				"UAC-0010 ",
				"UNC530 ",
				"WinterFlounder "
			],
			"source_name": "Secureworks:IRON TILDEN",
			"tools": [
				"Pterodo"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "71a1e16c-3ba6-4193-be62-be53527817bc",
			"created_at": "2022-10-25T16:07:23.753455Z",
			"updated_at": "2026-04-10T02:00:04.73769Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"APT 43",
				"Black Banshee",
				"Emerald Sleet",
				"G0086",
				"G0094",
				"ITG16",
				"KTA082",
				"Kimsuky",
				"Larva-24005",
				"Larva-25004",
				"Operation Baby Coin",
				"Operation Covert Stalker",
				"Operation DEEP#DRIVE",
				"Operation DEEP#GOSU",
				"Operation Kabar Cobra",
				"Operation Mystery Baby",
				"Operation Red Salt",
				"Operation Smoke Screen",
				"Operation Stealth Power",
				"Operation Stolen Pencil",
				"SharpTongue",
				"Sparkling Pisces",
				"Springtail",
				"TA406",
				"TA427",
				"Thallium",
				"UAT-5394",
				"Velvet Chollima"
			],
			"source_name": "ETDA:Kimsuky",
			"tools": [
				"AngryRebel",
				"AppleSeed",
				"BITTERSWEET",
				"BabyShark",
				"BoBoStealer",
				"CSPY Downloader",
				"Farfli",
				"FlowerPower",
				"Gh0st RAT",
				"Ghost RAT",
				"Gold Dragon",
				"GoldDragon",
				"GoldStamp",
				"JamBog",
				"KGH Spyware Suite",
				"KGH_SPY",
				"KPortScan",
				"KimJongRAT",
				"Kimsuky",
				"LATEOP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Lovexxx",
				"MailPassView",
				"Mechanical",
				"Mimikatz",
				"MoonPeak",
				"Moudour",
				"MyDogs",
				"Mydoor",
				"Network Password Recovery",
				"PCRat",
				"ProcDump",
				"PsExec",
				"ReconShark",
				"Remote Desktop PassView",
				"SHARPEXT",
				"SWEETDROP",
				"SmallTiger",
				"SniffPass",
				"TODDLERSHARK",
				"TRANSLATEXT",
				"Troll Stealer",
				"TrollAgent",
				"VENOMBITE",
				"WebBrowserPassView",
				"xRAT"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434638,
	"ts_updated_at": 1775792260,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f617ffb583ff35a15e26152b1f24cf5e37d22b67.pdf",
		"text": "https://archive.orkl.eu/f617ffb583ff35a15e26152b1f24cf5e37d22b67.txt",
		"img": "https://archive.orkl.eu/f617ffb583ff35a15e26152b1f24cf5e37d22b67.jpg"
	}
}