{
	"id": "38a73f52-0e33-4415-b2c9-70e9553dc737",
	"created_at": "2026-04-06T00:07:38.106398Z",
	"updated_at": "2026-04-10T03:37:40.834529Z",
	"deleted_at": null,
	"sha1_hash": "fbf7266e80d36d2762ba1a1e682820b5a1f54a40",
	"title": "tracking the king of the spear phishing",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4427878,
	"plain_text": "tracking the king of the spear phishing\r\nArchived: 2026-04-05 18:15:00 UTC\r\nVB2019 paper: Kimsuky group: tracking the king of the spear phishing\r\nJaeki Kim, Kyoung-Ju Kwak \u0026 Min-Chang Jang\r\nFinancial Security Institute, Republic of Korea\r\nAbstract\r\nThe Kimsuky group is a threat group that is known to have been behind the KHNP (Korea Hydro \u0026 Nuclear Power) cyber\r\nterrorism attacks of 2014 and is still active in 2019.\r\nSince 2018, we have been profiling and tracking spear-phishing emails and malicious code related to the Kimsuky group.\r\nThe spear-phishing emails used by the group have been determined to have the purpose of stealing web portal account\r\ninformation and delivering malicious code. The main targets are government and military officials, as well as journalists.\r\nWe have analysed the changing behaviour of the Kimsuky group through ongoing tracking of the IoCs related to Kimsuky,\r\nincluding simple account hijacking.\r\nIn this paper, we present the results of an analysis not only of the malware used by the Kimsuky group but also of server-side samples (tools and templates that send out spear-phishing emails, like a phishing rod) which we recently investigated.\r\nWe have also confirmed that the C\u0026C server used for the earlier attack continues to be used for various purposes, such as\r\ndistribution of malicious code, logging of infections, and sending phishing mail.\r\n1. Introduction\r\nIn September 2013, Kaspersky Lab announced an APT attack targeting major Korean agencies [1]. According to the data,\r\nthe Kimsuky group was using malicious Hangul documents, like other attack groups targeting Korea, and the attack featured\r\nremote control tools (such as Team Viewer) and communication channel configuration using webmail. 
In February and\r\nMarch 2014, attacks that seemed to have been carried out by the same group against Korean public institutions continued to\r\noccur [2].\r\nIn December 2014, an attempt was made to destroy PC disks by sending 5,986 spear-phishing emails to 3,571 employees of\r\nKorea Hydro \u0026 Nuclear Power Co., Ltd. However, only eight PCs were infected with malware, of which five hard disks\r\nwere initialized.\r\nThe malware used in this spear-phishing attack was similar in structure and operation to the malware used by the Kimsuky\r\ngroup, and the Hangul word processor vulnerability used in the malware was the same as that used in the Kimsuky malware.\r\nFrom these results, we inferred that the focus of the Kimsuky group was on social confusion and monitoring of North\r\nKorean defectors and politicians, rather than acquiring money.\r\nIn June 2015, a number of web portal email accounts were hacked, sending emails with malicious Hangul document files\r\nand phishing emails to steal portal account credentials. In January 2016, a large number of emails with malicious\r\nattachments were sent under the guise of ‘Office of National Security at the Blue House’ to government research institutes.\r\nAnalysis by related organizations identified the malicious attachment as Kimsuky malware [3].\r\nhttps://www.virusbulletin.com/virusbulletin/2020/03/vb2019-paper-kimsuky-group-tracking-king-spearphishing/\r\nPage 1 of 24\n\n2. Related cases\r\nIn January 2019, an email suspected to be carrying malicious code was sent to dozens of journalists, most of whom were\r\ncovering South Korea’s ministry in charge of relations with North Korea, prompting an investigation into the incident. The\r\nemail, which was entitled ‘TF reference info’ and had a compressed file attached, was sent to more than 70 reporters, most\r\nof whom were members of the unification ministry’s press corps. It was sent through a private email address from a person\r\nnamed ‘Yoon Hong-geun’. 
The ministry suspected that it contained malicious code designed for hacking [4]. This issue was\r\nknown variously as Operation Cobra Venom [5], Operation Kitty Phishing [6] and Operation Kabar Cobra [7].\r\n3. Toolset characteristics\r\nIn the process of tracking the Kimsuky group, we were able to acquire the mail-sending tools and malware used in various\r\nspear-phishing attacks. The attack tools used by the Kimsuky group can be broadly categorized into server-side toolkits and\r\nmalware.\r\nServer-side toolkits\r\nMailer (shape \u0026 core), beaconer, phisher, logger\r\nThe Kimsuky group created a mailing toolkit for attack and used it repeatedly. We found that, when constructing phishing\r\npages for account takeover, they reused the existing source code of the original site and specific arguments in the URL.\r\nFigure 1: Daum portal phishing page.\r\nMalware\r\nDropper (malicious or camouflaged HWP documents), script, infostealer\r\nThe malware used by the Kimsuky group in recent spear-phishing attacks includes a dropper that is a malicious or\r\ncamouflaged HWP file; a malicious script, which logs the infection to the C\u0026C server and downloads additional malware from it; and an\r\ninfostealer. Some infostealers have a module that downloads additional malware.\r\nExamples of the flow of malware used in spear-phishing attacks are shown in Figure 2.\r\nFigure 2: The flow of malware used in spear-phishing attacks.\r\nA classification of the attack tools used by the Kimsuky group is shown in Table 1.\r\nName No. 
Type Details\r\nMailer (shape) 1 Mailer Mailer (just shape)\r\nMailer (core) 2 Mailer Mailer (actual function) 1) Attachment of malware 2) Link to phishing page for account hijack\r\nBeaconer 3 Web beacon Beacon to check whether mail is being viewed\r\nPhisher 4 Account stealer, phishing Phishing toolkit(lod) phishing page for account stealing\r\nLogger 5 Logging, phishing Logging of phishing target information\r\nMalicious HWP 6 Dropper, spear phishing Malicious HWP documents\r\nCamouflaged HWP 7 Dropper, spear phishing Camouflaged HWP documents (e.g. sfx, exe)\r\nScript 8 Downloader, logging Downloads additional malware and logs (e.g. *.vbs, *.wsf, *.jse, *.ps1)\r\nInfostealer 9 C\u0026C, DLL, downloader, FTP logging Steals information from infected target and downloads additional malware (in some cases using FTP)\r\nTable 1: Kimsuky toolset.\r\n4. Tracking malware and monitoring C\u0026C servers\r\nAttacker ≠ defender: OpSec failures\r\nThe attacker and defender are on different sides [8]. In addition, an attacker who continues to attack does not have a good\r\nunderstanding of defence. There can be a difference between an attacking position and a defending position.\r\nAfter all, attackers are also in the position of developing malware and server-side toolkits.\r\nAttackers who develop various attack tools are in the same position as those in general development. While working within\r\na limited timeframe and with limited resources, information leakage and vulnerabilities can occur naturally due to code\r\nreuse or C\u0026C server operation mistakes.\r\nIn the course of investigating and analysing the C\u0026C server, several security weaknesses were discovered, which provided\r\nus with good information for investigation and tracking. We will look at the following cases of OpSec failure:\r\n1. 
Directory listing\r\n2. Leaked FTP access information\r\n3. File download vulnerability\r\nOpSec failure case 1: Directory listing\r\nCase 1.1: After DOKKAEBI campaign: H-DS (distribution) type\r\nName No. Type Details\r\nMalicious HWP 6 Dropper, spear-phishing Malicious HWP documents\r\nScript 8 Downloader, logging Downloads additional malware and logs (e.g. *.vbs, *.wsf, *.jse, *.ps1)\r\nTable 2: Related toolset.\r\nFigure 3: Profiling of malicious Hangul files.\r\nFollowing the DOKKAEBI campaign, malicious Hangul documents were continuously analysed [9]. During this process,\r\nwe tracked a C\u0026C server (suppcrt-seourity[.]esy.es) and malware related to malicious Hangul documents.\r\nThe file name of the malicious Hangul sample uploaded to VirusTotal on 23 May 2018 (shown in Figure 4) is ‘종전선언.hwp’ (‘Declaration of war end’) [10].\r\nFigure 4: Malicious Hangul sample 종전선언.hwp.\r\nThe overall flow of the sample is as follows [11].\r\nFigure 5: Sample flow.\r\nName No. Type MD5\r\n‘Second Road to Go: Building a Peace System for Unification’ 1 Initial dropper 8332be776617364c16868c1ad6b4efe7\r\ncore.dll (OneDll.dll) 2 DLL (dropper) 4de21c3af64b3b605446278de92dfff4\r\nfontchk.jse 3 Script f22db1e3ea74af791e34ad5aa0297664\r\nbrid.ige (zerodll.dll) 4 DLL 2FB20830564AC781AFB7D5F422BECFC9\r\nTable 3: Malware.\r\nThe malware fontchk.jse records the infection information (date, time, IP address, MAC address, etc.) in the path\r\n[C\u0026C]/update/fonts/log.txt, as shown in Figure 6. 
In this way, the files (including the malware) and log files that exist on the\r\nC\u0026C server can easily be obtained.\r\nFigure 6: Fontchk.jse records the infection information in the path [C\u0026C]/update/fonts/log.txt.\r\nSince a lot of resources are required to build and verify (check the actual operation of) the C\u0026C servers used by attackers,\r\nwe monitor them continuously, based on the assumption that they are likely to be recycled (reused) rather than being used\r\nonce and then destroyed.\r\nA new log was recorded on the C\u0026C server on 2018-07-10 (D+49), leading us to conduct further investigation and analysis.\r\nFigure 7: New infection log.\r\nThe C\u0026C server leaked its directory listing and didn’t have proper access control, so it was possible to check the remaining\r\nlogs following an infection.\r\nFigure 8: MAC address look-up [12].\r\nPreviously, we analysed C\u0026C servers, and we saw that the MAC address is used as the directory path. Using this\r\ninformation, we were able to obtain additional malware by using the MAC address written in the infection log.\r\nName No. 
Type MD5 Details\r\nzerobase 1 Binary 53ac231e8091abcd0978124f9268b4e4 XOR encoding\r\nHanyangUpload_script.dll 2 DLL 8b59ea1ee28e0123da82801abc0cce4d XOR decoding - 0x09FD8477\r\ncac.wsf 3 Script fa2ffcd70fba43dd0653a0ec87863d8a File upload to C\u0026C server\r\nTable 4: Malware obtained using MAC address C485088EXXXX.\r\nFigure 9: Tracking the C\u0026C server and discovering new malware zerobase (not found in VirusTotal).\r\nWe confirmed that zerobase (MD5: 53ac231e8091abcd0978124f9268b4e4) had four-byte XOR encoding (key:\r\n0x09FD8477), and a PE file was obtained through decoding, as shown in Figure 10.\r\nFigure 10: The file had four-byte XOR encoding (key: 0x09FD8477); a PE file was obtained through decoding.\r\nThe original DLL name identified in the four-byte XOR-decoded malware is HanyangUpload_script.dll.\r\nFigure 11: HanyangUpload_script.dll.\r\nThe function of the malware (HanyangUpload_script.dll) is as follows:\r\n1. Collect information from infected computers.\r\nFigure 12: Collecting information.\r\n2. Scan specific files.\r\nFigure 13: Scanning files.\r\n3. Upload files (AllList_[MAC Address]_YYMMDD_HHMMSS) to the C\u0026C server using a script (cac.wsf).\r\nFigure 14: Uploading files to C\u0026C server.\r\nCase 1.2: Malware camouflaged as HWP documents\r\nName No. 
Type Details\r\nMailer (shape) 1 Mailer Mailer (just shape)\r\nMailer (core) 2 Mailer Mailer (actual function) 1) Attachment of malware 2) Link to phishing page for account hijack\r\nBeaconer 3 Web beacon Beacon to check whether mail is being viewed\r\nCamouflaged HWP 7 Dropper, spear phishing Camouflaged HWP documents (e.g. sfx, exe)\r\nScript 8 Downloader, logging Downloads additional malware and logs (e.g. *.vbs, *.wsf, *.jse, *.ps1)\r\nInfostealer 9 C\u0026C, DLL, FTP Steals information from infected target and downloads additional malware (in some cases using FTP)\r\nTable 5: Related toolset.\r\nAmong the tools described above, this malware is camouflaged as an HWP document [13].\r\nFigure 15: Malware camouflaged as an HWP document.\r\nName No. Type MD5 Details\r\n111.scr 1 SFX 10a120f573874c2af6b9172a26fdc597 Camouflaged as HWP documents\r\n1.hwp 2 HWP ae5ddda3749dcd72bc6cf6d658c5e31c Normal HWP\r\n1.vbs 2 Script 0718bfc5957758d22af02e726cb25fe3 Base64 decoding ⇒ ps1\r\nPowershell 3 Script fa2ffcd70fba43dd0653a0ec87863d8a Additional malware download (C\u0026C: primary-help[.]esy.es)\r\nTable 6: Malware.\r\nAt the time of analysing the malware, additional malware was downloaded from the C\u0026C server.\r\nFigure 16: Additional malware being downloaded from the C\u0026C server.\r\nAs in the previous case, we continued to monitor the server, based on the assumption that the attacker would reuse the C\u0026C\r\nserver they had built.\r\nAs a result of our continued monitoring, we confirmed that a new file was uploaded to the C\u0026C server on 2019-04-01\r\n(D+42) and conducted further investigation and analysis.\r\nFigure 17: Mailer (shape): mail.php.\r\nThe 
C\u0026C server (primary-help[.]esy.es) also had directory listing enabled, as shown in Figure 8.\r\nWe confirmed that the new files mail.php and mail_ok.php had been uploaded to the C\u0026C server.\r\nFigure 18: The new files were uploaded to the C\u0026C server.\r\nWe confirmed that these files are tools for sending mail (i.e. mailers).\r\nIf we enter the sender and receiver information (name/email), title and contents and select ‘COMMIT’, then we can confirm\r\nthat mail.php is a mailer – the actual operation is performed by mail_ok.php.\r\nFigure 19: Mail.php is a mailer. The actual operation is performed by mail_ok.php.\r\nWhen using the mailer, the mail was indeed sent the normal way, but with new malware attached.\r\nFigure 20: The mail was sent normally and new malware was attached.\r\nIn addition, we confirmed that the web beacon was applied to check whether the mail was read, using reading.php defined in\r\nthe \u003cimg\u003e tag in the mail sent by the mailer.\r\nFigure 21: The web beacon was applied to check whether the mail was read.\r\nOpSec failure case 2: Leaked FTP access information\r\nName No. 
Type Details\r\nMailer (shape) 1 Mailer Mailer (just shape)\r\nMailer (core) 2 Mailer Mailer (actual function) 1) Attachment of malware 2) Link to phishing page for account hijack\r\nBeaconer 3 Web beacon Beacon to check whether mail is being viewed\r\nPhisher 4 Account stealer, phishing Phishing toolkit(lod) phishing page for account stealing\r\nLogger 5 Logging, phishing Logging of phishing target information\r\nScript 8 Downloader, logging Downloads additional malware and logs (e.g. *.vbs, *.wsf, *.jse, *.ps1)\r\nInfostealer 9 C\u0026C, DLL, FTP Steals information from infected target and downloads additional malware (in some cases using FTP)\r\nTable 7: Related toolset.\r\nAmong infostealers used by the Kimsuky group, some samples have been found that use FTP to download additional\r\nmalware after logging infected targets to the C\u0026C [14, 15].\r\nThe malware uses the Hostinger free hosting service as a C\u0026C server, and there is a security weakness in that the account\r\n(u428325809) and password (victory123!@#) used for FTP communication are exposed in plain text.\r\nFigure 22: The account (u428325809) and password (victory123!@#) used for FTP communication are exposed in plain text.\r\nThe same (or similar) FTP account information was identified in the other malware found after this malware (2019-04-03).\r\nMD5: f38a8ba888c5732236a5e0653826a267\r\nMD5: 0b65e3f7a40261232dd93f472933fb72\r\nFigure 23: The same or similar FTP account information was used.\r\nC\u0026C Date Login ID Password Details\r\nuser-daum-center[.]pe.hu @2019/04/03 u859027282 victory123!@# Same password (1)\r\nuser-protect-center[.]pe.hu @2019/04/09 u428325809 victory123!@# Same password (1)\r\nnid-protect-team[.]pe.hu @2019/04/17 u621356999 victory123!@# Same password 
(1)\r\noeks39402[.]890m.com @2019/05/15 u487458083 rhdwn111 Same password (2) same UID\r\nnid-management-team[.]890m.com @2019/05/16 u142759695 victory123!@# Same password (1)\r\nnaiei-aldiel[.]16mb.com @2019/05/27 u487458083 Victorious!@# Similar password (1) same UID\r\nvkcxvkweo[.]96.lt @2019/06/07 u487458083 rhdwn111 Same password (2) same UID\r\nTable 8: Leaked FTP authentication information.\r\nThe FTP account information used in the malware can expose the C\u0026C server to attacks. The string ‘victory’ used in the\r\npassword has also been found in the b374k webshell used by the Kimsuky group.\r\nFigure 24: The b374k webshell.\r\nOpSec failure case 3: File download vulnerability\r\nName No. Type Details\r\nMailer (shape) 1 Mailer Mailer (just shape)\r\nMailer (core) 2 Mailer Mailer (actual function) 1) Attachment of malware 2) Link to phishing page for account\r\nMalicious HWP 6 Dropper, spear phishing Malicious HWP documents\r\nScript 8 Downloader, logging Downloads additional malware and logs (e.g. 
*.vbs, *.wsf, *.jse, *.ps1)\r\nInfostealer 9 C\u0026C, DLL, FTP Steals information from infected target and downloads additional malware (in some cases using FTP)\r\nTable 9: Related toolsets.\r\nWe captured the situation where the mailer and attachments used the same C\u0026C server (member-authorize[.]com) when the\r\nKimsuky group also sent attachments with spear-phishing emails.\r\nFigure 25: The mailer and attachments used the same C\u0026C server (member-authorize[.]com).\r\nThe C\u0026C server had directory listings enabled, and there was a file download vulnerability in download.php, the file used to\r\ndownload the .hwp attachment.\r\nFigure 26: Index of the /security/downloads directory on the C\u0026C server.\r\nName No. Type MD5 Details\r\n1234.eml 0 EML b90ed8fe3160ce49d69d000b1005c0c5 Spear-phishing email\r\n20190312_Japanrelated daily trends(FN).hwp 1 HWP abafa0cbfbe18afe6dd635d14e7d03d3 Malicious Hangul documents (malicious postscript)\r\nPowershell 2 Script 6d73e394762022f3cc426b0a37c4e694 GET ddlove[.]kr/bbs/data/1\r\n1.wsf 3 Script e3dcfd19a6054f7b436b09e8ea9f37a5 (a) Set var (b) Check Extract Util – WinRAR / ALZip (c) Check response (d) Save file \u0026 extract (e) or Save file \u0026 decode (f) Execute file\r\nRomanic.fm 4 Encoded PE 9d453684e78ae95b0833c16ef8df6c4f Base64 encoding\r\nRomanic.ft 4 RAR da2eefeb7ff5a13c0d890d4ccc0e35e1 Extract P/W: 201811\r\nFreedom.dll 5 PE 05075cb9a05d0cce7263842c43f5cf8b Export name: GrapHouse; Check Env (32/64) 64bit : /bbs/data/font/exts.fmt; Process Hollowing (explorer.exe) - [SND]: /register.php?WORD=com_XXXXXXXX\u0026NOTE= - [GET]: /bbs/data/ariaK[T]_XXXXXXXX - [DEL]: 
/join.php?file=\r\nariaK_XXXXXXXX 6 Encoded PE e8d9d604615bd85862dce00bd8121b92 XOR TABLE encoding\r\nOnlyFileList.dll 7 PE cd5bee99bcae12da1d92cd252f30bd86 Export name: GrapHouse; FileUpload(AllList_[MAC Address]_YYMMDD_HHMMSS) to C\u0026C server\r\nTable 10: Malware.\r\nThe attacker built a mailer under a path named after each phishing target.\r\nFigure 27: Phishing targets include Daum, KINU and Naver.\r\nThe mailer was found on the C\u0026C server just as in the first OpSec failure case.\r\nFigure 28: Mailer found on the C\u0026C server.\r\nRelationships analysis\r\nIn the process of tracking the Kimsuky group attack, we analysed the relationships of a large quantity of data, and\r\ninvestigated C\u0026C servers located in South Korea through an investigation agency. Figure 29 shows the associations that were\r\nfound between the toolsets and C\u0026C servers classified in our research.\r\nFigure 29: Relationships between C\u0026C servers and toolsets.\r\nSome of the results of analysing the relationships between toolsets and C\u0026C servers used by the Kimsuky group in spear-phishing attacks are as follows.\r\ngyjmc[.]com (KR) → member-authorize[.]com (HOSTINGER) →\r\nddlovke[.]kr (KR) → military[.]co.kr (KR) ← suppcrt-seourity[.]esy.es(HOSTINGER)\r\nFigure 30 shows a graphical representation of the relationships.\r\nFigure 30: Graphical representation of the Kimsuky relationships.\r\nThrough its reuse of resources, we were able to track the attack performed by the Kimsuky 
group.\r\nConclusion\r\nDue to the particular circumstances of South Korea, the Kimsuky group continuously conducts malicious acts by abusing (or\r\ncamouflaging) documents created in Hangul and phishing for email account credentials in order to hijack accounts. Similar\r\nattacks have continued.\r\nHowever, in the process of tracking the Kimsuky group, we have obtained various pieces of important information through\r\ncases of OpSec failure on the part of the attackers.\r\nThe information obtained in this way can be used to infer to what extent the next attack will proceed, and, if such a new\r\nspear-phishing attack occurs, the appropriate proactive response can be taken by analysing correlations with various\r\nindicators found in previous attacks.\r\nWe will continue to strive to prevent the future spread of spear-phishing attacks by the Kimsuky group, and we hope that this\r\npaper will help in responding to threats in many areas, including domestic ones.\r\nReferences\r\n[1] The Kimsuky Operation: a North Korean APT? https://securelist.com/the-kimsuky-operation-a-north-koreanapt/57915/.\r\n[2] http://asec.ahnlab.com/993.\r\n[3] http://www.hani.co.kr/arti/PRINT/730395.html.\r\n[4] South Korean reporters get malware emails; North Korea suspected. http://www.koreatimes.co.kr/www/nation/2019/01/356_261573.html.\r\n[5] Operation Cobra Venom. https://blog.alyac.co.kr/2066.\r\n[6] The Double Life of SectorA05 Nesting in Agora (Operation Kitty Phishing). https://threatrecon.nshc.net/2019/01/30/operation-kitty-phishing/.\r\n[7] Operation Kabar Cobra. 
https://global.ahnlab.com/global/upload/download/techreport/[Analysis_Report]Operation Kabar Cobra (1).pdf.\r\n[8] Writing Secure Code - The Attacker’s Advantage and the Defender’s Dilemma (2002). https://www.oreilly.com/library/view/writing-secure-code/0735617228/.\r\n[9] DOKKAEBI: Documents of Korean and Evil Binary. https://www.virusbulletin.com/conference/vb2018/abstracts/dokkaebi-documents-korean-and-evil-binary.\r\n[10] VirusTotal (5f2ac8672e19310bd532c47d209272bd75075696dea6ffcc47d1d37f18aff141). https://www.virustotal.com/gui/file/5f2ac8672e19310bd532c47d209272bd75075696dea6ffcc47d1d37f18aff141/de.\r\n[11] Hybrid-Analysis (8332be776617364c16868c1ad6b4efe7). https://www.hybridanalysis.com/sample/5f2ac8672e19310bd532c47d209272bd75075696dea6ffcc47d1d37f18aff141?environmentId=110.\r\n[12] OUI Lookup. https://ip.rst.im/oui/C48508.\r\n[13] VirusTotal (f7d2780bc7bb24d7525012a566a37c5baeeba79e0d199120c9f3ccaf5ae3448c). https://www.virustotal.com/gui/file/f7d2780bc7bb24d7525012a566a37c5baeeba79e0d199120c9f3ccaf5ae3448c/d.\r\n[14] Twitter @anyrun. https://twitter.com/anyrun_app/status/1115513990711521280.\r\n[15] Anyrun. https://app.any.run/tasks/680af12b-e8c3.\r\nSource: https://www.virusbulletin.com/virusbulletin/2020/03/vb2019-paper-kimsuky-group-tracking-king-spearphishing/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MITRE"
	],
	"references": [
		"https://www.virusbulletin.com/virusbulletin/2020/03/vb2019-paper-kimsuky-group-tracking-king-spearphishing/"
	],
	"report_names": [
		"vb2019-paper-kimsuky-group-tracking-king-spearphishing"
	],
	"threat_actors": [
		{
			"id": "191d7f9a-8c3c-442a-9f13-debe259d4cc2",
			"created_at": "2022-10-25T15:50:23.280374Z",
			"updated_at": "2026-04-10T02:00:05.305572Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"Kimsuky",
				"Black Banshee",
				"Velvet Chollima",
				"Emerald Sleet",
				"THALLIUM",
				"APT43",
				"TA427",
				"Springtail"
			],
			"source_name": "MITRE:Kimsuky",
			"tools": [
				"Troll Stealer",
				"schtasks",
				"Amadey",
				"GoBear",
				"Brave Prince",
				"CSPY Downloader",
				"gh0st RAT",
				"AppleSeed",
				"Gomir",
				"NOKKI",
				"QuasarRAT",
				"Gold Dragon",
				"PsExec",
				"KGH_SPY",
				"Mimikatz",
				"BabyShark",
				"TRANSLATEXT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "760f2827-1718-4eed-8234-4027c1346145",
			"created_at": "2023-01-06T13:46:38.670947Z",
			"updated_at": "2026-04-10T02:00:03.062424Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"G0086",
				"Emerald Sleet",
				"THALLIUM",
				"Springtail",
				"Sparkling Pisces",
				"Thallium",
				"Operation Stolen Pencil",
				"APT43",
				"Velvet Chollima",
				"Black Banshee"
			],
			"source_name": "MISPGALAXY:Kimsuky",
			"tools": [
				"xrat",
				"QUASARRAT",
				"RDP Wrapper",
				"TightVNC",
				"BabyShark",
				"RevClient"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c8bf82a7-6887-4d46-ad70-4498b67d4c1d",
			"created_at": "2025-08-07T02:03:25.101147Z",
			"updated_at": "2026-04-10T02:00:03.846812Z",
			"deleted_at": null,
			"main_name": "NICKEL KIMBALL",
			"aliases": [
				"APT43 ",
				"ARCHIPELAGO ",
				"Black Banshee ",
				"Crooked Pisces ",
				"Emerald Sleet ",
				"ITG16 ",
				"Kimsuky ",
				"Larva-24005 ",
				"Opal Sleet ",
				"Ruby Sleet ",
				"SharpTongue ",
				"Sparking Pisces ",
				"Springtail ",
				"TA406 ",
				"TA427 ",
				"THALLIUM ",
				"UAT-5394 ",
				"Velvet Chollima "
			],
			"source_name": "Secureworks:NICKEL KIMBALL",
			"tools": [
				"BabyShark",
				"FastFire",
				"FastSpy",
				"FireViewer",
				"Konni"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "f3d402c5-5b55-4029-a639-cf38a2f5f0e1",
			"created_at": "2023-01-06T13:46:38.922371Z",
			"updated_at": "2026-04-10T02:00:03.146355Z",
			"deleted_at": null,
			"main_name": "Operation Kabar Cobra",
			"aliases": [],
			"source_name": "MISPGALAXY:Operation Kabar Cobra",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "71a1e16c-3ba6-4193-be62-be53527817bc",
			"created_at": "2022-10-25T16:07:23.753455Z",
			"updated_at": "2026-04-10T02:00:04.73769Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"APT 43",
				"Black Banshee",
				"Emerald Sleet",
				"G0086",
				"G0094",
				"ITG16",
				"KTA082",
				"Kimsuky",
				"Larva-24005",
				"Larva-25004",
				"Operation Baby Coin",
				"Operation Covert Stalker",
				"Operation DEEP#DRIVE",
				"Operation DEEP#GOSU",
				"Operation Kabar Cobra",
				"Operation Mystery Baby",
				"Operation Red Salt",
				"Operation Smoke Screen",
				"Operation Stealth Power",
				"Operation Stolen Pencil",
				"SharpTongue",
				"Sparkling Pisces",
				"Springtail",
				"TA406",
				"TA427",
				"Thallium",
				"UAT-5394",
				"Velvet Chollima"
			],
			"source_name": "ETDA:Kimsuky",
			"tools": [
				"AngryRebel",
				"AppleSeed",
				"BITTERSWEET",
				"BabyShark",
				"BoBoStealer",
				"CSPY Downloader",
				"Farfli",
				"FlowerPower",
				"Gh0st RAT",
				"Ghost RAT",
				"Gold Dragon",
				"GoldDragon",
				"GoldStamp",
				"JamBog",
				"KGH Spyware Suite",
				"KGH_SPY",
				"KPortScan",
				"KimJongRAT",
				"Kimsuky",
				"LATEOP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Lovexxx",
				"MailPassView",
				"Mechanical",
				"Mimikatz",
				"MoonPeak",
				"Moudour",
				"MyDogs",
				"Mydoor",
				"Network Password Recovery",
				"PCRat",
				"ProcDump",
				"PsExec",
				"ReconShark",
				"Remote Desktop PassView",
				"SHARPEXT",
				"SWEETDROP",
				"SmallTiger",
				"SniffPass",
				"TODDLERSHARK",
				"TRANSLATEXT",
				"Troll Stealer",
				"TrollAgent",
				"VENOMBITE",
				"WebBrowserPassView",
				"xRAT"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434058,
	"ts_updated_at": 1775792260,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/fbf7266e80d36d2762ba1a1e682820b5a1f54a40.pdf",
		"text": "https://archive.orkl.eu/fbf7266e80d36d2762ba1a1e682820b5a1f54a40.txt",
		"img": "https://archive.orkl.eu/fbf7266e80d36d2762ba1a1e682820b5a1f54a40.jpg"
	}
}