{
	"id": "bf92bd3b-67b6-4159-8a75-d5176e203ad8",
	"created_at": "2026-04-29T02:21:25.510612Z",
	"updated_at": "2026-04-29T10:18:29.580276Z",
	"deleted_at": null,
	"sha1_hash": "ffaaf49f0ead72966c28858a9674927f78fe951a",
	"title": "Detailed Analysis of DocSwap Malware Disguised as Security Document Viewer",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2081898,
	"plain_text": "Detailed Analysis of DocSwap Malware Disguised as Security Document Viewer\r\nBy S2W\r\nPublished: 2025-08-13 · Archived: 2026-04-29 02:03:21 UTC\r\nMar 13, 2025\r\nAuthor: HyeongJun Kim | S2W TALON\r\nLast Modified: Mar 13, 2025\r\nPhoto by Dmitry Ratushny on Unsplash\r\nExecutive Summary\r\n(Threat Hunting) On January 21, 2025, S2W Threat Research and Intelligence Center TALON hunted and analyzed a malware sample on VirusTotal, identified as the “문서열람 인증 앱” (Document Viewing Authentication App), which is suspected to be linked to a North Korean-backed APT group.\r\nhttps://medium.com/s2wblog/detailed-analysis-of-docswap-malware-disguised-as-security-document-viewer-218a728c36ff\r\nPage 1 of 13\r\n(Malware) The malicious app was first signed on December 13, 2024. It decrypts the “security.db” file within the package using an XOR operation and dynamically loads a DEX file. Ultimately, it receives commands from the C2 server and performs malicious functions related to keylogging and information theft.\r\n(Key Features) Based on the malicious app's name and the presence of Korean-language strings, it is suspected to target mobile device users in South Korea. This malware represents a previously unidentified type of threat, masquerading as a document-viewing authentication app. A phishing page impersonating CoinSwap was found on the C2 infrastructure, leading to its designation as DocSwap.\r\n(Attribution) When the DocSwap malware was first discovered, a phishing page impersonating CoinSwap was identified on the C2 IP address used for socket communication. However, as of February 27, 2025, accessing the C2 address displayed Naver’s favicon and the message “Million OK !!!!”, indicating a possible connection to the Kimsuky group.\r\n(Attribution) S2W Threat Research and Intelligence Center TALON separately manages unidentified threat groups. 
Among them, attack groups linked to North Korea are tracked under the name puNK, and the threat actors using the DocSwap malware have been designated as puNK-004.\r\nIntroduction\r\nOn January 21, 2025, a malicious app named “문서열람 인증 앱” was identified through VirusTotal and analyzed. This malware decrypts an obfuscated APK file and executes the code from an internally stored DEX file.\r\nDuring the APK decryption process, the LoadedApkPlugin open-source project was utilized, with modifications introducing an additional XOR operation to the original code.\r\nTable 1. Comparison of Original Code and Malicious App Code\r\nThe decrypted APK file then loads and executes the DEX file. Ultimately, the app performs information theft functions, such as keylogging through accessibility services, file transfers via socket communication, camera manipulation, and audio recording.\r\nFigure 1. Malicious App Execution Process\r\nDetailed Analysis of DocSwap\r\nTable 2. Malicious App Information\r\nWhen the initial MainActivity is executed, the malicious app performs an XOR (0xC9) operation on the “security.db” file in a subdirectory. This process drops an APK file and loads the DEX file stored within it.\r\nFigure 2. Decryption of the security.db File\r\nThe malicious app retrieves all permissions declared in the AndroidManifest.xml file and prompts the user to grant any permissions that have not yet been granted. The permissions requested at runtime by this malware are as follows:\r\nTable 3. 
List of Permissions Requested by DocSwap\r\nAdditionally, to perform keylogging, the malware repeatedly generates notifications requesting accessibility permissions. (“To ensure proper functionality, please enable accessibility permissions”)\r\nFigure 3. Accessibility Permission Request Notification\r\nThe malicious app’s “com.security.library.MainService” service is executed, and it uses the StartForeground API to generate a notification and maintain persistence. (“Tap to view more details or stop the app”)\r\nFigure 4. Notification for Maintaining Persistence\r\nThe malicious app ensures that the malware runs even after a phone reboot by triggering the “com.security.library.MainService” service when boot-related intents occur. This service initializes socket communication and executes the overall malicious behavior.\r\nTable 4. Registered Intent Filters in DocSwap\r\nOnce accessibility permissions are granted to the malicious app, the accessibility service is activated, and the keylogging function is executed. During keylogging, the package name of the app where the event occurred, the app’s icon, and the text associated with the event are transmitted to the C2 server. Additionally, this information is stored locally in the following path:\r\n/data/data/com.security.library/Security/download_{dd-mm-yyyy}.dat\r\nFigure 5. Keylogging via Accessibility Service\r\nThe “com.security.library.MainService” service is responsible for socket communication and for receiving commands to execute malicious activities. 
The IP and port for socket communication are hardcoded, and a total of 57 malicious commands have been identified in the implementation.\r\nSocket Communication IP \u0026 Port: 204.12.253[.]10:6834\r\nTable 5. List of Commands Received from C2 Server\r\nAttribution\r\nOn February 21, 2025, when accessing the app’s C2 address, a phishing page masquerading as CoinSwap was observed. However, on February 27, 2025, it was noticed that the Naver favicon and the string “Million OK !!!!” appeared. Since a similar characteristic was previously observed on phishing servers targeting Naver accounts operated by the Kimsuky group, this indicates a possible connection to Kimsuky.\r\nTable 6. C2 Server Image\r\nS2W Threat Research and Intelligence Center TALON separately manages unidentified threat groups. Among them, attack groups linked to North Korea are tracked under the name puNK, and the threat actors using the DocSwap malware have been designated as puNK-004. 
The list of puNK groups currently being tracked by S2W TALON is shown in Table 7.\r\nTable 7. Threat Group by puNK Classification\r\nConclusion\r\nOn January 21, 2025, a malicious app named “문서열람 인증 앱” (Document Viewing Authentication App) was identified. This app, a new type of malware not previously observed, impersonates a document-viewing authentication app. Additionally, a phishing page masquerading as CoinSwap was found at the C2 address, leading to the app being named DocSwap.\r\nThe malicious app performs keylogging through accessibility services. Via socket communication with the C2 server, it receives malicious commands to carry out information theft functions such as camera recording, microphone recording, file downloading and deletion, among others.\r\nOn February 21, 2025, when accessing the app’s C2 address, a phishing page masquerading as CoinSwap was observed. However, on February 27, 2025, it was noticed that the Naver favicon and the string “Million OK !!!!” appeared. Since a similar characteristic was previously observed on phishing servers targeting Naver accounts operated by the Kimsuky group, this indicates a possible connection to Kimsuky.\r\nS2W Threat Research and Intelligence Center TALON separately manages unidentified threat groups. Among them, attack groups linked to North Korea are tracked under the name puNK, and the threat actors using the DocSwap malware have been designated as puNK-004.\r\nThe DocSwap malware disguises itself as a document viewing authentication app, tricking users into installing and clicking on it. 
Therefore, it is essential to be cautious and avoid opening links or email attachments that lead to downloading malicious apps of uncertain origin.\r\nMITRE ATT\u0026CK\r\nPersistence\r\n(T1398) Boot or Logon Initialization Scripts\r\n(T1541) Foreground Persistence\r\nDefense Evasion\r\n(T1655.001) Match Legitimate Name or Location\r\n(T1406) Obfuscated Files or Information\r\nDiscovery\r\n(T1420) File and Directory Discovery\r\n(T1418) Software Discovery\r\n(T1426) System Information Discovery\r\nCollection\r\n(T1532) Archive Collected Data\r\n(T1429) Audio Capture\r\n(T1616) Call Control\r\n(T1417.001) Keylogging\r\n(T1636.002) Call Log\r\n(T1636.003) Contact List\r\n(T1636.004) SMS Messages\r\n(T1512) Video Capture\r\nExfiltration\r\n(T1646) Exfiltration Over C2 Channel\r\nAppendix A. IoCs\r\nThe full IoC list can be found on our GitHub.\r\ncopyrightⓒ 2025 All rights reserved by S2W Inc.\r\nSource: https://medium.com/s2wblog/detailed-analysis-of-docswap-malware-disguised-as-security-document-viewer-218a728c36ff",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://medium.com/s2wblog/detailed-analysis-of-docswap-malware-disguised-as-security-document-viewer-218a728c36ff"
	],
	"report_names": [
		"detailed-analysis-of-docswap-malware-disguised-as-security-document-viewer-218a728c36ff"
	],
	"threat_actors": [
		{
			"id": "191d7f9a-8c3c-442a-9f13-debe259d4cc2",
			"created_at": "2022-10-25T15:50:23.280374Z",
			"updated_at": "2026-04-29T09:01:47.560571Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"Kimsuky",
				"Black Banshee",
				"Velvet Chollima",
				"Emerald Sleet",
				"THALLIUM",
				"APT43",
				"TA427",
				"Springtail",
				"Earth Kumiho",
				"PatheticSlug"
			],
			"source_name": "MITRE:Kimsuky",
			"tools": [
				"Troll Stealer",
				"HTTPTroy",
				"schtasks",
				"certutil",
				"Amadey",
				"GoBear",
				"Brave Prince",
				"CSPY Downloader",
				"gh0st RAT",
				"AppleSeed",
				"Gomir",
				"NOKKI",
				"QuasarRAT",
				"Gold Dragon",
				"PsExec",
				"KGH_SPY",
				"Mimikatz",
				"BabyShark",
				"TRANSLATEXT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "760f2827-1718-4eed-8234-4027c1346145",
			"created_at": "2023-01-06T13:46:38.670947Z",
			"updated_at": "2026-04-29T09:01:46.572313Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"G0086",
				"APT43",
				"Velvet Chollima",
				"Black Banshee",
				"Operation Stolen Pencil",
				"Emerald Sleet",
				"THALLIUM",
				"Springtail",
				"Sparkling Pisces",
				"Thallium"
			],
			"source_name": "MISPGALAXY:Kimsuky",
			"tools": [
				"RevClient",
				"xrat",
				"QUASARRAT",
				"RDP Wrapper",
				"TightVNC",
				"BabyShark"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c8bf82a7-6887-4d46-ad70-4498b67d4c1d",
			"created_at": "2025-08-07T02:03:25.101147Z",
			"updated_at": "2026-04-29T09:01:47.983085Z",
			"deleted_at": null,
			"main_name": "NICKEL KIMBALL",
			"aliases": [
				"APT43 ",
				"ARCHIPELAGO ",
				"Black Banshee ",
				"Crooked Pisces ",
				"Emerald Sleet ",
				"ITG16 ",
				"Kimsuky ",
				"Larva-24005 ",
				"Opal Sleet ",
				"Ruby Sleet ",
				"SharpTongue ",
				"Sparking Pisces ",
				"Springtail ",
				"TA406 ",
				"TA427 ",
				"THALLIUM ",
				"UAT-5394 ",
				"Velvet Chollima "
			],
			"source_name": "Secureworks:NICKEL KIMBALL",
			"tools": [
				"BabyShark",
				"FastFire",
				"FastSpy",
				"FireViewer",
				"Konni"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "71a1e16c-3ba6-4193-be62-be53527817bc",
			"created_at": "2022-10-25T16:07:23.753455Z",
			"updated_at": "2026-04-29T09:01:48.2777Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"APT 43",
				"Black Banshee",
				"Emerald Sleet",
				"G0086",
				"G0094",
				"ITG16",
				"KTA082",
				"Kimsuky",
				"Larva-24005",
				"Larva-25004",
				"Operation Baby Coin",
				"Operation Covert Stalker",
				"Operation DEEP#DRIVE",
				"Operation DEEP#GOSU",
				"Operation Kabar Cobra",
				"Operation Mystery Baby",
				"Operation Red Salt",
				"Operation Smoke Screen",
				"Operation Stealth Power",
				"Operation Stolen Pencil",
				"SharpTongue",
				"Sparkling Pisces",
				"Springtail",
				"TA406",
				"TA427",
				"Thallium",
				"UAT-5394",
				"Velvet Chollima"
			],
			"source_name": "ETDA:Kimsuky",
			"tools": [
				"AngryRebel",
				"AppleSeed",
				"BITTERSWEET",
				"BabyShark",
				"BoBoStealer",
				"CSPY Downloader",
				"Farfli",
				"FlowerPower",
				"Gh0st RAT",
				"Ghost RAT",
				"Gold Dragon",
				"GoldDragon",
				"GoldStamp",
				"JamBog",
				"KGH Spyware Suite",
				"KGH_SPY",
				"KPortScan",
				"KimJongRAT",
				"Kimsuky",
				"LATEOP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Lovexxx",
				"MailPassView",
				"Mechanical",
				"Mimikatz",
				"MoonPeak",
				"Moudour",
				"MyDogs",
				"Mydoor",
				"Network Password Recovery",
				"PCRat",
				"ProcDump",
				"PsExec",
				"ReconShark",
				"Remote Desktop PassView",
				"SHARPEXT",
				"SWEETDROP",
				"SmallTiger",
				"SniffPass",
				"TODDLERSHARK",
				"TRANSLATEXT",
				"Troll Stealer",
				"TrollAgent",
				"VENOMBITE",
				"WebBrowserPassView",
				"xRAT"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1777429285,
	"ts_updated_at": 1777457909,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ffaaf49f0ead72966c28858a9674927f78fe951a.pdf",
		"text": "https://archive.orkl.eu/ffaaf49f0ead72966c28858a9674927f78fe951a.txt",
		"img": "https://archive.orkl.eu/ffaaf49f0ead72966c28858a9674927f78fe951a.jpg"
	}
}