Detailed Analysis of DocSwap Malware Disguised as Security Document Viewer
By S2W
Published: 2025-08-13 · Archived: 2026-04-29 02:03:21 UTC
6 min read · Mar 13, 2025
Author: HyeongJun Kim | S2W TALON
Last Modified: Mar 13, 2025
https://medium.com/s2wblog/detailed-analysis-of-docswap-malware-disguised-as-security-document-viewer-218a728c36ff

Executive Summary

(Threat Hunting) On January 21, 2025, S2W Threat Research and Intelligence Center TALON hunted and analyzed a malware sample on VirusTotal, identified as "문서열람 인증 앱" (Document Viewing Authentication App), which is suspected to be linked to a North Korean-backed APT group.

(Malware) The malicious app was first signed on December 13, 2024. It decrypts the "security.db" file within the package using an XOR operation and dynamically loads a DEX file. Ultimately, it receives commands from the C2 server and performs malicious functions related to keylogging and information theft.

(Key Features) Based on the malicious app's name and the presence of Korean-language strings, it is suspected to target mobile device users in South Korea. This malware represents a previously unidentified type of threat, masquerading as a document-viewing authentication app. A phishing page impersonating CoinSwap was found on the C2 infrastructure, leading to its designation as DocSwap.

(Attribution) When DocSwap was first discovered, a phishing page impersonating CoinSwap was identified on the C2 IP address used for socket communication. However, as of February 27, 2025, accessing the C2 address displayed Naver's favicon and the message "Million OK !!!!", indicating a possible connection to the Kimsuky group.

(Attribution) S2W Threat Research and Intelligence Center TALON separately manages unidentified threat groups.
Among them, attack groups linked to North Korea are tracked under the name puNK, and the threat actors using the DocSwap malware have been designated as puNK-004.

Introduction

On January 21, 2025, a malicious app named "문서열람 인증 앱" was identified through VirusTotal and analyzed. This malware decrypts an obfuscated APK file and executes the code from an internally stored DEX file. During the APK decryption process, the LoadedApkPlugin open-source project was utilized, with modifications introducing an additional XOR operation to the original code.

Table 1. Comparison of Original Code and Malicious App Code

The decrypted APK file then loads and executes the DEX file. Ultimately, the app performs information theft functions such as keylogging through accessibility services, file transfers via socket communication, camera manipulation, and audio recording.

Figure 1. Malicious App Execution Process

Detailed Analysis of DocSwap

Table 2. Malicious App Information

When the initial MainActivity is executed, the malicious app performs an XOR (0xC9) operation on the "security.db" file in a subdirectory. This produces an APK file, from which the DEX file stored inside is loaded.

Figure 2. Decryption of the security.db File

The malicious app retrieves all permissions declared in its AndroidManifest.xml and prompts the user to grant any that have not yet been granted. The permissions requested at runtime by this malware are as follows:

Table 3. List of Permissions Requested by DocSwap

Additionally, to perform keylogging, the malware repeatedly generates notifications asking the user to enable accessibility permissions.
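The unwrapping step described above (single-byte XOR with 0xC9 over security.db, yielding an APK whose DEX is then loaded) is easy to reproduce during triage. The following is an added example written for this page, not S2W's tooling or the malware's own code: it applies the XOR, confirms the result by magic bytes rather than file extension, pulls out the .dex entries, and also shows that a single-byte XOR key is recoverable from the known ZIP header alone when the key is not yet known. The sample blob it builds is constructed for the demo and is not the real security.db.

```python
"""
Added example (not S2W's code): unwrap a security.db-style blob the way the
article describes (single-byte XOR with 0xC9 yielding an APK whose DEX is then
loaded) and triage the result by magic bytes. The key and the two-stage layout
come from the article; the sample file built below is constructed for the demo.
"""
import io
import zipfile
from typing import Dict, Optional

XOR_KEY = 0xC9              # key S2W reports for security.db
ZIP_MAGIC = b"PK\x03\x04"   # an APK is a ZIP container (local file header)
DEX_MAGIC = b"dex\n"        # DEX files start with "dex\n0NN\0"


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR; the same call encrypts and decrypts."""
    return bytes(b ^ key for b in data)


def classify(blob: bytes) -> str:
    """Trust magic bytes, not the .db extension the malware hides behind."""
    if blob.startswith(ZIP_MAGIC):
        return "zip/apk"
    if blob.startswith(DEX_MAGIC):
        return "dex"
    return "unknown"


def recover_xor_key(encrypted: bytes) -> Optional[int]:
    """
    Single-byte XOR leaks its key through any known plaintext. Because the
    wrapper is known to hold an APK, try every key against the first four
    bytes and keep the one that yields the ZIP magic (0xC9 for DocSwap).
    """
    for key in range(256):
        if xor_bytes(encrypted[:4], key) == ZIP_MAGIC:
            return key
    return None


def unwrap_security_db(encrypted: bytes, key: int = XOR_KEY) -> Dict:
    """
    Decrypt the wrapper, confirm it is an APK, and extract every .dex entry
    so the analyst holds the payload the malware hands to its class loader.
    Raises ValueError if the key does not produce an APK.
    """
    plain = xor_bytes(encrypted, key)
    kind = classify(plain)
    if kind != "zip/apk":
        raise ValueError(f"XOR 0x{key:02X} did not yield an APK (got: {kind})")
    with zipfile.ZipFile(io.BytesIO(plain)) as apk:
        names = apk.namelist()
        dex = {n: apk.read(n) for n in names if n.endswith(".dex")}
    # A .dex entry without the DEX magic is either wrapped again or not code at all.
    bad_dex = sorted(n for n, d in dex.items() if not d.startswith(DEX_MAGIC))
    return {"kind": kind, "entries": names, "dex": dex, "bad_dex": bad_dex}


def build_sample_security_db(key: int = XOR_KEY) -> bytes:
    """Constructed stand-in: a minimal APK with a header-only classes.dex, XOR-wrapped."""
    fake_dex = DEX_MAGIC + b"035\x00" + b"\x00" * 60   # magic + version only, not runnable
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as apk:
        apk.writestr("AndroidManifest.xml", b"<manifest/>")
        apk.writestr("classes.dex", fake_dex)
    return xor_bytes(buf.getvalue(), key)


if __name__ == "__main__":
    blob = build_sample_security_db()
    print("on disk:", classify(blob))            # "unknown": the wrapper looks like junk
    key = recover_xor_key(blob)
    print("recovered key:", hex(key))            # 0xc9
    result = unwrap_security_db(blob, key)
    print("entries:", result["entries"], "bad dex:", result["bad_dex"])
```

Point the script at a real extracted security.db (`unwrap_security_db(open(path, "rb").read())`) and compare the SHA-256 of the output with the decrypted-security.db hash in the IoC appendix; if the key ever changes in a later build, `recover_xor_key` finds the new one in a single pass.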
Figure 3. Accessibility Permission Request Notification ("To ensure proper functionality, please enable accessibility permissions")

The malicious app's "com.security.library.MainService" service is then executed; it calls the startForeground API to post a persistent notification and keep the process alive. ("Tap to view more details or stop the app")

Figure 4. Notification for Maintaining Persistence

The malicious app ensures that it runs even after a phone reboot by triggering the "com.security.library.MainService" service when boot-related intents occur. This service initializes socket communication and executes the overall malicious behavior.

Table 4. Registered Intent Filters in DocSwap

Once accessibility permissions are granted to the malicious app, the accessibility service is activated and the keylogging function is executed. During keylogging, the package name of the app in which the event occurred, that app's icon, and the text associated with the event are transmitted to the C2 server. This information is also stored locally at the following path:

/data/data/com.security.library/Security/download_{dd-mm-yyyy}.dat

Figure 5. Keylogging via Accessibility Service

The "com.security.library.MainService" service is responsible for socket communication and for receiving the commands that drive the malicious activity. The IP and port for socket communication are hardcoded, and a total of 57 malicious commands have been identified in the implementation.
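The three mechanisms described above (an accessibility service used for keylogging, a boot-triggered component that restarts MainService, and a foreground service for persistence) are all visible in a decoded AndroidManifest.xml before any dynamic analysis. As an added example, not part of S2W's post, the following static check scores a decoded manifest on that combination. It assumes the manifest has already been converted from binary AXML to text (for instance with apktool); the sample manifest is constructed from the behaviour the article describes, the accessibility service class name in it is hypothetical, and the benign manifest is a control case.

```python
"""
Added example (not S2W's code): flag the accessibility-keylogger +
boot-persistence + foreground-service pattern in a decoded AndroidManifest.xml.
The sample manifest below is constructed from the article's description of
DocSwap; the class name "AccessService" is hypothetical (the page only names
MainService), and the benign manifest is a control case.
"""
import xml.etree.ElementTree as ET
from typing import Dict

A = "{http://schemas.android.com/apk/res/android}"   # Android attribute namespace

BOOT_ACTIONS = {
    "android.intent.action.BOOT_COMPLETED",
    "android.intent.action.LOCKED_BOOT_COMPLETED",
    "android.intent.action.QUICKBOOT_POWERON",
}
A11Y_BIND_PERM = "android.permission.BIND_ACCESSIBILITY_SERVICE"
FOREGROUND_PERM = "android.permission.FOREGROUND_SERVICE"
COLLECTION_PERMS = {
    "android.permission.RECORD_AUDIO", "android.permission.CAMERA",
    "android.permission.READ_SMS", "android.permission.READ_CALL_LOG",
    "android.permission.READ_CONTACTS", "android.permission.READ_EXTERNAL_STORAGE",
}


def _name(el: ET.Element) -> str:
    return el.get(A + "name", "")


def triage_manifest(xml_text: str) -> Dict:
    """
    Each indicator alone is legitimate (screen readers bind the accessibility
    service, music players run in the foreground). The verdict is driven by
    how many of them co-occur, which is what the DocSwap description shows.
    """
    root = ET.fromstring(xml_text)
    perms = {_name(p) for p in root.iter("uses-permission")}

    # Services that only the system may bind as an accessibility service.
    a11y = [_name(s) for s in root.iter("service") if s.get(A + "permission") == A11Y_BIND_PERM]

    # Receivers (or services) whose intent-filter listens for boot events.
    boot = []
    for comp in list(root.iter("receiver")) + list(root.iter("service")):
        if {_name(a) for a in comp.iter("action")} & BOOT_ACTIONS:
            boot.append(_name(comp))

    foreground = FOREGROUND_PERM in perms or any(
        s.get(A + "foregroundServiceType") for s in root.iter("service"))
    collect = sorted(perms & COLLECTION_PERMS)

    score = sum([bool(a11y), bool(boot), foreground, bool(collect)])
    if a11y and boot and score >= 3:
        verdict = "high"
    elif score >= 2:
        verdict = "medium"
    else:
        verdict = "low"
    return {
        "package": root.get("package"),
        "accessibility_services": a11y,
        "boot_components": boot,
        "foreground_persistence": foreground,
        "collection_permissions": collect,
        "verdict": verdict,
    }


# Constructed manifest modelled on the article's description (not the real one).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.security.library">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
    <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <application android:label="문서열람 인증 앱">
        <activity android:name=".MainActivity">
            <intent-filter>
                <action android:name="android.intent.action.MAIN"/>
                <category android:name="android.intent.category.LAUNCHER"/>
            </intent-filter>
        </activity>
        <service android:name="com.security.library.MainService"
                 android:foregroundServiceType="microphone|camera"/>
        <!-- hypothetical class name; the article does not name the accessibility service -->
        <service android:name="com.security.library.AccessService"
                 android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
            <intent-filter>
                <action android:name="android.accessibilityservice.AccessibilityService"/>
            </intent-filter>
        </service>
        <receiver android:name=".BootReceiver">
            <intent-filter>
                <action android:name="android.intent.action.BOOT_COMPLETED"/>
                <action android:name="android.intent.action.QUICKBOOT_POWERON"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>
"""

# Control case: an ordinary app with none of the indicators.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Notes">
        <activity android:name=".MainActivity"/>
    </application>
</manifest>
"""

if __name__ == "__main__":
    for m in (SAMPLE_MANIFEST, BENIGN_MANIFEST):
        print(triage_manifest(m))
```

Run it over `apktool d` output (`triage_manifest(open("AndroidManifest.xml").read())`); a "high" verdict is a reason to look for a runtime-loaded DEX before trusting what the static classes.dex shows.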
Socket Communication IP & Port: 204.12.253[.]10:6834

Table 5. List of Commands Received from C2 Server

Attribution

On February 21, 2025, when accessing the app's C2 address, a phishing page masquerading as CoinSwap was observed. However, on February 27, 2025, the Naver favicon and the string "Million OK !!!!" appeared instead. Since the same characteristic was previously observed on phishing servers targeting Naver accounts operated by the Kimsuky group, this suggests a possible connection to Kimsuky.

Table 6. C2 Server Image

S2W Threat Research and Intelligence Center TALON separately manages unidentified threat groups. Among them, attack groups linked to North Korea are tracked under the name puNK, and the threat actors using the DocSwap malware have been designated as puNK-004. The list of puNK groups currently tracked by S2W TALON is shown in Table 7.

Table 7. Threat Group by puNK Classification

Conclusion

On January 21, 2025, a malicious app named "문서열람 인증 앱" (Document Viewing Authentication App) was identified.
This app, a new type of malware not previously observed, impersonates a document-viewing authentication app. Additionally, a phishing page masquerading as CoinSwap was found at the C2 address, which led to the app being named DocSwap.

The malicious app performs keylogging through accessibility services. Via socket communication with the C2 server, it receives commands to carry out information theft functions such as camera recording, microphone recording, and file download and deletion, among others.

On February 21, 2025, when accessing the app's C2 address, a phishing page masquerading as CoinSwap was observed. However, on February 27, 2025, the Naver favicon and the string "Million OK !!!!" appeared instead. Since the same characteristic was previously observed on phishing servers targeting Naver accounts operated by the Kimsuky group, this suggests a possible connection to Kimsuky.

S2W Threat Research and Intelligence Center TALON separately manages unidentified threat groups. Among them, attack groups linked to North Korea are tracked under the name puNK, and the threat actors using the DocSwap malware have been designated as puNK-004.

The DocSwap malware disguises itself as a document-viewing authentication app, tricking users into installing and launching it. It is therefore essential to be cautious and to avoid opening links or email attachments that lead to downloading apps of uncertain origin.
MITRE ATT&CK

Persistence
  T1398 Boot or Logon Initialization Scripts
  T1541 Foreground Persistence
Defense Evasion
  T1655.001 Match Legitimate Name or Location
  T1406 Obfuscated Files or Information
Discovery
  T1420 File and Directory Discovery
  T1418 Software Discovery
  T1426 System Information Discovery
Collection
  T1532 Archive Collected Data
  T1429 Audio Capture
  T1616 Call Control
  T1417.001 Keylogging
  T1636.002 Call Log
  T1636.003 Contact List
  T1636.004 SMS Messages
  T1512 Video Capture
Exfiltration
  T1646 Exfiltration Over C2 Channel

Appendix A. IoCs

The full IoC list can be found on our GitHub.

File hashes (SHA-256)
DocSwap
  bf134495142d704f9009a7d325fb9546db407971ade224e3718a84254e9ff03e (APK)
  0c84233ca90e5be15f6cdafa43d84207590b3fe522a01e20807915d3af715e9c (DEX)
  28e2221b90e9ef4c8e38593efd383dc218686fc38398bcf0a55c673420a63119 (DEX)
  ae1721ce930929dfb060371cd0012aa38f29d2aac1dac761ec1d6302a46fa2fe (security.db, XOR encrypted)
  18e92e57568ad5aad4635c932782ee1c44add6c0718e5c794f6e66a70f78a984 (security.db, XOR decrypted)

Network
  204.12.253[.]10
  hxxp://change.pi-usdt.o-r[.]kr
  hxxp://hange.pi-usdt.o-r[.]kr

copyright ⓒ 2025 All rights reserved by S2W Inc.
Source: https://medium.com/s2wblog/detailed-analysis-of-docswap-malware-disguised-as-security-document-viewer-218a728c36ff
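The network IoCs above are published defanged ("[.]" and "hxxp"), and the socket endpoint in the analysis pairs the IP with a port (6834) that a plain IP match would miss. As an added example, not part of S2W's post, the following sweep refangs the appendix's indicators and runs them over a few constructed connection records: an IP match on port 6834 is reported as the C2 socket, while the same IP on another port (where the phishing page was hosted) is reported at lower confidence. The log layout is a simplified, constructed Zeek conn.log-style tab-separated format; the IoC values and port are from the article.

```python
"""
Added example (not S2W's code): refang the appendix IoCs and sweep constructed
connection records for the DocSwap C2 endpoint. IoC values and the port 6834
come from the article; the log lines and their column layout (ts, orig_h,
orig_p, resp_h, resp_p, proto) are constructed for the demo.
"""
import re
from typing import Dict, List, Set

# Defanged exactly as published; must be undone before comparing with telemetry.
DEFANGED_IOCS = [
    "204.12.253[.]10",
    "hxxp://change.pi-usdt.o-r[.]kr",
    "hxxp://hange.pi-usdt.o-r[.]kr",
]
C2_PORT = 6834   # port of the hard-coded socket endpoint reported by S2W


def refang(ioc: str) -> str:
    """Reverse the usual defanging: [.] (.) {.} -> '.', hxxp(s):// -> http(s)://."""
    s = re.sub(r"\[\.\]|\(\.\)|\{\.\}", ".", ioc.strip())
    s = re.sub(r"^hxxp(s?)://", r"http\1://", s, flags=re.IGNORECASE)
    return s


def host_of(ioc: str) -> str:
    """Reduce an IP or URL IoC to the bare host so it can be matched against resp_h."""
    s = re.sub(r"^[a-z]+://", "", refang(ioc), flags=re.IGNORECASE)
    return s.split("/")[0].split(":")[0].lower()


def ioc_hosts(iocs: List[str] = DEFANGED_IOCS) -> Set[str]:
    return {host_of(i) for i in iocs}


def parse_conn_line(line: str) -> Dict[str, str]:
    """Constructed 6-column record; a real Zeek conn.log has more fields and a header."""
    ts, orig_h, orig_p, resp_h, resp_p, proto = line.rstrip("\n").split("\t")
    return {"ts": ts, "orig_h": orig_h, "orig_p": orig_p,
            "resp_h": resp_h, "resp_p": resp_p, "proto": proto}


def sweep(conn_lines: List[str], iocs: List[str] = DEFANGED_IOCS,
          c2_port: int = C2_PORT) -> List[Dict[str, str]]:
    """
    Return every record whose responder matches an IoC host. A hit on the
    published C2 port is 'high' (the hard-coded socket); the same host on any
    other port is 'medium' (same infrastructure, e.g. the phishing page).
    """
    hosts = ioc_hosts(iocs)
    hits = []
    for line in conn_lines:
        rec = parse_conn_line(line)
        if rec["resp_h"].lower() in hosts:
            rec["confidence"] = "high" if int(rec["resp_p"]) == c2_port else "medium"
            hits.append(rec)
    return hits


# Constructed sample records (203.0.113.0/24 is documentation space, i.e. benign here).
SAMPLE_CONN_LOG = [
    "1737450000.1\t10.0.0.23\t50213\t203.0.113.5\t443\ttcp",
    "1737450012.4\t10.0.0.23\t50214\t204.12.253.10\t6834\ttcp",
    "1737450090.0\t10.0.0.23\t50215\t204.12.253.10\t80\ttcp",
]

if __name__ == "__main__":
    for hit in sweep(SAMPLE_CONN_LOG):
        print(hit["confidence"], hit["orig_h"], "->", hit["resp_h"], hit["resp_p"])
```

The domain IoCs are carried along by `ioc_hosts` so the same function can be applied to DNS or HTTP logs where the host field is a name rather than an address; a match on the socket port is what distinguishes an infected handset from a user who merely browsed to the phishing page.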