Suspected Kimsuky (APT-Q-2) Attack Against Korean Enterprises
2025-04-11 • Qianxin • Suspected Kimsuky (APT-Q-2) Attack Against Korean Enterprises
Qi An Xin reports activity it attributes with medium confidence to Kimsuky, tracked internally as APT-Q-2, targeting Korean organizations in the defense, education, energy, government, healthcare, and think-tank sectors. The observed malware set includes a Go dropper, DLL backdoors, and tooling delivered alongside BlueMoonSoft-signed decoy software. Command and control uses dynamic DNS domains, and the backdoors implement host and network reconnaissance, payload download and execution, keylogging, clipboard capture, and screenshots. A newer backdoor variant compares the victim hostname against an embedded target list that includes DANAM, which suggests a possible focus on a Korean company active in electronics, communications, and defense.
Indicators of Compromise