Kimsuky (APT-Q-2) Data-Theft Operation Disguised as Software Installation Packages

2024-01-30 Qianxin: Kimsuky (APT-Q-2) data-theft operation disguised as software installation packages

https://mp.weixin.qq.com/s?__biz=MzI2MDc2MDA4OA==&mid=2247509476&idx=1&sn=b0e09436095203b75710836d718d6699&chksm=eb3f7f9b7c2d9f7c2100ae4042ca2b6f455b7861453a14de70bdbb63aa85497ffa8a414a5ebc&scene=132


QiAnXin attributes a January 2024 intrusion set to Kimsuky (APT-Q-2) based on overlap with earlier Kimsuky malware and on shared code-signing, packing, language, and victim-ID patterns. The operation used installers disguised as SGA Solutions products that dropped the legitimate setup files while also running VMProtect-packed Go malware: a one-shot stealer identified as TrollAgent and a related backdoor. TrollAgent collects configuration data, SSH and FileZilla directories, Microsoft Sticky Notes, browser data, screenshots, and installed-program and system information, then encrypts the results and exfiltrates them to C2 URLs such as ar.kostin.p-e.kr and ai.kostin.p-e.kr before deleting itself. The related backdoor persists as svchost.exe via a scheduled task named WindowsUpdate and communicates with a compromised Korean domain using randomized POST parameters.

Indicators of Compromise

