Analysis of the Kimsuky Group's 'BlueShark' Threat Tactics
2024-10-04 • Genians • Analysis of Kimsuky BlueShark Threat Tactics
https://www.genians.co.kr/blog/threat_intelligence/blueshark
Genians analyzes Kimsuky BlueShark activity, describing the group's continued use of varied malware delivery formats including LNK, ISO, MSC, and HWP files in South Korea-focused APT operations. The report links BlueShark to the broader BabyShark family, including related names such as ToddlerShark and ReconShark, and highlights MSC-based tradecraft previously documented by Genians Security Center. Evidence includes lecture-request spear-phishing themes aimed at North Korea-related experts, follow-up targeting after victim engagement, and observed command-and-control infrastructure plus linguistic clues in attacker tooling.
Indicators of Compromise