{
    "type": "bundle",
    "id": "bundle--8813bfd8-0c77-4ac9-a53b-7f692fe091f7",
    "objects": [
        {
            "type": "identity",
            "spec_version": "2.1",
            "id": "identity--71744950-6fe5-4398-9ea3-38dad07c82b7",
            "created": "2025-05-18T23:37:18.015579Z",
            "modified": "2025-05-18T23:37:18.015614Z",
            "name": "Shubho57",
            "identity_class": "organization"
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--039528e7-6eff-4aae-8491-f865e96a07ed",
            "created": "2026-06-24T18:42:12.000983Z",
            "modified": "2026-06-24T18:42:12.000983Z",
            "name": "YARA Rule",
            "pattern": "rule KIMSUKY_Dropper_Archive {\r\nmeta:\r\ndescription = \"Detects KIMSUKY dropper archives with Korean social engineering\"\r\nauthor = \"Malware Analysis Report \u2014 January 2026\"\r\ndate = \"2026-01-31\"\r\nthreat_actor = \"KIMSUKY (Velvet Chollima)\"\r\nseverity = \"high\"\r\n\r\nstrings:\r\n// Korean health document lure\r\n$korean_health1 = { AC 80 AB B9 EA B2 80 EC A7 84 20 EC 95 88 EB 82 B4 EC 84 9C } // \u201c\uac74\uac15\uac80\uc9c4 \uc548\ub0b4\uc11c\u201d\r\n$korean_health2 = \"Health Checkup\" ascii wide\r\n$korean_health3 = \"NHIS\" ascii // National Health Insurance Service\r\n\r\n// Archive signatures\r\n$rar = { 52 61 72 21 } // RAR signature\r\n$zip = { 50 4B 03 04 } // ZIP signature\r\n$alz = { 41 4C 5A } // ALZ signature\r\n\r\n// Embedded malicious extensions\r\n$ext1 = \".jse\" ascii wide\r\n$ext2 = \".js\" ascii wide\r\n$ext3 = \".vbs\" ascii wide\r\n$ext4 = \".wsf\" ascii wide\r\n\r\n// Suspicious long filenames (SHA256-like)\r\n$long_filename = /[0-9a-f]{64}\\.(jse|js|exe)/ ascii\r\n\r\ncondition:\r\n(1 of ($rar, $zip, $alz)) and\r\n(\r\n(1 of ($korean_*)) or\r\n(1 of ($ext*) and $long_filename)\r\n) and\r\nfilesize < 10MB\r\n}",
            "pattern_type": "yara",
            "valid_from": "2026-02-03T00:00:00Z"
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--43b2e8c7-d265-491f-88f4-d69c47d94030",
            "created": "2026-06-24T18:42:12.001796Z",
            "modified": "2026-06-24T18:42:12.001796Z",
            "name": "YARA Rule",
            "pattern": "rule KIMSUKY_NUKESPED_DLL_Payload {\r\nmeta:\r\ndescription = \"Detects KIMSUKY NUKESPED DLL payload with spreading capabilities\"\r\nauthor = \"Malware Analysis Report \u2014 January 2026\"\r\ndate = \"2026-01-31\"\r\nthreat_actor = \"KIMSUKY (Velvet Chollima)\"\r\nmalware_family = \"NUKESPED\"\r\nseverity = \"critical\"\r\nhash = \"485a886acdf832ce3fb902483e30f623bbdef1629f9e84\"\r\n\r\nstrings:\r\n// DLL characteristics\r\n$dll1 = \"DllRegisterServer\" ascii\r\n$dll2 = \"DllUnregisterServer\" ascii\r\n\r\n// Network/C2 patterns\r\n$net1 = \"fastly\" ascii nocase\r\n$net2 = \"User-Agent:\" ascii\r\n$net3 = \"POST\" ascii\r\n$net4 = \"GET\" ascii\r\n\r\n// Persistence mechanisms\r\n$persist1 = \"Software\\\\Classes\" ascii wide\r\n$persist2 = \"CurrentVersion\\\\Run\" ascii wide\r\n$persist3 = \"shell\\\\open\\\\command\" ascii wide\r\n\r\n// Encryption/encoding\r\n$crypto1 = { 56 46 5A 78 55 55 46 42 } // \u201cVFZxUUFB\u201d base64 pattern\r\n$crypto2 = \"base64\" ascii nocase\r\n\r\n// Anti-analysis\r\n$anti1 = \"IsDebuggerPresent\" ascii\r\n$anti2 = \"CheckRemoteDebuggerPresent\" ascii\r\n$anti3 = \"VirtualProtect\" ascii\r\n\r\n// Spreading capability indicators\r\n$spread1 = \"spreader\" ascii\r\n$spread2 = \"pedll\" ascii\r\n$spread3 = \"64bits\" ascii\r\n\r\ncondition:\r\nuint16(0) == 0x5A4D and // PE file\r\nuint32(uint32(0x3C)) == 0x00004550 and // Valid PE\r\n(\r\n(2 of ($dll*) and 2 of ($net*) and 1 of ($persist*)) or\r\n(1 of ($crypto*) and 2 of ($anti*) and 1 of ($spread*)) or\r\n(3 of ($persist*) and 2 of ($net*))\r\n) and\r\nfilesize < 5MB and\r\nfilesize > 50KB\r\n}",
            "pattern_type": "yara",
            "valid_from": "2026-02-03T00:00:00Z"
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--283bf39c-5394-4509-999b-09d7cc4cb7e7",
            "created": "2026-06-24T18:42:12.002403Z",
            "modified": "2026-06-24T18:42:12.002403Z",
            "name": "YARA Rule",
            "pattern": "rule KIMSUKY_NUKESPED_JSE_Loader {\r\nmeta:\r\ndescription = \"Detects KIMSUKY NUKESPED JScript loader with base64 and PowerShell execution\"\r\nauthor = \"Subhankar H.\"\r\ndate = \"2026-01-31\"\r\nthreat_actor = \"KIMSUKY (Velvet Chollima)\"\r\nmalware_family = \"NUKESPED\"\r\nseverity = \"high\"\r\nreference = \"KIMSUKY APT Campaign January 2026\"\r\nhash1 = \"81e384471fcfa6752cb81ca1b7b9ee455cc78f1580d260ed7a11fd682a378930e\"\r\nhash2 = \"485a886acdf832ce3fb902483e30f623bbdef1629f9e84\"\r\n\r\nstrings:\r\n// Base64 operations\r\n$base64_1 = \"bin.base64\" ascii nocase\r\n$base64_2 = \"IXMLDOMElement\" ascii\r\n$base64_3 = \"dataType\" ascii\r\n$base64_4 = \"text/xml\" ascii\r\n\r\n// PowerShell execution patterns\r\n$ps_1 = \"powershell\" ascii nocase\r\n$ps_2 = \"-windowstyle hidden\" ascii nocase\r\n$ps_3 = \"-decode\" ascii nocase\r\n$ps_4 = \"IWshShell\" ascii\r\n$ps_5 = \"WScript.Shell\" ascii\r\n\r\n// File system operations\r\n$fs_1 = \"Scripting.FileSystemObject\" ascii\r\n$fs_2 = \"GetSpecialFolder\" ascii\r\n$fs_3 = \"GetFile\" ascii\r\n$fs_4 = \"IFileSystem3\" ascii\r\n$fs_5 = \"ScriptFullName\" ascii\r\n\r\n// ADODB Stream operations\r\n$adodb_1 = \"ADODB.Stream\" ascii\r\n$adodb_2 = \"SaveToFile\" ascii\r\n$adodb_3 = \"_Stream\" ascii\r\n$adodb_4 = \"Write\" ascii wide\r\n\r\n// Obfuscated file patterns in ProgramData\r\n$file_pattern1 = /C:\\\\\\\\ProgramData\\\\\\\\[a-zA-Z0-9]{10,25}\\\\.(a9oc|lpXD)/ ascii\r\n$file_pattern2 = /\\\\\\\\ProgramData\\\\\\\\[A-Za-z]{2}[a-zA-Z0-9]{13,20}/ ascii\r\n\r\n// Korean language social engineering\r\n$korean1 = { AC 80 AB B9 } // Part of \u201c\uac74\uac15\uac80\uc9c4\u201d\r\n$korean2 = \"nhis.or.kr\" ascii // Korean National Health Insurance Service\r\n\r\n// Registry manipulation\r\n$reg_1 = \"HKCR\\\\exefile\" ascii wide\r\n$reg_2 = \"RegQueryKey\" ascii\r\n$reg_3 = \"RegOpenKey\" ascii\r\n\r\n// Anti-analysis indicators\r\n$anti_1 = \"detect-debug-environment\" ascii\r\n$anti_2 = \"long-sleeps\" ascii\r\n\r\n// Specific malware artifacts\r\n$artifact1 = \"bEyjSlpZvbJpIVv9\" ascii\r\n$artifact2 = \"zlrenu8.exe\" ascii\r\n$artifact3 = \"hkNlPHF5\" ascii\r\n\r\ncondition:\r\nuint16(0) == 0x5A4D or // PE file\r\nuint16(0) == 0x4B50 or // ZIP/archive (for .jse in archive)\r\n(\r\n// High confidence detection\r\n(\r\n(3 of ($base64_*)) and\r\n(2 of ($ps_*)) and\r\n(1 of ($adodb_*))\r\n) or\r\n\r\n// Medium confidence detection\r\n(\r\n(2 of ($ps_*)) and\r\n(2 of ($fs_*)) and\r\n(1 of ($adodb_*))\r\n) or\r\n\r\n// Korean-targeted campaign\r\n(\r\n($korean1 or $korean2) and\r\n(2 of ($ps_*)) and\r\n(1 of ($base64_*))\r\n) or\r\n\r\n// File pattern match\r\n(\r\n(1 of ($file_pattern*)) and\r\n(1 of ($ps_*)) and\r\n(1 of ($adodb_*))\r\n) or\r\n\r\n// Specific artifacts\r\n(1 of ($artifact*))\r\n) and\r\nfilesize < 10MB\r\n}",
            "pattern_type": "yara",
            "valid_from": "2026-02-03T00:00:00Z"
        },
        {
            "type": "file",
            "spec_version": "2.1",
            "id": "file--a7473380-e7bc-4d2e-8d83-4404d8f40486",
            "hashes": {
                "SHA-256": "485a886acdf832cce3fb902483e30f623bbdef1629f9e8409fb865043e6f5da0"
            }
        },
        {
            "type": "file",
            "spec_version": "2.1",
            "id": "file--9a2352af-d776-4b0c-9a99-9f1b98396381",
            "hashes": {
                "SHA-1": "c89af74145a6dd5d6ee0f8283ae94205aae5360a"
            }
        },
        {
            "type": "file",
            "spec_version": "2.1",
            "id": "file--b1e6cf2b-545e-4fc8-8e33-38179f23fb31",
            "hashes": {
                "SHA-256": "81e384471fcfa6752cb81ca1b7b9ee455cc78f1580d260ed7a1fd682a378930e"
            }
        },
        {
            "type": "file",
            "spec_version": "2.1",
            "id": "file--72d2c7b3-4ea4-4261-bafb-c437688bdd79",
            "hashes": {
                "MD5": "7d994b591c2d4fafeb3e71278229566e"
            }
        },
        {
            "type": "threat-actor",
            "spec_version": "2.1",
            "id": "threat-actor--3cad7692-b5b4-565b-88b1-63998b3f44a1",
            "created": "2026-06-24T18:42:12.007253Z",
            "modified": "2026-06-24T18:42:12.007253Z",
            "name": "Kimsuky"
        },
        {
            "type": "report",
            "spec_version": "2.1",
            "id": "report--b04acaf9-eb21-4f58-8758-dd4b5a165540",
            "created_by_ref": "identity--71744950-6fe5-4398-9ea3-38dad07c82b7",
            "created": "2026-06-24T18:42:12.009863Z",
            "modified": "2026-06-24T18:42:12.009863Z",
            "name": "Analysis of a JSE File (Kimsuky APT)",
            "published": "2026-02-03T00:00:00Z",
            "object_refs": [
                "identity--71744950-6fe5-4398-9ea3-38dad07c82b7",
                "indicator--039528e7-6eff-4aae-8491-f865e96a07ed",
                "indicator--43b2e8c7-d265-491f-88f4-d69c47d94030",
                "indicator--283bf39c-5394-4509-999b-09d7cc4cb7e7",
                "file--a7473380-e7bc-4d2e-8d83-4404d8f40486",
                "file--9a2352af-d776-4b0c-9a99-9f1b98396381",
                "file--b1e6cf2b-545e-4fc8-8e33-38179f23fb31",
                "file--72d2c7b3-4ea4-4261-bafb-c437688bdd79",
                "threat-actor--3cad7692-b5b4-565b-88b1-63998b3f44a1"
            ],
            "external_references": [
                {
                    "source_name": "source",
                    "url": "https://medium.com/@shubhandrew/analysis-of-a-jse-file-kimsuky-apt-79588d103f73"
                }
            ]
        }
    ]
}