APT Group Tracking Report - Larva-24005
2025-04-13 • Ahnlab • APT Group Tracking Report - Larva-24005
AhnLab attributes Larva-24005 to activity associated with Kimsuky, describing intrusions against software, energy, and financial targets in South Korea and broader infrastructure spanning multiple countries. The report cites RDP exposure and BlueKeep CVE-2019-0708 as part of the intrusion context, followed by MySpy deployment, RDPWrap installation, RDP configuration changes, and keyloggers such as KimaLogger or RandomQuery. It also notes phishing mail activity from compromised systems and infrastructure using r-e.kr and kro.kr domains.
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| DOMAIN | r-e.kr | 2023-03-23 | 2026-06-01 |