apt-get install kimsuky

2020-03-20 • Strangereal Intel •

https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/North%20Korea/APT/Kimsuky/2020-03-20/Analysis.md

#Kimsuky #T1082 #T1057 #T1012 #T1060 #T1064 #T1086

StrangerealIntel analyzes a Kimsuky intrusion chain that begins with a malicious Office document using remote template injection to fetch a second-stage macro from crphone.mireene.com. On macOS, the macro uses Office's bundled Python 2.7 support to execute fileless Python code, replace normal.dotm for persistence, gather system and file-listing data from user directories, compress the collection into backup.zip, and upload it to the same C2 infrastructure. The report also covers a Windows PowerShell implant from the same campaign, showing cross-platform tradecraft built around Office macros, in-memory scripting, persistence through template abuse, and HTTP-based collection staging.

Indicators of Compromise

Type	Value	First Seen	Last Seen
HASH	1fcd9892532813a27537f4e1a1c21ec…	2020-03-20	2024-03-02
URL	http://mybobo.mygamesonline.org…	2020-03-20	2024-03-02
DOMAIN	mybobo.mygamesonline.org	2020-03-20	2024-03-02
IPv4	185.176.43.82	2020-03-20	2024-03-02
DOMAIN	mireene.com	2019-05-10	2023-10-30
URL	http://schemas.openxmlformats.o…	2020-03-20	2023-06-06
DOMAIN	nhpurumy.mireene.com	2020-03-20	2020-11-02
DOMAIN	vnext.mireene.com	2020-03-20	2020-07-29
HASH	828a5527e25e3cab4e97ed25ec2b3d2…	2020-03-20	2020-03-20
HASH	757a71f0fbd6b3d993be2a213338d1f2	2020-03-20	2020-03-20
HASH	0588510dddbd802a5a95fa299d8fa72…	2020-03-20	2020-03-20
HASH	7d2b9f391588cc07d9ba78d652819d3…	2020-03-20	2020-03-20
HASH	7f83912127f5b9680ff57581fc40123…	2020-03-20	2020-03-20
HASH	5f2d3ed67a577526fcbd9a154f522cce	2020-03-20	2020-03-20
HASH	a4388c4d0588cd3d8a607594347663e0	2020-03-20	2020-03-20
URL	http://crphone.mireene.com/plug…	2020-03-20	2020-03-20
URL	http://crphone.mireene.com/plug…	2020-03-20	2020-03-20
URL	http://crphone.mireene.com/plug…	2020-03-20	2020-03-20
URL	http://crphone.mireene.com/plug…	2020-03-20	2020-03-20
URL	http://mybobo.mygamesonline.org…	2020-03-20	2020-03-20
URL	http://mybobo.mygamesonline.org…	2020-03-20	2020-03-20
URL	http://crphone.mireene.com/plug…	2020-03-20	2020-03-20
URL	http://crphone.mireene.com/plug…	2020-03-20	2020-03-20
DOMAIN	crphone.mireene.com	2020-03-20	2020-03-20
IPv4	101.79.5.222	2020-03-20	2020-03-20

Related Actors

Kimsuky

Kaspersky

First seen: Sep 2013

Last seen: Jun 2026

Related Reports

2019-11-12 • 49% Match

A Look into the Lazarus Group's Operations in October 2019

Strangereal Intel

#Lazarus #T1082 #T1005 #T1112 #T1115 #T1124 #T1057 #T1059 #T1055 #T1049 #T1087 #T1016 #T1010 #T1012 #T1132 #T1060 #T1064 #T1085 #T1086 #T1022 #T1179 #T1089

Shares tags: T1082, T1057, T1012 • Same author: Strangereal Intel

2024-03-30 • 48% Match

揭开 Kimsuky 黑客的面纱

haidragon

#Kimsuky #TODDLERSHARK #T1082 #T1112 #T1059 #T1012 #T1060 #T1064

Shares tags: Kimsuky, T1082, T1012

2020-02-25 • 48% Match

DPRK Hidden Cobra Update: North Korean Malicious Cyber Activity

Sentinel One

#HiddenCobra #T1082 #T1090 #T1005 #T1041 #T1083 #T1027 #T1124 #T1204 #T1057 #T1003 #T1105 #T1055 #T1016 #T1048 #T1074 #T1056 #T1033 #T1012 #T1132 #T1043 #T1060 #T1064 #T1193 #T1065 #T1050 #T1024

Shares tags: T1082, T1057, T1012 • Published within a month

2020-04-10 • 46% Match