Espionage Operation Disguised as Software Installers by Kimsuky (APT-Q-2)

2024-03-05 Qianxin

https://ti.qianxin.com/blog/articles/Espionage-Operation-Disguised-as-Software-Installers-by-Kimsuky-APT-Q-2-EN/


This backdoor shares multiple characteristics with historical attack samples from the Kimsuky group, leading us to believe that both families of malware are associated with Kimsuky. These two points indicate that the backdoor is started by other malware. The group typically delivers its malware through social engineering, spear-phishing emails, watering hole attacks, and other methods, and employs a variety of attack techniques and tools targeting both the Windows and Android platforms. Kimsuky, also known as Mystery Baby, Baby Coin, Smoke Screen, Black Banshee, etc., is tracked internally by QiAnXin as APT-Q-2.

Indicators of Compromise

