Kimsuky 5

2024-08-14 • somedieyoung ZZ •

https://somedieyoungzz.github.io/posts/kimsuky-5/

#Kimsuky

The analysis examines a 2019 Kimsuky sample disguised as a Korean-language HWP quotation document with a double extension ending in .exe. The loader drops a decoy HWP file and a DLL named NewAct.dat, then uses regsvr32 to register the DLL. The DLL checks system architecture, injects into explorer.exe on 32-bit systems, creates mutexes, adds AutoRun registry persistence, and communicates with the C2 URL hxxp://antichrist.or.kr/data/cheditor/dir1/F.php for further instructions. The lure ties the social engineering theme to a South Korea and Vietnam event, matching Kimsuky tradecraft around Korean-language document impersonation.

Indicators of Compromise

Type	Value	First Seen	Last Seen
URL	http://antichrist.or.kr/data/ch…	2024-08-14	2024-08-14
IPv4	114.207.244.99	2024-08-14	2024-08-14
HASH	35d60d2723c649c97b414b3cb701df1c	2019-12-03	2024-08-14
HASH	03c35e4c6a641373db665e7d58cea42…	2019-12-03	2024-08-14
HASH	1050935f6acee3afda3876478718632…	2019-12-03	2024-08-14
HASH	6dfce07abc39e5d6aebd74a1850ad65…	2019-12-03	2024-08-14
HASH	e54b370d96ca0e2ecc083c2d42f05210	2019-12-03	2024-08-14
HASH	9944ce9354fb8961826339770ffc118…	2019-12-03	2024-08-14
DOMAIN	antichrist.or.kr	2019-12-03	2024-08-14

Related Actors

Kimsuky

Kaspersky

First seen: Sep 2013

Last seen: Jun 2026

Related Reports

2019-12-03 • 91% Match

exe malware including hwp, disguised as a Vietnamese event estimate

kino

#Kimsuky

Shares tag: Kimsuky • Shares 7 IOCs

2024-09-17 • 80% Match

Kimsuky A Gift That Keeps on Giving

somedieyoung ZZ

#Kimsuky #LNK

Shares tag: Kimsuky • Same author: somedieyoung ZZ

2024-09-13 • 80% Match

"북한 신형 자폭드론" 관련 내용으로 위장한 악성 MSC 문서

Hauri

#Kimsuky #MSC

Shares tag: Kimsuky • Published within a month

2024-09-13 • 80% Match

게임 링크 단축 및 수익 창출 LootLabs 으로 위장한것으로 추정 되는 김수키(Kimsuky) 악성코드-Twitch x Loot Lab Event-2025.msc(2024.9.9)

Sakai

#Kimsuky #MSC

Shares tag: Kimsuky • Published within a month

2024-09-12 • 80% Match

APT PROFILE – KIMSUKY

Cyfirma

#Kimsuky #T1102.002 #T1082 #T1059.003 #T1567.002 #T1140 #T1005 #T1070.004 #T1587.001 #T1041 #T1608.001 #T1071.001 #T1112 #T1083 #T1056.001 #T1059.006 #T1204.001 #T1059.007 #T1036 #T1027 #T1204.002 #T1566.002 #T1555.003 #T1057 #T1059.005 #T1583.006 #T1518.001 #T1566.001 #T1547.001 #T1585.002 #T1053.005 #T1598.003 #T1583.001 #T1059.001 #T1036.005 #T1552.001 #T1585.001 #T1105 #T1219 #T1055 #T1553.002 #T1562.001 #T1027.002 #T1133 #T1190 #T1098 #T1016 #T1074.001 #T1588.002 #T1055.012 #T1587 #T1078.003 #T1071.002 #T1562.004 #T1550.002 #T1111 #T1071.003 #T1591 #T1003.001 #T1218.011 #T1593.002 #T1586.002 #T1588.005 #T1583.004 #T1036.004 #T1589.003 #T1594 #T1218.010 #T1557 #T1593.001 #T1218.005 #T1589.002 #T1584.001 #T1070.006 #T1021.001 #T1560.001 #T1176 #T1136.001 #T1543.003 #T1012 #T1534 #T1560.003 #T1007 #T1564.003 #T1114.003 #T1114.002 #T1564.002 #T1040 #T1546.001 #T1505.003

Shares tag: Kimsuky • Published within a month

2024-09-10 • 80% Match

2024-09-10 KIMSUKY (North Korean APT) Sample (Sakai @sakaijjan - Terms and Conditions.msc)

Contagio

#Kimsuky #MSC

Shares tag: Kimsuky • Published within a month

« Back