Kimsuky APT continues to target South Korean government using AppleSeed backdoor

2021-06-01 Malwarebytes

https://blog.malwarebytes.com/threat-analysis/2021/06/kimsuky-apt-continues-to-target-south-korean-government-using-appleseed-backdoor/


Malwarebytes tracked Kimsuky, also known as Thallium, Black Banshee, and Velvet Chollima, using phishing sites, malicious documents, and scripts against high-profile South Korean government targets. One lure translated as “Ministry of Foreign Affairs Edition 2021-05-07,” and the victim set included South Korean foreign-affairs officials and related diplomatic roles. The actor built credential-harvesting pages that mimicked Google, Gmail, Yahoo, and other services, adapted the pages for Korean or English users, and used Twitter and Gmail accounts to research targets and register infrastructure. The same infrastructure was reused for AppleSeed command-and-control, with the Windows and Android backdoors sharing command patterns and C2 domains such as riseknite.life, ikpoo.cf, travelmountain.ml, and letterpaper.press.

Indicators of Compromise

Type Value First Seen Last Seen
IPv4 58.229.208.146 2021-06-01 2025-09-14
IPv4 27.102.114.89 2021-06-01 2023-11-01
IPv4 27.102.107.63 2021-06-01 2023-11-01
EMAIL [email protected] 2021-06-01 2021-06-01
URL http://myaccount.google.nkaac.n… 2021-06-01 2021-06-01
URL https://signin.gmrail.ml 2021-06-01 2021-06-01
URL https://accounts.grnail-signing… 2021-06-01 2021-06-01
URL https://signin.grnail-login.ml 2021-06-01 2021-06-01
URL https://protect.grnail-signin.g… 2021-06-01 2021-06-01
URL https://myaccount.google-signin… 2021-06-01 2021-06-01
URL https://myaccounts-gmail.autho.… 2021-06-01 2021-06-01
URL https://myaccount.grnail-securi… 2021-06-01 2021-06-01
URL https://myaccounts.grnail-signi… 2021-06-01 2021-06-01
URL http://accounts.goggle.hol.es/M… 2021-06-01 2021-06-01
URL https://myaccount.grnail-signin… 2021-06-01 2021-06-01
URL https://myaccount.grnail-signin… 2021-06-01 2021-06-01
URL https://login.gmeil.kro.kr 2021-06-01 2021-06-01
URL https://accounts.google-manager… 2021-06-01 2021-06-01
URL https://accounts.grnail-signin.… 2021-06-01 2021-06-01
URL http://myaccount.google.newkda.… 2021-06-01 2021-06-01
URL https://myaccount.google.newkda… 2021-06-01 2021-06-01
URL https://account.googgle.kro.kr 2021-06-01 2021-06-01
URL https://login.gmail-account.gq 2021-06-01 2021-06-01
URL https://accounts.google-signin.… 2021-06-01 2021-06-01
URL https://account.grnail-signin.g… 2021-06-01 2021-06-01
URL http://myaccounts-gmail.kr-info… 2021-06-01 2021-06-01
URL http://myaccount.cgmail.pe.hu/s… 2021-06-01 2021-06-01
DOMAIN accounts.grnail-signin.ga 2021-06-01 2021-06-01
DOMAIN signin.gmrail.ml 2021-06-01 2021-06-01
DOMAIN myaccount.google.newkda.com 2021-06-01 2021-06-01
DOMAIN accounts.google-signin.ga 2021-06-01 2021-06-01
DOMAIN account.grnail-signin.ga 2021-06-01 2021-06-01
DOMAIN myaccount.google.nkaac.net 2021-06-01 2021-06-01
DOMAIN login.gmeil.kro.kr 2021-06-01 2021-06-01
DOMAIN accounts.grnail-signing.work 2021-06-01 2021-06-01
DOMAIN signin.grnail-login.ml 2021-06-01 2021-06-01
DOMAIN login.gmail-account.gq 2021-06-01 2021-06-01
DOMAIN accounts.goggle.hol.es 2021-06-01 2021-06-01
DOMAIN myaccount.grnail-signing.work 2021-06-01 2021-06-01
DOMAIN myaccounts-gmail.kr-infos.com 2021-06-01 2021-06-01
DOMAIN accounts.google-manager.ga 2021-06-01 2021-06-01
DOMAIN myaccount.google-signin.ga 2021-06-01 2021-06-01
DOMAIN myaccount.cgmail.pe.hu 2021-06-01 2021-06-01
DOMAIN account.googgle.kro.kr 2021-06-01 2021-06-01
DOMAIN protect.grnail-signin.ga 2021-06-01 2021-06-01
DOMAIN myaccounts.grnail-signin.ga 2021-06-01 2021-06-01
DOMAIN myaccounts-gmail.autho.co 2021-06-01 2021-06-01
DOMAIN myaccount.grnail-signin.ga 2021-06-01 2021-06-01
DOMAIN myaccount.grnail-security.work 2021-06-01 2021-06-01
IPv4 210.16.121.137 2021-06-01 2021-06-01
IPv4 45.58.55.73 2021-06-01 2021-06-01
IPv4 216.189.157.89 2021-06-01 2021-06-01
IPv4 210.16.120.34 2021-06-01 2021-06-01
IPv4 45.13.135.103 2020-03-04 2021-06-01
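The phishing hosts above imitate Google and Gmail through misspellings ("gmeil", "goggle"), homoglyph substitutions ("grnail" for "gmail"), and brand names used as subdomains of unrelated registrable domains ("google.newkda.com"). The following is an added detection example, not code from the Malwarebytes report: it parses rows in the format of the IoC table, extracts the hostname of each DOMAIN or URL indicator, and flags hosts that sit within one edit of a protected brand after confusable normalisation, or that embed a brand name outside its legitimate domain. The brand list, the confusable table, the legitimate-domain allowlist, and the two non-phishing sample rows are assumptions constructed for the example; the other sample rows are taken from the table above.

```python
import re
from urllib.parse import urlparse

# Brands imitated by the phishing hosts in the report's IoC list (assumption:
# this list is ours, chosen from the services the summary names).
PROTECTED_BRANDS = ("google", "gmail", "yahoo")

# Hosts that legitimately carry those brand names; anything under them is not
# a lookalike (assumption: a real deployment would use a fuller allowlist).
LEGITIMATE_DOMAINS = ("google.com", "gmail.com", "yahoo.com")

# Generic tokens that sit one edit away from a brand but are not suspicious
# on their own ("mail" is one insertion from "gmail").
GENERIC_TOKENS = {"mail", "email", "webmail"}

# Character sequences that read as another letter in common fonts.
# "rn" -> "m" is what turns "grnail" into "gmail".
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"))


def normalize_label(label):
    """Lower-case a hostname token and collapse visually confusable sequences."""
    norm = label.lower()
    for src, dst in CONFUSABLES:
        norm = norm.replace(src, dst)
    return norm


def levenshtein(a, b):
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_brand(hostname, max_distance=1):
    """Return the brand a hostname imitates, or None if it looks legitimate.

    A host is a lookalike when it is not under a legitimate brand domain and
    any token of it (split on '.', '-', '_') either contains a brand name
    ("cgmail", or "google" used as a subdomain of newkda.com) or is within
    max_distance edits of one after confusable normalisation ("gmeil",
    "goggle", "grnail").
    """
    host = hostname.lower().rstrip(".")
    if any(host == d or host.endswith("." + d) for d in LEGITIMATE_DOMAINS):
        return None
    for token in re.split(r"[.\-_]", host):
        if len(token) < 4 or token in GENERIC_TOKENS:
            continue  # short TLD labels and generic words add only noise
        norm = normalize_label(token)
        for brand in PROTECTED_BRANDS:
            if brand in norm or levenshtein(norm, brand) <= max_distance:
                return brand
    return None


# One row of the IoC table: "<TYPE> <value> <first seen> <last seen>".
IOC_ROW = re.compile(
    r"^(?P<type>DOMAIN|URL|IPv4|EMAIL)\s+(?P<value>\S+)\s+\d{4}-\d{2}-\d{2}\s+\d{4}-\d{2}-\d{2}$"
)


def hostname_of(ioc_type, value):
    """Extract the hostname from a DOMAIN or URL indicator; other types have none."""
    if ioc_type == "DOMAIN":
        return value
    if ioc_type == "URL":
        return urlparse(value).hostname
    return None


def scan_iocs(rows):
    """Return a list of (value, brand) for every DOMAIN/URL row that imitates a brand."""
    flagged = []
    for row in rows:
        m = IOC_ROW.match(row.strip())
        if not m:
            continue  # blank lines, the header row, rows with truncated values
        host = hostname_of(m["type"], m["value"])
        brand = lookalike_brand(host) if host else None
        if brand:
            flagged.append((m["value"], brand))
    return flagged


# Constructed sample input: DOMAIN/URL rows copied from the table above, plus
# two constructed rows (a real Google host and an IP) that must not be flagged.
SAMPLE_IOCS = """
DOMAIN accounts.grnail-signin.ga 2021-06-01 2021-06-01
DOMAIN signin.gmrail.ml 2021-06-01 2021-06-01
DOMAIN myaccount.google.newkda.com 2021-06-01 2021-06-01
DOMAIN login.gmeil.kro.kr 2021-06-01 2021-06-01
DOMAIN accounts.goggle.hol.es 2021-06-01 2021-06-01
DOMAIN myaccount.cgmail.pe.hu 2021-06-01 2021-06-01
DOMAIN account.googgle.kro.kr 2021-06-01 2021-06-01
URL https://login.gmail-account.gq 2021-06-01 2021-06-01
DOMAIN accounts.google.com 2021-06-01 2021-06-01
IPv4 58.229.208.146 2021-06-01 2025-09-14
""".strip().splitlines()

if __name__ == "__main__":
    for value, brand in scan_iocs(SAMPLE_IOCS):
        print(f"{value:35} imitates {brand}")
```

The allowlist check runs before any similarity scoring, so brand hosts such as accounts.google.com are never flagged, while the same brand token under a third-party registrable domain is. Running the block over the sample rows flags the eight phishing hosts and leaves the legitimate host and the IP untouched; in practice the same `lookalike_brand` check can be applied to DNS query logs or proxy logs rather than a published IoC list.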

Related Actors

Related Reports

2024-09-12 • 48% Match
#Kimsuky #T1102.002 #T1082 #T1059.003 #T1567.002 #T1140 #T1005 #T1070.004 #T1587.001 #T1041 #T1608.001 #T1071.001 #T1112 #T1083 #T1056.001 #T1059.006 #T1204.001 #T1059.007 #T1036 #T1027 #T1204.002 #T1566.002 #T1555.003 #T1057 #T1059.005 #T1583.006 #T1518.001 #T1566.001 #T1547.001 #T1585.002 #T1053.005 #T1598.003 #T1583.001 #T1059.001 #T1036.005 #T1552.001 #T1585.001 #T1105 #T1219 #T1055 #T1553.002 #T1562.001 #T1027.002 #T1133 #T1190 #T1098 #T1016 #T1074.001 #T1588.002 #T1055.012 #T1587 #T1078.003 #T1071.002 #T1562.004 #T1550.002 #T1111 #T1071.003 #T1591 #T1003.001 #T1218.011 #T1593.002 #T1586.002 #T1588.005 #T1583.004 #T1036.004 #T1589.003 #T1594 #T1218.010 #T1557 #T1593.001 #T1218.005 #T1589.002 #T1584.001 #T1070.006 #T1021.001 #T1560.001 #T1176 #T1136.001 #T1543.003 #T1012 #T1534 #T1560.003 #T1007 #T1564.003 #T1114.003 #T1114.002 #T1564.002 #T1040 #T1546.001 #T1505.003
Shares tags: Kimsuky, T1082, T1140
2026-01-13 • 43% Match
#Kimsuky #T1102.002 #T1059.003 #T1567.002 #T1070.004 #T1587.001 #T1041 #T1608.001 #T1071.001 #T1112 #T1056.001 #T1059.006 #T1204.001 #T1059.007 #T1027 #T1204.002 #T1566.002 #T1555.003 #T1059.005 #T1583.006 #T1566.001 #T1585.002 #T1053.005 #T1598.003 #T1583.001 #T1059.001 #T1036.005 #T1566 #T1585.001 #T1656 #T1205 #T1105 #T1055 #T1553.002 #T1620 #T1102.001 #T1027.002 #T1133 #T1190 #T1593 #T1588.002 #T1657 #T1055.012 #T1587 #T1078.003 #T1071.002 #T1562.004 #T1550.002 #T1111 #T1071.003 #T1591 #T1003.001 #T1218.011 #T1585 #T1593.002 #T1598 #T1583 #T1586.002 #T1588.005 #T1583.004 #T1036.004 #T1588.003 #T1589.003 #T1594 #T1218.010 #T1557 #T1219.002 #T1593.001 #T1218.005 #T1589.002 #T1584.001 #T1070.006 #T1596
Shares tags: Kimsuky, T1070.004, T1587.001
2024-07-19 • 42% Match
#Trend #Andariel #Kimsuky #MoonstoneSleet #Lazarus #T1082 #T1059.003 #T1090 #T1140 #T1005 #T1070.004 #T1041 #T1113 #T1555 #T1560 #T1071.001 #T1046 #T1112 #T1115 #T1083 #T1497 #T1056.001 #T1036 #T1027 #T1204.002 #T1566.002 #T1555.003 #T1071 #T1124 #T1222 #T1552 #T1057 #T1583.003 #T1518.001 #T1547.001 #T1053.005 #T1539 #T1608.005 #T1583.001 #T1059.001 #T1053 #T1552.001 #T1566 #T1059 #T1003 #T1497.001 #T1102.001 #T1574.002 #T1562.001 #T1490 #T1486 #T1129 #T1133 #T1571 #T1548 #T1190 #T1203 #T1564.001 #T1087 #T1562.004 #T1218.011 #T1070.006 #T1547 #T1068 #T1614 #T1573 #T1095 #T1562 #T1070 #T1047 #T1056 #T1176 #T1010 #T1033 #T1569.002 #T1543.003 #T1485 #T1012 #T1202 #T1087.002 #T1021.004 #T1222.001 #T1518 #T1564.003 #T1505.003 #T1069.002 #T1564 #T1595.002 #T1027.005 #T1070.001 #T1056.004 #T1584
Shares tags: Kimsuky, T1082, T1140