{
    "type": "bundle",
    "id": "bundle--a99e05fb-c7a1-4f99-be01-ab97ea5eb11c",
    "objects": [
        {
            "type": "identity",
            "spec_version": "2.1",
            "id": "identity--49cc63f3-b5a1-4d5c-be95-7453281b704f",
            "created": "2024-07-15T12:08:31.764005Z",
            "modified": "2025-06-30T05:06:50.380749Z",
            "name": "Darkatlas",
            "identity_class": "organization"
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--1ab3cb7f-f6ca-47fe-926a-86d6aed93218",
            "created": "2026-06-24T18:11:24.187026Z",
            "modified": "2026-06-24T18:11:24.187026Z",
            "name": "YARA Rule: TrollAgent_Kimsuky_Stealer",
            "pattern": "rule TrollAgent_Kimsuky_Stealer { meta: description = \"Detect TrollAgent Stealer\" author = \"Dark Atlas Squad\" date = \"2024-07-14\" strings: $ex1 = \"rollbackHookTrampoline\" wide ascii $ex2 = \"preUpdateHookTrampoline\" wide ascii $ex3 = \"compareTrampoline\" wide ascii $ex4 = \"doneTrampoline\" wide ascii $ex5 = \"authorizerTrampoline\" wide ascii condition: uint16(0) == 0x5a4d and pe.characteristics & pe.DLL and all of them and pe.number_of_exports > 11 and for any i in (0 .. pe.number_of_sections) : ( pe.sections[i].name == \".vmp0\" or pe.sections[i].name == \".vmp1\" ) }",
            "pattern_type": "yara",
            "valid_from": "2024-07-15T00:00:00Z"
        },
        {
            "type": "file",
            "spec_version": "2.1",
            "id": "file--93eb440f-77c1-419d-be9c-6fac889105d5",
            "hashes": {
                "MD5": "2e5f2a154e1b67cd0d6a2f6b5feb6de7"
            }
        },
        {
            "type": "file",
            "spec_version": "2.1",
            "id": "file--6595dd02-bda9-4f41-ae88-95e4be1f2661",
            "hashes": {
                "MD5": "3b596ca429cf1b733f1ff3676189e44a"
            }
        },
        {
            "type": "file",
            "spec_version": "2.1",
            "id": "file--91c0a32d-fc6e-441b-b2de-70075c50ba19",
            "hashes": {
                "MD5": "045f28a479ba19a95c0407a663e2f188"
            }
        },
        {
            "type": "file",
            "spec_version": "2.1",
            "id": "file--4e3e365f-3f36-40be-ad35-017b114b79a2",
            "hashes": {
                "MD5": "9e75705b4930f50502bcbd740fc3ece1"
            }
        },
        {
            "type": "file",
            "spec_version": "2.1",
            "id": "file--913da24a-cb95-470a-a8f8-8683850bb629",
            "hashes": {
                "MD5": "a67cf9add2905c11f5c466bc01d554b0"
            }
        },
        {
            "type": "url",
            "spec_version": "2.1",
            "id": "url--3593f81e-60fa-4527-a7b6-83708d5eacba",
            "value": "http://sa.netup.p-e.kr/index.php"
        },
        {
            "type": "url",
            "spec_version": "2.1",
            "id": "url--e8788c7a-f67d-433d-acda-9fcc1dfc3ff5",
            "value": "http://dl.netup.p-e.kr/index.php"
        },
        {
            "type": "domain-name",
            "spec_version": "2.1",
            "id": "domain-name--2472c579-3042-4dc2-94c1-8c15d1175789",
            "value": "sa.netup.p-e.kr"
        },
        {
            "type": "domain-name",
            "spec_version": "2.1",
            "id": "domain-name--467d4d98-b0eb-40da-980f-2097f01267a9",
            "value": "dl.netup.p-e.kr"
        },
        {
            "type": "file",
            "spec_version": "2.1",
            "id": "file--d8a1157c-61d9-4311-a2b8-123ccadba0fe",
            "hashes": {
                "SHA-256": "2e0ffaab995f22b7684052e53b8c64b9283b5e81503b88664785fe6d6569a55e"
            }
        },
        {
            "type": "file",
            "spec_version": "2.1",
            "id": "file--47fcd9a6-b235-45e5-94b9-5c6d7e908773",
            "hashes": {
                "MD5": "7457dc037c4a5f3713d9243a0dfb1a2c"
            }
        },
        {
            "type": "file",
            "spec_version": "2.1",
            "id": "file--9af1c554-d7c1-4334-a56e-90bf90faf2a2",
            "hashes": {
                "MD5": "88f183304b99c897aacfa321d58e1840"
            }
        },
        {
            "type": "file",
            "spec_version": "2.1",
            "id": "file--5b9bae94-6491-48e1-97bd-b5bc0d06c018",
            "hashes": {
                "MD5": "27ef6917fe32685fdf9b755eb8e97565"
            }
        },
        {
            "type": "file",
            "spec_version": "2.1",
            "id": "file--f1427f19-cd4c-4a93-bc73-214ecf7018a1",
            "hashes": {
                "MD5": "7b6d02a459fdaa4caa1a5bf741c4bd42"
            }
        },
        {
            "type": "file",
            "spec_version": "2.1",
            "id": "file--ab025434-4079-4d14-a797-9f97c1d9c813",
            "hashes": {
                "MD5": "c8e7b0d3b6afa22e801cacaf16b37355"
            }
        },
        {
            "type": "url",
            "spec_version": "2.1",
            "id": "url--8bebe6a1-1beb-45a1-80d3-74a7ad87ba2b",
            "value": "http://qi.limsjo.p-e.kr/index.php"
        },
        {
            "type": "url",
            "spec_version": "2.1",
            "id": "url--63a4722d-8ddc-457f-a6b6-6e5f1a3cd43c",
            "value": "http://ol.negapa.p-e.kr/index.php"
        },
        {
            "type": "url",
            "spec_version": "2.1",
            "id": "url--888e6bd4-f278-400c-a374-bb62c934120f",
            "value": "http://ai.negapa.p-e.kr/index.php"
        },
        {
            "type": "url",
            "spec_version": "2.1",
            "id": "url--8cfb1781-c7f1-4b76-92e2-721d5ff352e4",
            "value": "http://ar.kostin.p-e.kr/index.php"
        },
        {
            "type": "domain-name",
            "spec_version": "2.1",
            "id": "domain-name--59bf25ac-0dd6-44d1-a941-55b10f0b55a6",
            "value": "ai.negapa.p-e.kr"
        },
        {
            "type": "domain-name",
            "spec_version": "2.1",
            "id": "domain-name--4021851c-cd46-4620-88ee-d6ade3210b99",
            "value": "ar.kostin.p-e.kr"
        },
        {
            "type": "domain-name",
            "spec_version": "2.1",
            "id": "domain-name--32cc4c56-b274-4ee9-92c2-4922895e6738",
            "value": "ol.negapa.p-e.kr"
        },
        {
            "type": "domain-name",
            "spec_version": "2.1",
            "id": "domain-name--b087534e-3965-4a3f-8a8e-e473cb91a00e",
            "value": "qi.limsjo.p-e.kr"
        },
        {
            "type": "threat-actor",
            "spec_version": "2.1",
            "id": "threat-actor--3cad7692-b5b4-565b-88b1-63998b3f44a1",
            "created": "2026-06-24T18:11:24.201356Z",
            "modified": "2026-06-24T18:11:24.201356Z",
            "name": "Kimsuky"
        },
        {
            "type": "report",
            "spec_version": "2.1",
            "id": "report--1d13e468-cb6a-4d61-a103-b9c55f34f35a",
            "created_by_ref": "identity--49cc63f3-b5a1-4d5c-be95-7453281b704f",
            "created": "2026-06-24T18:11:24.227442Z",
            "modified": "2026-06-24T18:11:24.227442Z",
            "name": "Kimsuky APT: The TrollAgent Stealer Analysis",
            "published": "2024-07-15T00:00:00Z",
            "object_refs": [
                "identity--49cc63f3-b5a1-4d5c-be95-7453281b704f",
                "indicator--1ab3cb7f-f6ca-47fe-926a-86d6aed93218",
                "file--93eb440f-77c1-419d-be9c-6fac889105d5",
                "file--6595dd02-bda9-4f41-ae88-95e4be1f2661",
                "file--91c0a32d-fc6e-441b-b2de-70075c50ba19",
                "file--4e3e365f-3f36-40be-ad35-017b114b79a2",
                "file--913da24a-cb95-470a-a8f8-8683850bb629",
                "url--3593f81e-60fa-4527-a7b6-83708d5eacba",
                "url--e8788c7a-f67d-433d-acda-9fcc1dfc3ff5",
                "domain-name--2472c579-3042-4dc2-94c1-8c15d1175789",
                "domain-name--467d4d98-b0eb-40da-980f-2097f01267a9",
                "file--d8a1157c-61d9-4311-a2b8-123ccadba0fe",
                "file--47fcd9a6-b235-45e5-94b9-5c6d7e908773",
                "file--9af1c554-d7c1-4334-a56e-90bf90faf2a2",
                "file--5b9bae94-6491-48e1-97bd-b5bc0d06c018",
                "file--f1427f19-cd4c-4a93-bc73-214ecf7018a1",
                "file--ab025434-4079-4d14-a797-9f97c1d9c813",
                "url--8bebe6a1-1beb-45a1-80d3-74a7ad87ba2b",
                "url--63a4722d-8ddc-457f-a6b6-6e5f1a3cd43c",
                "url--888e6bd4-f278-400c-a374-bb62c934120f",
                "url--8cfb1781-c7f1-4b76-92e2-721d5ff352e4",
                "domain-name--59bf25ac-0dd6-44d1-a941-55b10f0b55a6",
                "domain-name--4021851c-cd46-4620-88ee-d6ade3210b99",
                "domain-name--32cc4c56-b274-4ee9-92c2-4922895e6738",
                "domain-name--b087534e-3965-4a3f-8a8e-e473cb91a00e",
                "threat-actor--3cad7692-b5b4-565b-88b1-63998b3f44a1"
            ],
            "external_references": [
                {
                    "source_name": "Darkatlas",
                    "url": "https://darkatlas.io/blog/kimsuky-apt-the-trollagent-stealer-analysis"
                }
            ]
        }
    ]
}