Kimsuky’s GoldDragon cluster and its C2 operations

2022-08-25 • Kaspersky •

https://securelist.com/kimsukys-golddragon-cluster-and-its-c2-operations/107258/

#Kimsuky #GoldDragon

Thumbnail for Kimsuky’s GoldDragon cluster and its C2 operations

Kaspersky describes a Kimsuky GoldDragon cluster campaign against South Korean media and think-tank targets, using spear-phishing emails that led victims to macro-enabled Word documents or Hangeul decoys tied to Korean Peninsula geopolitical themes. The infection chain abused HTA and VBS components hosted on legitimate blog and commercial hosting services before delivering Windows malware capable of collecting file lists, keystrokes, and stored browser credentials. Server-side C2 scripts verified victim email, IP address, operating system, and user-agent values before serving payloads, reducing exposure during analysis. The report highlights Kimsuky’s multi-stage C2 tradecraft and rapid tool updates for DPRK-linked espionage operations.

Indicators of Compromise

Type	Value	First Seen	Last Seen
DOMAIN	ac.kr	2013-06-26	2025-09-14
URL	http://yulsohnyonsei.atwebpages…	2022-08-25	2022-09-14
URL	http://yulsohnyonsei.atwewbpage…	2022-08-25	2022-09-14
DOMAIN	yulsohnyonsei.atwewbpages.com	2022-08-25	2022-09-14
DOMAIN	yulsohnyonsei.atwebpages.com	2022-08-25	2022-09-14
HASH	b237b484c5c0fb020952e99b1134a527	2022-08-25	2022-08-30
HASH	596251e844abdaa77eeca905f0cb7677	2022-08-25	2022-08-30
HASH	8289771e7eeffd28fb8a9e1bdeb3e86c	2022-08-25	2022-08-30
HASH	238e6952a990fd3f6b75569feceb26a2	2022-08-25	2022-08-30
HASH	8735788b2422c7ab910953178af57376	2022-08-25	2022-08-30
HASH	809f60589ee8be7daf075446c2180eaa	2022-08-25	2022-08-30
HASH	85f24b0f10b77b033e6e66ae8b7d55fc	2022-08-25	2022-08-30
HASH	96f5ef3d58a750a6db60f2e0566dc6e6	2022-08-25	2022-08-30
HASH	7a3e966d30fe5d52cfe97d998e8c49cb	2022-08-25	2022-08-30
HASH	c0097cfa2e05ab1d18cf3dad93d98050	2022-08-25	2022-08-30
HASH	490b2496434e6a20dae758d0b6fc6e00	2022-08-25	2022-08-30
HASH	b80d15cbb729e6ca86e3b41924407c30	2022-08-25	2022-08-30
HASH	dfb8d00ce89172bfc7ee7b73b37129a9	2022-08-25	2022-08-30
HASH	7fb868e6baf93a86d7a6a17ac00f4827	2022-08-25	2022-08-30
HASH	3fa45dcacf2193759086319c0d264341	2022-08-25	2022-08-30
HASH	b6ba7e07b4867e4bd36dc9713744aedc	2022-08-25	2022-08-30
HASH	56b5fec59e118ba324ccee8a336f7f12	2022-08-25	2022-08-30
HASH	c5ad15506ab05f054d547587111d6393	2022-08-25	2022-08-30
HASH	75ae786fe89491dc57509801c212fa8b	2022-08-25	2022-08-30
HASH	c4a69dab3f8369d2f823c538590de345	2022-08-25	2022-08-30
HASH	40de99fb06e52e3364f2cd70f100ff71	2022-08-25	2022-08-30
HASH	3265b2d5e61971c43a076347fb405c4b	2022-08-25	2022-08-30
HASH	a871511ef8abae9f103a3dfe77b12b6d	2022-08-25	2022-08-30
HASH	5b5247ee7b43f51092ab07a1d1a31936	2022-08-25	2022-08-30
HASH	edde6a385c86f60342831f24c3651925	2022-08-25	2022-08-30
HASH	d9f2acfed7ede76f110334e2c572b74e	2022-08-25	2022-08-30
HASH	56df55ef50e9b9c891437c7148a0764a	2021-11-19	2022-08-30
HASH	5f38c57f83ee5d682ddf692442204fba	2022-08-25	2022-08-25
HASH	25eed4e06f9ed309331aaa6418ebd90d	2022-08-25	2022-08-25
URL	http://faust22.mypressonline.co…	2022-08-25	2022-08-25
URL	http://yulsohnyonsei.medianewso…	2022-08-25	2022-08-25
URL	http://hochulindddcheon.mypress…	2022-08-25	2022-08-25
URL	http://weworld78.atwebpages.com…	2022-08-25	2022-08-25
URL	http://hochulincheon.mypressonl…	2022-08-25	2022-08-25
URL	http://dmengineer.co.kr/images/…	2022-08-25	2022-08-25
URL	http://weworld79.mygamesonline.…	2022-08-25	2022-08-25
URL	http://yulsohnyonsei.medianewso…	2022-08-25	2022-08-25
URL	http://21nari.scienceontheweb.n…	2022-08-25	2022-08-25
URL	http://dmengineer.co.kr/images/…	2022-08-25	2022-08-25
URL	http://hochulincheon.mypressonl…	2022-08-25	2022-08-25
URL	http://hochulidncheon.mypresson…	2022-08-25	2022-08-25
URL	http://weworld78.atwebpages.com…	2022-08-25	2022-08-25
URL	http://yulsohnyonsei.medianewso…	2022-08-25	2022-08-25
URL	http://hochuliasdfasfdncheon.my…	2022-08-25	2022-08-25
URL	http://21nari.getenjoyment.net/…	2022-08-25	2022-08-25
URL	http://o61666ch.getenjoyment.ne…	2022-08-25	2022-08-25
URL	http://o61666ch.getenjoyment.ne…	2022-08-25	2022-08-25
URL	http://glib-warnings.000webhost…	2022-08-25	2022-08-25
URL	http://glib-warnings.000webhost…	2022-08-25	2022-08-25
URL	http://chunyg21.sportsontheweb.…	2022-08-25	2022-08-25
URL	http://hochulincddheon.mypresso…	2022-08-25	2022-08-25
URL	http://yulsohnyonsei.medianewso…	2022-08-25	2022-08-25
URL	http://koreajjjjj.sportsonthewe…	2022-08-25	2022-08-25
URL	http://hochulincheon.mypressonl…	2022-08-25	2022-08-25
URL	http://yulsohnyonsei.medianewso…	2022-08-25	2022-08-25
URL	http://hochulindcheon.mypresson…	2022-08-25	2022-08-25
URL	http://leehr36.mypressonline.co…	2022-08-25	2022-08-25
URL	http://koreajjjjj.atwebpages.co…	2022-08-25	2022-08-25
URL	http://chunyg21.sportsontheweb.…	2022-08-25	2022-08-25
URL	http://hochulinsfdgasdfcheon.my…	2022-08-25	2022-08-25
URL	http://weworld78.atwebpages.com…	2022-08-25	2022-08-25
URL	http://dmengineer.co.kr/images/…	2022-08-25	2022-08-25
URL	http://hochdlincheon.mypressonl…	2022-08-25	2022-08-25
URL	http://weworld59.myartsonline.c…	2022-08-25	2022-08-25
URL	http://21nari.mypressonline.com…	2022-08-25	2022-08-25
URL	http://hochulincheon.mypressonl…	2022-08-25	2022-08-25
URL	http://hochulincheon.mypressonl…	2022-08-25	2022-08-25
URL	http://yulsohnyonsei.medianewso…	2022-08-25	2022-08-25
URL	http://hochulidncheon.mypresson…	2022-08-25	2022-08-25
URL	http://leehr24.mywebcommunity.o…	2022-08-25	2022-08-25
URL	http://chmguide.atwebpages.com/…	2022-08-25	2022-08-25
URL	http://kpsa20201.getenjoyment.n…	2022-08-25	2022-08-25
URL	http://hochulincheon.mypressonl…	2022-08-25	2022-08-25
URL	http://faust22.mypressonline.co…	2022-08-25	2022-08-25
URL	http://glib-warnings.000webhost…	2022-08-25	2022-08-25
URL	http://hochulincheon.mypressonl…	2022-08-25	2022-08-25
URL	http://hochulincheon.mypressonl…	2022-08-25	2022-08-25
DOMAIN	kpsa20201.getenjoyment.net	2022-08-25	2022-08-25
DOMAIN	koreajjjjj.atwebpages.com	2022-08-25	2022-08-25
DOMAIN	hochulincddheon.mypressonline.c…	2022-08-25	2022-08-25
DOMAIN	attachment.a0001.net	2022-08-25	2022-08-25
DOMAIN	dmengineer.co.kr	2022-08-25	2022-08-25
DOMAIN	hochulidncheon.mypressonline.com	2022-08-25	2022-08-25
DOMAIN	21nari.mypressonline.com	2022-08-25	2022-08-25
DOMAIN	weworld79.mygamesonline.org	2022-08-25	2022-08-25
DOMAIN	global.onedriver.epizy.com	2022-08-25	2022-08-25
DOMAIN	hochuliasdfasfdncheon.mypresson…	2022-08-25	2022-08-25
DOMAIN	hochulincheon.mypressonline.com	2022-08-25	2022-08-25
DOMAIN	hochulinsfdgasdfcheon.mypresson…	2022-08-25	2022-08-25
DOMAIN	bigfile.totalh.net	2022-08-25	2022-08-25
DOMAIN	chunyg21.sportsontheweb.net	2022-08-25	2022-08-25
DOMAIN	faust22.mypressonline.com	2022-08-25	2022-08-25
DOMAIN	leehr24.mywebcommunity.org	2022-08-25	2022-08-25
DOMAIN	weworld78.atwebpages.com	2022-08-25	2022-08-25
DOMAIN	21nari.scienceontheweb.net	2022-08-25	2022-08-25
DOMAIN	global.web1337.net	2022-08-25	2022-08-25
DOMAIN	hochdlincheon.mypressonline.com	2022-08-25	2022-08-25
DOMAIN	leehr36.mypressonline.com	2022-08-25	2022-08-25
DOMAIN	hochulindddcheon.mypressonline.…	2022-08-25	2022-08-25
DOMAIN	glib-warnings.000webhostapp.com	2022-08-25	2022-08-25
DOMAIN	weworld59.myartsonline.com	2022-08-25	2022-08-25
DOMAIN	attach.42web.io	2022-08-25	2022-08-25
DOMAIN	21nari.getenjoyment.net	2022-08-25	2022-08-25
DOMAIN	hochulindcheon.mypressonline.com	2022-08-25	2022-08-25
DOMAIN	chmguide.atwebpages.com	2022-08-25	2022-08-25
DOMAIN	koreajjjjj.sportsontheweb.net	2022-01-25	2022-08-25
DOMAIN	yulsohnyonsei.medianewsonline.c…	2022-01-25	2022-08-25
DOMAIN	o61666ch.getenjoyment.net	2021-11-10	2022-08-25
URL	http://0knw2300.mypressonline.c…	2021-10-15	2022-08-25
DOMAIN	0knw2300.mypressonline.com	2021-10-15	2022-08-25

Related Actors

Kimsuky

Kaspersky

First seen: Sep 2013

Last seen: Jun 2026

Related Reports

2023-03-06 • 70% Match

Understanding the Context of Cyber Threats: Lessons from the Kimsuky Group Attack

Kaspersky

#Kimsuky #GoldDragon

Shares tags: Kimsuky, GoldDragon • Same author: Kaspersky

2022-08-27 • 70% Match

What if.. We Can See Another Dimension of Cyber Attacks?

Kaspersky

#Kimsuky #Slides

Shares tag: Kimsuky • Same author: Kaspersky • Published within a week

2022-03-18 • 65% Match

탄소배출 전문기업 타겟 워드문서 공격

Ahnlab

#Kimsuky #GoldDragon

Shares tags: Kimsuky, GoldDragon

2022-09-14 • 61% Match

来自Kimsuky组织的突刺：多种攻击武器针对韩国的定向猎杀

Qianxin

#Kimsuky

Shares tag: Kimsuky • Shares 4 IOCs • Published within a month

2024-12-27 • 60% Match

Exposing the Steps of the Kimsuky APT Group

Picus Security

#Kimsuky #GoldDragon #xRAT #RandomQuery #T1082 #T1560 #T1071.001 #T1056.001 #T1059.004 #T1027 #T1059.005 #T1566.001 #T1547.001 #T1059.001 #T1003 #T1219 #T1055 #T1573.001 #T1074.001 #T1562.004 #T1048 #T1114.003

Shares tags: Kimsuky, GoldDragon

2022-09-07 • 60% Match

S/2022/668 Midterm report of the Panel of Experts

UN

#DreamJob #Kimsuky #Sanctions #Bluenoroff #NukeSped #Stonefly #VHD

Shares tag: Kimsuky • Published within a month

« Back