{
    "type": "bundle",
    "id": "bundle--32a6c8e8-fff6-4bbc-8887-b6413ef956b5",
    "objects": [
        {
            "type": "identity",
            "spec_version": "2.1",
            "id": "identity--b30ab30c-aa6b-40ed-a5cd-d380ee04f5ca",
            "created": "2024-06-22T09:20:00.990747Z",
            "modified": "2024-06-22T09:20:00.990782Z",
            "name": "Cyberarmor",
            "identity_class": "organization"
        },
        {
            "type": "file",
            "spec_version": "2.1",
            "id": "file--c92758cb-8914-47aa-843e-9715e839861a",
            "hashes": {
                "MD5": "8346d90508b5d41d151b7098c7a3e868"
            }
        },
        {
            "type": "file",
            "spec_version": "2.1",
            "id": "file--914e53de-847b-46dd-b169-e239caabaa03",
            "hashes": {
                "MD5": "537806c02659a12c5b21efa51b2322c1"
            }
        },
        {
            "type": "domain-name",
            "spec_version": "2.1",
            "id": "domain-name--55234dcf-76e5-4b83-aec5-a23a3c9bd50e",
            "value": "download.uberlingen.com"
        },
        {
            "type": "file",
            "spec_version": "2.1",
            "id": "file--c65f1fd2-9e29-4377-8d78-c8a086db8f36",
            "hashes": {
                "MD5": "aa8936431f7bc0fabb0b9efb6ea153f9"
            }
        },
        {
            "type": "file",
            "spec_version": "2.1",
            "id": "file--9e821a22-0556-4394-9b98-fb12adbb6ffa",
            "hashes": {
                "MD5": "73d2899aade924476e58addf26254c2e"
            }
        },
        {
            "type": "file",
            "spec_version": "2.1",
            "id": "file--cf34c206-08c1-4c30-a698-4e9a1273cdfb",
            "hashes": {
                "MD5": "27d4ff7439694041ef86233c2b804e1f"
            }
        },
        {
            "type": "file",
            "spec_version": "2.1",
            "id": "file--e360ded4-ded8-4abb-ab77-f3fa5d7497d3",
            "hashes": {
                "MD5": "8d948bb863ea38ecb46b7e78d1b1abfa"
            }
        },
        {
            "type": "url",
            "spec_version": "2.1",
            "id": "url--c2bc54f9-1e05-4061-90ea-282bd4e8f220",
            "value": "http://imagedownload.ignorelist.com/index.php"
        },
        {
            "type": "url",
            "spec_version": "2.1",
            "id": "url--604876dd-3800-483d-8ddb-12d91952bd62",
            "value": "http://en.uberlingen.com/index.php"
        },
        {
            "type": "url",
            "spec_version": "2.1",
            "id": "url--e70e2c83-a131-4958-a826-7ae57e9e2cc5",
            "value": "http://playboys.chickenkiller.com/index.php"
        },
        {
            "type": "domain-name",
            "spec_version": "2.1",
            "id": "domain-name--73832d5f-106e-4920-b098-35b4f7f04baf",
            "value": "imagedownload.ignorelist.com"
        },
        {
            "type": "domain-name",
            "spec_version": "2.1",
            "id": "domain-name--2fecf269-4433-4a61-ad57-f4b58aeec09f",
            "value": "download-attachments.mooo.com"
        },
        {
            "type": "domain-name",
            "spec_version": "2.1",
            "id": "domain-name--203c09ed-4b5f-48b4-970e-4166261c86e2",
            "value": "en.uberlingen.com"
        },
        {
            "type": "domain-name",
            "spec_version": "2.1",
            "id": "domain-name--1e879598-89b2-4750-b576-a76a02179fed",
            "value": "playboys.chickenkiller.com"
        },
        {
            "type": "ipv4-addr",
            "spec_version": "2.1",
            "id": "ipv4-addr--d5a0c08a-3bf5-4d53-807e-1218d310ec80",
            "value": "67.217.62.219"
        },
        {
            "type": "url",
            "spec_version": "2.1",
            "id": "url--a380b125-abfe-4d55-b0d9-2dba3c2b665a",
            "value": "http://download.uberlingen.com/index.php"
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--ae41763c-61e3-4e21-b7d3-a29814ecc4ba",
            "created": "2026-06-24T19:53:15.800349Z",
            "modified": "2026-06-24T19:53:15.800349Z",
            "name": "YARA Rule",
            "pattern": "import \"pe\"\r\nrule NikiCert\r\n{\r\nmeta:\r\ndescription = \"Identifies Nexaweb digital certificate used in (likely) Kimsuky campaign.\"\r\nauthor = \"@bartblaze, @nsquar3\"\r\ndate = \"2024-06\"\r\ntlp = \"White\"\r\nhash_a =\r\n\"cca1705d7a85fe45dce9faec5790d498427b3fa8e546d7d7b57f18a925fdfa5d\"\r\nhash_b =\r\n\"000e2926f6e094d01c64ff972e958cd38590299e9128a766868088aa273599c7\"\r\ncondition:\r\nuint16(0) == 0x5A4D and\r\nfor any i in (0 .. pe.number_of_signatures) : (\r\npe.signatures[i].serial ==\r\n\"03:15:e1:37:a6:e2:d6:58:f0:7a:f4:54:c6:3a:0a:f2\"\r\n)\r\n}",
            "pattern_type": "yara",
            "valid_from": "2024-06-19T00:00:00Z"
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--464ab589-12f2-47e9-8c18-4c3d48492072",
            "created": "2026-06-24T19:53:15.801064Z",
            "modified": "2026-06-24T19:53:15.801064Z",
            "name": "YARA Rule",
            "pattern": "rule NikiGo\r\n{\r\nmeta:\r\ndescription = \"Identifies NikiGo, a Go dropper by (likely) Kimsuky.\"\r\nauthor = \"@bartblaze, @nsquar3\"\r\ndate = \"2024-06\"\r\ntlp = \"White\"\r\nhash =\r\n\"000e2926f6e094d01c64ff972e958cd38590299e9128a766868088aa273599c7\"\r\nstrings:\r\n$go = \"Go build ID:\"\r\n$func1 = \"main.ParseCommandLine\" ascii wide fullword\r\n$func2 = \"main.RunCmd\" ascii wide fullword\r\n$func3 = \"main.HttpGet\" ascii wide fullword\r\n$func4 = \"main.SelfDel\" ascii wide fullword\r\n$func5 = \"main.RandomBytes\" ascii wide fullword\r\n$pdb_src = \"C:/Users/niki/go/src/niki/auxiliary/engine-binder/main.go\" ascii\r\nwide\r\n$pdb_path = \"/Users/niki/go/src/niki/auxiliary/engine-binder/\" ascii wide\r\ncondition:\r\nuint16(0) == 0x5A4D and $go and (\r\nall of ($func*) or\r\nany of ($pdb*)\r\n)\r\n}",
            "pattern_type": "yara",
            "valid_from": "2024-06-19T00:00:00Z"
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--3b532b86-8f06-4567-b92a-19cc629e35a0",
            "created": "2026-06-24T19:53:15.801721Z",
            "modified": "2026-06-24T19:53:15.801721Z",
            "name": "YARA Rule",
            "pattern": "rule NikiHTTP\r\n{\r\nmeta:\r\ndescription = \"Identifies NikiHTTP, a versatile backdoor by (likely) Kimsuky.\"\r\nauthor = \"@bartblaze, @nsquar3\"\r\ndate = \"2024-06\"\r\ntlp = \"White\"\r\nhash_a =\r\n\"3314b6ea393e180c20db52448ab6980343bc3ed623f7af91df60189fec637744\"\r\nhash_b =\r\n\"c94a5817fcd6a4ea93d47d70b9f2b175923a8b325234a77f127c945ae8649874\"\r\nstrings:\r\n$cmd = {4? 8d 0d be 2f 03 00 4? 85 c0 4? 8d 15 8c 2f 03 00}\r\n$str_1 = \"%s%sc %s >%s 2>&1\" ascii wide\r\n$str_2 = \"%s%sc %s 2>%s\" ascii wide\r\n$str_3 = \"%s:info\" ascii wide\r\n//D:\\02.data\\03.atk-tools\\engine\\niki\\httpSpy\\..\\bin\\httpSpy.pdb\r\n$pdb_full = \"\\\\02.data\\\\03.atk-tools\\\\\" ascii wide\r\n$pdb_httpspy = \"\\\\bin\\\\httpSpy.pdb\" ascii wide\r\n$code = { 0f 57 c0 4? 89 7? ?? 33 c0 c7 4? ?? 68 00 00 00 0f 11 4? ?? c7 4?\r\n?? 01 00 00 00 66 4? 89 7? 00 0f 11 4? ?? 4? 89 4? ?? 0f 11 4? ?? c7 44 ?? ?? 53 71\r\n80 60 0f 11 4? ?? c7 44 ?? ?? 71 79 7c 5c 0f 11 4? ?? c7 44 ?? ?? 6d 80 74 63 0f 11\r\n4? ?? 88 44 ?? ?? 0f 11 4? ?? 0f 1f 44 00 00 }\r\ncondition:\r\nuint16(0) == 0x5A4D and (\r\n$cmd or (2 of ($str_*)) or\r\nany of ($pdb_*) or $code\r\n)\r\n}",
            "pattern_type": "yara",
            "valid_from": "2024-06-19T00:00:00Z"
        },
        {
            "type": "file",
            "spec_version": "2.1",
            "id": "file--5f34b120-3a05-4e46-a033-c5106b86d279",
            "hashes": {
                "MD5": "e86ed825887efef54feff4dec45855f9"
            }
        },
        {
            "type": "file",
            "spec_version": "2.1",
            "id": "file--eb4ac719-9802-4866-bf0c-a8d924c17d19",
            "hashes": {
                "SHA-256": "a637d9836285254831c80fdd407f4dae440ad382a23ca12abae2d721cffe913f"
            }
        },
        {
            "type": "file",
            "spec_version": "2.1",
            "id": "file--6dbc81d3-6c7a-4830-abef-bb1a3afec74d",
            "hashes": {
                "SHA-1": "3671eaf95ce83f769ee2bd73f5c1c9e85b34fee1"
            }
        },
        {
            "type": "file",
            "spec_version": "2.1",
            "id": "file--c30777d3-0e0c-491f-89dc-68612cdf2466",
            "hashes": {
                "SHA-256": "162b24784dd0dd19c2ce08961a9b836b5ff645d1d02da9c18616a0d348467e61"
            }
        },
        {
            "type": "file",
            "spec_version": "2.1",
            "id": "file--1d55c53d-2d0e-4ae8-b4b5-d075730eb104",
            "hashes": {
                "SHA-1": "5d40a3422b4d5fa9c77eb5c6fd7605c26fa7f0e7"
            }
        },
        {
            "type": "file",
            "spec_version": "2.1",
            "id": "file--3054c025-6b3d-4893-b80b-beb5b95a3049",
            "hashes": {
                "SHA-1": "596880007009d7bc21bed99022b02fd22b7d6107"
            }
        },
        {
            "type": "file",
            "spec_version": "2.1",
            "id": "file--f2624ac0-13b1-49aa-b2c7-d19b2f45b992",
            "hashes": {
                "SHA-1": "df3dd9685d47b0b79d81fb049df3e5a5f2e19db6"
            }
        },
        {
            "type": "file",
            "spec_version": "2.1",
            "id": "file--410db34a-49ab-4fa7-b183-a6f505442ecf",
            "hashes": {
                "MD5": "b75816a259098d39e5b666a867edf708"
            }
        },
        {
            "type": "file",
            "spec_version": "2.1",
            "id": "file--31682fe1-aca9-4198-8ac1-1f9d3707be7f",
            "hashes": {
                "SHA-1": "d2b7e3c736a38c56ec3d7d3779fb463a3e472a3a"
            }
        },
        {
            "type": "file",
            "spec_version": "2.1",
            "id": "file--b0c86e7e-3c0d-4b44-95f9-7ea1a330de2a",
            "hashes": {
                "SHA-1": "fd578bbc1a967a345d09ef09209612b9750fa263"
            }
        },
        {
            "type": "file",
            "spec_version": "2.1",
            "id": "file--421c507a-e1ff-432f-809c-fd97c351011e",
            "hashes": {
                "SHA-1": "c90a00b80670da65da968e0503f41b433888b9d2"
            }
        },
        {
            "type": "file",
            "spec_version": "2.1",
            "id": "file--778e44d4-91af-44ff-8620-a440ea65c060",
            "hashes": {
                "SHA-256": "5b3cc9cced1ef0cb0bba5549cc2ac09c49ae10554d2409ea16bc5e118d278c15"
            }
        },
        {
            "type": "file",
            "spec_version": "2.1",
            "id": "file--b013980b-b06d-4c11-b969-3e082beecb96",
            "hashes": {
                "SHA-1": "3775bf222c77eea4683941bd7c51e801f35e07de"
            }
        },
        {
            "type": "file",
            "spec_version": "2.1",
            "id": "file--1b5517d8-0899-4da1-baad-db155c126705",
            "hashes": {
                "SHA-1": "5dd9f817d184115d17da659f59641d0cac65db3d"
            }
        },
        {
            "type": "file",
            "spec_version": "2.1",
            "id": "file--a26bb2ca-5ad4-49b9-bb51-b140662055a0",
            "hashes": {
                "SHA-256": "faca8b6f046dad8f0e27a75fa2dc5477d3ccf44adced64481ef1b0dd968b4b0e"
            }
        },
        {
            "type": "file",
            "spec_version": "2.1",
            "id": "file--5a499e91-a103-46b0-b580-a1ca6943a2a5",
            "hashes": {
                "MD5": "6951bdbd78deb691b9a12de360f31628"
            }
        },
        {
            "type": "file",
            "spec_version": "2.1",
            "id": "file--e0e7ed2c-1ec4-48e9-b0a8-3670b3baa712",
            "hashes": {
                "MD5": "3de6024e95b875885b42d19fce2baa18"
            }
        },
        {
            "type": "file",
            "spec_version": "2.1",
            "id": "file--0517b967-ae7c-492c-897e-dbc55e96b6e6",
            "hashes": {
                "SHA-256": "cca1705d7a85fe45dce9faec5790d498427b3fa8e546d7d7b57f18a925fdfa5d"
            }
        },
        {
            "type": "file",
            "spec_version": "2.1",
            "id": "file--293f3920-11f6-4746-ab09-6da118f70370",
            "hashes": {
                "SHA-256": "c94a5817fcd6a4ea93d47d70b9f2b175923a8b325234a77f127c945ae8649874"
            }
        },
        {
            "type": "file",
            "spec_version": "2.1",
            "id": "file--5c8ffcfd-bd75-48f6-9ba4-31098c5c9222",
            "hashes": {
                "SHA-256": "4f463f3fe541288d16ffd89f81d83d7e9e7e5a5e476850eac48c782a61a26bc0"
            }
        },
        {
            "type": "file",
            "spec_version": "2.1",
            "id": "file--c4c19dec-ca42-48c9-8c39-598c8c4efdf0",
            "hashes": {
                "SHA-1": "0e42f20eb0aab1a4570b0e96b36ceb88f2c82643"
            }
        },
        {
            "type": "file",
            "spec_version": "2.1",
            "id": "file--007b229e-207b-4b21-88e1-cfdb3fab251a",
            "hashes": {
                "SHA-256": "000e2926f6e094d01c64ff972e958cd38590299e9128a766868088aa273599c7"
            }
        },
        {
            "type": "file",
            "spec_version": "2.1",
            "id": "file--389acdb6-c475-4f9f-b834-0590c9cf3f98",
            "hashes": {
                "SHA-1": "e9f134a3f4bc5bec1f71906c37f325808b9da2d9"
            }
        },
        {
            "type": "file",
            "spec_version": "2.1",
            "id": "file--d16fc34c-93ef-47b5-9021-4ac7c71c161b",
            "hashes": {
                "SHA-1": "20ea6517f4490dc504756299263a06b1cc8e87e0"
            }
        },
        {
            "type": "file",
            "spec_version": "2.1",
            "id": "file--20a2dd90-c135-4765-8f03-ad6460672d9e",
            "hashes": {
                "MD5": "a8ed2e894dd32e31dc7a19b5c27686c5"
            }
        },
        {
            "type": "file",
            "spec_version": "2.1",
            "id": "file--dfb41674-9395-4ef8-9fc2-11b060afe37f",
            "hashes": {
                "SHA-256": "62840447d4d17f14047d7aa0b0916ed94114741846fbac3743e0b393a0273a9c"
            }
        },
        {
            "type": "url",
            "spec_version": "2.1",
            "id": "url--c916ccd8-2fe1-4cf1-8b15-142a230af3bc",
            "value": "http://download-attachments.mooo.com/down.php?ctx=bin&id=danielinternal"
        },
        {
            "type": "url",
            "spec_version": "2.1",
            "id": "url--c80e1059-fc5e-4a3b-9a49-c6e5795d7f4b",
            "value": "http://download-attachments.mooo.com/down.php?ct"
        },
        {
            "type": "domain-name",
            "spec_version": "2.1",
            "id": "domain-name--8f0c60e3-d8ab-47e9-8f30-8110f0ea8eed",
            "value": "afraid.org"
        },
        {
            "type": "domain-name",
            "spec_version": "2.1",
            "id": "domain-name--54a7fea2-db65-4cc0-b614-303802c3d350",
            "value": "attachments.mooo.com"
        },
        {
            "type": "ipv4-addr",
            "spec_version": "2.1",
            "id": "ipv4-addr--f773636e-b914-4896-b371-b3263d5107b7",
            "value": "100.100.100.2"
        },
        {
            "type": "file",
            "spec_version": "2.1",
            "id": "file--e0f21978-6d66-4a75-bdd8-86f81cb07114",
            "hashes": {
                "MD5": "6e5d5a8d06452852f1ccbc9b6dbab3eb"
            }
        },
        {
            "type": "file",
            "spec_version": "2.1",
            "id": "file--724ae1fe-6493-46b1-a2c0-14bc34c7dbde",
            "hashes": {
                "SHA-256": "f58a9905aad4d82a89a787017f1a357309caa01e2da081d76671f3319c66aa74"
            }
        },
        {
            "type": "file",
            "spec_version": "2.1",
            "id": "file--56a9fe38-6833-4d53-bc5c-94b045e13d11",
            "hashes": {
                "SHA-256": "3314b6ea393e180c20db52448ab6980343bc3ed623f7af91df60189fec637744"
            }
        },
        {
            "type": "file",
            "spec_version": "2.1",
            "id": "file--da972014-f077-4f7c-a406-ed42485aef96",
            "hashes": {
                "SHA-256": "24a42a912c6ad98ab3910cb1e031edbdf9ed6f452371d5696006c9cf24319147"
            }
        },
        {
            "type": "threat-actor",
            "spec_version": "2.1",
            "id": "threat-actor--3cad7692-b5b4-565b-88b1-63998b3f44a1",
            "created": "2026-06-24T19:53:15.823591Z",
            "modified": "2026-06-24T19:53:15.823591Z",
            "name": "Kimsuky"
        },
        {
            "type": "report",
            "spec_version": "2.1",
            "id": "report--a0c77577-0d75-4029-a3d3-72aaa25289aa",
            "created_by_ref": "identity--b30ab30c-aa6b-40ed-a5cd-d380ee04f5ca",
            "created": "2026-06-24T19:53:15.838317Z",
            "modified": "2026-06-24T19:53:15.838317Z",
            "name": "New North-Korean based backdoor packs a punch",
            "published": "2024-06-19T00:00:00Z",
            "object_refs": [
                "identity--b30ab30c-aa6b-40ed-a5cd-d380ee04f5ca",
                "file--c92758cb-8914-47aa-843e-9715e839861a",
                "file--914e53de-847b-46dd-b169-e239caabaa03",
                "domain-name--55234dcf-76e5-4b83-aec5-a23a3c9bd50e",
                "file--c65f1fd2-9e29-4377-8d78-c8a086db8f36",
                "file--9e821a22-0556-4394-9b98-fb12adbb6ffa",
                "file--cf34c206-08c1-4c30-a698-4e9a1273cdfb",
                "file--e360ded4-ded8-4abb-ab77-f3fa5d7497d3",
                "url--c2bc54f9-1e05-4061-90ea-282bd4e8f220",
                "url--604876dd-3800-483d-8ddb-12d91952bd62",
                "url--e70e2c83-a131-4958-a826-7ae57e9e2cc5",
                "domain-name--73832d5f-106e-4920-b098-35b4f7f04baf",
                "domain-name--2fecf269-4433-4a61-ad57-f4b58aeec09f",
                "domain-name--203c09ed-4b5f-48b4-970e-4166261c86e2",
                "domain-name--1e879598-89b2-4750-b576-a76a02179fed",
                "ipv4-addr--d5a0c08a-3bf5-4d53-807e-1218d310ec80",
                "url--a380b125-abfe-4d55-b0d9-2dba3c2b665a",
                "indicator--ae41763c-61e3-4e21-b7d3-a29814ecc4ba",
                "indicator--464ab589-12f2-47e9-8c18-4c3d48492072",
                "indicator--3b532b86-8f06-4567-b92a-19cc629e35a0",
                "file--5f34b120-3a05-4e46-a033-c5106b86d279",
                "file--eb4ac719-9802-4866-bf0c-a8d924c17d19",
                "file--6dbc81d3-6c7a-4830-abef-bb1a3afec74d",
                "file--c30777d3-0e0c-491f-89dc-68612cdf2466",
                "file--1d55c53d-2d0e-4ae8-b4b5-d075730eb104",
                "file--3054c025-6b3d-4893-b80b-beb5b95a3049",
                "file--f2624ac0-13b1-49aa-b2c7-d19b2f45b992",
                "file--410db34a-49ab-4fa7-b183-a6f505442ecf",
                "file--31682fe1-aca9-4198-8ac1-1f9d3707be7f",
                "file--b0c86e7e-3c0d-4b44-95f9-7ea1a330de2a",
                "file--421c507a-e1ff-432f-809c-fd97c351011e",
                "file--778e44d4-91af-44ff-8620-a440ea65c060",
                "file--b013980b-b06d-4c11-b969-3e082beecb96",
                "file--1b5517d8-0899-4da1-baad-db155c126705",
                "file--a26bb2ca-5ad4-49b9-bb51-b140662055a0",
                "file--5a499e91-a103-46b0-b580-a1ca6943a2a5",
                "file--e0e7ed2c-1ec4-48e9-b0a8-3670b3baa712",
                "file--0517b967-ae7c-492c-897e-dbc55e96b6e6",
                "file--293f3920-11f6-4746-ab09-6da118f70370",
                "file--5c8ffcfd-bd75-48f6-9ba4-31098c5c9222",
                "file--c4c19dec-ca42-48c9-8c39-598c8c4efdf0",
                "file--007b229e-207b-4b21-88e1-cfdb3fab251a",
                "file--389acdb6-c475-4f9f-b834-0590c9cf3f98",
                "file--d16fc34c-93ef-47b5-9021-4ac7c71c161b",
                "file--20a2dd90-c135-4765-8f03-ad6460672d9e",
                "file--dfb41674-9395-4ef8-9fc2-11b060afe37f",
                "url--c916ccd8-2fe1-4cf1-8b15-142a230af3bc",
                "url--c80e1059-fc5e-4a3b-9a49-c6e5795d7f4b",
                "domain-name--8f0c60e3-d8ab-47e9-8f30-8110f0ea8eed",
                "domain-name--54a7fea2-db65-4cc0-b614-303802c3d350",
                "ipv4-addr--f773636e-b914-4896-b371-b3263d5107b7",
                "file--e0f21978-6d66-4a75-bdd8-86f81cb07114",
                "file--724ae1fe-6493-46b1-a2c0-14bc34c7dbde",
                "file--56a9fe38-6833-4d53-bc5c-94b045e13d11",
                "file--da972014-f077-4f7c-a406-ed42485aef96",
                "threat-actor--3cad7692-b5b4-565b-88b1-63998b3f44a1"
            ],
            "external_references": [
                {
                    "source_name": "source",
                    "url": "https://cyberarmor.tech/wp-content/uploads/2024/06/New-North-Korean-based-backdoor-packs-a-punch.pdf"
                }
            ]
        }
    ]
}