Operation DarkHorse: CHM-Based Attack Analysis
2023-10-16 • Genians • Operation DarkHorse CHM-based attack analysis
Genians tracks a CHM-based phishing campaign, distributed by email, under the name Operation DarkHorse; the name was assigned after repeated detections since the previous year. The activity initially used virtual-asset and game-server development themes in early 2022, then shifted in late 2023 toward finance-themed lures such as contracts, card limit adjustments, and insurance payment notices. The report notes that some analysts suspected APT37, but similarities to Kimsuky led the Genians Security Center (GSC) to assess Kimsuky, rather than APT37, as the likely operator. The infection flow consists of attacker-prepared C2 infrastructure, target selection, spear-phishing emails, malicious CHM files, and execution of HTML script embedded in the CHM. That script stage evolved from saving and running VBS files to compiling malicious JSE files inside CHM attachments.